Minimum Server Security Requirements
Want to set up a server on campus? In accordance with ISU policy, the server needs to meet the following minimum security requirements:
1. Check computing devices at least weekly for compliance with respect to all available operating system and application service packs, patches and hotfixes.
If the computing device requires an initial setup or installation, this must be done without the computing device having direct access to the Internet. Many computing devices can be compromised before they are fully installed and patched if they are connected directly to the Internet without some form of protection.
2. Whenever user accounts can be created as a means of granting access to a computing device, such accounts must be created, with a unique, non-generic account given to each user needing access. Verify at least once each semester that all users (and especially those users with administrative rights) have strong passwords. Disable default anonymous or generic accounts.
This is often required by law if the system houses sensitive data.
3. Ensure that account permissions provide sufficient access to perform job functions and no more. Check at least once during each semester that users have only the access permissions they need to do their job.
If the computing device contains sensitive data that could be used for identity theft, this is required by law.
4. Provide physical security:
Computing devices with sensitive information should be kept behind locked doors or in locked cabinets with access limited to only those individuals who have a legitimate need for access.
When there is no one working at or with a particular computing device, access to the device should be restricted by either locking the device away, logging out, or "locking" access to the console and keyboard so that a password or key is required to regain access.
The room where a computing device with sensitive data is used should be arranged so that unauthorized individuals cannot see how the device is accessed (combinations, passwords, etc.) and cannot easily view the screen when sensitive data is being displayed.
Written evidence of user IDs and passwords should not be left lying around.
5. Implement backup procedures:
Securely store all original installation media and license keys.
Create and maintain regular daily backup copies in encrypted format (see #9 below) of at least the data files on the computing device.
Include some form of secure storage of backup media at a location owned and maintained by Idaho State University but physically separate from the location where the computing device being backed up resides.
Create and maintain a current emergency repair disk if possible.
Test your restore procedures at least weekly to verify that backups are valid and restorable.
6. Use and maintain up-to-date anti-virus software and daily virus definition updates.
7. Disable any unnecessary services.
Computing devices such as personal computers and servers often come with many default services enabled (such as e-mail). In many cases you do not need these services and they should be disabled.
Computing devices that can attach to a network also make use of communication “ports,” many of which could become the path used by an attacker to gain unauthorized access to your system. You should block access to unneeded ports on your computing device. The most common blocking method used is a local firewall.
8. Enable security logging on all computing devices that provide logging capabilities. Scan the security logs on a daily basis looking for anomalies.
In certain cases (such as for systems containing sensitive information) this may be required by law.
9. Store all Private Sensitive Information in an encrypted format using, at a minimum, a key length of 16 bytes (128 bits).
This is often required in order to comply with various regulatory mandates.
AES is the recommended algorithm.
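One way to check requirement 7 on a Linux server, as an added example that is not part of the ISU policy: compare the listening sockets reported by `ss -H -tuln` against the services the server is meant to offer. The sample output and the allowlist are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      64           0.0.0.0:2049      0.0.0.0:*
"""

# Assumption: the only (protocol, port) pairs this server needs to offer.
ALLOWED = {("tcp", 22), ("tcp", 80)}


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -H -tuln`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or unexpected line
        addr, _, port = fields[4].rpartition(":")  # 5th column is Local Address:Port
        if port.isdigit():
            yield fields[0], addr.strip("[]"), int(port)


def is_loopback(addr):
    """True only if the socket is bound to a loopback address."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # "*" or an unknown form: treat as network-reachable


def audit(ss_output, allowed):
    """Return sorted (proto, port, addr, scope) for listeners not on the allowlist."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        if (proto, port) not in allowed:
            scope = "loopback" if is_loopback(addr) else "network"
            findings.add((proto, port, addr, scope))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, scope in audit(SAMPLE_SS_OUTPUT, ALLOWED):
        print(f"unneeded listener {proto}/{port} on {addr} ({scope}): disable or block")
```

Listeners marked "network" are the ones to disable or block at the local firewall first; "loopback" entries are unneeded services that are not reachable from other hosts.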