This document provides a set of best practices to help ensure an acceptable level of security across campus in terms of confidentiality, integrity, availability, and mutual authentication.
Throughout this document the term "server" is used to mean a combination of the hardware, operating system, network service, application software, and network connection.
Learn about your system
- Read appropriate security bulletins available from the vendors
- Subscribe for security bulletins from vendors and security advisories
- Understand each security issue with relevance to your configuration and environment
- Routinely monitor the IT website for updates and announcements
Define critical hosts
A critical host is a machine which, if compromised, could significantly harm the University including, but not limited to: reputation damage, interruption of a critical task, disclosure of confidential information, and legal liability. For example, any machine that may contain confidential data, medical records, payroll information, students transcripts, social security numbers, etc. "What are you trying to protect?" is a good question to ask before defining critical hosts.
Update anti-virus software
Anti-virus software is available to University faculty, staff, and students at no cost. It is important to develop appropriate virus detection and eliminate the threat for servers.
Automatic updates to anti-virus software is essential to ensure new viruses are caught in a timely systematic fashion. It is a systems administrator's responsibility to ensure anti-virus definitions are up to date.
ePolicy Orchestrator (ePO) is a tool from McAfee allowing centralized management of antivirus software. Antivirus packages for desktops and servers can be installed and updated remotely, virus definition files updated on demand, routine or emergency virus scans scheduled, and security settings adjusted from a single location. ePO works with the McAfee corporate antivirus packages as well as those from Symantec. A small software package is installed on client machines, and those clients then contact an ePO server for antivirus software and updates.
IT Services maintains a central ePO server on campus. Departments can request access to that server, and use it to maintain antivirus packages on their department-owned machines. There is no charge for this service at this time. Alternatively, the ePO software is available to departments through the Iowa State/McAfee site license.
For more information on ePolicy Orchestrator, including setting up a departmental site on the IT Services ePO server, contact firstname.lastname@example.org.
- Use lengthy smart passwords (minimum length enforced)
- Make it for you to remember and hard for others to guess
- Use non-dictionary words
- Never store password as plain text or write it down on a paper
- Configure password-aging feature
- Use shadow password feature
Configure only essential services
- Maintain your servers with the minimum necessary services and packages
- Install only essential components, which are required for running the services and applications
- Remove any extra service running on your server
- Offer only essential network services and operating system services on the server machine
- Close unused TCP/UDP ports
- "Deny first, then allow"
- Remove old accounts
- Do not provide more access to system resources than the user needs
Update your systems
- Patch, patch and re-patch
- Learn about the patches before applying them
- Remember to patch after a rebuild
- Apply the latest service packs
- Install latest updates and vulnerability hotfixes
- Make sure to update applications, not only operating systems
Protect your systems from spyware
Spyware and adware pose security, privacy and productivity risks. It is important to keep your system protected from such malicious programs and protect your servers (where possible) with appropriate anti-spyware tools.
Use a firewall
A firewall is considered a high-risk network device. It helps you govern the network traffic to and from your network, needs monitoring in real time, and serves as a primary line of defense against external threats. Make sure to document any change made to the firewall configuration.
Define secure access policy
- Configure computers for user authentication
- Configure servers with appropriate object, device and file access controls
- Configure server for secure remote administration (VPN providing encryption and secure authentication)
Physically protect your servers
- Allow only appropriate physical access to computers
- Do not leave console logged in at any point of time
- Configure "time out" feature on your console system
- When you are away, system administrator console should be locked
Ensure data security and integrity
- Encrypt sensitive data where possible and needed
- Replace insecure programs with secure ones
- Avoid storing clear text passwords and private keys
- Securely remove data from storage media
Monitor your system
- Read your log files (hackers read them too)
- Use Log Analyzer
- Scan your systems periodically using appropriate tools (scan, evaluate, update, correct, and re-scan)
- Enforce access control rules for users / user restrictions
- Remove old accounts from machines
Document configurations and disaster recovery
- Document any changes in the system configuration
- Document (in steps) a disaster recovery plan and share it with your IT staff
Have a backup plan
- Make sure you have a tested backup strategy
- Keep your plan up to date by at least annual evaluation
- Train operators that work with you (if any)
- Plan for the worst, this should be part of disaster recovery plan
- Test the backup media, replace it if it needs replacement and don't take risks
- Identify what data needs to be backed-up (prioritize the data)
- Data should be backed up at least once a day, other data might need more frequent back-ups per day
- Backup media should be kept in a secure locked storage to prevent theft or tampering with stored data