Server Security

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Sunday, May 1, 2005

Authority: 


Objective: 

This Practice Directive defines the baseline configuration standards for all servers owned by SF State


Statement: 

Purpose and Scope

This Practice Directive defines the baseline configuration standards for all servers owned by San Francisco State University. Effective implementation of this Practice Directive will minimize the risk of server vulnerabilities that can result in system unavailability, data corruption, unauthorized access, information and resource misuse and service disruption.

Practice Directive

The following are the baseline requirements for server security at San Francisco State University. All exceptions to these requirements must be documented and may be subject to disconnection from the campus network.

Ownership and Responsibilities

  1. All servers that deliver services across the university network must be registered with the Division of Information Technology.  At a minimum, the following information is required:
    • Primary & secondary system administrator contact information and individuals responsible for patches.
    • Physical location of server
    • Hardware (make/model) and operating system version
    • Server name and IP number
    • Primary services provided

Physical Security

  1. Physical access to the server and its console must be restricted to persons with a legitimate need for such access and with appropriate administrator approval.
  2. Servers should be physically located in an access-controlled location.
    • Servers are specifically prohibited from operating in uncontrolled areas (cubicles, public spaces, etc.).
    • A list of authorized personnel with access to this controlled location and a log (name, date, and purpose) of all non-authorized personnel must be maintained.
  3. Local and remote access to any server console must be properly secured (encrypt the session, require strong passwords, lock the session and log out when unattended).
  4. Remote administrative access must be restricted by source IP address and/or require the use of a Virtual Private Network (VPN) connection.  Exceptions must be documented.
  5. Server VLAN networks must be contained within an access controlled location so that direct access to the server VLAN cannot be obtained from public network access locations. Exceptions must be documented.
  6. Server rooms for critical servers should have sufficient and adequate environmental controls that include, but are not limited to security alarm, fire/water detection and air conditioning. Exceptions must be documented.

Accounts and Administrative Access

  1. Use the least privileged account necessary to accomplish the defined task. Do not use administrative accounts (root, administrator) when a non-privileged account will suffice. Authorization of privileged access should follow the Practice Directive for Administrative Account Access Control
  2. Prior to connecting the server to the university network the system administrator shall:
    • Disable/lock/delete all accounts except those required to provide necessary services
    • Change the default passwords for all enabled accounts
  3. For all servers, the systems administrator shall:
    • Limit the number of administrative accounts to only those who have operational need and have been authorized.
    • Authorize and document all administrative accounts.
  4. Passwords or other sensitive data must be encrypted while in transit over the network. Passwords must follow current campus password Practice Directives. Review additional password implementation guidelines for various platforms. Servers that authenticate users must do so over encrypted protocols such as HTTPS or SSL.
  5. Sensitive or protected data must be encrypted when at rest (stored) on the computer.

Systems Configuration and Maintenance

  1. All servers must run an operating system that is currently supported for protection against security vulnerabilities.
  2. Only required services should be running on the server. Services that are not required for the server to meet its mission must be disabled or uninstalled.
  3. Connections to servers should be established using protocols that are appropriately secure for the data being served.
  4. Applications that require e-mail services (e.g., SMTP) must be configured to direct all outbound email through a designated, centrally administered SF State e-mail gateway.
  5. Regular backups should be completed based on a risk assessment of the data and services provided. Restoration of data from backups should be tested on a regular basis to assure viability.
  6. The server must not be used for multiple purposes that would put its security or performance at risk. For example, a server must not also be used as a personal workstation.
  7. Vendors' and contractors' access to servers should be sponsored and maintained by authorized SF State management and be revoked when no longer necessary.
  8. Access to the server and services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
  9. All servers connected to the campus network are subject to network and local audits.
  10. Servers must be patched and hardened before attaching them to the network. The most recent security patches must be installed on the system as soon as practical following the required change control procedures.

Monitoring

  1. The server must capture and archive critical user, network, system, and security event logs to enable review of system data for forensic and recovery purposes per Logging and Threat Management
  2. Security-related events must be reviewed and investigated. Events include, but are not limited to:
    • Port-scan attacks
    • Evidence of unauthorized access to privileged accounts
    • Anomalous occurrences that are not related to specific applications on the server
  3. Security incidents must be reported to the Information Security Officer following the Practice Directives: Reporting a Security Incident or Vulnerability