About this requirement
Date of last update: 04/15/2024
Requirement Statement
The College of Arts + Sciences has a diverse collection of research, teaching, administrative, and center-based servers, both physical and virtual, to support our vast research and administrative efforts. The school is committed to following all IU computing policies and industry best practices for server management, including:
- Guidelines in IT-12 Security of Information Technology Resources and IT-28 Cyber Risk Mitigation Responsibilities will be followed on all systems.
- An assessment of the nature of the data being stored on the server will be made and appropriate actions taken to secure all Institutional Data (Critical/Restricted/University-Internal) per IU regulations.
- Anti-virus software will be used on all servers for which appropriate tools are licensed by IU.
- Systems housing Institutional Data (Critical/Restricted/University-Internal) will be located at the Data Center (preferably as II VMs) and be subject to the UITS hardware firewall.
- All systems will run host-based firewalls (e.g. Windows Firewall, Linux iptables, etc.) with as limited a scope (ports and source IP addresses) as possible to accomplish the required task.
- Systems that allow logins from non-IU IP space will be configured to automatically deny all access from hosts that repeatedly attempt and fail to log in.
- Accounts and access will be limited to what is required; authentication will be against the IU AD servers using IU passphrases; and accounts will be promptly disabled when people leave IU.
- Administrator/root accounts will never be used for daily tasks that do not require elevated access. All requests for administrator privileges will be fully vetted and approved, and the permissions granted will be limited to the required tasks.
- Supported operating systems will be chosen for their reliability, maintainability, and security.
- Whenever possible, automated techniques (e.g. SCCM for Windows, CASPER/JAMF for Apple, and Kickstart for Linux) will be employed to allow for quick and uniform deployment of systems.
- Whenever possible, operating system patches will be managed and monitored from a single, central location using tools like SCCM (Windows), RHN (Linux), and Casper (Mac). Security-related software updates are applied as soon as is practicable (following the 24/48/72 hour standard outlined in IT-12 Security of Information Technology Resources).
- All system log data required by IT-12 Security of Information Technology Resources will be collected, stored centrally, reported, and reviewed.
- Authentication will only be allowed using mechanisms that encrypt user credentials.
- The transmission of any critical data over the network will be done via encrypted channels (e.g. SMB v3 with encryption for Windows file servers).
- Professional College IT Staff will be properly trained in both industry best practices and IU policies.
In addition, server management is guided by these other Luddy IT policies:
- External vulnerability scanning will be performed and problems mitigated per College IT Requirement: Vulnerability Scans.
- System logging will be performed per College IT Requirement: Server Logging
- Systems will be inventoried and tracked per College IT Requirement: Hardware and System Inventory
- Appropriate server platforms will be selected per College IT Requirement: Virtual Machines and Physical Servers
- An assessment will be made of the most secure IP addressing per College IT Requirement: Public IP Addresses
- Systems will be disposed of in a secure manner per College IT Requirement: System and Media Disposal
- Any security breaches will be handled appropriately per College IT Requirement: Incident Response
- Backups will be performed per College IT Requirement: Backups
- Hosted web services will be managed per College IT Requirement: Web (Pending Content)
- Any system not being managed by the College IT Research, Infrastructure, and Support will be managed per College IT Requirement: Administrator Access and Co-Support
- Disaster recovery and business continuity plans will be maintained per College IT Requirement: Disaster Recovery and College IT Requirement: Business Continuity
Exceptions to Requirement
None
Procedures
New servers will be configured using the Server Setup Procedure and Checklists. (Information Pending)
References:
- IU Policy Office: Cyber Risk Mitigation Responsibilities (IT-28)
- IU Policy Office: Appropriate Use of Information Technology Resources (IT-01)
- IU Policy Office: Information and Information System Incident Reporting, Management, and Breach Notification (ISPP-26)
- IU Policy Office: Security of Information Technology Resources (IT-12)
- Server Setup Procedure and Checklists
