Networked Server Security Guidelines
Effective Date: January 27, 2005
The objective of this document is to provide a guide of best practices for any department or user who has a server on the IU South Bend network. The Internet has become a very malicious environment which, in turn, necessitates stringent security measures to safeguard IU resources and potentially sensitive information. In the event any server is found to be compromised or configured in such a way as to adversely affect the network, IT will disable that server’s connection to the network in order to protect remaining resources. If a server is found to be vulnerable, the server administrator will be given an opportunity to patch/reconfigure the server. This document is an additional resource and does not supersede IU’s policies regarding computing resources.
A server is any computer which processes requests for data or services from another networked computer. These services include, but are not limited to, HTML, print sharing, file sharing, database, application serving and so forth. Workstation operating systems such as NT or Unix/Linux can be configured in such a way as to act as a server. Users may be unaware of the potential risks of the configuration of the computers they are managing/using yet still be affected by IU and IU South Bend computing resource policies.
A server should be secured in a locked room with access limited to authorized personnel. The most effective security mechanism for a room housing a server would be an alarm system with individually- assigned pass codes and logging capabilities. If the room can be accessed by anyone other than the system administrator, the console should remain locked when not in use. (Keep in mind that besides having administrative access if the server were physically stolen the thief would have access to whatever data reside on the system.)
While not a security concern, a room housing a server should have environment controls such as temperature, humidity and power conditioning/backup systems.
A server should be configured with unique user accounts for each administrator as opposed to a single account which is shared by all administrators. Passwords should use a combination of ASCII character types and be of ample length to protect against the abundance of password cracking utilities available today. Password entry should be encrypted. (See password selection guidelines noted below.)
Remote administration should be done only with secure session software such as SSH. All unnecessary software services should be disabled on the server. The greater the number of services running on a server, the more open it is to attack. Security patches should be kept up to date.
IT’s security and systems personnel should be notified anytime a server is brought online, or changed IP address, or whenever a known or suspected system compromise has occurred. These notifications should be emailed to firstname.lastname@example.org.
Password selection guidelines can be found here:
Various IU policies regarding institutional computing resources can be found here: