MSSND: How to Secure Devices

Device Security

If you have a personally-managed Windows, Mac, IOS, or Android device that needs to comply with MSSND requirements, follow the step-by-step instructions below for how to configure your device to meet campus policy.

MSSND #1: Patching and Updates

We also provide optional guidance to assist with achieving the “Patching and Updates” Requirements.

Supported Operating System:

Upgrade your Windows or Mac desktop or laptop devices to the latest operating system version to take advantage of built-in security features.

Windows

Windows 8 and below are no longer supported and not receiving security updates without extended support. 

Windows 10 is available to registered Students, Staff, and Faculty here:  https://software.berkeley.edu/microsoft-operating-system

If you need help upgrading your operating system, contact IT Client Services or your departmental IT support for assistance.

Windows 10 releases feature updates twice a year. 

  • Feature updates are not enabled by default and will need to be manually applied. 

  • If a feature update is available for your device, it will appear separately on the Windows Update page. To install it, select Download and Install now

  • Feature updates receive security patches for 18 to 30 months from the date of release. Once the feature version has reached its End of Life it will no longer receive the security patches and will need to be upgraded. 

  • The release and End of Life schedule can be found here: https://docs.microsoft.com/en-us/windows/release-information/

To install the latest feature update:  

Settings > Update & Security > Select Check for Updates > Install now

Download full instructions with screenshots of MSSND 1 Windows Part 1 (PDF).

Mac

Apple does not officially acknowledge the end of support for Mac OS X operating systems. Security updates addressing critical vulnerabilities are only released for the current and one previous version of Mac OS X. 

Mac OS X users should plan on upgrading their operating systems regularly as Apple releases new versions. We recommend updating to either the latest version or one previous version, no more than 90 days after a new version is released.

For more information, see https://security.berkeley.edu/faq/isp-security-notices/operating-system-unsupported

Make a backup before upgrading the OS, rolling back the OS is not supported by Apple, a full restore to a backup will be needed to roll back an update. 

To install the latest OS upgrade:

System Preferences > Software Update > MacOS upgrade now 

Download full instructions with screenshots MSSND 1 Mac Part 1 (PDF).

Updates:

Keep your Windows, Mac, Android, and iOS mobile devices up to date.

Windows

Automatic updates should be enabled by default and should not need to be manually applied. 

To manually check and apply updates 

Settings > Update & Security > Select Check for Updates > Install now 

Download full instructions with screenshots MSSND 1 Windows Part 2 (PDF).

Mac

System Preferences > Software Update > Automatically keep my Mac up to date  > Advanced > Check all items

Download full instructions with screenshots MSSND 1 Mac part 2 (PDF).

Android

If a message says that an update is available, tap Install Now

To manually check for updates

Settings > System > Advanced > System Update > Check for update

Download full instructions with screenshots MSSND 1 Android (PDF).

iOS

Automatic Updates 

If a message says that an update is available, tap Install Now

Manual Updates with wireless connection 

  1. Plug your device into power and connect to the Internet with Wi-Fi

  2. Settings > General, then tap Software Update

  3. Tap Download and Install

  4. If asked, enter your passcode

Manual Updates without a wireless connection 

If you can’t update wirelessly on your device, you can update manually using a computer that you trust. If your computer is using a Personal Hotspot on the device that you’re updating, connect your computer to a different Wi-Fi or Ethernet network before you update.

  1. On a Mac with macOS Catalina 10.15, open Finder. On a Mac with macOS Mojave 10.14 or earlier, or on a PC, open iTunes

  2. Connect your device to your computer

  3. Locate your device on your computer

  4. Click General or Settings, then click Check for Update

  5. Click Download and Update

  6. If asked, enter your passcode

Download full instructions with screenshots MSSND 1 iOS (PDF).

Supported Software:

The software that is installed on your computing devices (e.g., Microsoft Office) must be actively receiving security updates from the vendor.

For Open Source applications, software must be actively maintained by developers with timely security release updates for any reported vulnerabilities.

Software such as Google Chrome, Firefox, Microsoft Office, Zoom should be kept up to date by following update prompts.

MSSND #2: Anti-malware Software

We also provide optional guidance to assist with achieving the “Anti-malware Software” Requirements.

Enable built-in anti-malware features.

Windows

Confirm Windows Defender is turned on 

Settings > Update & Security > Windows Security > All items should be turned on 

Enable real-time scanning

Settings > Update and Security > Windows Security > Virus and Threat Protection > Virus and Threat protection settings > Manage settings > All options should be turned on  

Download full instructions with screenshots MSSND 2 Windows (PDF).

MSSND #3: Host-based Firewall Software

We also provide optional guidance to assist with achieving the “Host-based Firewall Software” Requirements.

Turn on the built-in host-based firewall for your Windows or Mac desktop or laptop computing devices. 

Enable Firewalls:

Windows

Settings  > Update & Security  > Windows Security > Firewall & network protection > Check if turned on > If not turned on, select a network profile > Under Microsoft Defender Firewall, switch the setting to On > Repeat for all network profiles 

Download full instructions with screenshots MSSND 3 Windows Part 1 (PDF).

Mac

System Preferences > Security and Privacy > Firewall > Unlock with the lock in the lower-left corner > Turn on Firewall > Firewall Options 

  • Block all incoming connections
  • Enable stealth mode
  • Others unchecked

Download full instructions with screenshots MSSND 3 Mac (PDF).

Log Firewall Activity:

Windows

Settings > Update and Security > Windows Security > Firewall and Network Protection > Advanced Settings >  Windows Defender Firewall with Advanced Security > Action > Properties > For each Domain, Private, and Public profiles, click Logging > Customize > Log dropped packets: Yes, Log successful connections: Yes 

Download full instructions with screenshots MSSND 3 Windows Part 2 (PDF).

MSSND #4: Use of Authentication

We also provide optional guidance to assist with achieving the “Use of Authentication” Requirements.

Multi-factor authentication

Multi-factor authentication (MFA) is recommended to keep your accounts safe. MFA adds an extra step during authentication; you log into your account with a password and then verify your identity with a physical device, such as your phone or a USB token. Your account will remain secure even if your password is stolen or hacked as long as you have your physical device. UC Berkeley CalNet uses Duo two-step MFA for all bConnected accounts. If you use services or applications for school, work, or research that don't use CalNet and Duo two-step MFA, check with the Service Provider to see if MFA is available – and turn it on if it is.

You can also add MFA to many types of personal accounts, such as a personal Gmail account, your bank, online retailers where you store your credit card information (like Amazon), or social media accounts that have your personal information (like Facebook). This is an important way to protect your personal accounts. 

Web Browsers

Check for HTTPS

Always be certain that HTTPS is being used for the authentication session (look for a lock in the URL field); otherwise, credentials will be exchanged unencrypted and exposed to potential attackers.

Protecting your online accounts

Authentication helps keep unauthorized people from using your online accounts. However, once you have signed into online accounts on a web browser, you might remain signed in even after you are done using the browser. If someone gets access to your device, they can then access your accounts through stored credentials in the web browser.

Download full instructions with screenshots MSSND 4 Chrome (PDF).

Download full instructions with screenshots MSSND 4 Firefox (PDF).

MSSND #5: Passphrase Requirements

We also provide optional guidance to assist with achieving the “Passphrase Requirements” Requirements.

  • Passphrases and PINs must be sufficiently complex. Guidelines can be found here

  • Passphrases must be unique across all accounts, including personal accounts. (e.g. do not re-use your CalNet passphrase on your social media accounts).

  • Passphrases must not be shared.

  • Each individual on a system should have their own unique user account and passphrase. 

  • Passphrases and associated data such as account recovery secrets should be stored securely using a Password Manager 

  • Do not store passphrases unencrypted (e.g. in email, in a plain text file, or written on a sticky note next to the desk).

  • For secure passphrases, ISO recommends setting Account Lockout Policies to prevent brute-force password login attacks. 

MSSND #6: Device Lock-out

We also provide optional guidance to assist with achieving the “Device Lock-out” Requirements.

Set your devices to lock the screen after 15 minutes of inactivity max; shorter is better. Also prevent brute force login attempts where possible.

Windows

Lockout 

  1. Settings > Accounts > Sign-in options > Require sign-in > When PC wakes up from sleep
  2. Settings > System > Power and Sleep > When plugged in, PC goes to sleep after 15 minutes


Prevent brute-force password login attacks

Administrative Tools > Local Security Policy > Account Policies > Account Lockout Policies

  • 3-minute lockout duration
  • 3 invalid attempts
  • 3 minute reset counter

Download full instructions with screenshots MSSND 6 Windows (PDF).

Mac

  1. System Preferences > Desktop & Screen Saver > Screen Saver > Start After 10 minutes
    1. Optional: Hot corners > Pick a corner and choose Lock Screen
  2. System Preferences > Security and Privacy > Require a password immediately after sleep or screen saver begins

Download full instructions with screenshots MSSND 6 Mac (PDF).

Prevent brute-force password login attacks

Apple automatically imposes escalating time delays after the entry of an invalid passcode, password, or PIN on modern Apple devices. See "How escalating time delays discourage brute-force attacks" on Apple's Platform Security webpage for details.

Android

Settings > Security > Screen Lock > Choose screen lock > Password 

Download full instructions with screenshots MSSND 6 Android (PDF).

iOS

Settings > Passcode > Turn Passcode On and Require Passcode > Immediately

Download full instructions with screenshots MSSND 6 iOS (PDF).

Prevent brute-force password login attacks

Apple automatically imposes escalating time delays after the entry of an invalid passcode, password, or PIN on modern Apple devices. See "How escalating time delays discourage brute-force attacks" on Apple's Platform Security webpage for details.

MSSND #7: Unnecessary Services

We also provide optional guidance to assist with achieving the “Unnecessary Services” Requirements.

It is important to review the software, apps, and extensions you have installed on your device, and uninstall or disable them if they are insecure or if you no longer need them. Insecure or unnecessary programs may expose your device to network attacks or have excessive permissions enabled.

Steps you can take:

  • Review your browser extensions and add ons and delete anything you don’t use.
  • Evaluate browser extensions for ones you might want to disable when not in use.
    • If you are not actively using an extension and you do not want to delete it, disable it from your Extension Manager in Chrome (chrome://extensions/) or Firefox (about: addons) and enable it only for the period of time you need to use it.
    • This is particularly important for browser extensions that require broad permissions to work (such as “Allow this extension to read and change all your data on websites you visit” or “Access your data for all websites”).
  • Review and uninstall programs and apps on your different devices. 

Windows 

  1. Settings > Apps 
  2. Review the list of installed programs. Click the program name to see the version number and to modify or uninstall the program. 

Download full instructions with screenshots MSSND 7 Windows (PDF).

Mac

  1. Finder > Applications folder 
  2.  Right-click the program name to move the application to the trash. Empty the Trash to delete the application.

Download full instructions with screenshots MSSND 7 Mac (PDF).

Android

  1. Settings > Apps 
  2. Review the list of installed programs. Click the checkbox next to the program name to uninstall the program.

Download full instructions with screenshots MSSND 7 Android (PDF).

iOS

  1. Click and hold the app icon > Remove App

Download full instructions with screenshots MSSND 7 iOS (PDF).

MSSND #8: Remote Access Services

We also provide optional guidance to assist with achieving the “Remote Access Services” Requirements.

If you need remote access to your system from off-campus, use an Approved Campus Remote Access Service or use Unit-approved Remote Access Services that meet the MSSND #8 Guidelines

MSSND #9: Privileged Accounts

We also provide optional guidance to assist with achieving the “Privileged Accounts” Requirements.

Do not assign Administrator privileges to the login account that you use for day-to-day activity on your Windows or Mac devices.  Create a separate Administrator account to be used only when elevated privileges are needed.

Add a non-administrator account:

Windows

Add a new account

New accounts are standard users by default. 

Settings > Accounts > Family & other users > Add someone else to this PC

Change an administrator account to a standard user account
Change account type > Standard user

Download full instructions with screenshots MSSND 9 Windows (PDF).

Mac

System Preferences > Users and Groups > Unlock with the lock in the lower left corner > Click + button > Standard User

Download full instructions with screenshots MSSND 9 Mac (PDF).

Topics

On This Page