Server Management Technical and Security Standards and Procedures
June 02, 2010
Texas State server owners and administrators are responsible for ensuring that servers adhere to the standards and procedures described in this document. No server may connect to the Texas State network unless and until it complies with the following minimum technical and security standards.
Based upon a risk assessment, every server must meet the following standards:
- All servers that deliver services across the university network must be approved by the Information Security Office. The Information Security Office will facilitate an information resources risk assessment to ensure compliance with the standards and best practices of the state and university.
The server owner/administrator shall repeat the risk assessment annually. The server owner/administrator must document a risk mitigation plan to address the risks identified. If the risk assessment reveals the absence of any standard controls, the plan must document the risk management decision that justifies the absence of those controls and, if applicable, the compensating controls employed to provide the same or better protection.
- Services that are not required for the server to meet its mission must be disabled whenever the server is connected to the university network.
- The following services are prohibited and must be disabled whenever the server is connected to the university network:
- Anonymous File Transfer Protocol (FTP)
- Domain Name Services (DNS). DNS is allowed only on the university’s centrally administered DNS servers
- Dynamic Host Configuration Protocol (DHCP). DHCP is allowed only on the university’s centrally administered DHCP servers
- Simple Mail Transfer Protocol (SMTP), i.e., a listening mail server. Applications that require email services must be configured to direct all outbound email through a designated, centrally administered Texas State email gateway. Outbound email not sent through that gateway may be blocked.
- Prior to connecting the server to the university network, the system administrator shall:
- disable all default accounts except those required to provide necessary services
- change the default passwords for all enabled accounts, consistent with university password standards (see section 08.06 of UPPS 04.01.01, Security of Texas State Information Resources)
- terminate or disable all unnecessary user and support accounts
- establish a minimal number of user accounts with administration privileges
- apportion user accounts or groups to achieve proper separation of duties and to avoid the granting of excess privileges to any individual user or group
- use the local administrator account only to perform server management functions
- register the server with the Information Security Office and establish server protections through the university’s network edge protection mechanisms (e.g., the perimeter firewall).
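Several of the pre-connection items above (no prohibited listening services, no unnecessary privileged accounts, no enabled account without a password) can be verified with a short script before the server is registered. The following is an added example, not part of the Texas State standard or any university tool. It runs against constructed sample data embedded inline so it can be tried anywhere; on a real Linux server the same functions would be fed /etc/passwd, /etc/shadow (read as root) and the output of `ss -tulnp`. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Texas State standard): offline checks for
# three pre-connection requirements. Each function reads its data from
# stdin, so the same code works on the constructed samples below or on a
# live host (e.g. `ss -tulnp | prohibited_listeners`).

# Constructed /etc/passwd lines. "toor" is a second UID-0 account, which
# violates the "minimal number of accounts with administration privileges" item.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second admin:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
svc_backup:x:1002:1002:Backup:/var/backup:/bin/sh'

# Constructed /etc/shadow lines. An empty second field means the account has
# no password at all; "!" or "*" means the account is locked.
SAMPLE_SHADOW='root:$6$abc$hashedvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$def$hashedvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::'

# Constructed `ss -tulnp` output. Listeners on 25 (SMTP) and 53 (DNS) are
# prohibited by the standard; 22 and 443 are not.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*     users:(("master",pid=944,fd=13))
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("named",pid=1010,fd=5))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1200,fd=6))'

# Accounts other than root whose UID is 0 (passwd format on stdin).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty, i.e. no password set (shadow format on stdin).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Sockets listening on ports the standard prohibits: 21 (FTP), 25 (SMTP),
# 53 (DNS), 67 (DHCP). Reads `ss -tulnp` output on stdin; prints "proto port".
# The port is taken after the last ":" so IPv6 addresses like [::]:25 work too.
prohibited_listeners() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n] + 0
        if (port == 21 || port == 25 || port == 53 || port == 67) print $1, port
    }'
}

# Run the three checks on the sample data; returns 1 if anything was found.
audit_samples() {
    status=0
    for u in $(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts); do
        echo "FAIL: extra UID 0 account: $u"; status=1
    done
    for u in $(printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts); do
        echo "FAIL: account with no password: $u"; status=1
    done
    found=$(printf '%s\n' "$SAMPLE_SS" | prohibited_listeners)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/FAIL: prohibited service listening: /'
        status=1
    fi
    return $status
}

if audit_samples; then
    echo "No findings: server may be registered"
else
    echo "Findings above must be fixed before the server is connected"
fi
```

On the sample data the script reports the `toor` account, the passwordless `guest` account and the SMTP and DNS listeners, and exits the audit with a failure status; a clean host produces no FAIL lines.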
- The server must run an approved and appropriately licensed server operating system supported by Information Technology. Generally speaking, an approved server operating system is any version for which maintenance support and periodic updates are available from the vendor or another reputable third party.
- The server must employ intrusion protection measures appropriate to its operating system, such as anti-virus software, a separate intrusion protection appliance, a host-based firewall (e.g., Linux iptables), or a combination of these. The university provides anti-virus software, available from the Download Software page of the Technology Resources Web site.
- Vulnerability patches and updates must be applied regularly, normally within 72 hours of becoming available and vendor certified. If compliance with this standard will conflict with operation or support of any application(s) hosted on the server, the server administrator must contact the Information Security Office to identify alternative protective measures.
- System administrators must subscribe to notification and/or automated update services appropriate to the server hardware and software. System administrators must subscribe to university provided notification/update services (or equivalent) as those services become available (e.g., Texas State Server Administrators Listserv, SCCM – System Center Configuration Manager).
- Backups should be completed regularly based on a risk assessment of the data and services provided. Restoration of software and data from backups should be tested on a regular basis to assure viability in the event of a service disruption. If backup media contains sensitive, restricted and/or confidential data, the data on the backup media or the media itself must be encrypted. Depending on the level of risk, central IT may designate specific backup procedures. See the Server Backup and Recovery Guide.
- The server must authenticate all users other than local administrators using the university’s centrally administered login service and identity management credentials (i.e., NetID and password) if the operating system or application permits. Authentication credentials must be encrypted whenever they are in transit between the authenticating client and the server, and must be protected at rest on the server (encrypted, or for passwords stored only as salted hashes, never in clear text). The server must enforce the Texas State password standards (located in section 08.06 of UPPS 04.01.01, Security of Texas State Information Resources).
- The server must capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes. The system administrator must review these logs for malicious activity on a regular basis and retain them for a period sufficient to address business requirements, document changes to access permissions, and provide an adequate history of transactions for audit requirements. Maintaining external copies of these logs (e.g., on a central log server the server administrator cannot alter) is also recommended. Logging must be sufficient:
- To provide the means for authorized personnel to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or result in the release of confidential information;
- To maintain audit trails to establish accountability for updates to mission critical information, hardware and software, and automated security or access rules; and
- To maintain a sufficiently complete history of transactions to permit an audit of the server by logging and tracing the activities of individuals through the system.
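One concrete form of the "regular review for malicious activity" required above is counting failed logins per source address and flagging any source that eventually succeeded after repeated failures. The script below is an added example, not part of the Texas State standard or any university tool; the sshd log lines it reads are constructed, and the function names and the threshold of three attempts are this example's own choices. On a real server the functions would be fed /var/log/auth.log or the output of `journalctl -u ssh`.

```shell
#!/bin/sh
# Added example (not part of the Texas State standard): two log-review checks
# over sshd lines in syslog format. The sample log below is constructed.

SAMPLE_AUTH_LOG='Mar  3 10:12:01 web01 sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:12:03 web01 sshd[812]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar  3 10:12:05 web01 sshd[815]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar  3 10:12:07 web01 sshd[817]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Mar  3 10:12:09 web01 sshd[819]: Failed password for root from 198.51.100.23 port 51032 ssh2
Mar  3 10:12:11 web01 sshd[821]: Accepted password for root from 198.51.100.23 port 51034 ssh2
Mar  3 10:15:40 web01 sshd[990]: Accepted publickey for deploy from 203.0.113.8 port 40112 ssh2: ED25519 SHA256:abc123
Mar  3 10:16:02 web01 sshd[1001]: Failed password for alice from 192.0.2.5 port 50500 ssh2
Mar  3 10:16:10 web01 sshd[1001]: Accepted password for alice from 192.0.2.5 port 50500 ssh2'

# Source addresses with at least THRESHOLD failed password attempts, printed
# as "ip count" sorted by address. Usage: failed_logins_by_source 3 < logfile
failed_logins_by_source() {
    awk -v t="${1:-5}" '
        # value of the word following KEY on the current line ("from" -> source IP)
        function after(key,  i) { for (i = 1; i <= NF; i++) if ($i == key) return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password for/ { fail[after("from")]++ }
        END { for (ip in fail) if (fail[ip] >= t) print ip, fail[ip] }' | sort
}

# Successful logins from a source that had already failed THRESHOLD or more
# times: the signature of a password-guessing attack that worked. Prints
# "ip user failures" in log order. Usage: successes_after_failures 3 < logfile
successes_after_failures() {
    awk -v t="${1:-5}" '
        function after(key,  i) { for (i = 1; i <= NF; i++) if ($i == key) return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password for/ { fail[after("from")]++ }
        /sshd\[[0-9]+\]: Accepted/ {
            ip = after("from")
            if (fail[ip] >= t) print ip, after("for"), fail[ip]
        }'
}

echo "Sources with 3 or more failed logins:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source 3
echo "Successful logins after repeated failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | successes_after_failures 3
```

On the sample log the first check reports 198.51.100.23 with five failures and the second reports that the same address then logged in as root, which is the event that warrants an incident report. The single mistyped password from 192.0.2.5 followed by a success stays below the threshold and is not flagged; lowering the threshold to one shows how much noise such a rule would generate on a busy host.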
- To the extent possible, the system administrator must configure the server operating system and resident applications, if applicable, to display a log-on banner to anyone requesting a connection to the server or application. The logon banner must meet the specification described in section 08.03 of UPPS 04.01.01, Security of Texas State Information Resources.
- The server must not be used for multiple purposes that would put its security or performance at risk. For example, a server must not be used as a personal workstation, or to host multiple applications such as a Web server together with the database that Web server reads. Questions about incompatible uses should be addressed to the Information Technology Assistance Center (ITAC 245-4822) or the Information Security Office (245-4225).
- Physical access to the server and backup media must be restricted to persons with a legitimate need for such access.
- The server must never be connected to any network other than the university network without prior authorization from Technology Resources.
- Access to the server from outside of the Texas State network should not be provisioned unless absolutely necessary. If remote access is necessary, the following restrictions apply:
- Remote access sessions must be encrypted using SSH, VPN, or similar technologies
- Remote access should be provisioned to the fewest number of IP addresses possible (preferably only one)
- Host-based intrusion detection should be installed
- System and application logging should be enhanced
- The server must not be administered remotely unless the remote access methodology has been specifically approved by the Information Security Office. At a minimum, information transmitted during remote administration sessions must be encrypted. The server should accept remote administration connections only from the fewest possible predefined hosts (preferably a single management host). Vendor accounts used for this purpose must be disabled at all times except when the vendor is actively engaged in providing support services, and re-disabled as soon as that work is complete.
- Special provisions for off-site and externally constrained servers and services.
- Externally constrained servers and services include special instrumentation (such as mass spectrometers, electron microscopes, specialized medical equipment, etc.), application software that requires a specific service pack or patch level to operate properly and cannot be patched to current levels, project equipment specified by external sponsors or grant providers that cannot be altered without loss of the grant or sponsorship, and similar situations in which an external entity imposes constraints upon patch and vulnerability management.
- Owners of externally constrained servers and services must consult with ITAC before connecting the server to the campus network.
- Requirements to achieve compliance with externally imposed standards must be identified and addressed.
- Texas State security policies shall apply to all university information and accounts on externally constrained servers.
- The provisions of this document and the Texas State Server Management Policy (UPPS 04.01.09) apply, with exception requests addressed through the mechanism afforded in section 04.08 of that policy.