Standard for ALL servers:
- Keep your version of the operating system up to date; you should be running the most recent stable version.
- Install the all the latest security patches for your system and applications.
- Make sure that the server has a firewall running all the time.
- Protect traffic coming in AND going out (ingress and egress protection); it can stop both incoming and outgoing attacks even when you're not aware of it.
- Keep track of what ports are open and why.
- Know how to block and unblock an IP.
Control Access to Server:
- Remove, disable or change passwords to default accounts.
- All passwords should be strong passwords; they should also be unique, and changed periodically.
- Disable "guest" accounts/access.
- For data center-hosted servers, all administrative accounts must be SUNet ID accounts.
- Review user accounts quarterly and remove inactive accounts.
- Keep a complete list of everyone who has access to the server, and make sure you know who has which read/write privileges.
- No open file-sharing is allowed.
- All remote access should be restricted to specific IP addresses, and encrypted from end to end (via VPN).
Review Processes and Remove Extra Software
- Know everything that runs on the server, why, and which users have access.
- Disable any and all unused services.
- Install anti-virus software and make sure it stays current, is running actively, and is generating logs.
Lock /tmp, /var/tmp, and /dev/shm partitions (linux/Unix)
- Since /tmp, /var/tmp and /dev/shm are world writable directories, if left unlocked anyone can read/write/execute anything from these directories and it becomes a major security concern.
- With /etc/fstab you can limit what can be done in these partitions: if you see 'defaults' beside the /tmp line, remove it and replace it with 'noexec,nosuid'. This will stop any executables from being allowed to run.
- Do the same for /dev/shm and make /var/tmp a shortcut (symbolic link) to /tmp.
Lock down Your Software: PHP, Apache, etc.
- Lock down all applications per the vendor's best practices.
- Use change management and version control procedures for all your software; document all changes to applications and archive previous versions, just in case.
Monitor your Server's Performance
- Keep regular track of the server's normal running speed and bandwidth usage, so you can spot abnormalities.
Watch Out for Unusual Activity
If, while monitoring any of the above, you notice any unusual activity, the server might be compromised. If you're suspicious, check these other ways to tell if a server has been compromised.
Additional Requirements for High And Moderate Risk:
- If the server or its applications and data are classified High or Moderate Risk, you MUST locate the server in a data center.
- Forward logs to a remote log server. University IT Splunk service recommended.
- Monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within 7 days and severity 3 vulnerabilities within 90 days of discovery.
- Deploy Carbon Black [Cb] (formerly Bit9) in high enforcement mode. Review alerts as they are received.
Intrusion Detection/Monitor Activity:
- Intrusion detection software can help identify vulnerabilities, and help establish a timeline in the event of a security incident. OSSEC or Carbon Black [Cb] should be installed.
- Check logs regularly, both automated and manually, to find out about any unusual system activity.
Secure Software Development
- Include security as a design requirement of your applications. Review all code and correct identified security flaws before deployment. Use of static code analysis tools recommended.
Back Up Your Data
- Make regular (at least weekly) encrypted backups of all data; make sure onsite AND offsite backups are kept in a physically secure environment.
Extra Requirements for High Risk:
Dedicated Admin Workstation
- Access administrative accounts only via a Privileged Access Workstation (PAW). This workstation should be dedicated for administrative access to High Risk servers and cannot be used for the same activities as a standard endpoint. Please see the UIT site on Privileged Access Workstations for additional information on PAWs.
- Request a Data Risk Assessment of your data and server needs, and implement recommendations before deployment of any application or server that will access or store High Risk data.
Regulated Data Security Controls
- Data is considered High Risk if it is required by law to be protected. Implement PCI DSS, HIPAA, or export controls as applicable.