Thursday, May 15, 2014

Windows Server Security Recommendations

The following recommendations are meant as a guide to securing servers (a server being either a physical or virtual instance of an autonomous software system intended to connect with and provide services to other computers). Not every recommendation will be applicable to every server; the system administrator should exercise their own judgment in conjunction with their department's requirements and business needs. Deviations from the recommended guidelines should be documented according to each department's own procedures. The end goal is a secure server that meets the functional and business needs of each department.
Where a department is required to comply with the PCI DSS (Payment Card Industry Data Security Standard), the relevant items have been labeled "PCI/DSS". For departments subject to PCI, these items are requirements for PCI certification, not recommendations. The "Installation" and "Configuration" sections contain recommendations aimed at system administrators; the "Hosting" section is specific to data centers or others hosting a server; "Ongoing" applies to the individuals or departments maintaining servers.
Specific sections for the most common operating systems at Northwestern (Windows, RedHat Linux, OS X and Solaris) have been included. Other operating systems (e.g. Debian, OpenBSD) are covered by the general recommendations that apply regardless of operating system, augmented by the hardening guidelines from CIS (Center for Internet Security).

Audience:

Department and group information technology support and information technology security staff.

Policy Statement:

Windows Server Security Recommendations

  • Installation
  • Configuration
  • Networking
  • Hosting
  • Ongoing

Installation

Number  Recommendation/Description
1.  Disable system restore (if applicable to the version of Windows).
2.  Systems (servers) with a NetID password feed may not be used for multiple purposes. Exceptions require approval of NUIT-ISS/C.
3.  (PCI/DSS) Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers).*

Configuration

Number  Recommendation/Description
1.  Remove, disable or change the password of default accounts.
2.  Disable Guest accounts.
3.  All local and domain accounts with privileges above normal user level should have a passphrase of at least 15 characters, changed at least once every quarter. To facilitate remembering such a passphrase, wallet-sized cards may be created and carried by system administrators for reference.
4.  Audit the use of all privileged accounts, including the read and write access performed by these accounts.
5.  Machines may not be connected to the network until the latest OS and application updates have been applied, anti-virus software has been installed and activated, the firewall has been enabled, AND a strong passphrase has been set on all accounts.
6.  Run an OS that is not more than one minor release, or service pack, behind the current release, if business needs allow.
7.  Install software and OS patches as soon as practical for your environment.
8.  (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
9.  (PCI/DSS) Deploy anti-virus software on all systems commonly affected by viruses; ensure that the anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
10. (PCI/DSS) Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
11. Hosts should automatically lock the targeted local account, or block the attacking host, for not less than two minutes after 15 authentication failures within a rolling five-minute window.
12. Disable unused services.
13. Remove LM hashes: configure the OS not to store the LM hash of account passwords. Existing LM hashes are only replaced when each account's password is next changed.
14. The clock must be automatically synchronized to a recognized time server (time.northwestern.edu).
15. Departments must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise.
16. Departments must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
17. Departments must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
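The script below is an added example, not part of the original Northwestern page, showing how the scriptable items in the Configuration table (Guest account, lockout policy, LM hash removal, time synchronization and privileged-account auditing) are applied on a Windows server and then verified. It assumes an elevated PowerShell session on a stand-alone or member server; the NTP name is the page's, everything else is local policy (on a domain member, Group Policy will override these settings, so apply them through the GPO instead).

```powershell
# Added example (not from the original page): applies Configuration items
# 2, 4, 11, 12, 13 and 14 and reports the resulting state.
# Assumptions: elevated session; local policy only (domain GPOs take precedence).
#Requires -RunAsAdministrator

$TimeServer = 'time.northwestern.edu'   # item 14, from the page

# 2. Disable the built-in Guest account (net user works on every Windows version).
net user Guest /active:no | Out-Null

# 11. Lock after 15 failures. Windows requires the lockout duration to be at
#     least as long as the observation window, so "2-minute lockout, 5-minute
#     window" is not expressible; 5/5 still satisfies "not less than two minutes".
net accounts /lockoutthreshold:15 /lockoutduration:5 /lockoutwindow:5 | Out-Null

# 13. Stop storing LM hashes. Hashes already in the SAM persist until each
#     account's password is changed, so force a password change afterwards.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord

# 14. Point the Windows Time service at the campus NTP server and resync.
#     On a domain member the PDC emulator is normally the source; configure
#     the peer list there and leave members on the domain hierarchy.
w32tm /config /manualpeerlist:"$TimeServer" /syncfromflags:manual /reliable:yes /update | Out-Null
Restart-Service w32time
w32tm /resync | Out-Null

# 4. Audit privileged account use: 4672 (special privileges at logon),
#    4720/4726/4732 (account and group changes), 4663 (object access; read/write
#    tracking additionally needs a SACL on the files or keys of interest).
$subcategories = 'Special Logon', 'User Account Management',
                 'Security Group Management', 'File System', 'Registry'
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 12. Report, rather than blindly disable, automatically started services;
#     the administrator decides which are unused for this server's function.
function Get-AutoStartService {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, State, PathName
}

# Verification: one object summarising the settings just applied.
function Get-HardeningState {
    $acct = (net accounts) -join "`n"
    [pscustomobject]@{
        GuestDisabled    = ((net user Guest) -join "`n") -match 'Account active\s+No'
        LockoutThreshold = [regex]::Match($acct, 'Lockout threshold:\s+(\d+)').Groups[1].Value
        LockoutMinutes   = [regex]::Match($acct, 'Lockout duration \(minutes\):\s+(\d+)').Groups[1].Value
        NoLMHash         = (Get-ItemProperty -Path $lsa -Name NoLMHash).NoLMHash
        TimeSource       = (w32tm /query /source)
        AutoStartCount   = @(Get-AutoStartService).Count
    }
}

Get-HardeningState | Format-List
Get-AutoStartService | Format-Table -AutoSize
```

Run it once after build and keep the output with the server's build record; re-run Get-HardeningState as part of the quarterly password rotation (item 3) to catch drift.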

Networking

Number  Recommendation/Description
1.  An appliance-based firewall is required. If a host-based firewall option is available, consider using it in addition to the appliance.
2.  (PCI/DSS) Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks.
3.  (PCI/DSS) Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
4.  No open, non-authenticated file sharing may be enabled.
5.  (PCI/DSS) Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.
6.  Remote access software must be disabled, or restricted to specific IP addresses, by default. It can be temporarily enabled on a case-by-case basis by authorized personnel. Only software that supports end-to-end encryption should be used for this purpose.
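As an added example (not code from the original page), the following PowerShell applies items 1, 4, 5 and 6 of the Networking table on the host side: Windows Firewall default-deny, Remote Desktop disabled by default and scoped to named management addresses when enabled, TLS plus Network Level Authentication for RDP, and no anonymous (null-session) access to shares. The management subnet 10.20.30.0/24 and jump host 10.20.40.5 are placeholders for the "specific IP addresses" the page leaves to each department; it assumes Windows Server 2012 or later (NetSecurity module) and an elevated session.

```powershell
# Added example (not from the original page): host-side implementation of
# Networking items 1, 4, 5 and 6. Assumptions: Windows Server 2012+, elevated
# session, placeholder management addresses below.
#Requires -RunAsAdministrator

$ManagementHosts = @('10.20.30.0/24', '10.20.40.5')   # assumed; replace per department

# 1. Host-based firewall on for every profile, default-deny inbound, log drops.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 6. Remote Desktop: drop the built-in any-source rules and replace them with one
#    rule scoped to the management addresses, left disabled until a change window.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
$ruleName = 'RDP from management hosts only'
$rdp = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rdp) {
    $rdp = New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManagementHosts -Action Allow -Profile Domain, Private
}
$rdp | Disable-NetFirewallRule   # authorized staff: Enable-NetFirewallRule -DisplayName $ruleName

# 5/6. Encrypted, authenticated RDP: TLS security layer, NLA required, high encryption.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $ts -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $ts -Name UserAuthentication -Value 1 -Type DWord   # NLA on
Set-ItemProperty -Path $ts -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High

# 4. No open, unauthenticated file sharing: refuse null-session access to shares
#    and named pipes and restrict anonymous enumeration.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $srv -Name RestrictNullSessAccess -Value 1 -Type DWord
Set-ItemProperty -Path $srv -Name NullSessionShares -Value ([string[]]@()) -Type MultiString
Set-ItemProperty -Path $srv -Name NullSessionPipes  -Value ([string[]]@()) -Type MultiString
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name RestrictAnonymous -Value 1 -Type DWord

# Verification: every enabled inbound rule with the ports and remote scope it allows.
# Anything with Remote = 'Any' on a management port is a finding.
function Get-EnabledInboundRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Port   = ($port -join ',')
            Remote = ($addr -join ',')
        }
    }
}

Get-EnabledInboundRule | Sort-Object Rule | Format-Table -AutoSize
```

The host rules complement, not replace, the appliance firewall required by item 1; the appliance still restricts which networks can reach the management addresses in the first place.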

Hosting

Number  Recommendation/Description
1.  Port Reporter (Microsoft's port-activity logging service) or a similar system installed and active.
2.  Encrypted backups should be taken regularly, and all on-site and off-site storage should be physically secure.
3.  (PCI/DSS) Clocks must be synchronized to two (2) internally hosted time servers (time.northwestern.edu).*
4.  Housed at the University data center or a similar facility.
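Port Reporter is no longer shipped, so as an added example (not from the original page) here is a stand-in for Hosting item 1 built on the NetTCPIP cmdlets: it records every listening TCP/UDP port with its owning process, saves the first run as a baseline, and on later runs logs any listener not in that baseline. It assumes Windows Server 2012 R2 or later; the baseline and log paths are placeholders.

```powershell
# Added example (not from the original page): a Port Reporter-style listener
# inventory with baseline comparison. Assumptions: Windows Server 2012 R2+;
# the two paths below are placeholders.
$BaselinePath = 'C:\ProgramData\PortBaseline.csv'   # assumed location
$LogPath      = 'C:\ProgramData\PortReport.log'     # assumed location

# Every TCP listener and UDP endpoint, joined to its process (Path is empty
# when the process belongs to another user and the session is not elevated).
function Get-ListeningPort {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess }
    }
    @($tcp) + @($udp) | ForEach-Object {
        $p = $procs[[int]$_.Pid]
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.Address
            Port    = [int]$_.Port
            Pid     = [int]$_.Pid
            Process = $(if ($p) { $p.ProcessName } else { '?' })
            Path    = $(if ($p) { $p.Path } else { '' })
        }
    } | Sort-Object Proto, Port, Address -Unique
}

# A listener is "new" when its protocol/port/process triple is absent from the
# baseline. Address is ignored so that the same service bound to an additional
# interface is still recognised; a different process on a known port is flagged.
function Compare-ListeningPort {
    param([object[]]$Current, [object[]]$Baseline)
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Proto)/$($b.Port)/$($b.Process)"] = $true }
    $Current | Where-Object { -not $known.ContainsKey("$($_.Proto)/$($_.Port)/$($_.Process)") }
}

$now = @(Get-ListeningPort)
if (-not (Test-Path $BaselinePath)) {
    # First run on a freshly built server: the current state becomes the baseline.
    $now | Export-Csv -Path $BaselinePath -NoTypeInformation
    "$(Get-Date -Format s) baseline created with $($now.Count) listeners" | Add-Content $LogPath
} else {
    $baseline = Import-Csv $BaselinePath
    $new = @(Compare-ListeningPort -Current $now -Baseline $baseline)
    foreach ($n in $new) {
        "$(Get-Date -Format s) NEW LISTENER $($n.Proto)/$($n.Port) $($n.Address) pid=$($n.Pid) $($n.Process) $($n.Path)" |
            Add-Content $LogPath
    }
    "$(Get-Date -Format s) scan complete: $($now.Count) listeners, $($new.Count) not in baseline" | Add-Content $LogPath
    $new | Format-Table -AutoSize
}
```

Schedule it (for example every 15 minutes as a SYSTEM scheduled task) and feed the log into the audit-log monitoring program required under "Ongoing"; after an approved change that adds a service, regenerate the baseline by deleting the CSV and re-running.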

Ongoing

Number  Recommendation/Description
1.  A mandatory audit log monitoring program or procedure, carried out by personnel of the department owning the logs or by an approved subcontractor/vendor.
2.  (PCI/DSS) Logs must be reviewed, or aggregated and then reviewed, daily.
3.  (PCI/DSS) Logs must be available online (electronically) for three months, and available on tape (or other removable media) for one year.
4.  (PCI/DSS) Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
5.  (PCI/DSS) Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.
6.  Encrypt sensitive data (recommendations currently in development).
7.  A defined process for approval, acceptable use, and removal of system privileges.
8.  (PCI/DSS) Follow change control procedures for all system and software configuration changes.
9.  (PCI/DSS) Identify all users with a unique user name and at least one authentication method (passphrase, token device and/or biometrics).
10. (PCI/DSS) Immediately revoke access for any terminated users.
11. Remove inactive user accounts at least every 90 days.
12. (PCI/DSS) Set first-time passwords to a unique value for each user and require that they be changed immediately after first use.
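Two of the Ongoing items recur on a schedule and are easy to get wrong by hand: the daily log review (items 1 and 2) and the 90-day inactive-account cleanup (item 11). The script below is an added example, not part of the original page, with one function for each. It assumes an elevated session, that the ActiveDirectory module is present on domain members (otherwise the stale-account check falls back to local accounts), and uses standard Windows Security log event IDs; the 90-day threshold is the page's.

```powershell
# Added example (not from the original page): daily Security-log summary
# (Ongoing items 1-2) and inactive-account handling (item 11).
# Assumptions: elevated session; ActiveDirectory module on domain members.
#Requires -RunAsAdministrator

$InactiveDays = 90   # item 11, from the page

# Item 11: accounts with no logon in $Days days. Disable by default; -Remove
# deletes them, to be used after the department's grace period has expired.
# An account that has never logged on is judged by its creation date instead.
# Note: AD LastLogonDate derives from lastLogonTimestamp, which replicates only
# when older than 14 days, so it is precise enough for a 90-day threshold but
# not for shorter ones.
function Get-StaleAccount {
    param([int]$Days = $InactiveDays, [switch]$Remove)
    $cutoff = (Get-Date).AddDays(-$Days)
    if (Get-Module -ListAvailable ActiveDirectory) {
        Import-Module ActiveDirectory
        $stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
            Where-Object { $d = $_.LastLogonDate; if (-not $d) { $d = $_.whenCreated }; $d -lt $cutoff }
        foreach ($u in $stale) {
            if ($Remove) { Remove-ADUser -Identity $u -Confirm:$false } else { Disable-ADAccount -Identity $u }
        }
        return $stale | Select-Object SamAccountName, LastLogonDate, whenCreated
    }
    # Stand-alone server: local accounts (LocalAccounts module, Server 2016+).
    $stale = Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne 'Administrator' } |
        Where-Object { $d = $_.LastLogon; if (-not $d) { $d = $_.PasswordLastSet }; $d -lt $cutoff }
    foreach ($u in $stale) {
        if ($Remove) { Remove-LocalUser -Name $u.Name } else { Disable-LocalUser -Name $u.Name }
    }
    return $stale | Select-Object Name, LastLogon, PasswordLastSet
}

# Items 1-2: count the Security events a daily reviewer should look at, with the
# accounts involved, so the review is a short table rather than raw logs.
function Get-DailySecuritySummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $ids = @{
        4625 = 'Failed logon';                 4740 = 'Account locked out'
        4672 = 'Privileged logon';             4720 = 'Account created'
        4726 = 'Account deleted';              4728 = 'Member added to global group'
        4732 = 'Member added to local group';  4719 = 'Audit policy changed'
        1102 = 'Audit log cleared'
    }
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $Since } `
                -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        # Subject/Target field names differ per event; take the first *UserName
        # value that is not the '-' placeholder.
        $accounts = $_.Group | ForEach-Object {
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data |
                Where-Object { $_.Name -like '*UserName' -and $_.'#text' -ne '-' } |
                Select-Object -First 1).'#text'
        } | Sort-Object -Unique
        [pscustomobject]@{
            Id       = $id
            Meaning  = $ids[$id]
            Count    = $_.Count
            Accounts = ($accounts -join ',')
        }
    } | Sort-Object Id
}

Get-DailySecuritySummary | Format-Table -AutoSize
Get-StaleAccount | Format-Table -AutoSize
```

Any non-zero count for 1102 or 4719 should be treated as an incident rather than a review item, since both indicate tampering with the audit trail itself. The summary covers only the local Security log; for item 2's "aggregated and then reviewed" option, forward the events to the central collector first and run the same query there.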
