
California State Polytechnic University, Pomona
Server and Network Security Standard and Guidelines
Version 1.7, April 4, 2008

Table of Contents

Overview
Audience
Minimum Network and Server Security Standard
Roles and Responsibilities
Terms and Definitions
Guidelines
Additional Resources
References

4/4/2008 Page 2 of 11

Overview

California State Polytechnic University, Pomona (CPP) servers, networks, and the information that resides on them are critical assets for the university. These assets need to be protected to ensure their availability, confidentiality, and integrity. This document provides a minimum security standard and a set of guidelines for the installation and support of servers that are part of the CPP network.

Audience

This document is written for the technical support personnel who support CPP-owned servers or networking devices.

Minimum Network and Server Security Standard

The following security controls must be applied to servers that connect directly to the CPP network:

1. Anti-virus software must be running and up to date. Exceptions may be made for servers where installation of anti-virus software would compromise the usability of a critical application.
2. Servers must run software for which security patches are made available in a timely fashion, and must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications.
3. Host-based firewall software must be running and configured according to the section on configuring host-based firewalls in the guidelines below. Departmental firewalls are encouraged, but they do not necessarily remove the need for host-based firewalls: a firewall at the department boundary does not protect a server from other hosts on the same network segment.
4. Unauthorized physical access to a server can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other dangerous situations. Where possible and appropriate, devices must therefore be configured to lock and require the user to re-authenticate if left unattended for more than 20 minutes.

Roles and Responsibilities

This section identifies the roles and responsibilities for implementing and complying with the minimum security standard and guidelines.

Information Security Officer (ISO): issues security standards based on threats and the University's protection needs. The ISO champions implementation efforts, offers acceptable alternatives, and grants exceptions as appropriate.

Campus Technical Support Person: ensures that all existing CPP-owned servers and networking devices are configured to meet the minimum standards set forth above, or that an alternate risk management plan is provided.

System Administrators: members of organizational units that support enterprise, division, or department level IT services. Within their area of responsibility, system administrators facilitate end-user privilege management and implement operating procedures that conform to campus information security standards and guidelines.

Security Analyst: advises on best practices for securing applications, systems, networks, and servers.

Terms and Definitions

Confidential Information (Level 1 data): information maintained by the University that is exempt from disclosure under the California Public Records Act or other applicable state or federal laws. Its unauthorized disclosure, compromise, or destruction would result in severe damage to Cal Poly Pomona, its students, or its employees (examples: social security numbers, dates of birth, medical records, credit card or bank account information); financial loss, damage to Cal Poly Pomona's reputation, and legal action could also follow. Level 1 data is intended solely for use within Cal Poly Pomona and is limited to those with a business need to know. Statutes, regulations, and other legal obligations or mandates protect much of this information, and its disclosure to persons outside the University is governed by specific standards and controls designed to protect it.

Guidelines

For every operating system, it is important to follow the general guidelines below. The details used to implement them vary, but the concepts are the same regardless of the operating system. Protecting a server from compromise involves hardening the underlying OS, the server application(s), and the network so that malicious parties cannot attack the server directly.

Before you connect the server to the CPP network for the first time, or upgrade it to a new operating system, complete the following steps:

1. Review the purpose or role of the server
2. Determine server authentication requirements
3. Determine secure access control requirements
4. Install only required software and keep the operating system current
5. Run the minimum number of services/features on the server
6. Install and configure filters or a host-based firewall
7. Set up and review system logs
8. Install and configure security-related software
9. Maintain physical security of the server
10. Maintain backups and operational continuity
11. Identify the computer for security event notification
12. Request a network-based vulnerability scan
13. If you have questions, contact the Information Security Department

Review the purpose or role of the server

1. Determine the purpose or role the server will play within the organization. Will the server act as a...
   a. Database repository (Oracle, MySQL, MS-SQL)
   b. Application server (WebLogic, Apache Tomcat, etc.)
   c. Web server (Apache HTTP Server, IIS)
   d. File server
   e. Host for a shared business application
   f. Some combination of these functions
2. The services the server provides should be dictated entirely by its role within the organization and by the type of information (protected vs. public) that flows through it.

Recommendations on server setup

3. Ensure that the latest campus-supported stable version of the operating system is running.
   a. Refer to the Operating Systems Guidelines document for the latest campus-supported stable version of each operating system.
4. Harden the operating system (Windows, Unix, Mac OS, etc.)

   a. Eliminate unnecessary services, applications, protocols, and ports
5. Harden each application (Apache HTTP Server, IIS, MS-SQL, etc.)
   a. Eliminate unnecessary services, drivers, protocols, and ports
6. When setting up the operating system (OS), look for OS configuration options that enhance the security of the server in this role.

Determine authentication requirements

1. Use the campus identity management system.
   a. CPP has established a campus identity management system: a unified directory service and authentication infrastructure. It gives campus departments a centralized means of validating users who need or wish to access departmental applications and of obtaining authoritative information about those users. Applications can use it for public directory service, lookups, authorization, and authentication.
2. All accounts should have strong passwords.
3. Local accounts (as opposed to accounts from LDAP or Active Directory) are strongly discouraged because they are difficult to manage centrally.
   a. To decide whether a local account is necessary, ask:
      i. What access or purpose does the local account provide that a centrally administered account cannot?
      ii. Is the intended use of the account application- or service-specific (e.g., an Oracle DBA administrator account)?
4. Assign a unique administrative account and password to each individual, so that administrative activity can be attributed to a specific administrator.
   a. Shared accounts on servers should not be allowed.
5. Disable or rename the vendor default administrator accounts.
6. Require authentication for access by individuals to the server.
7. Require re-authentication by users after idle periods when the user is accessing the machine locally (console access).

Secure access control

1. Restrict the number of accounts and privileges to only those needed to perform a job function.
   a. Give each user the minimum access required to perform their work.
2. Have a plan and process for securing administrator and root passwords that still allows appropriate access to the server in case of illness, turnover, or unforeseen circumstances.
3. On an ongoing basis, an administrator should regularly review the list of accounts and group memberships (especially root and administrative groups) and the logs of their use.
   a. Look for unexpected rights or changes

   b. Disable or delete old or unused accounts belonging to people who no longer need access

Install only required software and keep the operating system current

1. Run software that is current. The operating system and other installed software must still be supported with security patches.
2. When installing software, install only what is required, and install the latest versions of all software including all recommended security patches.
3. All patches to servers should be reviewed before being applied.
4. Desktop applications (e.g., Microsoft Office) should not be installed or run on a server.
5. Web browsers should not be used on a server to browse external web sites or to download patches directly. Download application patches to another computer and put them on a CD or on a network share the server can access; verify the vendor's checksum or signature on the downloaded file before installing it.
6. After installation, all computers should be routinely maintained and updated. This includes the installation of operating system patches and new versions of installed software.

Run the minimum number of services

1. Each computer should provide only the services needed for its role or function in the organization.
2. Configure all installed software, disable all unused features, and limit the availability of any features that are enabled.
   a. Users not in the Administrators group should not have access to file sharing unless the server specifically needs it.
   b. If the server does not need to send administrative email, disable email-related services.
   c. If the server is not used to transfer files, disable file transfer services.
3. Use secure protocols (e.g., SSL/TLS, SSH, Kerberos) for accessing all servers and services that require or support authentication.
   a. Disable Telnet and FTP: use SSH instead of Telnet, and SFTP or SCP instead of FTP.
   b. Use RDP to connect to Windows servers; it is encrypted. Like SSH, it should still be reachable only from management addresses (see the host-based firewall section below).
4. Unless you are using network management tools, turn off SNMP. If SNMP is enabled, change the default community names and set permissions: delete the public community string if the software allows it, or at least change the default settings and make the community read-only. Note that SNMPv1 and SNMPv2c send the community string in clear text on the network; prefer SNMPv3 with authentication and privacy where the agent and the management tools support it.
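To make item 1 above checkable rather than aspirational, the script below compares the sockets a Linux server is actually listening on (the output of `ss -Hlntu`) against an allowlist derived from the server's role, and calls out Telnet, FTP and SNMP listeners specifically. It is an added example, not part of the CPP standard; the allowlist (a web server administered over SSH) and the sample `ss` lines are constructed for the example, and `--live` runs the same check against the local machine.

```shell
#!/bin/sh
# Added example, not part of the CPP standard. Assumptions: a Linux host with
# iproute2 (`ss`), and an allowlist written for this server's role.
#
# Input format is the output of `ss -Hlntu` (listening TCP and UDP sockets,
# numeric, no header). Each line has six fields:
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Allowlist for the role "web server with SSH administration": one
# proto/port per line. Anything else listening is a finding.
ALLOW="tcp/22
tcp/443"

# audit_listeners ALLOWLIST < ss-output
# Prints one UNEXPECTED line per listener not on the allowlist, with a hint
# for the protocols the standard says to turn off, and returns 1 if any were
# found (0 if the host listens only on what its role needs).
audit_listeners() {
    allow="$1"
    rc=0
    while read -r netid state recvq sendq laddr peer; do
        [ -z "$netid" ] && continue
        port="${laddr##*:}"          # last ':'-separated field; handles [::]:22
        key="$netid/$port"
        if printf '%s\n' "$allow" | grep -qx "$key"; then
            continue
        fi
        case "$key" in
            udp/161) hint=" (SNMP: disable, or SNMPv3 with non-default community)";;
            tcp/23)  hint=" (Telnet: use SSH instead)";;
            tcp/21)  hint=" (FTP: use SFTP or SCP instead)";;
            *)       hint="";;
        esac
        printf 'UNEXPECTED %s on %s%s\n' "$key" "$laddr" "$hint"
        rc=1
    done
    return "$rc"
}

# Constructed sample of `ss -Hlntu` output: SSH (v4 and v6) and HTTPS are
# expected; MySQL bound to loopback and SNMP are not on this server's allowlist.
SAMPLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*'

# Stand-alone run: `sh audit.sh --live` checks this machine; no argument
# checks the constructed sample above.
if [ "${1:-}" = "--live" ]; then
    ss -Hlntu | audit_listeners "$ALLOW"
else
    printf '%s\n' "$SAMPLE" | audit_listeners "$ALLOW"
fi
```

The loopback-only MySQL listener is still reported: a service bound to 127.0.0.1 is not reachable from the network, but it is still running code that must be patched, and it is a sign that the server's role has drifted from what was reviewed. Run the check from cron after every patch cycle and treat a non-zero exit as something to explain or fix.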

Install filters or a host-based firewall

1. Install and configure a packet filtering utility such as iptables, or a host-based firewall, to protect individual services.
   a. The rules should reflect the acceptable use and security policies that have been defined for the computer.
   b. To meet the minimum standard the host-based firewall must
      i. Be running at all times
      ii. Block inbound traffic to ports that are not running necessary services
      iii. Be capable of logging inbound and outbound blocked packets for troubleshooting purposes
2. Operating system filters that deny or permit certain traffic should be used where available (most Unix systems and current Windows versions have them).
3. Periodically review the filters for inappropriate or unneeded access.
4. Restrict access to services to CPP IP addresses only, where prudent.
   a. Limit access to databases to specific static IP addresses or ranges.

Set up and review logs

1. Configure all services to log all connections and authentication information.
   a. Forward these logs to a separately secured log host if possible, so that an attacker who compromises the server cannot alter the record of how it was done.
2. Enable local and domain auditing (if applicable) of security events:
   a. Changes to user accounts and permissions
   b. Failed logon attempts
   c. Failed attempts to access resources
   d. Changes to system files
   e. Unsuccessful attempts to connect through the firewall
3. Someone should be assigned responsibility for monitoring and reviewing the system logs and, as appropriate, following up on possible security violations identified in them. Logs should be reviewed at a minimum monthly, weekly if possible.
   a. For important servers this should be as often as daily.

Install security-related software

1. Install security-related software on each computer, as appropriate to the level of security needed (e.g., encryption, configuration management).
   a. Install anti-virus or other virus filtering software with daily updating of virus definitions. Validate that definitions and engines are actually being updated (at a minimum daily).
   b. Encryption
2. Run security analyzer software on servers, such as the Microsoft Baseline Security Analyzer (MBSA) on Windows.
3. SSH, RDP, or another encrypted and secure method of access should be installed if remote access or remote administration services are needed.

   a. SSH improves the security of user accounts by encrypting all login sessions; it can also forward X11 and other arbitrary network traffic through the encrypted channel.
4. Use the Campus VPN encrypted tunnel if SSH is not applicable or whenever clear-text access would be a security risk.
   a. CPP's VPN provides an encrypted tunnel to the University from the Internet (e.g., a connection from home or on the road).

Maintain physical security

1. Place the server in a secure location and document who has physical access.
2. Use an Uninterruptible Power Supply (UPS) for servers and other essential peripheral equipment (e.g., monitors, KVM switches).
3. Locate servers in a climate-controlled environment (e.g., dedicated air conditioning with in-room temperature controls).
4. Consider basic fire suppression options (e.g., extinguishers, sprinklers).
5. Use keyboard-locking software or password-protected screen savers to prevent use of an unattended console.

Maintain backups and operational continuity

1. Run backups regularly and periodically store them off-site.
2. Test the restore capability periodically.
3. Review backup history periodically.
4. Use a secure deletion program to erase data from hard disks and media when they are no longer in use and before transferring or disposing of hardware that stored confidential information (see the CPP Information Classification and Handling Standard for what qualifies as confidential information).
5. Develop a business continuity plan for the server.

Identify the computer for security event notification

1. Identify critical servers by sending the server name, IP address, and contact information of the responsible individual(s) to the Information Security department at infosecurity@csupomona.edu.

Request a network-based vulnerability scan

1. Request a network-based vulnerability scan from the Information Security department to look for common vulnerabilities. These scans are highly recommended for important servers.
   a. Send requests to infosecurity@csupomona.edu.
2. Review and correct the vulnerabilities found, or implement a risk-mitigation strategy, concentrating first on the items marked as high.
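The host-based firewall requirements above (running at all times, inbound blocked except for needed services, blocked packets logged, database access limited to campus ranges) and the log review item for unsuccessful connections through the firewall fit together in one piece of configuration. The script below, an added example that is not part of the CPP standard, generates an iptables-restore ruleset that meets them for a server offering SSH, HTTPS and MySQL, and then summarizes the kernel log lines those rules produce so the weekly review can see who is probing which blocked ports. It assumes Linux with iptables, uses RFC 5737 documentation prefixes in place of the real campus address ranges, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the CPP standard. Assumptions: Linux with
# iptables, a server offering SSH (22), HTTPS (443) and MySQL (3306), and
# RFC 5737 documentation prefixes standing in for the campus address ranges.

# gen_ruleset MGMT_CIDR DB_CIDR
# Emits an iptables-restore(8) file: default-deny inbound, SSH only from the
# management range, the database port only from the campus range, and every
# other inbound packet (plus direct outbound SMTP) logged, then dropped.
# Save it to the file your distribution restores at boot, e.g.
#   gen_ruleset 192.0.2.0/24 192.0.2.0/22 > /etc/iptables/rules.v4
# and load it with `iptables-restore < /etc/iptables/rules.v4`.
gen_ruleset() {
    mgmt="$1"
    db="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host started, and loopback
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services this server's role requires (ports not listed are blocked)
-A INPUT -p tcp --dport 22 -s $mgmt -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 3306 -s $db -m conntrack --ctstate NEW -j ACCEPT
# ping, rate limited, so reachability checks still work
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else: log (rate limited so the log cannot be flooded), then drop
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP-IN: " --log-level 4
-A INPUT -j DROP
# this host is not a mail server: log and reject direct outbound SMTP
-A OUTPUT -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-OUT: " --log-level 4
-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# summarize_drops < kernel-log
# Counts the LOG lines the rules above produce by direction, source address,
# protocol and destination port, most frequent first, so a weekly review shows
# which hosts are scanning and which blocked ports they probe.
summarize_drops() {
    awk '/FW-DROP-(IN|OUT):/ {
            dir = ""; src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FW-DROP-/) { dir = $i; continue }
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[dir " " src " " proto "/" dpt]++
        }
        END { for (k in count) printf "%6d %s\n", count[k], k }' | sort -rn
}

# Constructed sample of what the kernel writes for the LOG rules (field set
# trimmed); the sshd line shows that unrelated entries are ignored.
SAMPLE_LOG='Apr  4 10:15:02 web1 kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=54321 DPT=23 SYN
Apr  4 10:15:03 web1 kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=54322 DPT=23 SYN
Apr  4 10:15:05 web1 kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=54323 DPT=3306 SYN
Apr  4 10:16:40 web1 kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TTL=60 PROTO=UDP SPT=40000 DPT=161
Apr  4 10:17:00 web1 sshd[2210]: Accepted publickey for alice from 192.0.2.50 port 50112 ssh2
Apr  4 10:18:12 web1 kernel: FW-DROP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=25 SYN'

# Stand-alone run: print the ruleset for the assumed ranges, then the summary.
gen_ruleset 192.0.2.0/24 192.0.2.0/22
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

The ESTABLISHED,RELATED rule comes first so the default-deny policy never breaks replies to connections the server itself opened; the LOG rules are rate limited because an unthrottled LOG target lets a scanner fill the disk with kernel messages. The summary is meant to be read on the forwarded copy of the log on the log host, not on the server, for the reason given in the log review section.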

Where to go for help

If you have questions or concerns about the security of the data you store locally or on departmental, college, or university servers, contact the Information Security department at extension 6449. The Information Security department can arrange security tests of critical servers or desktop machines to identify potential security risks, and can schedule meetings between departmental IT personnel and security analysts to help improve the security of the systems they support.

Additional Resources

These websites and publications have more information on protecting a server from compromise.

National Institute of Standards and Technology (NIST) Computer Security Resource Center: www.csrc.nist.gov. Guidelines found there include:
   Risk Management Guide for Information Technology Systems (SP 800-30): www.csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
   Guidelines on Securing Public Web Servers (SP 800-44 Version 2): http://csrc.nist.gov/publications/nistpubs/800-44-ver2/sp800-44v2.pdf

SANS (SysAdmin, Audit, Network, Security) Institute, Twenty Most Critical Internet Security Vulnerabilities: www.sans.org/top20

United States Computer Emergency Readiness Team (US-CERT): www.us-cert.gov

Center for Internet Security (CIS): www.cisecurity.org. Benchmarks of security configuration actions and settings to "harden" the operating system are available there for Windows XP SP2, Windows Server 2003, Windows 2000 Professional/Server, Mac OS X, Solaris 10, Red Hat Linux 1.0, and Debian.

OnGuard Online: www.onguardonline.gov

IT Compliance Institute: http://www.itcinstitute.com/index.aspx

References

The standard was developed using resources from the sites above and from the Office of Information Technology at the University of Minnesota.