Guidelines for Servers
Servers must be designed with security in mind, and security considerations must be a part of all contract and bidding language. Efforts must be made to confirm that servers are not duplicating services. The Information Security Office maintains a database of services offered on campus and can be contacted for a consultation on this topic. If the server you are designing will offer a new service to campus, please contact the Information Security Office regarding the security design of the system. A Security Assessment should be started at this time. While all procedures and guidelines are recommended as best practice, it is important to determine the level of value and risk and apply the appropriate controls. Systems with level 1 data and critical systems must take all reasonable steps to meet these procedures and guidelines.
Ownership and Responsibilities
All servers must be managed by an individual or operational group that is responsible for system administration. System administrators are responsible for following the configuration and administration guidelines contained in this document and for auditing and reporting security events.
System Owners are ultimately responsible for the security of the servers. All changes to the server that impact its security posture must be approved by the System Owner or designee and reported to the Information Security Office. Material changes that require Information Security Office involvement are outlined in the Security Assessment.
- Servers must be registered with the Information Security Office. At a minimum, the following information is required:
  - Department name
  - Server administrator contact name, location, phone numbers, and e-mail address
  - Alternate server administrator contact name, location, phone numbers, and e-mail address
  - Application administrator name, phone numbers, and e-mail address
  - Server owner name, phone numbers, and e-mail address
  - Server physical location
  - Server MAC address and corresponding IP address
  - Operating system/version
  - Main functions and applications
- The server registry must be kept up-to-date.
- If the server contains confidential student, faculty, health, or financial data, it must be reported. Refer to the Data Classification Standard to determine the level of data on the server.
- Configuration changes for production servers must follow appropriate change management procedures and general configuration and administration guidelines.
General Configuration and Administration Guidelines
Patches
- A patching procedure must be created to address how and when patches are installed to minimize down time and avoid negative effects of patching.
- The most recent service packs and security patches must be installed on the system as soon as practical. All non-critical updates must be reviewed to determine whether they are appropriate.
- A procedure must be in place to document patches that have not been installed.
- All patches must be verified after installation using an appropriate utility such as Microsoft Baseline Security Analyzer, Red Hat Network, or the campus vulnerability scanner.
Configure and Minimize Services
- Services not specifically required must be disabled or removed where practical.
- Needed services must be secured and communicate over defined port(s) and IP(s).
- All ports not required for services offered must be disabled or blocked.
- Any service used for authentication, administration, or handling of confidential data must be performed over secure channels (e.g., encrypted network connections using SSH, IPSec, or HTTPS).
- Where applicable, kernel parameters must be tuned to minimize impacts of denial of service attacks.
- Access to the kernel is restricted to System Administrators.
- All system access must be logged and reviewed as appropriate. Security, system, and application logs should be retained for at least six months.
- Servers containing sensitive and/or confidential data should export their authentication logs to a central log host.
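As an added illustration of the "defined port(s) and IP(s)" requirement above (example code written for this page, not part of the guidelines or any campus tool): it parses constructed `ss -tlnp` output and flags listeners that are absent from a hypothetical per-server service list or that bind to all interfaces instead of the defined IP.

```python
"""Audit listening sockets against a server's defined service list.

Added example; the sample output and the ALLOWED set are constructed, not
taken from a real host.
"""
import re

# Constructed sample in `ss -tlnp` format (not captured from a real server).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.1.2.3:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1440,fd=4))
"""

# Hypothetical per-server allowlist: each needed service with its defined (IP, port).
ALLOWED = {("10.1.2.3", 22), ("10.1.2.3", 443)}

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# State, Recv-Q, Send-Q, local addr:port, peer, optional process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(?:users:\(\("([^"]+)")?'
)


def parse_listeners(ss_output):
    """Return (ip, port, process) tuples for every LISTEN line; header is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3) or "?"))
    return listeners


def audit_listeners(listeners, allowed):
    """Flag listeners not in the defined list, distinguishing wildcard binds of a
    defined port from services that should not be listening at all."""
    allowed_ports = {port for _, port in allowed}
    findings = []
    for ip, port, proc in listeners:
        if (ip, port) in allowed:
            continue
        if ip in WILDCARDS and port in allowed_ports:
            findings.append(f"{proc}: port {port} bound to all interfaces, not the defined IP")
        else:
            findings.append(f"{proc}: {ip}:{port} not in the defined service list")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED):
        print(finding)
```

On a live host the same check runs by piping real `ss -tlnp` output into `parse_listeners` and comparing against that server's registered service list.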
File / Directory Permissions / Access
- All disk partitions must support a system secure format.
- Access Control Lists (ACLs) on system files and folders must restrict access to only those in need of rights.
- Security of file shares must be ensured. File and print sharing must be disabled if not required. The number of shares must be minimized where possible.
- Any shares that aren't currently being used must be removed. Use the Access Control List on shares that are needed to ensure that only validated and appropriate users are able to access them.
- Access to services must be protected through acceptable access-control methods such as TCP/IP filters and host based firewalls, if possible.
- Remote registry access must be limited to only members of the administrators group.
System Access, Authentication, and Authorization
- Standard security principles of least required access to perform a function must always be used.
- Strong passwords for administrative accounts must be used; where possible, rename administrative accounts and keep the number of administrative accounts to a minimum.
- Any "guest" accounts on all servers must be disabled and renamed.
- Anonymous access to systems must be restricted.
- A root or administrative privileged account must not be used when a non-privileged account will do.
- Trust relationships between systems are a security risk, and their use must be avoided. Do not use a trust relationship when some other method of communication will do.
- Applications and programs not specifically required must be disabled or removed.
- Needed applications and programs must be secured.
User Accounts and Environment
- A procedure must be created to grant access to confidential data. The process must include the signing of an access agreement and approval by the Data Owner.
- A procedure must be created to grant and remove access to users.
- Accounts must be reviewed at least annually and any accounts that aren't essential disabled or removed.
- Strong passwords must be required of all users.
- Where possible, generic accounts are to be renamed.
- The number of administrative or elevated-privilege accounts must be kept to a minimum.
- User accounts are unique to a defined user. Accounts are not shared.
Key Security Tools installed
- An appropriate tool to enable lockout protection on administrative accounts must be used.
- Tools to enforce password policies must be used.
- Backup media should be stored in an access-controlled environment.
- Backups containing sensitive and/or confidential data should be stored encrypted.
- Anti-virus protection software must be installed, scheduled to scan, and configured to automatically update its signature files at least weekly (daily is better).
Physical and Network Environment
- Servers must not be used as workstations except by the administrator for purposes of server administration or in exceptional situations.
- Servers must be located behind a well-defined host firewall.
- Servers must be accessed through a secure and well-defined access process when performing administrative duties. Management and Vendor VPN Groups are available to comply with this best practice.
- Servers must be physically located in an access-controlled environment.
Auditing and Reporting
- All security-related events on servers must be logged and audit trails saved. These events must be reviewed regularly by the system administrator.
- Security-related events must be reported to the Information Security Office (x82266). The events will be reviewed and corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
  - Port-scan attacks
  - Evidence of unauthorized access
  - Anomalous occurrences that are not related to specific applications on the host
  - Theft of computing equipment
- The Information Security Office reserves the right to perform audits.
- The Information Security Office reserves the right to block servers from the networks that are performing malicious, harmful, or suspicious activities.
- The Information Security Office will filter findings not related to a specific operational group and present them to the appropriate support staff for remediation or justification.
- Every effort will be made to prevent audits from causing operational failures or disruptions.
Machines found not to be compliant with these procedures and guidelines may be removed from the network.
Use of network resources is a privilege, not a right. Network connectivity may be terminated if network integrity is threatened or use of the server results in a degradation of CSU, Sacramento network resources.
Every effort will be made to provide advance notification of removal or network connectivity termination.