They are used to communicate with the public, and to store our most restricted information. Proper configuration and maintenance of these devices is necessary to provide an essential layer of defense in securing University assets from unauthorized use or loss, as well as to assure the confidentiality, integrity and availability of information. The draft Server Security Standard provides guidance to service owners, and their designated technical specialists, to ensure that the systems for which they are responsible are properly protected.
- Servers should be purpose built. Remove unused software and disable services that are not required.
- Servers should be well maintained. Install updates and security patches in a timely manner, and use a host-based firewall, intrusion prevention, and antivirus to prevent malicious or unwanted connections and software.
- Servers should be secure. Privileged accounts should be well guarded, and the protocols used to manage the server should be protected from public access.
- Servers should be physically secure. Host them in a data centre, or at least in an area where they are physically secure and protected from environmental threats such as heat and humidity.
- Servers have a lifecycle. Use secure development practices in a server’s early life. Securely dispose of hardware and software that is no longer in use, or no longer supported.
- Remember to perform backups, and review system logs regularly!
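The first and third points above (remove what the server does not need; keep management protocols and internal services off the public interface) are the ones a technical specialist can verify mechanically. The following Python script is an added example, not part of the Standard or any University tooling: it compares a server's listening sockets and enabled services against an allowlist that declares what the server is built for. It assumes a Linux host and parses text in the format produced by `ss -tlnp` and `systemctl list-unit-files --state=enabled`; the sample output, the `WEB_SERVER_PROFILE` allowlist and the process and unit names in it are constructed for the example.

```python
"""Check a server's listeners and enabled units against its declared purpose.

Added example (not the University's own tooling). Runs offline on the
constructed samples below; on a real host, replace them with the output of
`ss -tlnp` and `systemctl list-unit-files --state=enabled`.
"""
import re

# Constructed sample of `ss -tlnp` on a web server that still carries a few
# services left over from the base install. Not real captured output.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=701,fd=3))
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=905,fd=21))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1130,fd=4))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1201,fd=3))
"""

# Constructed sample of `systemctl list-unit-files --state=enabled`.
SAMPLE_UNITS = """\
UNIT FILE            STATE   PRESET
nginx.service        enabled enabled
ssh.service          enabled enabled
mysql.service        enabled enabled
smbd.service         enabled enabled
vsftpd.service       enabled enabled
cups.service         enabled enabled

6 unit files listed.
"""

# Hypothetical allowlist for a purpose-built web server: which ports may
# listen, whether each may face the network ("public") or must stay on
# loopback ("local"), and which units may be enabled. Restricting who may
# reach port 22 is a firewall matter and is not visible in socket state.
WEB_SERVER_PROFILE = {
    "ports": {80: "public", 443: "public", 22: "public", 3306: "local"},
    "units": {"nginx.service", "ssh.service", "mysql.service"},
}

# Addresses that mean "every interface" in ss output.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

LISTENER_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_host_port(addr):
    """Split 'host:port' from ss, tolerating bracketed IPv6 like '[::]:22'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(ss_output):
    """Return one dict per LISTEN line: host, port and owning process name."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue  # header line or a non-listening socket
        host, port = split_host_port(m.group(1))
        pm = PROC_RE.search(m.group(2))
        listeners.append({"host": host, "port": port,
                          "process": pm.group(1) if pm else "?"})
    return listeners


def parse_enabled_units(systemctl_output):
    """Return the set of unit names whose STATE column reads 'enabled'."""
    units = set()
    for line in systemctl_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            units.add(parts[0])
    return units


def audit(listeners, enabled_units, profile):
    """Return (finding_kind, detail) tuples for anything outside the profile."""
    findings = []
    for lst in listeners:
        expected = profile["ports"].get(lst["port"])
        if expected is None:
            findings.append(("unexpected_listener",
                             f"{lst['process']} on port {lst['port']}"))
        elif expected == "local" and lst["host"] in WILDCARD_HOSTS:
            findings.append(("exposed_local_service",
                             f"{lst['process']} on port {lst['port']} "
                             f"bound to {lst['host']}"))
    for unit in sorted(enabled_units - profile["units"]):
        findings.append(("unneeded_unit", unit))
    return findings


if __name__ == "__main__":
    results = audit(parse_listeners(SAMPLE_SS),
                    parse_enabled_units(SAMPLE_UNITS), WEB_SERVER_PROFILE)
    for kind, detail in results:
        print(f"{kind}: {detail}")
```

The profile is the important artifact: writing down what a server is for turns "remove unused software" from a judgement call into a diff, and re-running the check after each patch cycle catches services that a package upgrade re-enabled. On the constructed sample it flags the file-sharing and FTP listeners, the database bound to every interface instead of loopback, and three enabled units the web role does not need.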