Device Security
If you have a personally-managed Windows, Mac, iOS or Android device that needs to comply with MSSND requirements, follow the step-by-step instructions below to configure your device to meet campus policy.
MSSND #1: Patching and Updates
Supported Operating System:
Upgrade your Windows or Mac desktop or laptop devices to the latest operating system version to take advantage of built-in security features.
Windows
Windows 8 and below are no longer supported and do not receive security updates without extended support.
Windows 10 is available to registered Students, Staff, and Faculty here: https://software.berkeley.edu/microsoft-operating-system
If you need help upgrading your operating system, contact IT Client Services or your departmental IT support for assistance.
Windows 10 releases feature updates twice a year.
- Feature updates are not enabled by default and will need to be manually applied.
- If a feature update is available for your device, it will appear separately on the Windows Update page. To install it, select Download and Install now.
- Feature updates receive security patches for 18 to 30 months from the date of release. Once the feature version has reached its End of Life it will no longer receive the security patches and will need to be upgraded.
- The release and End of Life schedule can be found here: https://docs.microsoft.com/en-us/windows/release-information/
To install the latest feature update:
Settings > Update & Security > Select Check for Updates > Install now
Download full instructions with screenshots of MSSND 1 Windows Part 1 (PDF).
Mac
Apple does not officially acknowledge the end of support for Mac OS X operating systems. Security updates addressing critical vulnerabilities are only released for the current and one previous version of Mac OS X.
Mac OS X users should plan on upgrading their operating systems regularly as Apple releases new versions. We recommend updating to either the latest version, or one previous version, no more than 90 days after a new version is released.
For more information, see https://security.berkeley.edu/faq/isp-security-notices/operating-system-unsupported
Make a backup before upgrading the OS. Rolling back the OS is not supported by Apple; a full restore from a backup will be needed to roll back an update.
To install the latest OS upgrade:
System Preferences > Software Update > MacOS upgrade now
Download full instructions with screenshots MSSND 1 Mac Part 1 (PDF).
Updates:
Keep your Windows, Mac, Android and iOS mobile devices up-to-date.
Windows
Automatic updates should be enabled by default and should not need to be manually applied.
To manually check and apply updates
Settings > Update & Security > Select Check for Updates > Install now
Download full instructions with screenshots MSSND 1 Windows Part 2 (PDF).
Mac
System Preferences > Software Update > Automatically keep my Mac up to date > Advanced > Check all items
Download full instructions with screenshots MSSND 1 Mac part 2 (PDF).
Android
If a message says that an update is available, tap Install Now
To manually check for updates
Settings > System > Advanced > System Update > Check for update
Download full instructions with screenshots MSSND 1 Android (PDF).
iOS
Automatic Updates
If a message says that an update is available, tap Install Now
Manual Updates with wireless connection
- Plug your device into power and connect to the Internet with Wi-Fi
- Settings > General, then tap Software Update
- Tap Download and Install
- If asked, enter your passcode
Manual Updates without wireless connection
If you can’t update wirelessly on your device, you can update manually using a computer that you trust. If your computer is using a Personal Hotspot on the device that you’re updating, connect your computer to a different Wi-Fi or Ethernet network before you update.
- On a Mac with macOS Catalina 10.15, open Finder. On a Mac with macOS Mojave 10.14 or earlier, or on a PC, open iTunes
- Connect your device to your computer
- Locate your device on your computer
- Click General or Settings, then click Check for Update
- Click Download and Update
- If asked, enter your passcode
Download full instructions with screenshots MSSND 1 iOS (PDF).
Supported Software:
The software that is installed on your computing devices (e.g., Microsoft Office) must be actively receiving security updates from the vendor.
For Open Source applications, software must be actively maintained by developers with timely security release updates for any reported vulnerabilities.
Software such as Google Chrome, Firefox, Microsoft Office, Zoom should be kept up to date by following update prompts.
MSSND #2: Anti-malware Software
Enable built-in anti-malware features.
Windows
Confirm Windows Defender is turned on
Settings > Update & Security > Windows Security > All items should be turned on
Enable real-time scanning
Settings > Update and Security > Windows Security > Virus and Threat Protection > Virus and Threat protection settings > Manage settings > All options should be turned on
Download full instructions with screenshots MSSND 2 Windows (PDF).
MSSND #3: Host-based Firewall Software
Turn on the built-in host-based firewall for your Windows or Mac desktop or laptop computing devices.
Enable Firewalls:
Windows
Settings > Update & Security > Windows Security > Firewall & network protection > Check if turned on > If not turned on, select a network profile > Under Microsoft Defender Firewall, switch the setting to On > Repeat for all network profiles
Download full instructions with screenshots MSSND 3 Windows Part 1 (PDF).
Mac
System Preferences > Security and Privacy > Firewall > Unlock with the lock in the lower left corner > Turn on Firewall > Firewall Options
- Block all incoming connections
- Enable stealth mode
- Others unchecked
Download full instructions with screenshots MSSND 3 Mac (PDF).
Log Firewall Activity:
Windows
Settings > Update and Security > Windows Security > Firewall and Network Protection > Advanced Settings > Windows Defender Firewall with Advanced Security > Action > Properties > For each Domain, Private, and Public profiles, click Logging > Customize > Log dropped packets: Yes, Log successful connections: Yes
Download full instructions with screenshots MSSND 3 Windows Part 2 (PDF).
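A read-only check of the Windows settings from MSSND #2 and #3 above, as an added example that is not part of the original campus instructions. It uses the built-in Get-MpComputerStatus and Get-NetFirewallProfile cmdlets; the function name Test-MssndWindows and the check labels are made up for this example.

```powershell
# Added example: read-only audit of the Windows settings from MSSND #2 and #3.
# Test-MssndWindows and the check labels are names made up for this example.

function Test-MssndWindows {
    $results = @()

    # MSSND #2: Microsoft Defender is on and real-time scanning is enabled.
    $mp = Get-MpComputerStatus
    $results += [pscustomobject]@{
        Check = 'MSSND2 Defender antivirus enabled'
        Pass  = [bool]$mp.AntivirusEnabled
    }
    $results += [pscustomobject]@{
        Check = 'MSSND2 Real-time protection enabled'
        Pass  = [bool]$mp.RealTimeProtectionEnabled
    }

    # MSSND #3: every profile (Domain, Private, Public) must be turned on and
    # must log both dropped packets and successful connections.
    foreach ($p in Get-NetFirewallProfile) {
        foreach ($setting in 'Enabled', 'LogBlocked', 'LogAllowed') {
            $results += [pscustomobject]@{
                Check = "MSSND3 Firewall $($p.Name) $setting"
                # Values are a True/False/NotConfigured enum; compare as text
                # so NotConfigured counts as a failure.
                Pass  = ("$($p.$setting)" -eq 'True')
            }
        }
    }
    return $results
}

# Show every check, then summarize the ones that still need attention.
$audit = Test-MssndWindows
$audit | Format-Table -AutoSize

$failed = @($audit | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) do not match the steps above."
}
```

The script changes nothing; any row with Pass set to False points back to the matching Settings path in the steps above.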
MSSND #4: Use of Authentication
There are no actions needed for this requirement.
MSSND #5: Passphrase Requirements
- Passphrases and PINs must be sufficiently complex. Guidelines can be found here.
- Passphrases must be unique across all accounts, including personal accounts (e.g. do not re-use your CalNet passphrase on your social media accounts).
- Passphrases must not be shared.
- Each individual on a system should have their own unique user account and passphrase.
- Passphrases and associated data such as account recovery secrets should be stored securely using a Password Manager.
- LastPass premium is now available to students, staff, and faculty.
- Do not store passphrases unencrypted (e.g. in email, in a plain text file, or written on a sticky note next to your desk).
- For secure passphrases, ISO recommends setting Account Lockout Policies to prevent brute-force password login attacks.
MSSND #6: Device Lock-out
Set your devices to lock the screen after 15 minutes of inactivity.
Windows
Lock out
- Settings > Accounts > Sign-in options > Require sign-in > When PC wakes up from sleep
- Settings > System > Power and Sleep > When plugged in, PC goes to sleep after 15 minutes
Prevent brute-force password login attacks
Administrative Tools > Local Security Policy > Account Policies > Account Lockout Policies
- 3 minute lockout duration
- 3 invalid attempts
- 3 minute reset counter
Download full instructions with screenshots MSSND 6 Windows (PDF).
Mac
- System Preferences > Desktop & Screen Saver > Screen Saver > Start After 10 minutes
- Optional: Hot corners > Pick a corner and choose Lock Screen
- System Preferences > Security and Privacy > Require a password immediately after sleep or screen saver begins
Download full instructions with screenshots MSSND 6 Mac (PDF).
Android
Settings > Security > Screen Lock > Choose screen lock > Password
Download full instructions with screenshots MSSND 6 Android (PDF).
iOS
Settings > Passcode > Turn Passcode On and Require Passcode > Immediately
Download full instructions with screenshots MSSND 6 iOS (PDF).
MSSND #7: Unnecessary Services
There are no actions needed for this requirement.
MSSND #8: Remote Access Services
Remote desktop or terminal access from the public Internet to any campus IT Resource must use the Campus VPN or use an approved Remote Access Gateway Service such as the IST RD Gateway (for RDP).
MSSND #9: Privileged Accounts
Do not assign Administrator privileges to the login account that you use for day-to-day activity on your Windows or Mac devices. Create a separate Administrator account to be used only when elevated privileges are needed.
Add a non-administrator account:
Windows
Add a new account
New accounts are standard users by default.
Settings > Accounts > Family & other users > Add someone else to this PC
Change an administrator account to a standard user account
Change account type > Standard user
Download full instructions with screenshots MSSND 9 Windows (PDF).
Mac
System Preferences > Users and Groups > Unlock with the lock in the lower left corner > Click + button > Standard User
Download full instructions with screenshots MSSND 9 Mac (PDF).