MSSND: How to Secure Devices

Device Security

If you have a personally managed Windows, Mac, iOS or Android device that needs to comply with MSSND requirements, follow the step-by-step instructions below to configure your device to meet campus policy.

MSSND #1: Patching and Updates 

Supported Operating System:

Upgrade your Windows or Mac desktop or laptop devices to the latest operating system version to take advantage of built-in security features.

Windows

Windows 8 and below are no longer supported and do not receive security updates without extended support.

Windows 10 is available to registered Students, Staff, and Faculty here:  https://software.berkeley.edu/microsoft-operating-system 

If you need help upgrading your operating system, contact IT Client Services or your departmental IT support for assistance.

Windows 10 releases feature updates twice a year. 

  • Feature updates are not enabled by default and will need to be manually applied. 

  • If a feature update is available for your device, it will appear separately on the Windows Update page. To install it, select Download and Install now.

  • Feature updates receive security patches for 18 to 30 months from the date of release. Once a feature version has reached its End of Life, it no longer receives security patches and will need to be upgraded.

  • The release and End of Life schedule can be found here: https://docs.microsoft.com/en-us/windows/release-information/

To install the latest feature update:  

Settings > Update & Security > Select Check for Updates > Install now

Download full instructions with screenshots of MSSND 1 Windows Part 1 (PDF).

Mac

Apple does not officially acknowledge the end of support for Mac OS X operating systems. Security updates addressing critical vulnerabilities are only released for the current and one previous version of Mac OS X. 

Mac OS X users should plan on upgrading their operating systems regularly as Apple releases new versions. We recommend updating to either the latest version, or one previous version, no more than 90 days after a new version is released.

For more information, see https://security.berkeley.edu/faq/isp-security-notices/operating-system-unsupported

Make a backup before upgrading the OS. Rolling back the OS is not supported by Apple; a full restore from a backup will be needed to roll back an update.

To install the latest OS upgrade:

System Preferences > Software Update > MacOS upgrade now 

Download full instructions with screenshots MSSND 1 Mac Part 1 (PDF).

Updates:

Keep your Windows, Mac, Android and iOS mobile devices up-to-date.

Windows

Automatic updates should be enabled by default and should not need to be manually applied. 

To manually check and apply updates:

Settings > Update & Security > Select Check for Updates > Install now 

Download full instructions with screenshots MSSND 1 Windows Part 2 (PDF).

Mac

System Preferences > Software Update > Automatically keep my Mac up to date  > Advanced > Check all items

Download full instructions with screenshots MSSND 1 Mac part 2 (PDF).

Android

If a message says that an update is available, tap Install Now

To manually check for updates:

Settings > System > Advanced > System Update > Check for update

Download full instructions with screenshots MSSND 1 Android (PDF).

iOS

Automatic Updates 

If a message says that an update is available, tap Install Now

Manual Updates with wireless connection 

  1. Plug your device into power and connect to the Internet with Wi-Fi

  2. Settings > General, then tap Software Update

  3. Tap Download and Install

  4. If asked, enter your passcode

Manual Updates without wireless connection 

If you can’t update wirelessly on your device, you can update manually using a computer that you trust. If your computer is using a Personal Hotspot on the device that you’re updating, connect your computer to a different Wi-Fi or Ethernet network before you update.

  1. On a Mac with macOS Catalina 10.15, open Finder. On a Mac with macOS Mojave 10.14 or earlier, or on a PC, open iTunes

  2. Connect your device to your computer

  3. Locate your device on your computer

  4. Click General or Settings, then click Check for Update

  5. Click Download and Update

  6. If asked, enter your passcode

Download full instructions with screenshots MSSND 1 iOS (PDF).

Supported Software:

The software that is installed on your computing devices (e.g., Microsoft Office) must be actively receiving security updates from the vendor.

For Open Source applications, software must be actively maintained by developers with timely security release updates for any reported vulnerabilities.

Software such as Google Chrome, Firefox, Microsoft Office, and Zoom should be kept up to date by following update prompts.


MSSND #2: Anti-malware Software

Enable built-in anti-malware features.

Windows

Confirm Windows Defender is turned on 

Settings > Update & Security > Windows Security > All items should be turned on 

Enable real-time scanning

Settings > Update and Security > Windows Security > Virus and Threat Protection > Virus and Threat protection settings > Manage settings > All options should be turned on  

Download full instructions with screenshots MSSND 2 Windows (PDF).


MSSND #3: Host-based Firewall Software

Turn on the built-in host-based firewall for your Windows or Mac desktop or laptop computing devices. 

Enable Firewalls:

Windows

Settings  > Update & Security  > Windows Security > Firewall & network protection > Check if turned on > If not turned on, select a network profile > Under Microsoft Defender Firewall, switch the setting to On > Repeat for all network profiles 

Download full instructions with screenshots MSSND 3 Windows Part 1 (PDF).

Mac

System Preferences > Security and Privacy > Firewall > Unlock with the lock in the lower left corner > Turn on Firewall > Firewall Options 

  • Block all incoming connections
  • Enable stealth mode
  • Others unchecked

Download full instructions with screenshots MSSND 3 Mac (PDF).

Log Firewall Activity:

Windows

Settings > Update and Security > Windows Security > Firewall and Network Protection > Advanced Settings >  Windows Defender Firewall with Advanced Security > Action > Properties > For each Domain, Private, and Public profiles, click Logging > Customize > Log dropped packets: Yes, Log successful connections: Yes 

Download full instructions with screenshots MSSND 3 Windows Part 2 (PDF).
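
The Windows firewall settings above (firewall on for every profile, dropped packets and successful connections logged) can also be checked from an elevated PowerShell prompt. This is an added example, not part of the campus instructions; the function name Test-Mssnd3Firewall and its -Fix switch are hypothetical, while the NetSecurity cmdlets it calls ship with Windows 10.

```powershell
# Added example: audit (and optionally apply) the MSSND #3 Windows firewall settings.
# Run from an elevated PowerShell prompt. Function name and -Fix switch are hypothetical.
function Test-Mssnd3Firewall {
    [CmdletBinding()]
    param([switch]$Fix)

    if ($Fix) {
        # Same end state as the GUI steps: firewall on, dropped packets and
        # successful connections logged, for the Domain, Private and Public profiles.
        $on = @{ Enabled = 'True'; LogBlocked = 'True'; LogAllowed = 'True' }
        Set-NetFirewallProfile -Profile Domain,Private,Public @on
    }

    foreach ($p in Get-NetFirewallProfile) {
        # Enabled / LogBlocked / LogAllowed are GpoBoolean values
        # (True, False, NotConfigured), so compare their string form.
        $gaps = @()
        if ("$($p.Enabled)"    -ne 'True') { $gaps += 'firewall off' }
        if ("$($p.LogBlocked)" -ne 'True') { $gaps += 'dropped packets not logged' }
        if ("$($p.LogAllowed)" -ne 'True') { $gaps += 'successful connections not logged' }

        [pscustomobject]@{
            Profile   = $p.Name
            Compliant = ($gaps.Count -eq 0)
            Gaps      = $gaps -join '; '
            LogFile   = $p.LogFileName   # where the firewall log is written
        }
    }
}

# Report only; add -Fix to apply the settings before reporting.
Test-Mssnd3Firewall | Format-Table -AutoSize
```

The LogFile column shows where each profile writes its log, which is the file to review once logging is on.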


MSSND #4: Use of Authentication

There are no actions needed for this requirement. 


MSSND #5: Passphrase Requirements

  • Passphrases and PINs must be sufficiently complex. Guidelines can be found here

  • Passphrases must be unique across all accounts, including personal accounts (e.g., do not re-use your CalNet passphrase on your social media accounts).

  • Passphrases must not be shared.

  • Each individual on a system should have their own unique user account and passphrase. 

  • Passphrases and associated data such as account recovery secrets should be stored securely using a password manager.

  • Do not store passphrases unencrypted (e.g., in email, in a plain text file, or written on a sticky note next to your desk).

  • For secure passphrases, ISO recommends setting Account Lockout Policies to prevent brute-force password login attacks. 

MSSND #6: Device Lock-out

Set your devices to lock the screen after 15 minutes of inactivity. 

Windows

Lock out 

  1. Settings > Accounts > Sign-in options > Require sign-in > When PC wakes up from sleep
  2. Settings > System > Power and Sleep > When plugged in, PC goes to sleep after 15 minutes


Prevent brute-force password login attacks

Administrative Tools > Local Security Policy > Account Policies > Account Lockout Policies

  • 3 minute lockout duration
  • 3 invalid attempts
  • 3 minute reset counter

Download full instructions with screenshots MSSND 6 Windows (PDF).
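
To confirm that the three Account Lockout Policy values above are actually in effect, the local security policy can be exported and compared from an elevated PowerShell prompt. This is an added example, not part of the campus instructions; the function name Test-Mssnd6Lockout is hypothetical, and it assumes secedit.exe is present, as it is on Windows editions that include Local Security Policy.

```powershell
# Added example: compare the local account lockout policy with the MSSND #6 values.
# Run elevated. Function name is hypothetical; the INI keys are the ones secedit exports.
function Test-Mssnd6Lockout {
    $want = [ordered]@{
        LockoutBadCount   = 3   # invalid attempts before lockout
        LockoutDuration   = 3   # minutes the account stays locked
        ResetLockoutCount = 3   # minutes until the failed-attempt counter resets
    }

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $have = @{}
    try {
        # Export only the security policy area to a temporary INI file.
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $have[$Matches[1]] = [int]$Matches[2]
            }
        }
    }
    finally {
        # The export describes local policy; do not leave it behind in TEMP.
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }

    foreach ($key in $want.Keys) {
        # Duration and reset keys are absent when no lockout threshold is set.
        [pscustomobject]@{
            Setting  = $key
            Expected = $want[$key]
            Actual   = if ($have.ContainsKey($key)) { $have[$key] } else { 'not set' }
            Match    = ($have[$key] -eq $want[$key])
        }
    }
}

Test-Mssnd6Lockout | Format-Table -AutoSize

# Command-line equivalent of the GUI steps, if any row does not match:
#   net accounts /lockoutthreshold:3 /lockoutduration:3 /lockoutwindow:3
```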

Mac

  1. System Preferences > Desktop & Screen Saver > Screen Saver > Start After 10 minutes
    1. Optional: Hot corners > Pick a corner and choose Lock Screen
  2. System Preferences > Security and Privacy > Require a password immediately after sleep or screen saver begins

Download full instructions with screenshots MSSND 6 Mac (PDF).

Android

Settings > Security > Screen Lock > Choose screen lock > Password 

Download full instructions with screenshots MSSND 6 Android (PDF).

iOS

Settings > Passcode > Turn Passcode On and Require Passcode > Immediately

Download full instructions with screenshots MSSND 6 iOS (PDF).


MSSND #7: Unnecessary Services

There are no actions needed for this requirement. 


MSSND #8: Remote Access Services

Remote desktop or terminal access from the public Internet to any campus IT Resource must use the Campus VPN or use an approved Remote Access Gateway Service such as the IST RD Gateway (for RDP).  


MSSND #9: Privileged Accounts

Do not assign Administrator privileges to the login account that you use for day-to-day activity on your Windows or Mac devices.  Create a separate Administrator account to be used only when elevated privileges are needed.

Add a non-administrator account:

Windows

Add a new account

New accounts are standard users by default. 

Settings > Accounts > Family & other users > Add someone else to this PC

Change an administrator account to a standard user account

Change account type > Standard user

Download full instructions with screenshots MSSND 9 Windows (PDF).

Mac

System Preferences > Users and Groups > Unlock with the lock in the lower left corner > Click + button > Standard User

Download full instructions with screenshots MSSND 9 Mac (PDF).