it.ucsf.edu

Servers

Policy Type

Best Practice

Properly securing a server requires an understanding of many components as different servers have different functions. They may contain different information, provide different services, have diverse networking environments, etc.  Here are some guidelines for strengthening overall server security.

Ways to strengthen server security

  1. Patch the operating system, applications, and any additional features (add-ins) with the most recent patches.
  2. Install and regularly update anti-virus software.
  3. Monitor the server for change.
  4. Understand what applications are running.  Research proper installation, common mistakes, common vulnerability problems, and if possible subscribe to the vendor or developer email list to keep on top of changes.
  5. Network Services
  6. Users and passwords
    • Do not allow generic userIDs on the server, such as user, anonymous, and administrator. If the accounts are needed rename them if possible.
    • Change administrator passwords regularly.
    • Each administrator should have their own userID.  The administrator account should only be used when absolutely needed
    • Require a password for any and all userIDs.
    • Remove or disable default user accounts.
    • Set and enforce password standards (if not using the centralized UCSF authentication service).
  7. Encourage users to log off of the (server) application if they no longer need access, or will be away from their workstation for prolonged periods of time.  If possible and appropriate set the user session to either log out or force re-authentication after the session has been idle for a while.
  8. Protect files on the server with appropriate permissions.
  9. Maintain an audit log of all server activity. Review the log on a weekly basis.
  10. Backupthe server daily. For those servers with high transaction activity, also take incremental backups on a regular basis during the day.
  11. Physical Security
    • Secure the server so that it cannot be physically damaged.
    • Locate critical servers in a locked room with card access entry, if possible.
    • Lock the server/desktop screen when unattended.
    • Set a screen saver to automatically turn on and lock the server screen in case someone forgets to do it manually.
  12. When a third party works on the server, always monitor the work being done.
  13. Setup and utilize two factor authentication on systems that have or use the restricted information such as (but not limited to) PHI, PII, PCI, FERPAIntellectual Property, Confidential Security Information, etc. For more information, contact the IAM team at IAM-Team@ucsf.edu
  14. Request a vulnerability scan from ITS Security & policy (S&P).
  15. When you suspect there is a security issue, contact ITS Security & policy (S&P).

Resources:

Connecting Web Servers to the Internet

Information Security Checklist