Medium Level Server Controls
Are all servers supporting the application protected by a firewall from the untrusted network? If no, the server has low level security controls and this must be remedied.
What filesystem type is being used (FAT, NTFS, EXT2)? The file system must support access controls (permissions or ACLs), or the server has low level security controls and this must be remedied. FAT file systems have no access controls.
Is the data stored on a different server than the webserver? If no, the server has low level security controls.
Is the application and database server for the project in a more secure network zone than the web server? If no, the server has low level security controls.
Are servers regularly updated according to the system update policy? If no, the server has low level security controls.
What physical security is provided? Visitors must be escorted and access must be logged or the server has low level security controls.
Are visitors escorted?
Is the server room locked?
Does a sign in/sign out procedure exist?
Is facility access activity logged or recorded?
Do you have a server hardening process in place? It should include:
Turning off all unnecessary services.
Patching the system regularly; is it currently at the latest patch level?
Configuring file, directory, and registry settings so that the file system, directory services, and the registry grant only the minimum rights needed. The application should have the minimum rights required.
Configuring logging to provide information about any security breaches or attacks.
Putting system security policies in place, including auditing policies and system and account password policies with settings for minimum length, complexity rules, and change frequency.
Installing only the software necessary for the system's use, including network protocols (minimum installation).
If no, the server has low level security controls.
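Two of the items above (filesystem access-control support, and turning off unnecessary services) can be checked from host evidence. The following is an added example, not part of the original checklist: it parses a constructed /proc/mounts excerpt and a constructed `ss -ltnp` excerpt and reports any mount whose filesystem type cannot hold access controls and any listener not on an assumed allowlist of approved services.

```python
import re

# Filesystem types with no per-object access controls (the checklist fails FAT).
NO_ACL_FS = {"vfat", "msdos", "fat", "exfat"}

# Constructed sample of /proc/mounts output, not taken from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077 0 0
/dev/sdb1 /srv/app vfat rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""

# Constructed sample of `ss -ltnp` output, not taken from a real host.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      50     0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1337,fd=4))
"""

APPROVED_SERVICES = {"sshd", "nginx"}  # assumed allowlist for this server role

def mounts_without_acls(mounts_text, ignore=("/boot/efi",)):
    """Return (mount point, fs type) pairs whose filesystem cannot hold access
    controls. The EFI system partition is vfat by specification, so it is ignored."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point, fs_type = fields[1], fields[2]
        if fs_type.lower() in NO_ACL_FS and mount_point not in ignore:
            findings.append((mount_point, fs_type))
    return findings

def unapproved_listeners(ss_text, approved=APPROVED_SERVICES):
    """Return (process name, port) pairs for listening services not on the allowlist."""
    findings = []
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        port = int(line.split()[3].rsplit(":", 1)[1])   # local address:port column
        proc = re.search(r'\(\("([^"]+)"', line)          # first process name in users:((...))
        name = proc.group(1) if proc else "unknown"
        if name not in approved:
            findings.append((name, port))
    return findings

def rating(mounts_text, ss_text):
    """'low' if either check fails (as the checklist rates it), otherwise 'medium'."""
    return "low" if mounts_without_acls(mounts_text) or unapproved_listeners(ss_text) else "medium"
```

On the constructed samples the /srv/app vfat mount and the telnetd listener on port 23 are reported, so the host is rated low.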
Is the system operating with antivirus software updated and running?
Is the system backed up daily?
Is the system tested at least once monthly to be sure that lost data can be recovered?
Do all users on the system have their own unique accounts, with no accounts shared between users?
Does the system enforce password policies for password complexity, limits on bad logins, and account lockout?
Is the system checked daily for hard drive space, and are server logs checked?
Are user activities logged and reviewed on the system?
Is someone responsible for the security of the system?
Is host based intrusion detection installed and operating? It should monitor the following areas:
Log/event - A process that watches system and application logs for significant security events.
File integrity - A process that watches key system and application files for unauthorized changes made to them.
Network traffic monitor - Monitors and controls network traffic coming into the protected hosts, looking for traffic that violates security policies or represents a security incident.
System monitor - Monitors the system for overall performance and stability, and watches for rogue, unauthorized processes that an attacker might attempt to run.
Policy compliance - Verifies that the system configuration conforms to defined organizational policies and checks that no changes violating policy have been made on the system.
Is there a server auditing process to ensure security controls are implemented, updates are in place, and monitoring is done properly?
Are system and services configuration settings reviewed by one or more peers at setup and periodically thereafter?