
ITS Standards

Introduction

The purpose of this document is to identify a set of standards that server systems must meet in order to operate on the University at Albany's Network. This document is not intended to impart all knowledge required to operate or secure a server, but rather identify topics of concern common to most if not all System Administrators and the server systems they manage.

What is a Server?

Any machine which intentionally has services open to other computers is considered a server. It is also presumed that each server will be actively administered by a system administrator, who should ensure that the server complies with the University at Albany Server Standards outlined below. Please note that any services which are open on a computer create potential security problems and in general, should only be run on a designated server system.

Virtual Systems
All the standards initially developed for physical systems apply with equal force to virtual systems. In addition, there are two requirements unique to virtual machines that system administrators must comply with. System administrators who decide to employ virtualization should acquaint themselves with the key areas related to risk management which are identified in the section entitled: Preparing a Virtual Server for the UAlbany Network.

UAlbany Network Server Standards

In order to run a server system on the UAlbany Network the following standards must be met:

1. The server must be accounted for in NetReg with ownership and contact information clearly indicated.
2. The server must be managed by at least one system administrator(1).
3. The server should be running a current(2) operating system as well as a current version of the service.
4. Patches(3) should be evaluated and applied in a timely fashion by the system administrator.
5. The server should be configured in a secure manner(4).
6. The server owner must respond to Server Inventory notices and indicate whether the system holds protected data(5).
7. If the server holds protected data(5), it must meet all applicable regulatory requirements.
8. Only properly licensed software should be run on the server.
9. The server or service must not interfere with any UAlbany Enterprise services (e.g., DHCP and Wi-UAlbany).
10. Virtual Systems: If different data sensitivities are involved, protection applicable for the highest sensitivity must be applied to all processes on the server.
11. Virtual Systems: Access to the hypervisor environment should be isolated from regular production access and be strictly limited in terms of network ports, source systems, and personnel, employing a range of safeguards to prevent unauthorized intrusion.

Preparing a Server for the UAlbany Network

Procedures for running a server on the UAlbany Network
1.1 Verify that your computing needs are not already met by existing UAlbany ITS or departmental servers.
1.2 Assign a system administrator to set up, maintain, and monitor the machine.
1.3 Take appropriate precautions during the installation of a server and/or software.
1.4 Check environmental and physical controls.
1.5 Install a current version of the OS and service(s).
1.6 Perform and validate backups and archives.
1.7 Turn on logging.
1.8 Disable default accounts and sample scripts.
1.9 Only activate/operate needed services.
1.10 Restrict network access.
1.11 Set up only secure methods of authentication.
1.12 Use strong pass phrases for administrator-level accounts.
1.13 Employ vulnerability scanning and file integrity checks.
1.14 Designate your server as a server system in NetReg.
1.15 Certify compliance with these Standards in the Campus Server Inventory.

Preparing a Virtual Server for the UAlbany Network

The following key areas relating to risk management should be taken into account when considering virtualization.
1.16 Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and therefore must be protected.
1.17 The potential loss of separation of duties for administrative tasks can lead to a breakdown of the defense-in-depth approach. Role definition and separation of duties must be properly planned for in a virtual environment.
1.18 Patching, signature updates, and protection from tampering for production, as well as offline, VM and VM appliance images need to be accounted for.
1.19 Virtualization can result in limited visibility into the host operating system and virtual network to find vulnerabilities and assess system configurations (e.g., file integrity checking, log inspection).
1.20 Likewise, virtualization can limit the view of inter-VM traffic for inspection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
1.21 At present, security and management tools for virtual environments are considered immature and incomplete.
1.22 Business processes and policies should be applied when defining the organizational roles and responsibilities for processes and authorities within the virtualized environment.

Maintaining Services & Security on a UAlbany Server

Staying Connected, Ongoing Maintenance
2.1 Review service logs and backup logs regularly.
2.2 Periodically review running services and evaluate the continued need for those services/server(s).
2.3 Apply vendor/community provided updates regularly for both the OS and applications.
2.4 Regularly monitor and maintain all user accounts.
2.5 Maintain current registration information in NetReg.

Additional Information:

Below you will find links to various sites containing information about secure configurations, scanning tools, patches and updates for various operating systems and software. Some patches and updates may only be available if you have a support contract.

Microsoft Products

 

Microsoft Windows OS and Software

http://www.microsoft.com/security

UNIX Operating Systems

 

Mac OS X

http://www.apple.com/swupdates

Solaris

http://sunsolve.sun.com/

AIX

http://ibm.com/security

FreeBSD

http://www.freebsd.org/security/

NetBSD

http://netbsd.org/Security/

OpenBSD

http://openbsd.com/security.html

Linux Operating Systems

 

Debian

http://www.us.debian.org/security

Gentoo

http://www.gentoo.org/security/en/index.xml

Red Hat

http://www.redhat.com/security

Slackware

http://slackware.com/security/

SuSE

http://www.suse.com/security

Ubuntu

http://www.ubuntu.com/usn

Virtual Systems

 

Centre for Protection of Nat'l Infrastructure: Security Considerations for Server Virtualization

http://www.cpni.gov.uk/Docs/tn-01-09-security-server-virtualisation.pdf

Scanning Tools

 

Nmap - Free Security Scanner For Network Exploration & Security Audits

http://insecure.org/nmap/

Nessus - Vulnerability Scanner

http://www.nessus.org/

Security Standards and Information

 

The Center for Internet Security

http://www.cisecurity.org/

NYS Office for Technology

http://www.oft.state.ny.us/policy/

US-CERT

http://www.us-cert.gov/

National Security Agency

http://www.nsa.gov/snac

SANS Institute: Top 20 Vulnerabilities

http://www.sans.org/

Preparing a Server for the UAlbany Network: Details

1.1 Verify that your computing needs are not already met by UAlbany ITS or departmental servers.

Before you decide to undertake the task of installing, configuring, securing, and operating your own server on the UAlbany network, check that the services you require are not already being serviced by Information Technology Services, or your own department's server systems. Your department's Technology Coordinator should be able to assist you in this.

1.2 Assign an administrator to the machine

In today's quickly changing world of Information Technology, someone must be assigned to properly manage a server. Their responsibilities include keeping up to date with security issues and assuring the system's availability and reliability. This individual must be responsible for keeping the system up to date and taking any precautions necessary to maintain a secure system, otherwise the system may quickly fall victim to some form of attack.

1.3 Take appropriate precautions during the installation of a server and/or software

Unfortunately in today's computing environment, by the time installation media reaches you from the manufacturer, it may already be vulnerable to a known and available exploit. As such, we suggest that when setting up a new server you do so in a protected environment. This will allow you to download patches but it does not expose you to would-be hackers looking for your machine. Consider the use of a hardware firewall, automated installation using patched media, or installation of the server system and/or software and any required patches "off-line."

1.4 Check Environmental and Physical controls

When configuring a server system, it is important to consider the location of the server. A server must have a location which will not only provide the appropriate power and cooling, but also provide a means for physically securing the server. In order to ensure the security of the data contained on the server, the machine itself must be secured. This can best be accomplished by housing servers in a separate “server room” with restricted access by key or ID card. Otherwise, potential attackers who have physical access can simply walk away with your sensitive data. Generally, any machines which are in public areas should not be considered physically secure.

1.5 Install a current version of the OS and service(s)

If you are using an operating system or software which is no longer supported by a vendor or community effort, your servers may have several known and un-patched exploits and vulnerabilities.

If you absolutely need to run an old OS or software for some reason, virtualization, a private IP address, or a hardware firewall may be the best solution.


If a server is found to be exploited due to the use of an old OS or Software, the machine will not be allowed back onto the network until the OS and/or software is upgraded and/or the device is logically or physically isolated from the public network.

1.6 Perform and check backups and archives

No server system can be complete without backups. Not only are they good as a matter of practice but they can be vital in restoring the security and data integrity of a damaged or compromised server system. In the event that a machine is compromised you may have no choice but to revert to previously backed up copies of various data. As such it is important that each server have a backup schedule and that backups are tested on a regular basis to ensure the process is successful.

1.7 Turn on logging

In order to effectively monitor the security and integrity of your server, you should enable reasonable logging of events. Logging of server activity, including but not limited to Internet traffic, can show patterns of activity and identify abusers of your server, allowing you to take action to deny service to those abusers. Additionally, once you have a baseline for "normal" events, you can identify anomalies which could be linked to a compromise of your server.

1.8 Disable default accounts and sample scripts

Any account you have on your system is a potential doorway for intruders to walk right in. Default accounts give the attacker the advantage of knowing where the door is. Disabling default accounts gives you a little extra security and is a good precaution. Most modern operating systems do not install default exploitable accounts, however, several software packages do. An example is Oracle, a database product that installs several default accounts and passwords which must be changed before the server is exposed to the Internet. Also note that software may contain sample scripts or test configurations which are not designed for production use. These should be disabled and/or removed before the server's configuration is complete.

1.9 Only activate/operate needed services

Every service you run on a server is another administrative layer that carries its own potential vulnerabilities and security issues. If you are not using a running service, you are unnecessarily exposing the machine and increasing your workload. The last thing you want is to have your server hacked because of a service you weren't even using. Keep an eye out for default services which may be running on a newly installed system, or come with newly installed software. Often these services need to be configured so that only the appropriate personnel are using them.

1.10 Restrict network access

Consider the use of a firewall or host-based filtering software. A vendor provided firewall provides you with an extra level of security by allowing you to restrict access to those ports you open. Similarly, host-based filtering software such as ipfilter and tcpwrappers can assist in ensuring that only those machines that have legitimate reasons for connecting to the server will be given access.

1.11 Set up only secure methods of authentication

Currently, authentication comes in many flavors: something you know (e.g., password), something you have (e.g., RSA token), or something you are (e.g., fingerprint). Systems that employ more than one of these use multi-factor authentication. No matter which one you choose, make sure that you use it securely. Even secure authentication needs to be maintained or it ceases to be effective.

Passwords:
The most common type of authentication, passwords offer the advantages of being free and easy to set up. However, in order for passwords to be secure they should follow these guidelines:

· They should not be used over insecure protocols (e.g., telnet, FTP, HTTP). If you use passwords over these protocols, they are not secure. The passwords are sent in plain text over the network to reach their destination. Use secure protocols for password authentication such as ssh.

· You should use complex passwords or long pass phrases for all accounts. Simple passwords are vulnerable to guessing and dictionary attacks.

· Keep your password confidential. The only value your password has is its confidentiality; once that is compromised, it is worthless.

ID-Card/SmartCard:
Cards which contain integrated circuits capable of authentication can be purchased from various security companies. As with biometric identification, the cost and use of such systems should be weighed against the need for security.

Biometric Identification:
Various biometric identification systems are available which use a variety of methods to authenticate an individual.

1.12 Strong pass phrases for administrator level accounts

In order to keep your services secure, you have to be certain that only those authorized have access to administrator accounts. Administrator accounts have access to anything on the server and if an administrator account is compromised it is very serious.

The use of a pass phrase is suggested where possible*. This is due to the simple fact that the longer your authentication credential is, the more difficult it is to crack. A pass phrase is a set of words at least 20 characters in length. Titles, lyrics, and lines from a poem all work as pass phrases.

The advantage to a pass phrase is its length. It can be made even more secure by using special characters, numbers, and capitalized letters. The end result is a pass phrase that is easy to remember and has better security features by virtue of its length than a shorter, complex password.

*Some systems truncate passwords/pass phrases at eight characters, reducing the security of the password/pass-phrase, so verify that the system you are using supports pass phrases if you plan on using them or recommending them to your users.

1.13 Vulnerability scanning and file integrity checks

In today's connected environment, routinely scanning your servers helps you to better understand running services and potential problems that they may present. There are many tools available for scanning a server. Two popular Administrator tools for the network scanning of your server are Nmap and Nessus. Both allow you to identify open ports/running services so that you can audit those running services and be aware of what should be running on your server. Nessus goes one step further in that it is a penetration testing utility that attempts to identify vulnerabilities and offers information on closing those vulnerabilities. (You can find links for these tools in the “Additional Information” section of this document.)

In addition to network scans you should also consider the use of file-integrity checking software. There are several products in this arena and each Administrator will have to find one that suits their needs. It is vital that one regularly check the integrity of system data as even the most well-managed machine may one day be exploited. Depending on the nature of the attack, file integrity checks may be the only way to detect the intrusion. Examples of such software include but are not limited to:
Tripwire - http://www.tripwire.com/
Veracity - http://www.rocksoft.com/veracity/
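
The following sketch shows the baseline-and-compare cycle that file-integrity checkers are built around. It is an added example, not code from Tripwire, Veracity or UAlbany ITS; the function names, the use of SHA-256 and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Record hash and permission bits for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the monitored tree
            rel = os.path.relpath(full, root)
            mode = os.stat(full).st_mode & 0o7777
            state[rel] = {"sha256": hash_file(full), "mode": mode}
    return state

def compare(baseline, current):
    """Classify differences between a stored baseline and the current state."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in common
                               if baseline[p]["mode"] != current[p]["mode"]),
    }

def demo():
    """Build a constructed sample tree, baseline it, alter it, and compare."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work, "srv")
        root.mkdir()
        for name, body in [("httpd.conf", "Listen 443\n"),
                           ("index.html", "<h1>ok</h1>\n"),
                           ("old.cgi", "#!/bin/sh\n")]:
            (root / name).write_text(body)
            (root / name).chmod(0o644)
        # The baseline is stored outside the monitored tree.
        baseline_path = Path(work, "baseline.json")
        baseline_path.write_text(json.dumps(snapshot(root)))
        # Constructed changes: one edit, one deletion, one new file, one chmod.
        (root / "httpd.conf").write_text("Listen 443\nListen 8080\n")
        (root / "old.cgi").unlink()
        (root / "new_script.sh").write_text("#!/bin/sh\n")
        (root / "index.html").chmod(0o755)
        return compare(json.loads(baseline_path.read_text()), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline on read-only or off-host storage: a baseline the monitored server can write to can be rewritten along with the files it describes.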

1.14 Designate your server as a server in NetReg

Designating your system as a server allows us to take the extra steps necessary in notifying you of a problem if your system is ever exploited. This will allow us to more quickly get in touch with you to resolve the situation, minimizing exposure and disruption of services.

1.15 Certify Compliance with these Standards in the Server Inventory

You MUST certify that you are compliant with these standards in the campus Server Inventory. Failure to do so will result in your system being removed from the University's network.

Maintaining Services & Security on a UAlbany Server: Details

2.1 Review service and backup logs regularly

Unless system and backup logs are reviewed regularly they have no value as a detective control. Additionally, if you review your service logs regularly, you may be able to stave off an attack or notice a weak point in your security before it becomes a problem. Making sure that your backups are completed successfully is vital to assuring that you have the ability to restore any critical data.

2.2 Periodically review running services and evaluate the need for those services/server

It is vital that you periodically evaluate the actual need for running services and/or servers. If a service is no longer being used and you cannot see a reason for that service to be running, stop it. It will be one less thing to worry about and one less point of attack on your server system. If a server is no longer required, shut it down. It is natural to neglect a server that no users are actively utilizing. Unfortunately, this makes your server a prime target for hackers seeking to exploit un-patched and unattended machines.

2.3 Apply vendor/community provided updates regularly

Installing a current OS is great, but if you do not keep up with vendor/community provided updates, your system will quickly become insecure again. Most vendors and online communities provide methods to install updates. Please see your vendor/community's documentation for details.

2.4 Regularly monitor and maintain all user accounts

A crucial part of maintaining a server's security is maintaining its accounts. Once an account is no longer needed it should be removed or disabled so that it does not provide an access point into the server. Additionally, it is also helpful to regularly audit users on the machine to see if there are accounts that were never authorized as this could be a sign of a security breach.
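
One way to run the account audit described above on a UNIX-style system, as an added example that is not part of the original standard: it parses passwd-format text and reports accounts that can still log in but are no longer needed or were never authorized. The account names, the authorized and departed lists, and the sample file are constructed for illustration.

```python
# Shells that prevent interactive login; an empty shell field means /bin/sh.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in /etc/passwd format (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
asmith:x:1001:1001:A. Smith:/home/asmith:/bin/bash
jdoe:x:1002:1002:J. Doe:/home/jdoe:/bin/bash
svcadm:x:0:0::/home/svcadm:/bin/sh
tempuser:x:1003:1003::/home/tempuser:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd-format text into a list of account records."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "shell": shell})
    return accounts

def audit(accounts, authorized, departed):
    """Return (account, finding) pairs for accounts that need review."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        can_log_in = acct["shell"] not in NOLOGIN_SHELLS
        # A second UID 0 account has full administrator rights under another name.
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        if can_log_in and name in departed:
            findings.append((name, "no longer needed, still enabled"))
        elif can_log_in and name not in authorized:
            findings.append((name, "not on authorized list"))
    return findings

def demo():
    """Audit the constructed sample against constructed review lists."""
    return audit(parse_passwd(SAMPLE_PASSWD),
                 authorized={"root", "asmith"}, departed={"jdoe"})

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```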

2.5 Maintain current NetReg registration information

NetReg requires an annual renewal of a system's UAlbany network registration. Keeping the information up-to-date ensures that we have the right contact listed for the server you are maintaining. It also ensures that you will be contacted as soon as possible if we detect a possible problem.

1) A system administrator in this context is defined as an individual who is in charge of the setup, maintenance and ongoing operation of a computer or other networked server.
2) The term "current" is used to define an Operating System and/or Service which is maintained by either a vendor or community to ensure that identified vulnerabilities or performance issues are dealt with in a timely manner.
3) Patches refer to any updates available for the Operating System and Software installed on the server system.
4) "Secure manner" refers to the procedures outlined in the "Preparing a Server for the UAlbany Network" section.
5) "Protected data" refers to any data which falls under regulatory requirements such as, but not limited to, HIPAA, FERPA, GLBA, and the NYS Information Security Breach & Notification Law.


Last Review: February 2010