Server Security

  • Pocedure Type: Information Technologies
  • Pocedure Title:  Server Security
  • Pocedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technologies & Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

Objective
In accordance with the Information Security and Acceptable Use Policy, all servers owned or managed by Oakland Community College must be adequately protected to ensure confidentiality, integrity, availability, and accountability of such systems.

Physical Location
Servers must be located in rooms that meet the applicable minimum standards defined in the Procedure for Server Rooms.

Hardware
Servers should utilize server-class hardware and be installed in standard racks when possible. Serverclass hardware is typically characterized by redundant power supplies, RAID disk array, rack mountable, and remote management functions. Use of workstation-class hardware to deliver the services of a
server is not recommended.

Operating System
Operating system software must be licensed and supported to ensure availability of software updates to address known vulnerabilities. For Linux and UNIX, any commercially supported or actively maintained version is recommended.

Naming Conventions
The Server name will include at least the location ID and functional description.

Server and DNS Registration
All servers must be recorded with the IT to ensure accurate inventory is available in the event a security
incident is detected.

All computers must be registered with the Directory Name Service (DNS) network addressing system in order to properly identify devices on the OCC wired network. Servers should use a static address reservation or static address assignment to promote consistent records. Operation of a server on the wireless network is not recommended.

For systems that are Internet-accessible, system owners must file a request for an external IP address with the IT, documenting the open ports necessary the duration of time the access will be needed and the classification of the data being accessed/recorded. Requests are subject to periodic review and renewal if still justified.

Domain Membership
Participation in the Microsoft Windows Active Directory (AD) domain (occnt.ad) allows convenient access to shared resources, ease of authentication, and automated policy settings. When feasible, servers should be joined to the domain. Servers not joined to the domain must have the following
comparable controls applied manually:

  • Operating System (OS) Patch Updates: Automatic installation of the latest patch updates on a monthly basis must be enabled.
  • Access Control: Built-in system accounts, such as Administrator and Guest, should be disabled if not used and must not have blank or default passwords. All users must gain access with unique login credentials and passwords should meet complexity requirements comparable to those required for OCC’s Active Directory.
  • System Logon Banner: The computer must be configured with the College logon banner, as follows:
Use of OCC Information Systems is subject to the OCC Information Security and Acceptable Use Policy. Pursuant to Michigan and Federal law: (1) Unauthorized use is prohibited; (2) Usage may be subject to security testing and monitoring; (3) Misuse is subject to criminal prosecution; and (4) Users have no expectation of privacy except as otherwise provided by applicable privacy laws.
  • Screensaver Lock: The server must be configured with an automatic screensaver lock that requires re-authentication after no more than 15 minutes of inactivity. For systems without a graphical user interface (GUI), an automatic logoff is required after no more than 15 minutes of inactivity.
  • Log Retention: The system must be configured to retain logs for a minimum of 90 days to facilitate troubleshooting and investigations. Logging to a centralized server is recommended to allow event correlation and reduce the local storage burden.
  • Time Synchronization: NTP or similar protocol must be configured to ensure accurate timestamps. The College-provided NTP server is cwtime.occnt.ad.

Software Agents
Servers must run the following agents where compatible:

  • Avamar
  • Windows Server Update Services (WSUS), for simplified patching including 3rd party applications where possible
  • Microsoft System Center Configuration Manager (SCCM) may be used in addition

Software-Based Firewall
Servers should have host-based firewall functionality enabled for additional protection. This firewall should be configured to allow all traffic from OCC monitoring devices and any necessary traffic from internal hosts.

Protocols
Unnecessary network services must be disabled.

Vulnerability Assessment
All servers are subject to periodic vulnerability scans. System owners are responsible for timely remediation of identified vulnerabilities. 

Backups
All servers should be configured for automated backups consistent with the business requirements of recovery time objective (length of time the system can be offline) and recovery point objective (amount of data at risk since the most recent backup, replication, or other data protection event). Stored backups must also meet security protections comparable to the source server. Backup media shipped outside of a physically secure data center must be protected by additional controls such as encryption and lockboxes.

Incident Management
System owners are required to report any suspicious activity to the IT for investigation.

Business Continuity Planning / Disaster Recovery
All mission-critical servers should have a Disaster Recovery (DR) plan for recovery within a timeframe consistent with requirements in the Business Continuity Plan (BCP).

Exemptions
In the event that compliance with this desktop and laptop procedure cannot be met, please contact itsecurity@oaklandcc.edu to submit an exemption request that will be approved or denied by IT. Denied exemption requests may be appealed to the CIO for final decision

Change Log

  • 07-01-2018  Effective date

OCC Logo