System Security Guidelines

Please review the guidelines below to ensure that your system is up-to-date and running securely.

Account Security

  • Access to your account on any system by another party is prohibited
  • Accounts are equivalent to signing your name on a tangible document
  • Anything done with these accounts under your name is your responsibility and you may be liable for it
  • Accounts set up for group use are prohibited

Anti-Malware

  • All systems must run an antivirus and anti-spyware software package
    • Make sure to budget to renew your antivirus definitions service on a yearly basis. Many programs come with one free year of upgrades, but you need to budget (usually < $15) to keep your antivirus upgrade access current
    • Definition files should be checked on a daily basis
  • Inform systems administrators as soon as malware has been detected

Auditing

  • Review security event logs on a regular basis
    • It is useless to generate event logs if one is not going to monitor them

Backups

  • Perform full backups weekly
  • Store full backups off site in a secure location at least once per month
    • Periodically test the backups for integrity

Business Resumption Plan

  • Each college, school, or department should have a business resumption (continuity) plan (COOP)
    • In case of a disaster, such as a hurricane, you need to have critical systems back online as quickly as possible
  • Keep good inventory

Drive Mapping

  • Administrators must take precautions when logging into workstations that have drive mappings to their servers. Many viruses will propagate using the mapped drive. If an administrator has full access to servers and logs in to a workstation that has a drive mapped to a server, and the workstation happens to be infected with a worm, it may infect the server as well.
    • Administrators should use an account with limited permission to servers when troubleshooting a workstation or have the regular user log in to the workstation

Firewall

  • All systems must have firewall software installed and enabled
    • Built-in firewall on Windows XP or Vista is sufficient
    • Use IPfilters on UNIX systems

FTP, SSH, and Web Servers

  • Disable anonymous FTP
  • Disable version banners
  • Set filters/wrappers based on IP addresses to deny access to unwanted hosts
  • Run these services/applications with user permissions other than administrator or root

Hardware Disposal

Install Latest Patches

Modems

  • Modems on systems that are also attached to the UCF network are strictly prohibited
    • Unmanaged or poorly managed desktop/server modems pose a risk to UCF

Passwords

  • Use strong passwords based on UCF’s password standards
  • Never share passwords with anyone
  • Change passwords at least every 60 days

SSH (Secure Shell)

  • Use SSH instead of Telnet or rlogin
  • Disable Telnet where possible
  • A good program to use is PuTTY.

Time Synchronization

To effectively investigate compromises or security incidents, it is necessary to have clocks synchronized to a common system (NTP – Network Time Protocol).

OS-Specific Guidelines

Windows Server Guidelines

  • All restricted data must be stored on an NTFS partition
  • Shared folders must have unique permissions for individual users
  • A system administrator must be on one or more security mailing lists and should apply fixes and upgrades in a timely manner.
  • Turn off auto run for external devices.
  • Disable floppy disk drives
  • Synchronize system clock to the UCF timeservers. UCF timeservers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • No null user sessions should be allowed
  • Rename the administrator account

Linux/Unix Server Guidelines

  • Ensure that e-mails to postmaster@ and root@ go to the proper system administrator.
  • Ensure that NFS shares are not publicly visible from the Internet.
  • Remove /etc/hosts.equiv
  • No accounts with null passwords
  • Edit /etc/inetd.conf (or equivalent) to remove all unnecessary services. Specifically disable: uucp, systat, netstat, echo, discard, daytime, chargen, sprayd, rexd, finger, ftp, telnet, etc.
  • Run the latest supported version of sendmail.
    • Configure sendmail to deny relaying, EXPN, VRFY, and DEBUG
  • Perform all remote administration of servers over secure channels.
    • Use SSH or Kerberos instead of telnet or rlogin
  • Remove .rhosts files nightly with a script
  • Rotate logs and accounting files (/var/adm/{acct,pacct}, /etc/wtmp) to keep the last few weeks of logs (/usr/lib/newsyslog)
  • Synchronize system clock to the UCF timeservers. UCF timeservers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • Mount all user partitions and /tmp and /var with the “nosuid” flag.
  • Install tcp-wrappers to help control and log access.
  • Install/run identd to help determine the source of problems.
  • Use tripwire or other IDS packages in order to detect changes to critical files
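
The following is an added example, not a UCF-provided script: a read-only shell audit of four items from the list above (banned inetd services, null passwords, hosts.equiv/.rhosts trust files, and nosuid mounts). It assumes home directories live under /home and /root, treats /home as the "user partition", and reads mount options from a /proc/mounts-format file; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of several checklist items above.
# Every function takes a root prefix ("" means the live system) so the
# checks can also be run against a mounted image or a test fixture.

# Services the guideline names for removal from inetd.conf.
BANNED="uucp systat netstat echo discard daytime chargen sprayd rexd finger ftp telnet"

# Print each banned service that still has an uncommented inetd.conf entry.
inetd_enabled() {
    [ -r "$1/etc/inetd.conf" ] || return 0
    awk -v banned="$BANNED" '
        BEGIN { n = split(banned, b, " "); for (i = 1; i <= n; i++) bad[b[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        { s = $1; sub(/\/.*/, "", s)          # RPC entries look like "rexd/1"
          if ((s in bad) && !seen[s]++) print s }' "$1/etc/inetd.conf"
}

# Print accounts whose shadow password field is empty (null password).
null_password_accounts() {
    [ -r "$1/etc/shadow" ] || return 0
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Print trust files that should not exist: hosts.equiv and per-user .rhosts.
# Assumption: home directories live under /home and /root.
trust_files() {
    [ -e "$1/etc/hosts.equiv" ] && echo "$1/etc/hosts.equiv"
    find "$1/home" "$1/root" -name .rhosts -print 2>/dev/null || true
}

# Print /tmp, /var and /home mounts lacking "nosuid" (/proc/mounts format).
# Assumption: /home stands in for "user partitions".
missing_nosuid() {
    [ -r "$1/proc/mounts" ] || return 0
    awk '($2 == "/tmp" || $2 == "/var" || $2 == "/home") &&
         ("," $4 ",") !~ /,nosuid,/ { print $2 }' "$1/proc/mounts"
}

audit() {
    echo "enabled banned inetd services: $(inetd_enabled "$1" | tr '\n' ' ')"
    echo "null-password accounts: $(null_password_accounts "$1" | tr '\n' ' ')"
    echo "rhosts-style trust files: $(trust_files "$1" | tr '\n' ' ')"
    echo "mounts missing nosuid: $(missing_nosuid "$1" | tr '\n' ' ')"
}

if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

Reading the shadow file requires root; any line of the report that lists a name is a finding against the corresponding checklist item.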

macOS Guidelines

  • Securely erase the Mac OS X install partition before install
  • Require an Open Firmware or EFI password
  • Create an access warning for the login window and command line.
  • Do not use fast user switching with non-trusted users or when multiple users access local accounts.
  • Modify the /etc/authorization file to secure directory domain access, disable su, and restrict sudo users to use only required commands.
  • Change the default password for the system administrator account.
  • Disable automatic login.
  • Display: Show password hints, enable fast user switching, show the restart, sleep, and shut down buttons.
  • Do not display recent applications, documents, and servers
  • Disable the dashboard.
  • Enable auto screen lock or automatic account time-out on systems and devices that activates after 10 to 15 minutes of idle time.
  • Disable unnecessary services, including AirPort support, Bluetooth, microphone, iSight camera, Bonjour, iChat, file sharing, remote login, VPN, automatic login, root login, web service, printing service, unnecessary mail protocols, QuickTime stream server, Xgrid.
  • Enable virus filter. Disable SMTP Banner. Provide different servers for outgoing mail service and incoming mail service when possible.
  • Synchronize system clock to the UCF timeservers. UCF timeservers:
    • time.ucf.edu (Primary)
    • ucf1.ucf.edu (Secondary)
    • ucf2.ucf.edu (Tertiary)
    • ucf3.ucf.edu (Quaternary)
  • A system administrator must be on one or more security mailing lists and should apply fixes and upgrades in a timely manner.