Information Security Standards

SERVER HARDENING

GENERAL

Servers are relied upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.

APPLICABILITY

This procedure applies to all University information resources that store or process mission-critical and/or confidential information. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with server hardening. The intended audience includes, but is not limited to, system managers and administrators who manage University information resources that store or process mission-critical and/or confidential information.

PROCEDURES

1. Systems administrators will test security patches prior to implementation.

2. System administrators shall ensure that vendor-supplied patches are routinely acquired, systematically tested, and installed promptly (usually within 2 weeks of release).

3. System administrators shall remove unnecessary software, system services, and drivers.

4. System administrators shall enable security features included in vendor-supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections (see University Information Security Standard Administrative Procedure, Malicious Code). Audit logging shall also be enabled. User privileges shall be set using the least-privilege concept of providing the minimum amount of access required to perform job functions. The use of passwords shall be enabled in accordance with the University Special/Administrator Access procedure.

5. System administrators shall disable or change the password of default accounts.

6. Servers, especially, shall be tested for known vulnerabilities when new vulnerabilities are announced, and system administrators shall seek and implement best practices for securing their particular system platform(s).

7. Additional guides specific to operating systems and standard configurations should be created by systems administrators and systems security officers, and published appropriately.

HISTORY

Last Updated March 31, 2014