Information Security Policy Server Security

EDINBURGH NAPIER UNIVERSITY
ELECTRONIC INFORMATION SECURITY POLICY
Server Policy

1. Introduction

Edinburgh Napier University’s policy is that information it manages shall be protected against the
consequences of breaches of confidentiality, failures of integrity or interruptions to the availability
of that information to authorised users. For information security to be effective it requires the
participation and support of all Edinburgh Napier University staff, students and other persons who
have access to its information technology.

Information security at the University is governed by its Electronic Information Security Policy
which consists of an Overall Policy and a number of subsidiary policies which can be found in the
following locations:

Staff: go to the “Information Security Policy” page within the C&IT Services section of the Staff
Intranet.

Students: go to the “Information Security Policy” page within the C&IT Services section of the
Student Portal.

This subsidiary policy covers the security of all servers in the University. It is the responsibility of
every information technology user to know these policies, and to conduct their activities
accordingly.


2. Scope

The purpose of this policy is to state clearly the University’s policy for the base configuration of
server equipment that is owned and/or operated by Edinburgh Napier University. Effective
implementation of this policy will minimise unauthorised access to University information and
technology, and will secure services against being subverted for use by unauthorised parties, possibly
in attacks on other servers at other sites.

This policy applies to server equipment owned and/or operated by the University, and to servers
registered under any University owned internal network domain. This policy is specifically for
equipment on the internal University network.




Document and State: Server Security Policy – draft version 1.5
Created by James Archbold
Last Modified 18/11/2010
3. Policy

Before connecting a server to the network, you must consider the following:

      • Check with Edinburgh Napier University, C&IT Services to see if they already offer the
        services you need on existing infrastructure and can host and manage the server on your behalf
        to save time and cost.
      • Check that you need a dedicated server for your particular requirements.
      • To run this server yourself you will be required to carry out the following as a system
        administrator:
            o Ensure the server is fully protected and fully patched.
            o Anti-virus/anti-spyware installed and up to date – all Windows servers must be
              registered by C&IT Services.
            o Back up the system regularly.
            o System logs maintained and backed up.
            o Run automated security checks.
            o Restrict access to only those users who require the service.
            o Maintain software/hardware licences where required and keep all software up to date.

Management and Responsibilities

      • All internal servers deployed at the University must be managed by a system administrator.
        Approval must be obtained from the School/Director of Service or equivalent, who will be
        responsible for the server’s system administrator.
      • Approved server configuration guides must be established and maintained by each
        operational group, based on business needs.
      • System administrators must monitor configuration compliance and implement an exception
        policy tailored to their environment. Each system administrator must establish a process for
        changing the configuration guides, which includes review and approval by C&IT.
      • Servers not managed by C&IT Services must be registered with C&IT Services using the
        registration process available from C&IT Support. At a minimum, the following information
        is required to positively identify the point of contact:
            o Completed Server Registration Request form sent to C&IT Support.
            o System administrator contact and location, and a backup contact.
            o Hardware and Operating System/Version with licence details.
            o Anti-virus/anti-spyware implemented (licensed software available for Microsoft
              Windows servers).
            o Main functions and applications, if applicable.

System Configuration

      • The system administrator must review the purpose or role of the server.
      • Operating System configuration must be in accordance with approved C&IT Services
        guidelines.
      • Remove or disable unnecessary services, applications, and sample content.
      • Configure server user authentication and access controls.
      • Access to services must be logged and/or protected through access-control methods.
      • System administrators must provide relevant logfile extracts to C&IT staff when this is
        required in order to investigate incidents involving suspected misuse of the system.
      • The most recent security patches must be installed on the system as soon as practical by
        the system administrator, the only exception being when immediate application would
        interfere with business requirements.
      • Trust relationships between systems are a security risk, and their use must be avoided. Do
        not use a trust relationship when some other method of communication will do.
      • Do not use the default admin/root account when a non-privileged account with the minimum
        access possible can be used.
      • Test the security of the server application (and server content, if applicable).
      • Ensure the department’s general Business Continuity Plan covers this server/service.
      • Maintain backups and operational continuity.
      • Request a network-based vulnerability scan from C&IT Services.
      • Report any security issues immediately to C&IT Services when necessary.
      • All administrator accounts will be assigned a password of a minimum of 8 characters, which
        must be unique and conform to the password section of the User Policy:
        Staff: go to the “Information Security Policy” page within the C&IT Services section of the
        Staff Intranet.
        Students: go to the “Information Security Policy” page within the C&IT Services section of
        the Student Portal.
      • Users possessing Admin/Administrator/root rights will be limited to trained members of the
        C&IT staff only or the department system administrator of the server.

C&IT Services support for system administrators:

      • Advice on the selection of appropriate software and its configuration in order that a
        reasonably secure service may be provided.
      • Advice on the procurement and installation of any update patches which may be required
        from time to time in order to keep the server operating securely. This may include the
        provision of a local repository of patches for common software products.
      • Security auditing of individual servers at the request of the system administrator.
      • Assistance in the investigation of any compromise of the server, and advice on the
        restoration of the service following a compromise.

Physical Security

      • At the very minimum, servers must be located in a secure area that is locked when not
        occupied. Access to physical consoles must be restricted to prevent interference with
        server configuration or software.
      • Remote access to servers for the purposes of system administration must use only
        approved secure protocols.
      • Servers providing public access services must be located in the campus computer room if
        possible, which provides a safeguarded mains power supply as well as a secure physical
        environment.

User Access Security

      • All accounts must be set up to conform to the University Information Security Policy – User
        Policy. To view the User Policy:
        Staff: go to the “Information Security Policy” page within the C&IT Services section of the
        Staff Intranet.
        Students: go to the “Information Security Policy” page within the C&IT Services section of
        the Student Portal.
      • Assigning security equivalences that give one user the same access rights as another user
        will be avoided where possible.
      • Users’ access to data and applications will be limited to those who require the service.
      • Access for users will be provided using the University centralised authentication process where
        possible.


4. Monitoring & Logging

Edinburgh Napier University will monitor network activity. C&IT Services will proactively consider
reports from JANET Computing Emergency Response Team (JANET CERT) and other security
sources and take action and/or make recommendations that maintain the security of Edinburgh
Napier University’s Information Security.

For full details on monitoring please refer to the Monitoring and Logging Policy, which can be
found in the following locations:

Staff: go to the “Information Security Policy” page within the C&IT Services section of the Staff
Intranet.

Students: go to the “Information Security Policy” page within the C&IT Services section of the
Student Portal.

5. Guidelines
For guidelines on information security check the Edinburgh Napier University intranet pages:

Staff: go to the “Information Security Policy” page within the C&IT Services section of the Staff
Intranet.

Students: go to the “Information Security Policy” page within the C&IT Services section of the
Student Portal.



