Scribd
Upload
55 views4 pages

University of New England General Server Security Guidelines

The document outlines general server security guidelines for the University of New England. It defines servers and hardening, and establishes policies around server ownership, registration, guidelines, monitoring, compliance, and enforcement. Servers must be registered with IT and follow configuration guides approved by both the operational group and ITD. Guidelines include hardening the OS, applying patches, access controls, physical security, and event logging. Audits will monitor compliance and incidents will be reported.

Uploaded by

ayalewtesfaw
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
55 views4 pages

University of New England General Server Security Guidelines

The document outlines general server security guidelines for the University of New England. It defines servers and hardening, and establishes policies around server ownership, registration, guidelines, monitoring, compliance, and enforcement. Servers must be registered with IT and follow configuration guides approved by both the operational group and ITD. Guidelines include hardening the OS, applying patches, access controls, physical security, and event logging. Audits will monitor compliance and incidents will be reported.

Uploaded by

ayalewtesfaw
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

University of New England

General Server Security Guidelines


Document data:

Document type: Guidelines


Administering entity: ITD
Records management system number: D11/30641
Date approved: 14 November 2011
Approved by: Vice-Chancellor
Indicative time for review: 3 years.
Responsibility for review: Information Technology Directorate
Related policies or other documents: UNE Risk Management Policy, Rules for the Use of
Information and Communications Facilities and Services, IT Security Policy, Audit Vulnerability Scan
Policy, IT Security Objectives and Framework, General Password Policy, P2P File Sharing Policy,
Personal Mobile Computing Policy, Standards and Guidelines for all Users of University Computing
and Network Facilities, Standards and Guidelines for Desktop Computers, Standards and Guidelines
for Non-Strategic Systems, Standards and Guidelines for Strategic Systems

1. Rationale and Scope


The purpose of this policy is to establish standards for ITD staff and for any other
operational group responsible for server administration for the base configuration of
internal server equipment that is owned and/or operated by UNE. Effective
implementation of this policy will minimize unauthorized access to UNE proprietary
information and technology.
This policy applies to server equipment owned and/or operated by UNE, and to
servers registered under any UNE-owned internal network domain.
This policy is specifically for equipment on the internal UNE network.

2. Definitions
Term Definition
Server For purposes of this policy, a Server is defined as an internal UNE
Server. Desktop machines and Lab equipment are not within the scope
of this policy.
Hardening The process of securing a system by reduce vulnerability of attack
including the removal of unnecessary software, unnecessary usernames
or logins and the disabling or removal of unnecessary services.

General Server Security Guidelines


Page 2 of 4

3. Policy

3.1. Ownership and Responsibilities


All internal servers deployed at UNE must be owned by an operational group that is
responsible for system administration. Server configuration guides must be
established and maintained by suitably qualified IT personnel, articulate how the
server fulfils business requirements and be approved by ITD.
Operational groups should monitor configuration compliance and implement an
exception policy tailored to their environment. Each operational group must establish
a process for changing the configuration guides, which includes review and approval
by ITD.

Servers must be registered with ITD. At a minimum, the following information is


required to positively identify the point of contact:
1. Custodian contact(s) and location, and a backup contact(s)
2. Hardware and Operating System/Version, MAC address, IP and DNS
information.
3. Main functions and applications, if applicable
4. Information held with IT must be kept up-to-date.
5. Configuration changes for production servers must follow the appropriate
change management procedures.
6. Servers must fit a specific business requirement and should comply with all
other IT policies. In the case of new servers, if an existing service is already
provided by IT and fits the requirements, this system should be used instead
(e.g. web servers).
Encryption technologies such as SSL certificates must be used to protect Web based
login forms to protect the username and password from being intercepted by a third
party on the LAN and WAN. They must use at least 256bit SSL single root certificate
from a well known registered Certificate Authority. Please check with ITD for a list
of currently accepted certificate issuers.
3.2. Guidelines

Operating System configuration should be in accordance with approved IT guidelines.


This includes hardening of the Operating System using guidelines published by IT.
• Services and applications running on the server, which will not be used, must
be disabled where practical.
• Access to services should be logged and/or protected through best practice IT
access-control methods

General Server Security Guidelines


Page 3 of 4

• The most recent security patches must be installed on the system as soon as
practical, the only exception being when immediate application would
interfere with business requirements.
• Always use standard security principles of least required access to perform a
function.
• Do not use root/Administrator when a non-privileged account will do.
• If a methodology for secure channel connection is available (i.e., technically
feasible), privileged access must be performed over secure channels, (e.g.,
encrypted network connections using SSL, SSH, VPN or IPSec).
• Servers should be physically located in an access-controlled environment:
• Premises must be physically strong and free from unacceptable risk from
flooding, vibration, dust, etc.
• There must not be an inordinate amount of combustible material (e.g. paper)
stored in the same room as the computer system.
• Air temperature and humidity must be controlled to within acceptable limits at
all times.
• Servers are specifically prohibited from operating in uncontrolled
cubicle/office areas.
• The Operating system must be server based i.e. Windows 2003 server,
Windows 2008 server, Linux server.
• Windows XP pro/home or workstation versions of other Operating systems are
not valid server platforms for production environments and as such they do not
meet the IT guidelines for server platforms.

Computing equipment should be electrically powered via UPS to provide the


following:
• Minimum of 15 minutes’ operation in the event of a power blackout.
• Adequate protection from surges and sags.
• Trigger an orderly system shutdown when deemed necessary.

3.3. Monitoring
All security-related events on critical or sensitive systems must be logged and audit
trails saved as follows:
• All security related logs will be kept online for a minimum of 1 week.
• Daily tape backups will be retained for at least 1 week.
• Weekly full tape backups of logs will be retained for at least 1 month.

General Server Security Guidelines


Page 4 of 4

• Monthly full backups will be retained for a minimum of 1 year.


Security-related events will be reported to IT, who will review logs and report
incidents to IT management. Corrective measures will be prescribed as needed.
Security-related events include, but are not limited to:
• Port-scan attacks
• Evidence of unauthorized access to privileged accounts
• Anomalous occurrences that are not related to specific applications on the
host.

3.4. Compliance
Audits will be performed on a regular basis by authorized Staff within IT.
Audits will be managed by the internal audit group or IT, in accordance with the
University’s Audit Policy and Procedures. IT will filter findings not related to a
specific operational group and then present the findings to the appropriate support
staff for remediation or justification.
Every effort will be made to prevent audits from causing operational failures or
disruptions.

3.5. Enforcement
Any employee found to have violated this policy might be subject to disciplinary
action, up to and including termination of employment.

Approval signature

Vice-Chancellor

General Server Security Guidelines

You might also like