About this policy
Policy contact:
Date of last update:
January 05, 2022
Policy statement
The Luddy School of Informatics, Computing, and Engineering has a diverse collection of research, teaching, administrative, and center-based servers, both physical and virtual, to support our vast research and administrative efforts. The school is committed to following all IU computing policies and industry best practices for server management, including:
- Guidelines in the IT-12 Security of Information Technology Resources and IT-28 Cyber Risk Mitigation Responsibilities will be followed on all systems.
- An assessment of the nature of the data being stored on the server will be made and appropriate actions taken to secure all Institutional Data (Critical/Restricted/University-Internal) per IU regulations.
- Anti-virus software will be used on all servers for which appropriate tools are licensed by IU.
- Identity Finder will be used on all Windows servers.
- Systems housing Institutional Data (Critical/Restricted/University-Internal) will be located at the Data Center (preferably as II VMs) and be subject to the UITS hardware firewall.
- All systems will run host-based firewalls (e.g., Windows Firewall, Linux iptables, etc.) with as limited a scope (port and source IP addresses) as possible to accomplish the required task.
- Systems that allow logins from non-IU IP space will be configured to automatically deny all access from hosts that repeatedly attempt and fail to log in.
- Accounts and access will be limited based on required need, authentication will be against the IU AD Servers using IU passphrases, and accounts will be promptly disabled when people leave IU.
- Administrator/root accounts will never be used for daily tasks not requiring elevated access. All requests for administrator privileges will be fully vetted and approved, and permissions will be limited to the required tasks.
- Supported operating systems will be chosen for their reliability, maintainability, and security.
- Whenever possible, automated techniques (e.g., Ghost for Windows and Kickstart for Linux) will be employed to allow for quick and uniform deployment of systems.
- Whenever possible, operating system patches will be managed and monitored from a single, central location using tools like SCCM (Windows), RHN (Linux), and Casper (Mac). Security-related software updates will be applied as soon as is practicable (following the 24/48/72 hour standard outlined in IT-12 Security of Information Technology Resources).
- All system log data required by IT-12 Security of Information Technology Resources will be collected, stored centrally, reported, and reviewed.
- Authentication will only be allowed using mechanisms that encrypt user credentials.
- The transmission of any critical data over the network will be done via encrypted channels (e.g., SMB v3 with encryption for Windows file servers).
- Professional Luddy IT Staff will be properly trained in both industry best practices and IU policies.
In addition, server management is guided by these other Luddy IT policies:
- External vulnerability scanning will be performed and problems mitigated per IT Policy: Vulnerability Scans.
- System logging will be performed per IT Policy: Server Logging.
- Systems will be inventoried and tracked per IT Policy: Hardware and System Inventory.
- Appropriate server platforms will be selected per IT Policy: Virtual Machines and Physical Servers.
- An assessment will be made of the most secure IP addressing per IT Policy: Public IP Addresses.
- Systems will be disposed of in a secure manner per IT Policy: System and Media Disposal.
- Any security breaches will be handled appropriately per IT Policy: Incident Response.
- Backups will be performed per IT Policy: Backups.
- Hosted web services will be managed per DRAFT IT Policy: Web.
- Any system not being managed by the Luddy ITG will be managed per IT Policy: Administrator Access and Self-Managed Systems.
- Disaster recovery and business continuity plans will be maintained per IT Policy: Disaster Recovery and IT Policy: Business Continuity.
Exceptions to policy
Given the unique computing requirements of computing research being done within the school, systems may need to run operating systems and software not supported by the Luddy ITG. Such cases are governed by the IT Policy: Administrator Access and Self-Managed Systems.
Procedures
New servers will be configured using the Server Setup Procedure and Checklists.
References
- IU Policy Office: Cyber Risk Mitigation Responsibilities (IT-28)
- IU Policy Office: Appropriate Use of Information Technology Resources (IT-01)
- IU Policy Office: Information and Information System Incident Reporting, Management, and Breach Notification (ISPP-26)
- Security of Information Technology Resources (IT-12)
- Server Setup Procedure and Checklists