PURPOSE
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by the Mont Alto campus. Effective implementation of this policy will minimize the risk of unauthorized access to campus and university proprietary information and technology.
SCOPE
This policy applies to server equipment owned and/or operated by all agents of the Mont Alto campus.
This policy is specifically for equipment on the internal Mont Alto data network including administrative systems as well as faculty and student research or test systems.
DEFINITIONS
Server - For the purposes of this policy, a server is a system hosted on the Penn State Mont Alto data network that provides services approved by Information Technology Services. Desktop computers and lab computer systems are outside the scope of this policy.
Denial of service attack - An attack designed to prevent a system from providing services to its users.
Dictionary attack - The automated use of a ‘dictionary’ of candidate passwords in an attempt to compromise an account or a series of accounts.
POLICY
Ownership and Responsibilities
All internal servers deployed at the Mont Alto campus must be owned by the campus. The system administrator responsible for each server must sign and agree to the “End-User Computing Agreement.” The signed agreement must be provided to the Director of Information Technology and kept on file for the lifespan of the server. The installation of a proposed new server must be approved by the department head and the Director of Information Technology. The decision will be based on business needs, and final approval will be granted by the campus Chancellor. Compliance with the Server Configuration Requirements below must be monitored.
Server Configuration Requirements
- Operating System configurations should be in accordance with approved campus guidelines to ensure a significant level of security against unauthorized access.
- Services and applications that will not be used must be disabled, where practical.
- Access to services should be logged and/or protected through access-control methods such as TCP Wrappers or other security mechanisms.
- The most recent security patches must be installed on the system within one week of release. The only exception is when immediate application would interfere with business requirements.
- Trust relationships between systems are a security risk; their use should be avoided. Do not use a trust relationship when some other method of communication will suffice.
- Always apply the principle of least privilege: grant only the access required to perform a function.
- If a method for secure channel connection is available and technically feasible, privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
- Servers must be physically located in an access-controlled environment.
- Servers are specifically prohibited from operating in areas accessible to persons other than the intended system administrators.
- Anti-virus software must be installed when applicable and set to update virus definitions automatically.
- Servers hosting services available to an external network (outside of the campus) or the Internet (e.g., www/ftp/sftp/ssh/smtp/pop/imap, etc.) must be placed on the campus Demilitarized Network Zone (DMZ) to ensure segregation of network traffic in line with best security practices.
- No firewall rule exceptions for inbound traffic will be allowed for a server that hosts or stores sensitive university data.
Monitoring
- All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
  - All security-related logs will be kept online for a minimum of one week.
  - Archived logs will be retained for a minimum of six months.
- Security-related events will be reported to the Director of Information Technology, who may review logs and report incidents to the University Security Office. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
  - Dictionary attacks
  - Unauthorized network scanning
  - Denial of service attacks
  - Evidence of unauthorized access to privileged accounts
  - Anomalous occurrences that are not related to specific applications on the host.
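The first and fourth event types above (dictionary attacks, and evidence of unauthorized access to privileged accounts) can be picked out of ordinary sshd authentication logs. The following script is an added example written for this page, not a tool the campus or ITS provides: it parses OpenSSH "Failed password" / "Accepted password" syslog lines, flags any source address with five or more failed logins inside a sliding 60-second window as a dictionary attack, and then reports any successful login from a flagged address as possible evidence of compromise. The log lines are constructed for the example (RFC 5737 documentation addresses, hostname web1, year 2009 assumed because the syslog timestamp carries none), and the threshold and window are assumptions a system administrator would tune to the host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's default syslog format. These are
# made up for the example and are not real campus logs.
SAMPLE_LOG = """\
Jun  5 10:01:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4401 ssh2
Jun  5 10:01:03 web1 sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 4402 ssh2
Jun  5 10:01:04 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 4403 ssh2
Jun  5 10:01:06 web1 sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 4404 ssh2
Jun  5 10:01:08 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 4405 ssh2
Jun  5 10:01:09 web1 sshd[1206]: Failed password for invalid user guest from 203.0.113.5 port 4406 ssh2
Jun  5 10:02:30 web1 sshd[1210]: Accepted password for root from 203.0.113.5 port 4410 ssh2
Jun  5 10:15:00 web1 sshd[1300]: Failed password for jsmith from 192.0.2.44 port 50122 ssh2
Jun  5 10:15:20 web1 sshd[1301]: Accepted password for jsmith from 192.0.2.44 port 50122 ssh2
"""

# Matches the two sshd message forms used here; "invalid user " appears
# only when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_timestamp(ts, year=2009):
    """Syslog timestamps carry no year; the year is an assumption here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": parse_timestamp(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Map each source IP to the largest number of failed logins it produced
    inside any sliding window of window_seconds, for IPs reaching threshold."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def successful_logins_from_flagged(lines, flagged):
    """Successful logins from a flagged source: treat as evidence of
    unauthorized access until the account owner confirms otherwise."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Accepted" and ev["ip"] in flagged:
            hits.append((ev["ip"], ev["user"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    attacks = detect_dictionary_attacks(lines)
    for ip, count in attacks.items():
        print(f"dictionary attack: {ip} ({count} failed logins within 60s)")
    for ip, user in successful_logins_from_flagged(lines, attacks):
        print(f"possible compromise: {ip} logged in as {user} after failures")
```

Running it reports 203.0.113.5 (six failures in eight seconds, then an accepted root login) and stays silent about 192.0.2.44, whose single typo-then-success pattern is what a legitimate user looks like. A real deployment would read /var/log/auth.log or the journal rather than an embedded string, and would keep the retained logs the policy requires so the window can be re-examined after the fact.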
Compliance
- Audits will be performed on a regular and random basis by authorized ITS staff.
- Audits will be managed by the University Security Office or campus ITS Staff, in accordance with the Incident and Disaster Tolerance / Response Policy. The campus will present pertinent findings to the appropriate system administrator for remediation or justification.
- Every effort will be made to prevent audits from causing operational failures or disruptions.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action by their administrative unit, the campus, or the University. Systems involved with severe security breaches may be confiscated for forensic analysis.
CROSS REFERENCE
Other policies that should also be referenced:
AD20 - Computer and Network Security
PSU-MA-ITS-000 - End-User Computing Agreement
PSU-MA-ITS-004 - Technology Acceptable Use Policy (AUP)
PSU-MA-ITS-005 - Password Policy
PSU-MA-ITS-006 - Anti-Virus Policy
PSU-MA-ITS-009 - Firewall Rule and Exception Policy
PSU-MA-ITS-012 - Data Backup and Retention Policy
PSU-MA-ITS-013 - Incident and Disaster Tolerance / Response Policy
POLICY HISTORY
Ratified June 5, 2009