Security Best Practices
Introduction
Perimeter Best Practices
Server Best Practices
Personal Computer Best Practices
Introduction
This document presents the highest priority and most frequently
recommended security best practices for the WSU network perimeter,
servers, and personal computers. These practices address elements of
information security; policy, procedure, people, and technology, all of
which are necessary for deployment of a successful security process.
These best practices are a means, through a threat-management-based
approach, to ensuring the survivability and security of critical
information assets.
Information security is a responsibility of everyone in the university
community. Creating, enforcing, and regularly reviewing security best
practices and guidelines are the responsibilities of CaTS. Perimeter,
Server, and Personal Computer best practices will complement each other
to ensure comprehensive management of vulnerabilities and threats.
Perimeter Best Practices
Strategy
The overall position of perimeter security will be "deny all / allow only" for incoming traffic, i.e., everything not explicitly permitted will be prohibited.
Security Architecture and Design
A layered security architecture approach, utilizing perimeter controls
and authentication in conjunction with controls on internal devices,
will be used to provide the most effective means of protection for
university resources.
The use of fault-tolerant (redundant) devices and software is
recommended, whenever possible. This will result in configurations with
lower risk and higher reliability than those with single points of
failure at any level.
Services
Perimeter controls will restrict network services based on security
considerations and the role of the server, department, or zone.
All university servers will be registered with CaTS. Devices using
wireless or modem communications will not be permitted to provide server
functions.
Authorization
System administrator access will be as required. Only authorized system
administrators will have read/write accounts on perimeter devices; i.e.,
only system administrators will be allowed to schedule tasks, move or
delete logs, maintain software, or change configurations on perimeter
devices.
End user access to data within the perimeter will be permitted or denied
by applicable server-level controls.
System and Network Maintenance
Network topology documentation will be kept current and available to
authorized personnel. Access to this documentation will be restricted.
Proposed changes in perimeter device configuration that are related to
the security of the university will be reviewed by the Security Team
before implementation.
Thorough change management practices, including but not limited to
documentation, impact assessment, advance scheduling, and communication
of outages, will be adhered to when changes are made to the perimeter
configuration.
Operating systems and system software on devices in the perimeter will
be kept current. Maintenance addressing security and functionality
upgrades will be applied in a timely manner and any planned outages will
be communicated, in advance, to the CaTS Help Desk.
Malicious Code
Perimeter devices will be protected from malicious code (viruses, worms,
Trojan horses, etc.) by the use of virus detection software, where
appropriate. As new vulnerabilities are identified, detection software
will be updated to address them as soon as possible.
The integrity of all installed software will be checked on a regular
basis. Unused, unsupported, or unauthorized software will be removed.
Audit/Logging
Appropriate system and network logging, monitoring, filtering, and
analysis tools will be used on perimeter devices to inspect and audit
overall network traffic and significant events.
Logging from perimeter devices will be written to a central server. Logs
will be reviewed regularly. Particular attention will be paid to
noteworthy events such as failed login attempts, unusual traffic, and
changes to configurations. Events that warrant action will be addressed
according to the university incident response process. Logs will be
retained in compliance with the university record retention policy.
Backup/Recovery
Backups of both software and data will be performed on a regular basis.
Backup copies will be stored on removable media or on remote hardware.
Restoration procedures will be tested periodically.
Data Security
Data encryption and virtual private network technologies will be used to
prevent unauthorized access to critical data in transit, particularly
that which is protected by law.
All data will be erased from the disks and memories of retired or
discarded systems prior to their disposal or transfer.
Authentication
Unique username/password combinations will be used to authenticate all
authorized users to perimeter devices. Passwords used to gain perimeter
access will adhere to all university password policies. Usernames and
passwords will be transmitted via secure protocol so that no clear-text
passwords are visible on any connection. System administrator usernames
and passwords will, at minimum, comply with all of the above.
Authentication will be validated by a trusted source.
Physical Security
Access to perimeter devices will be controlled with physical controls,
where required.
Server Best Practices
Definitions
The following definitions serve to clarify terms used throughout this document:
Server - the hardware platform upon which services run
Service - a computer program that awaits and fulfills requests from other programs
Client - a computer program that requests and awaits information from a service
Strategy
It is important to define the functionality of each server in order to
properly outline its security stance. Server security should be defined
by the provided services, the ports required by these services, and the
intended audience. The audience can be defined as a department, the
university as a whole, or even the entire Internet. Once the services,
ports, and audience are understood, functionality and access can be
limited according to those requirements.
Services
Many operating systems install a host of network services by default.
These network services should be pared down to only the services needed
for the server’s role as mentioned in the previous section. Once only
the needed services are running, access to the server should be limited
to just the ports used by said services.
A server that provides services to internal Wright State departments
should not be visible to the Internet as a whole.
Authorization
Server access should be limited according to the audience.
Administrative access to the operating system should be as limited as
possible. Remote administrative access should be limited to restricted
network addresses. Each system administrator should have their own
unique login. Administrative passwords should, at a minimum, adhere to
all university password policies.
Accounts of users who are not currently authorized university affiliates
should be disabled in a timely manner.
System Management
Operating system patches related to security issues should be applied in
a timely manner. Whenever possible, these patches should be applied in
the defined maintenance window. In some instances, a vulnerability with
a high likelihood of exploit may need immediate patching for protection.
In the case of these emergency patches, updates may be made outside of
the maintenance window.
Malicious Code
All servers should have virus detection installed. Whenever possible,
virus definitions should be automatically updated. Virus scanners should
provide both on-access and on-demand scanning. The use of additional
utilities is recommended to help system administrators identify if a
system has been compromised and what the intruder might have changed.
Audit/Logging
All administrative and end user logins should be logged on both success
and failure. All services (for example, httpd) should be logged. Logs
should include the IP address of the remote system connecting to each
server. Logs should be reviewed on a regular basis and should be
retained according to the record retention policy.
Backup/Recovery
All servers should be backed up on a daily basis so that the maximum
data loss, in the event of disaster, is limited to one day. Recovery
procedures will be tested on a regular basis.
Data Security
Protected data, such as student information or Social Security numbers,
is covered by legislation (FERPA, ECPA, etc.) and should be available
only to users with a valid need-to-know. To protect such data from
disclosure in the event of unauthorized server access, further security
measures that obfuscate protected data are highly recommended.
Authentication
All usernames and passwords being used to authenticate administrative
and end users to servers should be sent using a secure channel so that
no plain-text passwords are visible on any connection. Passwords used to
gain server access should adhere to all university password policies.
Physical Security
Access to servers will be controlled with physical controls, where
necessary.
Personal Computer Best Practices
Definitions
The following definitions serve to clarify terms used throughout this
document:
User - any person making use of a system which interfaces with or is
attached to the Wright State University network.
System - any personal computer (laptop or desktop), PDA, appliance,
specialized equipment or any other device which interfaces with or is
attached to the Wright State University network.
Services
Do not use peer-to-peer networking on your machine. This includes
opening local shares utilizing the built-in networking of your operating
system as well as popular software such as Kazaa.
Do not enable server software on your computer such as a web server on
your system.
Any system service that is not necessary should be disabled or uninstalled.
Do not install or run any software unless you trust the source. This
includes scripts or macros, attachments in e-mail, as well as software
delivered via a web browser.
System Management
All modern operating systems and software packages require patches
and/or updates for security vulnerabilities, product flaws, etc. WSU
requires that any computer attached to its network be kept up to date
with patches/updates released. It is suggested that operating system
patching be automated to check for and install available patches at
least once a day. Users of advanced applications such as database
services should check for and install patches/updates at least weekly.
Any system found to be delinquent on patches/updates will be subject to
possible disconnection until the system is brought into compliance.
Before any new system is placed onto the WSU network it must be brought
up to date on operating system patches and updates.
Malicious Code
Systems must be protected against infection and/or compromise by a
worm/virus or other malicious software, installation of software
containing spyware, or by hacker activities.
All systems connected to the WSU network should run an active, on-demand
virus scanning package that is scheduled to regularly update with the
most recent virus definitions.
Backup/Recovery
Wherever possible, data should be stored on the provided network storage
drives. All locally stored information should be regularly backed-up to
removable media and stored in a safe location.
Authentication
Username and passwords used to access Wright State University resources
should not be shared. It is also suggested that your WSU username and
password not be used for other sites/resources. Change your password
periodically.
Userid/password combinations should not be stored on (or “remembered”
by) your personal computer.
Local machine guest accounts should be disabled.
Physical Security
Systems should be physically secure. Offices should be locked when
necessary and systems should be powered down/logged off when
unsupervised. A screen-saver with a password challenge should be enabled.
Modems should not be installed on any system.