Server Security Policy
Version: 1.00 | Issue Date: 12/23/2014
This Server Security Policy is required to provide basic standards for servers and network equipment to keep them secure. The use of this policy will help prevent security incidents, compromise of data, and possible damage to the organization.
Server Security is a very important part of organizational computer security. Most data resides on servers which could be compromised if servers are not properly configured, updated, and monitored. Network access is controlled by various networking equipment so this is also very important to the security of the organization.
This Server Security Policy is intended to provide basic and minimum standards of configuration and control for servers and network equipment.
This Server Security Policy applies to all computer servers and similar equipment owned by the organization or on organizational premises. It covers all servers including DNS servers, file servers, communications servers, mail servers, web servers, DHCP servers, login servers, directory servers, FTP servers, print servers, and any computer that provides services to users. This Server Security Policy also covers networking equipment including but not limited to routers, hardware firewalls, and switches. This policy is effective as of the issue date and does not expire unless superseded by another policy.
All equipment covered by this policy must have administrators to manage the equipment and must therefore have a group that owns or operates the equipment. When a new server is put into service, it must be registered in the Asset Tracking Database according to the Asset Control Policy. There must be a primary and secondary person to contact who can make decisions about the server and perform administrative tasks on the server.
5.0 Other Policies
Policies related to this policy, covering server security, setup, configuration, and maintenance, that must be followed include:
Account Management Policy
Asset Control Policy
Backup and Recovery Policy
Equipment and Media Disposal Policy
Equipment Purchase Failure Prevention Policy
Software Licensing Policy
Software Tracking Policy
Audit Trail Policy
Computer Naming Policy
Patch Management Policy
Server Documentation Policy
Server Monitoring Policy
System Lockdown Policy
Virus Protection Policy
Change Management Policy
Security Incident Response Policy
Development Life Cycle Policy - Provides for proper server configuration, implementation of security controls, and testing as part of project life cycles including server hardening.
6.0 Setup Requirements
The system lockdown policy and associated procedures must be used.
A list of the applications operating on each server, including the operating system type and version, along with the contact information for the administrators, business owners, and managers of each server, must be maintained; it may be maintained in the Asset Tracking Database. All servers must be documented according to the Server Documentation Policy.
Servers must be located in a physically secure environment where access to the facility is logged and unauthorized personnel do not have access. Servers are not allowed to be operated in office areas but must operate in approved areas designated for servers.
All systems must operate current virus protection according to the Virus Protection Policy.
The system must be set up and configured to require login credentials, or another secure and current method of identifying a user together with a valid and secure way of authenticating that user, before access to the system is granted, and it must be protected against unauthorized access.
7.0 Configuration Guidelines
Changes in configuration must comply with the Change Management Policy.
All servers must be hardened and locked down so minimum services are operating according to the System Lockdown Policy.
Servers must be patched for security and other relevant fixes according to the Patch Management Policy and the Change Management Policy.
All systems shall operate current anti-virus programs with regular updates according to the Virus Protection Policy.
All servers must be monitored according to the Server Monitoring Policy.
Access to each server should be limited to only the servers or subnetworks that require it, for each specific service for which access is required. For example, a database server may be accessed by two web servers. The database server should only allow the two web servers to access the database, and no other servers or workstations should be able to access the database.
Service accounts and other accounts should be given the least privileges required to perform the necessary function as specified in the Account Management Policy. Use of full administrative access should not be given unless absolutely required. Administrators should only use accounts with minimum access required to perform their duties and only use their full administrative accounts when necessary.
Avoid use of trust relationships between more than one system since compromise of one system could allow compromise of the trusting system.
Encryption or a secure channel should be used if possible when administrative or privileged access is used to manage systems. In all cases account ID and password must be encrypted using approved current encryption methods and protocols.
Logical access controls are in place to prevent the unauthorized installation of software on any servers. If installation of unauthorized software occurs, it will be possible to determine without a doubt who performed the installation. Therefore the ability to install software and modify the server logs should not be possessed by a single account.
8.0 Logging and Monitoring
Logs must be configured according to the Audit Trail Policy. Events to be logged must ensure that attacks, breaches, and inappropriate use can be detected.
Systems must be monitored according to the Server Monitoring Policy. Any security events must be reported to management, and reported and acted upon according to the Security Incident Response Policy. Events to be reported should include evidence of unauthorized access to accounts or servers, serious abnormalities or performance issues on servers, and port scan attacks that are excessive or appear threatening in some way (there are too many to effectively report all).
Logs with security events must be kept for a minimum of six months and may be kept on backup media in a secure location.
Monthly backups of servers must be kept for at least three years, or longer if applicable laws require it. When new backup devices and media are purchased, a method to restore old backups must be considered.
Auditing by objective persons shall be performed regularly, at a minimum of yearly, to ensure that servers are kept in compliance with this policy especially considering server hardening, virus protection, monitoring, patching, and backups.
Since server security is important for maintaining the security of the organization and preventing damage to the organization and individuals, employees who purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
12.0 Other Requirements
Refer to the Asset Control Policy for requirements for putting equipment into service.
Determine, establish, document, and publish minimum security requirements for all hardware and software including communications, servers, and workstations. Consider hardware security, operating system security, and application programs security. Consider vendor standards and guidelines.
Determine testing to ensure compliance with minimum requirements.
Systems that do not meet minimum security requirements must be approved to be configured in a different manner after assessing the security impact and requiring compensating controls to adjust for any security shortfall.
Access controls should ensure separation of duties in the various server environments (development, QA, production) so operations teams (server administrators) and developers cannot perform each other's duties.
Management must determine how often to use external resources to evaluate the internal controls in the organization.
Approved by:__________________________ Signature:_____________________ Date:_______________