This page contains standards for servers in compliance with UCF security policies and best practices. These standards describe what departments should be doing to protect computer systems against attack and loss of data.

Server Standards

Windows Server Standards

  • Servers must be in physically and environmentally controlled locations
  • All restricted data must be stored on NTFS partition
  • Change passwords or disable all default accounts
  • Turn off all unnecessary services, such as SMTP, NTP, Simple TCP/IP Services, etc.
  • Shared folders must have unique permissions for individual users
  • System administrator must be on security mailing list(s) and apply fixes and upgrades in a timely manner
  • Create and protect emergency repair disks
  • Turn on auditing, such as account logging – failed and successful
  • Review security event logs on a regular basis
  • Turn off auto run for CD-ROM
  • Monitor the audit logs
  • Clock synchronized to a central UCF time server. UCF Time Servers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • Disable floppy disk drives
  • Enable audits of backups and restores
  • Restrict anonymous logon
  • No null user sessions should be allowed
  • Rename the administrator account
  • System administrator must actively monitor for probes or attacks, and alert the Security Incident Response Team
  • Establish procedures and guidelines for responding to incidents. See Security Incident Response Plan

Unix Server Standards

  • Servers must be in physically and environmentally controlled locations
  • E-mail to postmaster@ and root@ go to a real person
  • NFS shares are not exported to the world
  • Change passwords or disable all default accounts
  • Remove /etc/hosts.equiv
  • No accounts with null passwords
  • Edit /etc/inetd.conf (or equivalent) to remove all unnecessary services. Specifically disable: uucp, systat, netstat, echo, discard, daytime, chargen, sprayd, rexd, finger, ftp, telnet, etc.
  • System administrator must be on security mailing list(s) and apply fixes and upgrades in a timely manner
  • Run the latest version of sendmail. You may consider using Postfix, Qmail, or Exim
  • Use SSH or Kerberos instead of telnet or rlogin
  • .rhosts files removed nightly by a script
  • Rotate logs and accounting files (/var/adm/{acct,pacct}, /etc/wtmp) to keep a few weeks' worth online (/usr/lib/newsyslog)
  • Clock synchronized to a central UCF time server. UCF Time Servers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • Configure sendmail to deny relaying, EXPN, VRFY, and DEBUG
  • Mount all user partitions and /tmp and /var with “nosuid” option
  • Install tcp-wrappers to help control and log access
  • Install/run identd to help determine source of problems
  • Use tripwire or other IDS package to detect changes to important files
  • System administrator must actively monitor for probes or attacks, and alert the Security Incident Response Team.
  • Establish procedures and guidelines for responding to incidents. See Security Incident Response Plan

Linux Server Standards

  • Servers must be in physically and environmentally controlled locations
  • NFS shares are not exported to the world
  • Change passwords or disable all default accounts
  • Remove /etc/hosts.equiv
  • No accounts with null passwords
  • Edit /etc/inetd.conf (or equivalent) to remove all unneeded services
  • System administrator must be on security mailing list(s) and apply fixes and upgrades in a timely manner
  • Run the latest version of sendmail. You may consider using Postfix, Qmail, or Exim.
  • Use SSH or Kerberos instead of telnet or rlogin
  • .rhosts files removed nightly by a script
  • Clock synchronized to a central UCF time server. UCF Time Servers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • Configure sendmail to deny relaying, EXPN, VRFY, and DEBUG
  • Mount all user partitions and /tmp and /var with “nosuid” option
  • Consider using tcp-wrappers to help control and log access
  • Install/run identd to help determine source of problems
  • Use tripwire or other IDS package to detect changes to important files.
  • System administrator must actively monitor for probes or attacks, and alert the Security Incident Response Team.
  • Establish procedures and guidelines for responding to incidents. See Security Incident Response Plan
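
Three of the Unix and Linux items above (no accounts with null passwords, unnecessary inetd services disabled, nosuid mounts) can be checked from a script. The following is an added example and not part of the UCF standard; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit helpers for three Unix/Linux checklist items.
# File paths are parameters, so the checks can run against copies.

# Accounts with an empty password field (passwd or shadow format).
null_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Services from the Unix list that are still enabled in an inetd.conf.
BANNED="uucp systat netstat echo discard daytime chargen sprayd rexd finger ftp telnet"
enabled_banned_services() {
    awk -v banned="$BANNED" '
        BEGIN { n = split(banned, b, " "); for (i = 1; i <= n; i++) bad[b[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }             # commented out = disabled
        { name = $1; sub(/\/.*/, "", name) }       # RPC entries look like rexd/1
        (name in bad) && !seen[name]++ { print name }
    ' "$1"
}

# Mount points (arguments 2..n) with no nosuid entry in an fstab-style file.
mounts_missing_nosuid() {
    table=$1; shift
    for mp in "$@"; do
        awk -v mp="$mp" '
            /^[ \t]*#/ { next }
            $2 == mp && ("," $4 ",") ~ /,nosuid,/ { ok = 1 }
            END { if (!ok) print mp }
        ' "$table"
    done
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' 'guest::19000:0:99999:7:::' \
    > "$demo/shadow"
printf '%s\n' '#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd' \
    'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    'echo stream tcp nowait root internal' 'echo dgram udp wait root internal' \
    'rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd' > "$demo/inetd.conf"
printf '%s\n' '/dev/sda2 /tmp ext4 defaults,nosuid,nodev 0 2' \
    '/dev/sda3 /var ext4 defaults 0 2' '/dev/sda4 /home ext4 rw,nosuid 0 2' > "$demo/fstab"

echo "null passwords: $(null_password_accounts "$demo/shadow")"
echo "enabled banned services: $(enabled_banned_services "$demo/inetd.conf" | tr '\n' ' ')"
echo "missing nosuid: $(mounts_missing_nosuid "$demo/fstab" /tmp /var /home | tr '\n' ' ')"
```

On a real host the same functions take /etc/shadow (read as root), /etc/inetd.conf and /etc/fstab as their file arguments.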

Mac Standards

  • Servers must be in physically and environmentally controlled locations
  • Securely erase the Mac OS X install partition before install
  • Do not install any unnecessary packages
  • Require an Open Firmware or EFI password
  • Create an access warning for the login window and command line; do not use fast user switching with non-trusted users or when multiple users access local accounts
  • Create an administrator account and a standard account for each administrator, and create a standard or managed account for each non-administrator; set appropriate controls; restrict the distribution and use of administrator accounts; modify the /etc/authorization file to secure directory domain access; disable su; restrict sudo users to only the commands they require
  • Change the initial password for the system administrator account, disable automatic login, display “Show password hints”, “Enable fast user switching”, and “Show the Restart, Sleep, and Shut Down buttons”
  • Do not display recent applications, documents, and servers
  • Remove privileges to modify system preferences, dashboard and exposé
  • Disable Dashboard
  • Set a short inactivity interval for the screen saver and use a password-protected screen saver
  • Disable unnecessary services, including Airport support, Bluetooth, microphone, iSight camera, DHCP services, DNS service, Bonjour, iChat, file sharing, remote login and VPN, automatic login, root login, web service, printing service, QuickTime stream server, Xgrid. If any of the above tools are needed, configure the software securely before production according to the following guidelines: Mac OS X Server Security Configuration
  • Deactivate unnecessary mail protocols if not needed. Enable SSL for incoming and outgoing mail service if mail servers are needed. Enable virus filter. Disable SMTP Banner. Provide different servers for outgoing mail service and incoming mail service when possible.
  • Install and enable auditing tools from: www.apple.com/support/security/commoncriteria
  • Monitor and review security event logs on a regular basis
  • Enable audits of backups and restores
  • Clock synchronized to a central UCF time server. UCF Time Servers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • System administrator must be on security mailing list(s) and apply fixes and upgrades in a timely manner
  • System administrator actively monitors for probes or attacks, and alerts Security Incident Response Team
  • Establish procedures and guidelines for responding to incidents. See Security Incident Response Plan