California State Polytechnic University, Pomona. Server and Network Security Standard and Guidelines

Transcription

1 California State Polytechnic University, Pomona Server and Network Security Standard and Guidelines Version 1.7 April 4, 2008

2 Table of Contents OVERVIEW...3 AUDIENCE...3 MINIMUM NETWORK AND SERVER SECURITY STANDARD...3 ROLES AND RESPONSIBILITIES...3 TERMS AND DEFINITIONS...4 GUIDELINES...5 ADDITIONAL RESOURCES REFERENCES /4/2008 Page 2 of 11

3 Overview California State Polytechnic University, Pomona (CPP) servers, networks, and the information that resides on them are critical assets for the university. These critical assets need to be protected to ensure their availability, confidentiality, and integrity. This document is intended to provide a minimum-security standard and a set of guidelines for the installation and support of servers that are part of the CPP network. Audience The audiences for this document are technical support personnel who support CPP owned servers or networking devices. Minimum Network and Server Security Standard The following security controls must be applied to servers that connect directly to the CPP network Anti-virus software must be running and up-to-date. Exceptions may be made for servers where installation of anti-virus software might compromise the usability of a critical application. Servers must run software for which security patches are made available in a timely fashion. They also must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications. Host-based firewall software must be running and configured, according to the guidelines section on configuring host-based firewalls. While the use of departmental firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls. Unauthorized physical access to a server can result in harmful or fraudulent modification of data, fraudulent use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes. Roles and Responsibilities This section identifies the roles and responsibilities for implementation and compliance of the minimum-security standard and guidelines. Information Security Officer (ISO) issues security standards based on threats and the needs of the University for protection. The ISO champions implementation efforts, offers acceptable alternatives, and provides exceptions as appropriate. Campus Technical Support Person ensures that all existing CPP owned servers or networking devices are configured to support the minimum standards set forth above, or that an alternate plan for risk management is provided. System Administrators Are members of organizational units that support 4/4/2008 Page 3 of 11

4 enterprise, division, or department level IT services. System administrators within their area of responsibility facilitate end-user privilege management and implement operating procedures in conformance with campus information security standards and guidelines. Security Analyst Advises on best practices to secure applications, systems, networks, and servers. Terms and Definitions Confidential Information - Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential information is information whose unauthorized disclosure, compromise or destruction would result in severe damage to Cal Poly Pomona, its students, or employees (e.g. social security numbers, dates of birth, medical records, credit card or bank account information). Financial loss, damage to Cal Poly Pomona s reputation, and possible legal action could also occur. Level 1 data is intended solely for use within Cal Poly Pomona and limited to those with a business need-to-know. Statutes, regulation, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information. 4/4/2008 Page 4 of 11

5 Guidelines For every operating system, it is important to follow the general guidelines below. The actual details used to implement these guidelines may vary, but the concepts are the same regardless of the operating system. Protecting a server from compromise involves hardening the underlying OS, the server application(s), and the network to prevent malicious entities from directly attacking the server. Before you connect the server to the CPP network for the first time or upgrade to a new operating system, please complete the following steps: 1. Review the purpose or role of the server 2. Determine server authentication requirements 3. Determine secure access control requirements 4. Install only required software and keep operating system current 5. Run the minimum number of services/features on the server 6. Install and configure filters or host-based firewall 7. Setup and review system computer logs 8. Install and configure security related software 9. Maintain physical security of the server 10. Maintain backups and operational continuity 11. Identify the computer for security event notification 12. Request a network-based vulnerability scan 13. If you have questions, contact the Information Security Department Review the purpose or the role of the server 1. Determine the purpose or role the server will play within the organization Will the server act as a... a. Database repository (Oracle, MySQL, MS-SQL) b. Application server (WebLogic, Apache Tomcat, etc) c. Web server (Apache HTTP, IIS) d. File server e. Host for a shared business application f. Some combination of these functions 2. The services the server provides should entirely be dictated by its role within the organization and by the type of information (i.e., protected vs. public ) that flows through it Recommendations on server setup 3. Ensure that the latest campus-supported stable version of the operating system is running a. Refer to the Operating Systems Guidelines document for information on the latest campus-supported stable version of operating systems 4. Harden the operating system (Windows, Unix, MAC OS, etc.) 4/4/2008 Page 5 of 11

6 a. Eliminate unnecessary services, applications, protocols, and ports 5. Harden each application (Apache HTTP,IIS, MS-SQL, etc) a. Eliminate unnecessary services, drivers, protocols, and ports 6. When setting up the operating system (OS), look for specific OS configuration options that will enhance the security of the server in this role Determine authentication requirements 1. Use the campus identity management system a. CPP has established a campus identity management system, a unified directory service and authentication infrastructure. It is intended to provide campus departments with a centralized means by which departments can validate users who need or wish to access departmental applications, as well as to obtain authoritative information about users. The infrastructure can be used by applications for public directory service, lookups, authorization, and authentication. 2. All accounts should have strong passwords 3. Local accounts (as opposed to accounts from LDAP or Active Directory) are strongly discouraged due to the difficulty of managing such accounts centrally a. To determine whether a local account is necessary, ask yourself these questions i. What access/purpose does the local account provide that the centrally administered account cannot? ii. Is the intended use of the account application or service specific (e.g., Oracle DBA administrator account)? 4. Assign a unique administrative account and unique password to each individual to better distinguish activities between multiple administrators a. Shared accounts on servers should not be allowed 5. Disable or rename the vendor default administrator accounts 6. Require authentication for access by individuals to the server 7. Require re-authentication by users after idle periods, if user accessing machine locally (console access). Secure access control 1. Restrict the number of accounts and privileges to only those who need access to perform their job function a. Give each user the minimum required amount of access to perform their work 2. Be sure to have a plan and process for securing administrator and root passwords that allows appropriate access to the server in case of illness, turnover, or unforeseen circumstances 3. On an ongoing basis, an administrator should regularly review the access list or log for users (e.g., root, and groups) a. Look for unexpected rights or changes 4/4/2008 Page 6 of 11

7 b. Disable or delete old or unused accounts that belong to people who no longer need access Install only required software and keep operating system current 1. Run software that is current. The operating system and other installed software should be supported for the latest security patches 2. When installing software, make sure to only install software that is required, making sure to install the latest versions of all software including all recommended security patches that are available. 3. All patches to servers should be reviewed before being applied, 4. Desktop application should not be installed and run on a server (e.g., Microsoft Office) 5. Web browsers should not be used to browse external web sites or to download patches directly to a server Download application patches to another computer and put on them on a CD or a network share that the server can access 6. After installation, all computers should be routinely maintained and updated This includes the installation of operating system patches and new versions of installed software. Run minimum number of services 1. Each computer should only provide services needed for its role or function in the organization 2. Make sure to configure all installed software, disable all unused features and be sure to limit the availability of any features that are enabled a. Any user not in the Administrators group should not have access to filesharing unless the server specifically needs it b. If the server does not need to use to send administrative-related messages, disable related services c. If the server is not used to transmit data, disable file transfer related services 3. Use secure protocols (e.g. SSL/SSH/Kerberos) for accessing all servers and services that require and/or support authentication a. Disable Telnet and FTP use SSH instead of telnet, and SFTP or SCP instead of FTP b. Use RDP to connect to Windows servers it is encrypted 4. Unless using network management tools, turn off SNMP. If SNMP is enabled, change the default community name and set permissions. Be sure to delete the public community string if the software allows you to do this, or at least change the default settings Install filters or host based firewall 4/4/2008 Page 7 of 11

8 1. Install and configure a packet filtering utility such as iptables or a host-based firewall to protect individual services a. The rules should reflect the acceptable use and security policies that have been defined for the computer b. To meet the minimum standard the host based firewall must i. Be running at all times ii. Block inbound traffic to ports that are not running necessary services iii. Be capable of logging inbound and outbound blocked packets for troubleshooting purposes 2. Operating system filters that deny or permit certain traffic should be used if available (e.g., most Unix and current Windows versions) 3. Periodically review the filters for inappropriate or unneeded access 4. Restrict access to services to only CPP IP addresses, where prudent a. Limit access to databases to specific static IP addresses or ranges. Set up and review logs 1. Configure all services so that they log all connections and authentication information a. Forward all of these logs to a highly secure computer if possible 2. Enable local and domain auditing (if applicable) of security events a. Changes to user account and permissions b. Failed attempts to logon c. Failed attempt to access resources d. Changes to systems files e. Unsuccessful attempts to connect through the firewall 3. Someone should be assigned the responsibility of monitoring/reviewing and as appropriate following up on possible security violations identified in the system logs typically these should be reviewed at a minimum on a monthly basis; weekly if possible a. For important servers this should be as often as daily Install security related software 1. Install security related software on each computer, as appropriate to the level of security needed (e.g., encryption, configuration management) a. Install anti-virus or other virus filtering software with daily updating for the latest virus definitions. Validate that antivirus definitions and engines are being updated (at a minimum daily) b. Encryption 2. Run security analyzer software on servers, such as MSBA from Microsoft 3. SSH, RDP, or other encrypted and secure method of access should be installed if remote access or remote administration services are needed 4/4/2008 Page 8 of 11

9 o SSH improves the security of user accounts by encrypting all login sessions and allowing the forwarding of X11 and other arbitrary network traffic 4. Use the Campus VPN encrypted tunnel, if use of SSH not applicable or when clear text is a security risk o CPP s VPN provides an encrypted tunnel to the University from the Internet (e.g., connection at home or on the road) Maintain physical security 1. Place the server in a secure location with documentation of who has physical access 2. Use Uninterruptible Power Supply (UPS) for servers and other essential peripheral equipment (e.g., monitors, KVM switches, etc.) 3. Locate servers in a climate-controlled environment (e.g., dedicated air conditioning with in-room temperature controls) 4. Consider basic fire suppression services/options (e.g., extinguishers, sprinklers, etc.) 5. Utilize keyboard locking software or password protected screen savers to prevent keyboard activity Maintain backups and operational continuity 1. Run back-ups regularly and periodically store off-site 2. Test the restore capability periodically 3. Review backup history periodically 4. Use a secure deletion program to erase data from hard disks and media after done using and prior to transfer or disposal of hardware storing confidential information (See CPP Information Classification and Handling Standard for more information on what qualifies as confidential information) 5. Develop business continuity plan for server Identify the computer for security event notification 1. Identify critical servers by sending the name, IP address and contact information of responsible individual(s) to the Information Security department at infosecurity@csupomona.edu Request a network-based vulnerability scan 1. Request a network-based vulnerability scan from the Information Security department to look for common vulnerabilities - these scans are highly recommended for important servers a. Send requests to infosecurity@csupomona.edu 2. Review and correct vulnerabilities found or implement a risk-mitigation strategy, concentrating first on the items marked as high 4/4/2008 Page 9 of 11

10 Where to go for help If you have questions or concerns about the security of the data you store locally, on departmental, college, or university servers, please contact the Information Security department at extension The Information Security department can make arrangements for security tests to be run on critical servers or desktop machines to identify potential security risks. We can also schedule meetings with departmental IT personnel to talk with security analysts to help them improve the security of the systems they support. 4/4/2008 Page 10 of 11

11 Additional Resources These websites and publications have more information on protecting a server from compromise. National Institute of Standards and Technology (NIST) s Computer Security Resource Center A number of guidelines can be found here: Risk Management Guide for Information Technology Systems Guidelines on Securing Public Web Servers SANS (SysAdmin, Audit, Network, Security) Institute s Twenty Most Critical Internet Security Vulnerabilities United States Computer Emergency Readiness Team (US-CERT) Center for Internet Security (CIS) A compilation of security configuration actions and settings to "harden" the operating system can be found here: Windows XP SP 2 Windows Server 2003 Windows 2000 Professional/ Server Mac OS X Solaris 10 Red Hat Linux 1.0 Debian OnGuard Online IT Compliance Institute References The standard was developed using resources from the above sites and the Office Information Technology at the University of Minnesota. 4/4/2008 Page 11 of 11