OFFICE OF TECHNOLOGY SERVICES

Guidelines and Standards

Server Security

The following is the minimum set of security standards required for all servers on the Towson University (TU) campus network.

General Obligations

Users and system administrators of servers are subject to the Guidelines for Responsible Computing published on the campus web site.

Antivirus Software

All servers at TU must be running the latest version of anti-virus software. System administrators will ensure that:

  • The software runs at startup
  • Updates are installed automatically as they are made available
  • A system scan for viruses is run at least once a month

Passwords

Use strong passwords to ensure that only authorized users can access the system. Passwords must be changed whenever someone who has access to a server leaves. All passwords must meet the following requirements:

  • Minimum of eight characters in length
  • Must not be a dictionary word
  • Must not be related to the individual, such as a spouse's or child's name or a significant date
  • Must not be written down anywhere
  • Must be changed every 45 days or less
  • Must not be included in any electronic mail message

Change a password immediately if you suspect someone else may have guessed it.

Physical Security

All servers must be secured at all times to prevent theft and loss of critical data. They must be housed in rooms that require access by a biometric or card-swipe device. Room keys may be used temporarily until one of the approved methods is in place. Keys to servers must be secured and stored away from the server to prevent unauthorized personnel from tampering with the device. Physical access to servers must be limited to system administrators or those responsible for maintaining the server.

Remote Access

Remote dial-in access to servers at TU is disabled and not authorized. Use of remote access software such as PCAnywhere is not authorized on server systems. Access to servers is limited to encrypted remote logins over VPN. No Telnet access is allowed.

System Logging and Monitoring

System activity logging is enabled on all servers. All syslog information will be sent to a centralized syslog server and monitored by information security personnel. Nagios may be used by server administrators to monitor server systems.

Server Accounts

Lock or remove all unnecessary accounts. All servers must authenticate every system user. Guest accounts on servers must be disabled. System administrators must use complex passwords and must change them frequently.

Banners

A banner text must be displayed at all server system authentication points where initial user logon occurs.

Encrypted Authentication

All servers should use only encrypted authentication mechanisms. Services such as FTP, SNMP, POP and IMAP must be replaced by their encrypted equivalents.

Confidential Information

All sensitive data used or stored on a server must be protected. Observe the following:

  • Encrypt sensitive and confidential information where appropriate.
  • Monitor printers used to produce sensitive and confidential information.
  • Overwrite sensitive files on fixed disks, floppy disks, or cartridges.

Software

Software is protected by copyright law. Unauthorized copying is a violation of University Copyright policy. Anyone who uses software should understand and comply with the license requirements of the software. The university is subject to random license audits by software vendors. Personal software may not be installed on any server.

Print and File Sharing

Enabling file and print sharing on a server can spread viruses. Turn off all file and print sharing capability on servers that do not exist to provide it. Use only dedicated file servers for shared data storage and only dedicated print servers for shared print services.

Software Patching and Updates

All security patches and updates must be automatically installed as made available from the vendor. All server patches and updates should be reviewed by system administrators prior to installation.

User Accounts

All computers using the TU campus network must be authenticated. To log in to any computer on campus, a username and a password are required. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device. All university-affiliated passwords shall meet or exceed the password requirements above. Guest accounts will be disabled on all servers.

Host-based Firewall/Intrusion Prevention Systems (HIPS)

For best protection, the use of a host-based firewall and intrusion prevention system is recommended. The current McAfee product available under MEEC includes limited firewall and IPS capability. The use of HIPS technology will reduce the need to patch servers.

Unnecessary Services

Servers must run only necessary services. All non-critical services must be disabled and vulnerabilities eliminated.

Backups

All servers must be backed up at least weekly to tape and the copies stored off-campus. Additional copies may be stored at another campus location for quick retrieval.


Information Security Office
Office of Technology Services
Cook Library, 4
Hours: Monday - Friday, 8:30 a.m. to 4:00 p.m.
E-mail: infosec@towson.edu



© 2012 Towson University. Last Updated: Friday, June 24, 2011
Towson University • 8000 York Road • Towson, Maryland • 21252-0001 • 410-704-2000