Server exception request

The University of Louisville maintains an enterprise-class secured data center for housing university servers. Any server not maintained in the university data center must be approved via the ISO PS004 Policy Exception Management Process.

The policy exception management process (ISO PS004) applies to all University workforce, faculty and student members, including, but not limited to, faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate, while conducting or performing work, teaching, research or study activity using University resources. It includes all facilities, property, data and equipment owned, leased and/or maintained by the University or its affiliates.

Identifying Information
Windows Servers
Type
Please indicate whether this is a new installation or a change to an existing one.

Verify that the server is physically located in a secured, access-controlled environment. See ISO PS009 Data Facility Security.
Verify the network connection is hardwired.
Verify that all disks are formatted with NTFS.
Verify that all accounts have passwords that meet the password standards in the security program (8 characters minimum, both alpha and numeric characters). Additionally, all passwords should be changed from vendor-supplied defaults.
Disable unnecessary services. A list of services and their purposes is available at http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp. The Center for Internet Security benchmarks also contain information on Windows 2003 services (see the link below to download the benchmarks). It is the responsibility of the system administrator to determine what services should be disabled. Some infrequently used services to consider are: Alerter, Distributed Link Tracking, Distributed Transaction Coordinator, Fax Service, Indexing Service, Internet Connection Sharing, Messenger, NetMeeting Remote Desktop Sharing, QoS RSVP, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Registry Service, Routing and Remote Access, Smart Card, Smart Card Helper, Telnet, Uninterruptible Power Supply.
Disable or delete any unnecessary user accounts.
Remove all unnecessary file shares. Verify permissions on all shares that are necessary.
Confirm that firewall rules have been applied at the Enterprise Internet firewall.
Confirm that the local host firewall is enabled and configured.
Rename the guest account.
Disable the guest account.
Rename the administrator account.
Configure password policies (8 characters minimum, both alpha and numeric characters).
Configure account lockout policies (lockout after 6 failed attempts, reset after 60 minutes).
Configure log file policies (see NIST checklist for recommendations).
Configure screen saver to lock the screen within 30 minutes of inactivity.
Configure a logon message.
Verify that systems designed to perform email, calendaring or scheduling automatically interoperate with the University-furnished enterprise solutions for these tasks. This includes all University schools, divisions, and other affiliated entities.
Apply all security patches. If patches cannot be applied due to software incompatibilities or other conflicts, it is the responsibility of the system administrator to understand the vulnerability and implement appropriate measures to mitigate the vulnerability.
Install anti-virus software. Configure it to automatically update definitions. Apply an appropriate configuration for cleaning/quarantine/deletion of infected files and configure notification of infections. See ISO PS014 Protection from Malicious Software.
Verify that licensing documentation, if applicable, is available and on hand for all software installed.
Verify that physical safeguards are in place to restrict access to only authorized users for all server devices that store, transmit or access electronic Protected Health Information (ePHI).
Review an MBSA/Nmap/Nessus scan of the host for any potential problems.
When setting up a UNIX-style server (Linux, HP-UX, *BSD, Mac OS X, etc.):
UNIX Server
Type
Please indicate whether this is a new installation or a change to an existing one.

Verify that the server is physically located in a secured, access-controlled environment. See ISO PS009 Data Facility Security.
Verify that the network connection is hardwired.
Verify that all accounts have passwords that meet the password standards in the security program (8 characters minimum, 3 character classes minimum).
Check to see if the Bastille hardening program (http://www.bastille-linux.org/) supports your OS. Currently supported OSes include HP-UX, Mac OS X, and Red Hat Linux. If your OS is supported run the hardening program to improve security on the system.
Review the Center for Internet Security Benchmark for your system’s OS. These benchmarks are available at the link below. While reviewing the benchmarks make changes as appropriate to improve the security of your system. In most cases it should be possible to achieve a score of 7/10 or greater on the CIS benchmark.
Configure password policies.
Configure screen saver to lock the screen within 30 minutes of inactivity.
Configure a logon message.
Confirm that firewall rules have been applied at the core firewall.
Confirm that the local host firewall is enabled and configured if it exists.
Verify that systems designed to perform email, calendaring or scheduling automatically interoperate with the University-furnished enterprise solutions for these tasks. This includes all University schools, divisions, and other affiliated entities.
Apply all vendor supplied patches/updates. If patches cannot be applied due to software incompatibilities or other conflicts, it is the responsibility of the system administrator to understand the vulnerability and implement appropriate measures to mitigate the vulnerability.
Install anti-virus software. Configure it to automatically update definitions. Apply an appropriate configuration for cleaning/quarantine/deletion of infected files, and configure notification of infections. See ISO PS013 Protection from Malicious Software.
Verify that licensing documentation, if applicable, is available and on hand for all software installed.
Verify that physical safeguards are in place to restrict access to only authorized users for all server devices that store, transmit or access electronic Protected Health Information (ePHI).
Review an Nmap/Nessus scan of the host for any potential problems.
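Both checklists above state concrete values (8-character minimum, lockout after 6 failed attempts, reset after 60 minutes, guest disabled and renamed, administrator renamed, 3 character classes on UNIX). The following added example, which is not part of the university's form, compares exported policy files against those values; it assumes a Windows export produced by `secedit /export` and a Linux `pam_pwquality` configuration, both constructed inline here as samples.

```python
# Constructed `secedit /export /cfg <file>` output (the real file is UTF-16 LE;
# decode it before parsing). Values chosen to fail several checklist items.
SECEDIT_SAMPLE = """[System Access]
MinimumPasswordLength = 6
LockoutBadCount = 10
ResetLockoutCount = 30
NewAdministratorName = "Administrator"
NewGuestName = "Visitor"
EnableGuestAccount = 0
"""
# Constructed /etc/security/pwquality.conf (pam_pwquality on Linux).
PWQUALITY_SAMPLE = "minlen = 8\nminclass = 2\n"

def parse_kv(text, section=None):
    """Parse `key = value` lines (';' or '#' comments); restrict to one INF section if given."""
    opts, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and (section is None or current == section):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def audit_windows(inf_text):
    """Compare a secedit export with the Windows checklist; return findings."""
    sa = parse_kv(inf_text, "System Access")
    findings = []
    if int(sa.get("MinimumPasswordLength", 0)) < 8:
        findings.append("MinimumPasswordLength below 8")
    bad = int(sa.get("LockoutBadCount", 0))
    if bad == 0 or bad > 6:  # 0 means account lockout is disabled
        findings.append("LockoutBadCount not within 1..6")
    if int(sa.get("ResetLockoutCount", 0)) < 60:
        findings.append("ResetLockoutCount below 60 minutes")
    if sa.get("EnableGuestAccount") != "0":
        findings.append("Guest account enabled")
    if sa.get("NewGuestName") == "Guest":
        findings.append("Guest account not renamed")
    if sa.get("NewAdministratorName") == "Administrator":
        findings.append("Administrator account not renamed")
    return findings

def audit_unix(conf_text):
    """Compare pwquality.conf with the UNIX checklist (8 chars, 3 classes)."""
    pw = parse_kv(conf_text)
    findings = []
    if int(pw.get("minlen", 8)) < 8:  # pam_pwquality's built-in default is 8
        findings.append("minlen below 8")
    if int(pw.get("minclass", 0)) < 3:  # built-in default 0 (no class rule)
        findings.append("minclass below 3")
    return findings
```

An empty findings list means the exported policy matches the checklist values; keep the export alongside the exception request as evidence.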
Other