Medium Level Server Requirements

  1. All servers supporting the application must be protected by a firewall from the untrusted network.
  2. A file system that supports system access controls must be in use.
  3. The data must be stored on a different server than the webserver.
  4. The application and database server for the project must be in a more secure network zone than the web server.
  5. Servers must be updated regularly according to the system update policy.
  6. Physical security must be provided.
    1. Visitors must be escorted.
    2. The server room must be locked.
    3. A sign in/sign out procedure must exist.
    4. Facility access activity must be logged or recorded.
  7. A server hardening process must be in place, including:
    1. Turning off all unnecessary services.
    2. Patching the system regularly with the latest patches.
    3. Configuring file, directory, and registry settings so that the file system, directory services, and the registry grant only the minimum rights required. The application should have the minimum rights it needs.
    4. Configuring logging to provide information about any security breaches or attacks.
    5. Putting system security policies in place, including auditing policies and system and account password policies that specify minimum length, complexity rules, and change frequency.
    6. Installing only the software necessary for use on the system, including network protocols (minimum installation).
  8. The system must operate with antivirus software updated and running.
  9. The system must be backed up daily.
  10. The system must be tested at least once monthly to confirm that lost data can be recovered.
  11. All users on the system must have their own unique accounts and accounts may not be shared by users.
  12. The system must support password policies for password complexity, limit of bad logins, and account lockout policies.
  13. Hard drive space and server logs must be checked daily.
  14. User activities must be logged and reviewed on the system.
  15. Someone must be responsible for the security of the system.
  16. Host-based intrusion detection must be installed and operating, monitoring the following areas:
    1. Log/event monitoring - A process that watches system and application logs for significant security events.
    2. File integrity - A process that watches key system and application files for unauthorized changes made to them.
    3. Network traffic monitoring - Monitors and controls network traffic coming into the protected hosts, looking for traffic that violates security policies or represents a security incident.
    4. System monitoring - Monitors the system for overall performance and stability and watches for rogue or unauthorized processes that an attacker might attempt to run.
    5. Policy compliance - Verifies that the system configuration conforms to defined organizational policies and checks that no changes violating policy have been made to the system.
  17. A server auditing process must be in place to ensure that security controls are implemented, updates are applied, and monitoring is done properly.
  18. System and services configuration settings are reviewed by one or more peers at setup and periodically thereafter.
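As an added example of the file-integrity component in item 16 (not code from the requirements document itself), a baseline-and-compare check: it records a SHA-256 digest and the permission bits of every regular file under a directory, then reports files that were added, removed, or modified since the baseline. The directory tree, file names, and changes in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def _digest(path):
    """SHA-256 of the file contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file (path relative to root) to its digest and permission bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets and devices
                baseline[os.path.relpath(full, root)] = (_digest(full), stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Classify drift since the baseline; a permission change alone counts as a modification."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }

def _write(path, text, mode=0o644):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)  # set explicitly so the result does not depend on the umask

def demo():
    """Constructed scenario (not from the document): baseline a small tree, alter it, report drift."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    _write(os.path.join(root, "etc", "app.conf"), "debug=false\n", 0o640)
    _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
    _write(os.path.join(root, "etc", "motd"), "welcome\n")
    baseline = build_baseline(root)
    # Simulated unauthorized changes: edit a config, loosen permissions, delete and add files.
    _write(os.path.join(root, "etc", "app.conf"), "debug=true\n", 0o640)
    os.chmod(os.path.join(root, "etc", "hosts"), 0o666)
    os.remove(os.path.join(root, "etc", "motd"))
    _write(os.path.join(root, "cron.sh"), "#!/bin/sh\n", 0o755)
    return compare(baseline, build_baseline(root))
```

In practice the baseline would be stored off-host or on read-only media, since an attacker who can alter the monitored files can otherwise alter the baseline too.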