Information Technology Policies and Procedures
Server Configuration Security Policy
The purpose of this policy is to establish standards for the base configuration of server equipment that is owned or operated by the University. Effective implementation of this policy will minimize Unauthorized Use of the University Information Technology Network or other access to the University’s Proprietary Information and technology.
This policy applies to server equipment owned or operated by the University, and to servers registered under any University-owned internal Network domain.
This policy applies specifically to equipment connected to the internal University Information Technology Network. For secure configuration of equipment external to the University on the “De-Militarized Zone” (DMZ), refer to the University “De-Militarized Zone” Equipment Policy documentation.
Ownership and Responsibilities
All internal servers deployed at the University must be the responsibility of an Operational Group that is responsible for system administration. Approved server configuration standards must be established and maintained by each Operational Group, based on business needs. Operational Groups must monitor configuration compliance and request special approval for any noted exceptions. Each Operational Group must establish a process for changing the configuration standards, which includes review and approval by Information Security personnel.
- Servers must be registered within the University Security Management System. At a minimum, the following information is required to positively identify the point of contact:
  - Server contact(s) and location, as well as a backup contact
  - Hardware and Operating System (OS) version numbers
  - Main functions and applications, if applicable
- Information in the University Security Management System must be kept current.
- Configuration changes made by Authorized Users for production servers must comply with the Change Management Policy documentation.
General Configuration Standards
- OS configuration must be in accordance with approved Information Security Standards.
- Services and applications that are unused must be disabled where practical. Exceptions must be noted and approved by Information Security personnel.
- Access to Services must be logged or protected through appropriate Access Control methods (e.g. TCP wrappers), if possible.
- The most recent Security Patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Trust Relationships between systems are a Security risk, and their use should be avoided. Do not use a Trust Relationship when some other method of communication will do.
- Authorized Users must always use the standard Security principle of Least Required Access to perform a function.
- If a methodology for Secure Channel connection is available (i.e. technically feasible), privileged access must be performed over Secure Channels (e.g. encrypted Network connections using IPSec or Secure Shell).
- All servers must be physically located in an access-controlled environment.
- Authorized Users are specifically prohibited from operating servers in uncontrolled office areas.
- All Security-related events on critical or sensitive systems must be logged by Information Security personnel and audit trails saved as follows:
  - All Security-related Logs must be kept online as required in the specific server standards document.
  - Daily incremental tape Backups must be retained as required in the specific server standards document.
  - Weekly full tape Backups of Logs must be retained as required in the specific server standards document.
  - Monthly full Backups must be retained as required in the specific server standards document.
- Security-related events must be reported by Authorized Users to Information Security personnel, who review Logs and report incidents to management-level personnel in the Information Technology Services department. Corrective measures are prescribed as needed. Security-related events include, but are not limited to:
  - Port scan attacks
  - Evidence of unauthorized access to privileged accounts or data
  - Anomalous occurrences that are not related to specific applications on the Host
- Audits must be performed on a regular basis by authorized parties within the University.
- Audits must be managed by the internal audit group or Information Security personnel, in accordance with the Audit Policy documentation. Findings not related to a specific Operational Group are filtered by Information Security personnel, and then presented to the appropriate Information Technology Services staff for remediation or justification.
- Every effort will be made to prevent audits from causing operational failures or disruptions.
Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.