Standards for Connecting and Administering Servers to the University Network

Introduction

The purpose of this document is to introduce the set of standards that are required to adhere to for the operation within the University at Albany's network. This document is not designed to be all-encompassing, but provides general requirements.

Server Definition

A server can be virtual or physical, that offers services to other network systems. This includes networked printers, mobile devices, desktops, laptops, virtual machines, and Internet of Things (IoT). Each server must be actively administered by a system administrator who must adhere with these standards. Servers found to pose an active threat to University assets will be subject to remediation steps as determined by the Information Security Office (ISO).

Virtual System Definition and Standards

Virtual system has the same standards as the physical systems. The caveat here is that virtual systems need to have further considerations on risk management.

1. Access to the hypervisor is strictly restricted. Virtualization software, such as hypervisors, represents a layer of privileged software that can be attacked and therefore must be protected.

2. The potential loss of separation of duties for administrative tasks can lead to a breakdown of the defense in-depth approach. Role definition and separation of duties must be properly planned for in a virtual environment.

3. Patching, signature updates, and protection from tampering for production, as well as offline, VM and VM appliance images needs to be accounted for.

4. Virtualization can result in limited visibility into the host operating system and virtual network to find vulnerabilities and assess system configurations (e.g., file integrity checking, log inspection).

5. Likewise, virtualization can limit the view of inter-VM traffic for inspection by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

6. Security tools for virtual environments may not provide the same level of visibility and protection as they do for physical systems.

7. Business processes and policies must be applied when defining the organizational roles and responsibilities for processes and authorities within the virtualized environment.

UAlbany Network Server Standards

1. The server must be registered in the NetReg with ownership and contact information provided.  Servers must be labelled or identified as a server in Netreg.

2. The server must be managed by at least one system administrator.

3. The server must be running a supported operating system as well as the latest approved patch.

4. Patches must be evaluated and applied in a timely fashion by the system administrator.

5. The server must be configured in a secure manner. 

6. If the server holds Category 1 data, it must meet all applicable regulatory requirements. Learn more about the University's Data Classification Standard.

7. Only properly licensed software must be run on the server.

8. The server or service must not interfere with any UAlbany Enterprise services (e.g., DHCP, DNS).

9. The network services provided by the server must be configured to be accessible from the minimum set of systems and networks as determined by the server's business or academic requirements.

10. The system administrator must continuously monitor and remediate any security issues. The University provides Tenable Vulnerability Management as a solution. Learn more about the University's Vulnerability Management. For more information on vulnerability management, please contact the ITS Service Desk. 

Process of Requesting a Connection to the UAlbany Network

The process of requesting a connection to the UAlbany network usually involves submitting a ticket through footprints to the network services team. In this ticket you must specify what server and how many, the type of connections you need (one management copper, two data uplink fiber, DAC, etc). You also need to include the VLAN you need to be connected to for various connections.

Prepping a Server for the UAlbany Network

1. Verify that the computing needs are not already met by existing UAlbany ITS or departmental servers.

2. Assign a system administrator team to setup, maintain, and monitor the server.

3. Take appropriate precautions during the installation of a server and/or software.

4. Consider the physical environment and access of the server in regard to security.

5. Install a supported version of the OS and service(s).

6. Perform and validate backups and archives.

7. Enable logging for server(s) and service(s).

8. Disable default accounts and sample scripts; change any default passwords.

9. Only activate/operate needed services. Any unnecessary ports and services turned on by default must be disabled.

10. Restrict network access.

11. Setup secure methods of authentication.

12. Configure administrator level accounts to be compliant with the University's Privileged Access Standard.

13. Employ file integrity checks on system and configuration files.

14. Designate your server as a server system in NetReg by indicating it so in the comment box.

Prepping a Virtual System for the UAlbany Network

When considering virtualization, it's crucial to address risks associated with software layers like hypervisors and the nuances of virtual environments, such as patch management and visibility issues. The same number of steps are applied as if it was a physical server.

Maintaining UAlbany Server Services and Security

1. Review service logs and backup logs regularly.

2. Periodically review running services and evaluate the continued needs for those service(s) and server(s).

3. Keep abreast of security issues and patches of product. 

4. Apply vendor/community provided updates regularly for the OS and applications.

5. Regularly monitor and maintain all user accounts.

6. Maintain current registration information in NetReg.

7. Manage the server End-of-Life processes appropriately.