Skip to Content

Server Management Technical and Security Standards and Procedures

November 1, 2019

Texas State server owners and administrators are responsible for ensuring that servers adhere to the standards and procedures described in this document. No server may connect to the Texas State network unless and until it complies with the following minimum technical and security standards.

Based upon risk assessment, servers should:

  1. All servers that deliver services across the university network must be approved by the Information Security Office. The Information Security Office will facilitate an information resources risk assessment to ensure compliance with the standards and best practices of the state and university.

  2. The server owner/administrator is required to re-submit the risk assessment annually. The server owner/administrator must document a risk mitigation plan to address the risks identified. If the risk assessment reveals the absence of one or more standard controls, the plan must document the risk management decision that justifies the absence of those controls and, if applicable, the compensating controls employed to provide the same or better protection. 

  3. Services that are not required for the server to meet its mission must be disabled.

  4. The following services are prohibited and must be disabled whenever the server is connected to the university network:

    • Telnet

    • Anonymous File Transfer Protocol (FTP)

    • Domain Name Services (DNS). DNS is allowed only on the university’s centrally administered DNS servers

    • Dynamic Host Configuration Protocol (DHCP). DHCP services may only be provided by the university’s centrally administered DHCP servers

    • Simple Mail Transport Protocol (SMTP). Applications that require email services (e.g., SMTP) must be configured to direct all outbound email through a designated, centrally administered, Texas State email gateway. Outbound email not configured in this manner may be blocked.

  5. Prior to connecting the server to the university network the system administrator shall:

    • disable all default accounts except those required to provide necessary services

    • change the default passwords for all enabled accounts, consistent with university password standards (see section 04.06 and 04.07 of UPPS 04.01.11, Risk Management of Information Resources)

    • terminate or disable all unnecessary user and support accounts

    • establish a minimal number of user accounts with administration privileges

    • apportion user accounts or groups to achieve proper separation of duties and to avoid the granting of excess privileges to any individual user or group

    • use the local administrator account only to perform server management functions

    • register the server with the Information Security Office and establish server protections through the university’s network edge protection mechanisms (e.g., perimeter firewall).

  6. The server must run an approved and appropriately licensed server operating system supported by Information Technology. 

  7. The server owner/administrator is responsible for auditing access to the server and services that it provides. They must endeavor to audit access on a periodic basis and remove users without delay when access to the server is no longer required.

  8. Administration of a server or service must be through a Super User account requested through

  9. Any interactive logon must be through an account tied to a user (Super User or regular NetID). Exceptions to this must be authorized by the Information Security Office.

    • An interactive logon is defined as the logging in through methods such as direct console, command line or remote desktop to interact with the operating system.

  10. Services that run as an individual's NetID or SU account are prohibited.

  11. The server must employ intrusion protection measures appropriate to its operating system, such as virus protection software, an independent intrusion protection appliance, Linux IP tables, and/or a host-based firewall. The university provides anti-virus software, available from the Download Software page of the Technology Resources Web site.

  12. Vulnerability patches and updates must be applied regularly, normally within 7 days of becoming available and vendor certified. If compliance with this standard will conflict with operation or support of any application(s) hosted on the server, the server administrator must contact the Information Security Office to identify alternative protective measures. Patches and updates that remedy particularly high-risk issues may require a forced installation sooner than the seven-day patching window. Failure to remediate high-risk issues may result in restricted connectivity to the university network.

  13. System administrators must subscribe to notification and/or automated update services appropriate to the server hardware and software. System administrators must subscribe to university provided notification/update services (or equivalent) as those services become available (e.g. Techbox).

  14. Backups shall be completed regularly based on a risk assessment of the data and services provided. Restoration of software and data from backups should be tested on a regular basis to assure viability in the event of a service disruption. If backup media contains sensitive, restricted and/or confidential data, the data on the backup media or the media itself must be encrypted. Depending on the level of risk, central IT may designate specific backup procedures. See the Server Backup and Recovery Guide.

  15. The server must authenticate all users other than local administrators, using the university’s centrally administered authentication service and identity management credentials (i.e., NetID and password) if the operating system or application permits. All communication of authentication credentials between the authenticating client and server must be encrypted. Authentication credentials must always be encrypted while in transit from a client or when at rest on the server. The server must enforce the Texas State password standards (see section 04.06 and 04.07 of UPPS 04.01.11, Risk Management of Information Resources).

  16. The server must capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes. The system administrator must review these logs for malicious activity on a regular basis and retain them for a period sufficient to address business requirements, document changes to access permissions, and provide an adequate history of transactions for audit requirements. Maintaining external copies of these logs is also recommended.

    • To provide the means for authorized personnel to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or result in the release of confidential information;

    • To maintain audit trails to establish accountability for updates to mission critical information, hardware and software, and automated security or access rules; and

    • To maintain a sufficiently complete history of transactions to permit an audit of the server by logging and tracing the activities of individuals through the system.

  17. To the extent possible, the system administrator must configure the server operating system and resident applications, if applicable, to display a log-on banner to anyone requesting a connection to the server or application. The logon banner must meet the specification described in section 04.03 of UPPS 04.01.11, Risk Management of Information Resources.

  18. The server must not be used for services that were not originally authorized by Technology Resources and the Information Security Office. Questions about incompatible uses should be addressed to the Information Technology Assistance Center (ITAC 245-4822) or the Information Security Office (245-4225).

  19. Physical access to the server and backup media must be restricted to persons with a legitimate need for such access.

  20. The server must never be connected to any network other than the university network without prior authorization from Technology Resources.

  21. Access to the server from outside of the Texas State network should not be provisioned unless absolutely necessary. If remote access is necessary, the following restrictions apply:

    • Remote access sessions must be encrypted using SSH, VPN, or similar technologies

    • Remote access should be provisioned to the fewest number of IP addresses possible (preferably only one)

    • Host-based intrusion detection should be installed

    • System and application logging should be enabled and configured to allow for access attribution (IP, Account, Action)

  22. The server must not be administered remotely unless the remote access methodology has been specifically authorized by the Information Security Office. At a minimum, information transmitted during remote administration sessions must be encrypted. The server should accept remote administration commands from the fewest number of predefined hosts.

  23. Special provisions for off-site and externally constrained servers and services.
    • Externally constrained servers and services include special instrumentation (such as mass spectrometers, electron microscopes, specialized medical equipment, etc.), application software that requires a specific service pack or patch level to operate properly and cannot be patched to current levels, project equipment specified by external sponsors or grant providers that cannot be altered without loss of the grant or sponsorship, and similar situations in which an external entity imposes constraints upon patch and vulnerability management.

    • Owners of externally constrained servers and services must consult with the Information Technology Assistance Center (ITAC) before connecting the server to the campus network.

    • Requirements to achieve compliance with externally imposed standards must be identified and addressed by Technology Resources and the Information Security Office.

    • Texas State security policies shall apply to all university information and accounts on externally constrained servers.

    • The Information Security Office must review and authorize an off-site or externally constrained system or service prior to installation.

    • Systems authorized for off-site use by the Information Security Office will have separate controls identified on a case-by-case basis through the data security plan evaluation.

    • The provisions of this document and the Texas State Server Management Policy (UPPS 04.01.09) apply, with exception requests addressed through the mechanism afforded in section 04.08 of that policy.