Server Policy and Procedures Guide


Last Updated:

Policy statement

This policy concerning server systems and the users of those systems is intended to maintain consistency, assure availability, facilitate disaster-recovery, coordinate technical operations and apply sound security and management practices consistently.  

Purpose:

To secure servers and cloud services


Definitions

Roles  


ISS – Information Systems and Security; SOS – Systems Operations and Security.  The department within Information Resources that is responsible for SUNY Cortland’s servers.

Departmental Technical Contact – the person within a department who is responsible for the operational management of the server and the applications residing on it.  This person must have experience managing servers and the applications on the departmental server, or must attend an appropriate level of server training (at the expense of the user department).

SOS Technical Support Contact – the SOS staff member who is responsible for the technical support of a specific server.

Definitions 


Server – a virtual server, physical server, or cloud service.  The term includes the applications installed on the server within its operating system.


Server Purpose  

The purpose of a server must be documented by the designated departmental technical contact and SOS technical support contact and kept current by the departmental technical contact to reflect any changes.    

The server shall be used only for the documented purpose, and changes in purpose must be agreed to by both parties, the SOS director and the department head.

The purpose(s) of the server must integrate with the overall campus network and server design.  SOS will coordinate with Networking and Telecommunication to assign appropriate Internet addresses and to allow appropriate access through firewalls.

Server Documentation and Service Level Agreement  

Server documentation should include the name of the department head, the departmental technical contact, backup procedure, root-privileged users, life-cycle replacement plan, disaster recovery plan and purpose(s) of the server.   

SOS will document a Service Level Agreement (SLA) by way of a Team Dynamix request correlated to the appropriate asset; the SLA will detail the specific responsibilities of the departmental technical contact and of the SOS technical support contact.  The Assistant Director for SOS, the ISS Director, the Departmental Contact and the Department Chair/Director shall mark their approval in the request.

Server Location and Hardware Standards  

All servers must be housed in the Information Resources data center.  

In most circumstances, servers shall be installed in Information Resources’ virtual environment.    

If dedicated hardware is required, the departmental technical contact must consult with the SOS Assistant Director, or designee, prior to the department’s procurement.  Information Resources has standardized on certain hardware to maximize stability and control, and hardware installed into the data center must comply with these standards.  

Departments utilizing dedicated hardware will be responsible for funding the dedicated hardware’s life cycle replacement, and continuation of warranty service.  

SOS will provide basic hardware support, including working with the vendor on hardware issues.  

SOS will coordinate physical access to the server if needed.  

Server Administration  


Each server must have a designated departmental technical contact. Students will not be allowed to administer a server without permission from the Director of ISS.  

SOS will designate an Information Resources technical support contact for each server.    

SOS will provide only the most basic support for departmental servers.  SOS will facilitate joining the server to the domain, provide an operating system if the server is in the virtual environment, provide power and network connectivity, and provide MDR (managed detection and response).

It is the responsibility of the departmental technical contact to maintain all aspects of the application and administration of the server.  The departmental contact is responsible for being aware of the patching and upgrade guidelines, and for coordinating upgrades at least annually.

Departmental servers shall not run prohibited services, such as IMAP, POP3, SMTP, DNS, WINS, DHCP, or any other service that Networking or SOS deems detrimental to the server or the network infrastructure.

Proposed changes to the server configuration or purpose must be coordinated with SOS through the departmental technical contact and the SOS technical support contact, and must be communicated to SOS in advance of any additions or changes to the configuration.

Each server will have a backup and disaster recovery plan (as well as a life-cycle replacement plan if using dedicated hardware) developed by the departmental technical contact and SOS technical support contact. This plan must be completed at implementation time and is a part of the overall server documentation.  

“Root” access to servers must be established for SOS support staff use. This may be in the form of a single, shared user account.  All servers will be part of the Active Directory domain, and all Domain Administrators will have access to the server via remote services and physical console access.

will establish the necessary bookmarks to expedite access.  

User Accounts  

User accounts on servers should use the same name from server to server and match the user name within Active Directory. Usernames are of the general form firstname.lastname. Accounts not named in this fashion must be documented in the overall server documentation so as to identify the person responsible for the account and its intended use. No anonymous accounts are permitted.

It is the intent of SAWS to develop a common account creation tool for the creation of user accounts. This common tool would maintain a central database of user accounts, names, purpose of each account and expiration date, among other data items.

User accounts on departmental servers shall be subject to the same College “appropriate use” policies as the central systems.  

Security   

All servers must adhere to all Information Resources security policies and SOS security best practices as defined in the Enterprise Information Security Program and the Information Security Standards.  In addition:

Unnecessary services are disabled

Wireless devices are disabled

Windows firewall is enabled with only the necessary ports/services allowed


B. Web Server Best Practices  

No web server shall house any personal information

All web servers must adhere to the server best practices

If running SSL, all web servers will utilize SUNY Cortland certificates from our selected vendor

Web servers will be routinely scanned

Any forward-facing web server (one available to the public) will be routinely scanned, and any scripts such as PHP, ASP, ASP.NET or Perl will be reviewed periodically for code compliance


C. Linux Servers and Appliances  

When possible, automatic updates shall be enabled

Only necessary services should be enabled  


All servers will be routinely scanned for the required configurations.  Routine scans are also conducted to search for sensitive data; reports are reviewed by the Information Security Officer and the deputy security officers.


All servers will be configured to forward events to our SIEM, and will have managed detection and response (MDR) capabilities.


Sanctions  


Violations of this policy and/or other Information Resources policies may result in the server being removed from service.