8.01.01 Recommended Practices for Server Security

I. Purpose

This procedure documents recommended practices when securing servers.

Policy Supported

Supports 8.01 Operating System Security

II. Description

Computing Services can help you secure the services you support.

Follow industry standard guidelines regarding security.

Keep up with security news, attacks, exploits, etc. Resources include:

Following are recommended practices at various layers.

System Layer:

  • Protect the server from hostile network traffic until the operating system is installed and hardened. NSA hardening guides are available at http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml.
  • Change default passwords.
  • Remove or disable unneeded network protocols, applications and services.
  • Use automated patch notifications where available. Test and apply patches promptly, or use fully automatic patching.
  • Only allow specific, trusted subnets or hosts to manage the server.
  • Install and enable antivirus software including automatic virus definition updates on Windows OS.
  • Install host-based intrusion detection.
  • Each task or process should be allowed the minimum rights required. Run services as unprivileged users if possible.
  • Ensure that logging is enabled. Ensure that logs are reviewed on a regular basis and follow data retention policies.
  • Refer to policy 3.01, Server Physical Access Security.
  • The console should be locked when not in use. In order to prevent unauthorized access, a timed, password-protected screen lock should be in place.
  • Restrict authentication methods.
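The two items "only allow specific, trusted subnets or hosts to manage the server" and "restrict authentication methods" can be checked against an OpenSSH server configuration. The script below is an added example, not part of this procedure: it audits an sshd_config file for root login, password and keyboard-interactive authentication, and for AllowUsers entries that carry a host restriction. The keyword names are OpenSSH's; the sample configuration, user name and addresses are constructed for the example and written to a temporary file so that nothing under /etc/ssh is touched.

```shell
#!/bin/sh
# Added example, not part of the 8.01.01 procedure: audit an sshd_config file
# for the System Layer items "restrict authentication methods" and "only allow
# trusted subnets or hosts to manage". Keyword names are OpenSSH's; the sample
# file below is constructed and is removed again at the end.

SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real server's sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# management only from the admin subnet and one jump host (constructed addresses)
AllowUsers sysadmin@10.20.30.0/24 sysadmin@10.20.31.5
EOF

# effective_value FILE KEYWORD -> the value sshd would use. OpenSSH takes the
# FIRST occurrence of a keyword and matches keywords case-insensitively.
# Match blocks are ignored, so this checks global settings only.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }              # stop at the first Match block
        tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
        END { print v }' "$1"
}

# check_sshd FILE -> prints PASS/FAIL per item; exit status 0 only if all pass
check_sshd() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                KbdInteractiveAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key is $got"
        else
            echo "FAIL $key is ${got:-unset} (want $want)"; rc=1
        fi
    done
    # Management restriction: every AllowUsers pattern must be USER@HOST, so
    # that logins are limited to trusted hosts or subnets, not just to users.
    if grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+' "$cfg"; then
        bad=$(grep -E '^[[:space:]]*AllowUsers[[:space:]]+' "$cfg" \
              | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /@/) print $i }')
        if [ -z "$bad" ]; then
            echo "PASS AllowUsers entries are all host-restricted"
        else
            echo "FAIL AllowUsers entries without a host restriction: $bad"; rc=1
        fi
    else
        echo "FAIL no AllowUsers line: logins are not restricted to trusted hosts"; rc=1
    fi
    return $rc
}

check_sshd "$SAMPLE_CFG"
rm -f "$SAMPLE_CFG"
```

Run it against a server's real file with `check_sshd /etc/ssh/sshd_config`; a non-zero exit status means at least one item failed. The check reads only global settings, so a server that relaxes authentication inside a `Match` block still needs a manual review of those blocks.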

Local Network Layer:

  • Enable firewall protection.
  • Create a firewall policy that allows only the required ports and the trusted subnets or hosts, and denies everything else.
  • Run firewalls at all layers (i.e., network, OS and application).
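The Local Network Layer items above (enable firewall protection, allow only required ports and trusted subnets or hosts, deny everything else) expressed as a host firewall policy. This is an added example, not part of this procedure: the script generates an nftables ruleset with a default-deny input policy, public service ports open to all, and management ports reachable only from trusted subnets. The subnets and ports are constructed sample values; the ruleset is printed rather than loaded, so it runs without root and can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not part of the 8.01.01 procedure: generate a default-deny
# nftables ruleset for a server. Subnets and ports below are constructed
# sample values; replace them with the server's own before loading.

TRUSTED_MGMT="10.20.30.0/24 10.20.31.5"   # constructed: admin subnet and a jump host
SERVICE_PORTS="80 443"                    # constructed: ports offered to everyone
MGMT_PORTS="22"                           # constructed: ports reachable only from TRUSTED_MGMT

# gen_ruleset "trusted subnets" "service ports" "mgmt ports" -> prints an nft ruleset
gen_ruleset() {
    trusted=$(echo "$1" | sed 's/ /, /g')
    svc=$(echo "$2" | sed 's/ /, /g')
    mgmt=$(echo "$3" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # default deny: anything not explicitly accepted below is dropped
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # enough ICMP for path MTU discovery and reachability checks
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # public services
        tcp dport { $svc } accept
        # management only from trusted subnets or hosts
        ip saddr { $trusted } tcp dport { $mgmt } accept
        # rate-limited log of what the default policy drops, for log review
        limit rate 5/second log prefix "fw-drop: "
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

gen_ruleset "$TRUSTED_MGMT" "$SERVICE_PORTS" "$MGMT_PORTS"
```

Save the output to a file, check it with `nft -c -f FILE`, and load it with `nft -f FILE` from a console or from a session originating inside a trusted subnet, since a mistake in the management rule locks out remote administration. The `fw-drop:` log prefix gives the log review required under the System Layer a recognizable marker.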

Application Layer:

  • Encrypt anything that you wouldn’t want everyone to know (passwords, SSNs, credit card numbers, etc.).
  • When writing software, add security from the beginning.
  • Follow OWASP guidelines.

User Layer:

  • Please use Computing Services authentication systems (CAS, LDAP, BUnetID) whenever possible.
  • Configure user permissions and file permissions to be as secure as possible.
  • Each user should be allowed the minimum rights required.
  • Change default passwords.
  • Utilize strong passwords for all users.
  • Disable or remove user accounts that are not in use.
  • Do not enable guest accounts.

III. Scope

This procedure pertains to all servers on campus.

Date Approved

Dates Revised

Dates Reviewed