Security of data on MLS computers

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
wdoctor-p40
New Member
Posts: 2
Joined: Wed Jan 02, 2008 9:22 pm

Security of data on MLS computers

#1

Post by wdoctor-p40 »

Our ward is located in a stake building that has public internet access, and the MLS system has been migrated from the dialup line to share this public internet (all approved VPN/Wireless etc. as I have been told). The last time I was using the system I noticed that the previous user had left the web browser open... and a quick check of the browser history shows the MLS system is getting a significant amount of personal public internet time (folks reading personal email, facebook, etc.).

I understand how a family history library would require fairly broad access for research, however it would see that the MLS systems that contain members private data would be much more limited in where it can go and what it can access. I am responsible for these systems at my place of employment, and I appreciate what I assume is installed on the other end of the VPN (firewall/IDS/proxy servers etc.), but it only takes a single click on the wrong email or web page to install something nasty, and as we all know anti-virus etc. will never keep pace with the malware race wars. Given the limiations of managing windows computers on this scale, not joined to a domain to enforce policy/sofware, shared logins are required, and every user has admin rights for MLS to run, wouldn't it be more effective to isoloate the MLS systems in a bubble so that the are only able to communicate with the central members/finance systems to protect members personal information? There doers not appear to be any layering of this security, those most sensitive/personal information system is not isolated, and the same computer can be used to catch up on the news/sports.

MLS holds everything needed for identify fraud, anything we can do to protect this confidential data would be greatly appreciated.
User avatar
opee
Member
Posts: 338
Joined: Mon Jun 25, 2007 3:00 am
Location: Sunnyvale, CA

#2

Post by opee »

I understand your concern for security, but to limit access to personal email would be a setback in my opinion. The clerks in our Stake (ward and stake clerks) that have Internet access have been much more efficient being able to do their clerk work at the church and answering the questions that come to them via their personal email.

We use a Code of Conduct in our Stake when users are given access to the computers that explains what they can and can't with the MLS computer. One of those items could be not to leave their email open when they are away from the computer...
User avatar
childsdj
Member
Posts: 258
Joined: Wed Feb 07, 2007 9:51 am

#3

Post by childsdj »

If the Internet connection is Church approved, then it should be using a Church approved firewall. This firewall does create a VPN tunnel that sends browsing requests through a content filter. This does not eliminate access to many public sites. It is hard to say how much we should lock down access. Local units could be using this Internet access for many different purposes (online missionary applications, LDS Family Services, LDS Catalaog, etc.) If the policy for local unit computers is adhered to, people should not have access to the clerk machine to browse facebook, email, etc.
User avatar
mkmurray
Senior Member
Posts: 3266
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah
Contact:

#4

Post by mkmurray »

Obviously Facebook and the like are unnecessary for the calling...
User avatar
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#5

Post by Mikerowaved »

mkmurray wrote:Obviously Facebook and the like are unnecessary for the calling...
True, but the fact that it CAN happen is disturbing. IMO, there should be a strict whitelist of sites these PCs are allowed to browse to. Sites like facebook are probably not as appealing to the clerking staff as they are to the youth, and it doesn't take very long for things like "login password" and "the best time to get in" to circulate among them.

Also, wdoctor brings up another valid point that hasn't been addressed...
wdoctor wrote:...and every user has admin rights...
Being an IT consultant myself, I can't stress enough the danger of this with an internet connected PC. Unfortunately, Symantec wont protect the PC from every possible threat. I spend many hours a week removing malware from PCs and it's not something the church should have to be involved with.
So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#6

Post by russellhltn »

The first thing that needs to be addressed is physical security. If the youth are getting access to the computer to check out Facebook, then clearly the ward is failing at this level.

To quote the Immutable Laws of Security #3, If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

If the problems come from members with valid need to access the computer, then you've got other problems.

I too would like to see stronger security on the clerk computers, but this is still the starting point.

One possibility is to make some additions to the HOSTS file that repoints things like Facebook to something that will trigger the church firewall.
cannona-p40
Member
Posts: 79
Joined: Sat May 19, 2007 2:32 pm
Location: Iowa City, IA

#7

Post by cannona-p40 »

Another thing which might be considered is to completely disable everything in the browser except cookies and javascript. No flash, no java, nothing. Of course, this might negatively impact some sites, so things should be evaluated frequently, and security should be loosened based on what is needed. It is also possible to create a default security policy which is extremely restrictive, but less-so for trusted sites.

As a side note, I believe facebook and myspace is blocked at Church HQ.

Aaron
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#8

Post by russellhltn »

mkmurray wrote:Obviously Facebook and the like are unnecessary for the calling...
Oh? What if you need to locate a member who has moved so you can forward their records and someone tells you they are on Facebook? ;)
User avatar
mkmurray
Senior Member
Posts: 3266
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah
Contact:

#9

Post by mkmurray »

RussellHltn wrote:Oh? What if you need to locate a member who has moved so you can forward their records and someone tells you they are on Facebook? ;)
Then you may go home and look at Facebook to find the info you need... :)

Plus, unless you were actually friends before hand, I doubt someone would accept the friend invitation out of nowhere from their old Ward Clerk.
jsfriedman
New Member
Posts: 20
Joined: Thu Jan 03, 2008 4:51 pm
Location: Seal Beach, California, USA

#10

Post by jsfriedman »

Our FHC in the Stake Center is also setup with wireless, but it is setup with a WPA-PSK password for only FHC staff use. Have so recently wired the Stake clerk's office, Chapel and cultural hall with wireless access points. Also wired the ward clerk's offices. All on separate subnet from FHC and using Church PIX firewall. Clerks like using their laptops for email. Also used to make presentations. Have not put MLS on Internet yet. Have not received premission or know who to ask.
Post Reply

Return to “Clerk Computers”