Security Best Practices - System Administration

  1. Document and understand the system, application, and technical environment for which you are responsible. Without proper documentation it is not possible to properly assess security requirements.
    1. Examples of technical information that should be documented:
      1. Server name and IP address
      2. The operating system
      3. Hardware vendor
      4. Purpose
      5. Services running
      6. Application software
      7. Data classification and security requirements
  2. Utilize security analysis tools or baseline security tools
    1. Run the Windows Security Configuration and Analysis tool using the security template for the role the server will play, e.g., for a Domain Controller you would use securedc.inf.
    2. In lieu of baseline analyzers or other security tools, utilize baseline reference documents such as those provided by the Center for Internet Security -
    3. CaTS also maintains security baselines for several supported operating system types that should be considered and applied.
  3. Apply vendor-supplied fixes necessary to repair security vulnerabilities.
  4. Request that the Information Security department scan the system for security vulnerabilities using available technical tools, e.g., NexPose:
    1. When new servers are deployed
    2. After a significant upgrade is performed to the operating system
    3. After a significant upgrade is performed to the application
  5. Repair discovered vulnerabilities
    1. Vulnerabilities should be patched as soon as possible, i.e., in the first available maintenance window.
    2. In situations where applying patches directly to production systems is a concern, the patches should be applied to a test environment as soon as possible to resolve those concerns. After testing has been completed, the patches should then be applied to the production environment. Serious vulnerabilities may require putting mitigating controls in place during the testing phase.

       Vulnerabilities that cannot be repaired due to compatibility issues affecting the stability of the system must have mitigating controls put in place (for example, network access controls or system-level controls). Such vulnerabilities and the measures taken to mitigate them should be documented.
  6. Install and maintain anti-virus software when available for a given operating system
    1. Update virus definitions on a daily basis or schedule daily automatic updates
  7. Remove unneeded services and software
  8. Stay abreast of technology security issues affecting operating systems and application software for which you have responsibility
  9. Follow adequate access control methods
    1. Limit access to only authorized persons
    2. Assign accounts only to individuals - no group accounts
    3. Use different passwords for privileged accounts, such as root and administrator, on different systems maintained by the same individual
    4. Whenever possible, work as a non-privileged user. Use privileged accounts only for tasks that require elevated capabilities
  10. Follow adequate procedures for user passwords
    1. Reference the Password Management Policy
  11. Maintain adequate system logs. Where possible:
    1. Audit successful logins, including the location from which the logins originated.
    2. Audit and alert on unsuccessful logins, including the location from which the attempts originated
    3. Audit unsuccessful file accesses
    4. Audit the use of administrative privileges with operating system settings or tools such as sudo
    5. Ensure that all logs are routinely backed up
    6. Keep logs for a minimum of 30 days, unless otherwise required by compliance standards or regulation
    7. Consider sending logs to a central logging server. Contact CaTS for additional information.
  12. Limit access to IT resources to local network addresses where possible
  13. Provide technicians adequate time and resources to allow them to secure IT resources
  14. Immediately report any successful or attempted security breach at the following site:
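As an added example (not part of the original checklist or any CaTS tool) of the log auditing asked for in item 11 and the local-address rule in item 12, the following Python script reads constructed Linux auth-log lines, records successful logins with their source address, counts failed attempts per source and alerts above a threshold, records sudo use, and flags logins from outside an assumed local range (10.20.0.0/16); the sample lines, the threshold and the local range are assumptions.

```python
"""Audit login and privilege-use events from Linux auth-log lines (checklist items 11 and 12)."""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines (sshd and sudo syslog format); not real data.
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2210]: Accepted publickey for alice from 10.20.0.15 port 51522 ssh2
Mar  3 08:03:40 web01 sshd[2254]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 08:03:44 web01 sshd[2254]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 08:03:49 web01 sshd[2254]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  3 08:10:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 08:12:30 web01 sshd[2301]: Failed password for bob from 198.51.100.9 port 50211 ssh2
Mar  3 08:12:35 web01 sshd[2301]: Accepted password for bob from 198.51.100.9 port 50211 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
SUDO = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.+)$")

def audit_auth_log(lines, local_nets=("10.20.0.0/16",), fail_threshold=3):
    """Summarise logins, failed attempts per source and sudo use, and build alerts.
    local_nets (an assumed value) is the set of ranges treated as local for item 12;
    fail_threshold is the failed-login count per source that raises an alert."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    successes, failures, sudo_uses, alerts = [], Counter(), [], []
    for line in lines:
        if m := ACCEPTED.search(line):          # item 11.1: successful login + source
            method, user, src = m.groups()
            successes.append({"user": user, "source": src, "method": method})
            if not any(ipaddress.ip_address(src) in n for n in nets):   # item 12
                alerts.append(f"{user} logged in from non-local address {src}")
        elif m := FAILED.search(line):          # item 11.2: failed login + source
            _user, src = m.groups()
            failures[src] += 1
        elif m := SUDO.search(line):            # item 11.4: privileged command use
            invoker, tty, target, cmd = m.groups()
            sudo_uses.append({"invoker": invoker, "tty": tty, "target": target, "command": cmd})
    for src, n in failures.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins from {src} (threshold {fail_threshold})")
    return {"successes": successes, "failures": dict(failures),
            "sudo": sudo_uses, "alerts": alerts}

if __name__ == "__main__":
    report = audit_auth_log(SAMPLE_LOG.splitlines())
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

In practice the same parser would run over lines shipped to the central logging server mentioned in item 11.7, so that the 30-day retention and the alerting live in one place.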