Best Practices: Servers
The purpose of this document is to provide guidelines for best security practices when installing new servers (or reconfiguring old servers) on the UT Dallas campus network. This document is "OS-agnostic". In other words, the specifics of HOW to implement these practices on a particular Operating System (OS) are left to the technicians responsible for those servers and operating systems. The appendix provides links to off-site documentation which can provide many of the implementation details needed to accomplish the tasks described within this document.
It is not the purpose of this document to provide the information necessary to correctly administer a server. It is assumed that the technicians responsible for implementing these practices are knowledgeable of the operating system they have chosen, the hardware on which it runs and any applications that they intend to install on it. The technician is expected to already have that expertise or to obtain it before administering servers on the UT Dallas network.
The first thing that must be understood about security is that it is not a destination at which you arrive. It is an ongoing, repeatable process that requires attention and expertise. The most highly secured server in the world can become insecure in a matter of weeks if attention to details is not a part of the daily practice of its administrator.
No server should be connected to the UT Dallas network until the following items have been accomplished:
- The OS has been selected and all security patches for that OS have been acquired, either copied to Compact Disk (CD) or available through a local connection that does not require an Internet Protocol (IP) address, such as a Universal Serial Bus (USB) hard drive or zip drive.
- All documentation should be in place (licenses, vendor-supplied documents, etc.) and you should consider securing it in a plastic, lockable bag attached to the server.
- The OS has been properly installed and configured and all relevant security patches have been applied. See the section below on off-site or vendor controlled machines for proper procedures for those special cases.
- All "network application" services not essential to the prime function of the server have been disabled - Hypertext Transfer Protocol (HTTP), telnet, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Domain Name Server (DNS), etc. No services should be enabled unless they have been patched to current levels.
- A secure location has been identified for the server. Servers should never be physically accessible to anyone but the "owners". They should either be in designated server rooms or in locked offices which can only be accessed by the "owners".
- A viable plan has been designed to maintain the server properly, including consistent regular patching of the OS and all applications.
- All passwords must include numbers and special characters and must not be accessible to anyone but the password's owner.
- Servers should not be used as workstations.
Connecting to the Network
- Every server must be registered in the UT Dallas Server Registry.
- Every server must provide information regarding mission criticality, data classification and risk classification in the Server Registry.
- Every server must complete the External IP Request form if seeking a public IP address.
- You should supply accurate contact information to UT Dallas Information Resources for emergencies such as power outages and server break-ins, together with a general description of the server, its purpose and any special requirements or configuration.
- No server should be connected to the UT Dallas network unless it has virus protection in place or it has been determined that it is not necessary for that server.
- Every server should be plugged in to an Uninterruptible Power Supply (UPS).
- Every server should have an appropriate name and a fixed IP address.
- No server should be connected to the UT Dallas network unless qualified personnel are in place to administer the server.
- Only those services necessary to accomplish the task assigned to a server should be enabled. In practice this will mean disabling many services which are enabled by default. The specifics of any particular server are left to the technician to determine, but, for example, a web server may need FTP enabled while it should not allow telnet access (use SSH instead), other unencrypted remote services, RPC services, SNMP services, etc.
- No servers are allowed to run Lightweight Directory Access Protocol (LDAP), Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), Network Information System (NIS+) or a Windows Domain Controller without prior coordination with Information Resources.
- Those services that are enabled should have been patched fully and secured properly before being enabled. Consult the vendor's documentation for proper security procedures for the application in question.
- If the OS provides a stateful firewall (such as ipchains, iptables, ipfw, etc.), it should be enabled and only those ports necessary to allow the server to function should be open. If the OS does not provide a stateful firewall, consider purchasing one.
- Services which should be restricted, such as Secure Shell (SSH), should also have tcpwrappers or a similar program enabled to limit access to authorized personnel only.
- ALL default passwords should be changed immediately. The technician should be thoroughly familiar with the OS and all applications and what the password parameters are for each of them. Consult vendor documentation for the details.
- Passwords should not be written down anywhere. Consider keeping a Pretty Good Privacy (PGP) encrypted list of all passwords on a separate, secure machine.
- Access to administrator passwords should be limited to the smallest number of people necessary to properly maintain the server and access it in case of emergencies.
- Administrator passwords must be changed on a regular basis, meet the password complexity requirements and be changed when administrator personnel changes occur.
- All servers should have access logging enabled.
- Logs should be checked regularly (at least weekly) for unusual access attempts.
- Remote logging (sometimes called syslogging) should be enabled. Consult with Information Resources for the correct hostnames and input parameters.
- Consider obtaining log "sentry" software which notifies the administrator of unusual events by email.
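The weekly log check and the "sentry" idea above can be started with a few lines of shell. The script below is an added example, not part of the UT Dallas document: it runs over a constructed sample of sshd syslog lines (hypothetical host name, user names and IP addresses), counts failed password attempts per source address, flags any source at or above a threshold, and lists successful root logins, which always deserve a human look.

```sh
#!/bin/sh
# Added example (not from the UT Dallas document): a minimal "log sentry" check.
# Constructed sample of sshd lines in traditional syslog format; host, users
# and addresses are hypothetical. A real run would read /var/log/auth.log or
# /var/log/secure (or the remote syslog collector's copy) instead.
SAMPLE_LOG='Mar  3 02:14:07 webhost sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:09 webhost sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  3 02:14:12 webhost sshd[4125]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:15 webhost sshd[4129]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar  3 02:14:18 webhost sshd[4130]: Failed password for root from 203.0.113.45 port 51032 ssh2
Mar  3 03:02:41 webhost sshd[4210]: Failed password for jsmith from 10.0.5.17 port 40211 ssh2
Mar  3 03:02:50 webhost sshd[4210]: Accepted publickey for jsmith from 10.0.5.17 port 40211 ssh2
Mar  3 04:11:02 webhost sshd[4305]: Accepted password for root from 198.51.100.9 port 33004 ssh2'

# failed_logins_by_source: read log lines on stdin, count "Failed password"
# events per source IP. Prints "<count> <ip>" lines, highest count first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD: print only the source IPs with at least THRESHOLD
# failures; these are the "unusual access attempts" worth investigating.
flag_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# root_logins: print the source IP of every successful root login on stdin.
root_logins() {
    awk '/sshd\[[0-9]+\]: Accepted .* for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
         }'
}

# Report on the constructed sample.
echo "Sources with 5 or more failed logins:"
printf '%s\n' "$SAMPLE_LOG" | flag_sources 5
echo "Successful root logins from:"
printf '%s\n' "$SAMPLE_LOG" | root_logins
```

Piping the report into mail gives the email notification the "sentry" bullet describes; a cron entry running it daily or weekly keeps the log review from depending on someone remembering to do it.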
Remote Access to Servers
- If it is determined to be necessary, remote access to servers should be highly restricted.
- The use of encryption for remote access is not optional. SSH and Virtual Private Network (VPN) should be used.
- Remote host access should be limited by single IP or by the smallest IP range possible.
- Special attention must be given to remotely accessible machines. Host-based intrusion detection should be installed, logging should be increased, accounts on the server should be limited to responsible administrators only and the server should be syslogged.
Off-site and Vendor-Controlled Equipment
- Vendor controlled equipment includes special instrumentation (such as mass spectrometers, electron microscopes, specialized medical equipment, etc.), application software that requires a certain Service Pack or patch level and cannot be patched to current levels, Food & Drug Administration (FDA) approved equipment which cannot be altered in any way without losing FDA approval and similar types of equipment where the vendor or some other non-UT Dallas entity controls what patching may be done to a server.
- Owners of vendor controlled equipment should consult with UT Dallas Information Resources regarding their special needs before connecting to the network.
- Consideration should be given to both internal and external threats to the server, especially for equipment that falls under the guidelines of the Health Insurance Portability and Accountability Act (HIPAA) or T.A.C. §202.
- UT Dallas Information Resources should be notified if students, staff or faculty will need to gain access to these types of equipment using their NetID accounts.
- Compliance with all Federal and State guidelines affecting equipment used for research funded by grants must be determined and verified.
- UT Dallas password policies should be maintained for any accounts on the server.
- Best practices for both the operating system and the applications on the server should be followed as much as is practical, within the constraints the vendor has defined.
Below are links to suggested reading:
Operating System Best Practices
- Automated Security Self Assessment Tool
- CERT Guidelines for Unix Configuration
- Microsoft Security Tools
- Mac OS X Server Administration Guide
- NIPC - Password Protection 101
- NIPC - Seven Simple Computer Security Tips
- RedHat Enterprise System Administration Guide
- SANS - Top 20 Vulnerabilities
- SANS - Information Security Knowledgebase
- Solaris 10 System Administration Collection
- UrlScan Security Tool For IIS