IT.2.2.2S Secure Server Standard
Category: Information Security
Owner: Information Technology Services
Effective: August 21, 2012
Revision History: None
Review Date: August 20, 2015
Exposure of data due to a breach is not the only concern for secure servers. Servers must also be hardened against common vulnerabilities such as SQL-injection, Denial of Service, and Distributed Denial of Service attacks. Servers that are not secured can also be exploited as agents to attack other internal or external networks, such as a brute force entry via open SSH.
The purpose of this Standard is to establish minimum requirements for installing,
configuring, and maintaining secure servers at West Virginia University, West Virginia
University Institute of Technology, and Potomac State College of West Virginia
University (collectively the “University”). This Standard does not impose significant
additional burdens on server owners who wish to deploy devices on the University
network, instead, it follows best practices that should already be known by IT
This Standard applies to all faculty, staff, students, and third parties who store, use, transfer, transport, produce, or dispose of technology and data resources owned or managed by the University. Security considerations will be implemented from the initial planning stage at the beginning of the systems development life cycle to maximize security and minimize costs.
“Access Control” means an individual user or group rights to specific system objects such as programs, processes, or files.
“IT Assets and Computational Resources” means computing devices and associated peripherals (e.g., desktop PCs, printers, scanners, wireless devices) that are specifically different in operation than a server.
“Patch and Patch Management” means a piece of software designed to fix problems with or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs and improving the usability or performance.
“Virtualization” means the creation of a virtual version of something, such as a hardware platform, operating system, storage device, or network resource.
Server Deployment Planning
- Server IT Manager will notify the appropriate enterprise-level IP address granting
unit of the anticipated deployment of the new server and provide:
Expected server services provided and access requirements;
- IP address and subnet information; and,
- Information necessary to author and implement border Access Control lists.
- Servers will be deployed on appropriate VLAN segments designated to isolate servers from other IT assets and computational resources.
Server Operating System
- Patch and upgrade operating system (OS) by:
Creating, documenting, and implementing a patching process; and,
Installing permanent fixes for the server operating systems (patches, upgrades, etc.).
- Harden and securely configure the OS by following vendor best practices such as:
- Remove or disable unnecessary services, applications, and network protocols;
- Configure each network service to listen for client connections on only the necessary TCP and UDP ports, if possible;
- Remove all example or test files from the server, including sample content, scripts, and executable code; and,
- Configure OS user authentication which includes:
- Removing or disabling default accounts, where possible, according to operating system type;
- Disabling non-interactive accounts
- Removing default port access; and,
- Employing centralized WVU Login authentication of users.
- Anti-virus/anti-malware software;
- Host-based intrusion and prevention software and firewalls; and,
- Patch management of vulnerability management software.
The server application to a subset of the server total resources; and,
- Users through additional access controls enforced by the server, where more detailed levels of access control are required.
- Securely install all server applications.
- Apply any patches or upgrades to correct for known vulnerabilities in the server application.
- Review and retain log files according to:
Legal and regulatory requirements; and,
Organizational and operational requirements.
- Establish and maintain appropriate server data backup procedures according to:
Applicable laws and regulations; and,
Organizational and operational needs and requirements.
Information Security Services will conduct a vulnerability assessment of all servers prior to production. Appropriate patches and updates will be applied by the Server IT Manager/Server Owner to mitigate identifies high and medium vulnerabilities before the server is deployed to production.
- Periodic vulnerability assessments and penetration testing will be conducted post-deployment by ISS on a regular basis according to established University policies and standards.
Exceptions will be handled by using the ITS Exception request procedure.