
Server System Security

Administrators of server systems have a responsibility to ensure that reasonable security measures are taken to protect that server from attack.  An insecure server risks not only the resources and data on the server itself, but also the resources and data on other campus systems.  A compromised system can be used as a base to launch an attack upon other systems.  An attack could come from a location on the campus network as well as from anywhere in the world.

Maintaining security of servers is a question of trading off the costs of implementing security measures versus the likelihood of a successful attack and the impact of the breach.  While it may not be possible to eliminate all security risks associated with a server connected to a network, it is possible to reduce the chances of a breach with security efforts directed where they will have the biggest impact. 

Best Practices for Server System Administration

  1. Firstly, consider the risks associated with the data stored on the server. For example, if the server is used to process payments or stores personal information of any kind including names, addresses, telephone numbers, student numbers, employee numbers or has confidential information of any kind (e.g. marks, research information, survey results) then you have an absolute obligation to protect privacy and ensure security without exception. Your first question should be whether it is necessary to store this data. You should store only absolutely essential data not available from other secure databases. You should also ensure that the data is purged routinely according to good records management practices consistent with Freedom of Information and Protection of Privacy legislation and Canadian Revenue Agency requirements.
  2. Install appropriate anti-virus tools and use them regularly to protect your system. Update virus definition files and software regularly.
  3. Restrict physical access to the server. Since console access generally allows an intruder to bypass most system security, secure the server room. Ensure that there is adequate fire/water protection and climate control of the server room. Take additional precautions to secure servers - enable BIOS passwords, encrypt passwords where possible, secure backup media.
  4. Secure logical access to the server. Remove/disable unnecessary accounts. Accounts for vendors and 3rd party support providers should be disabled when not in use. Passwords for these accounts should be reset for each use and changed by a responsible McMaster individual immediately after service is provided.
  5. Disable services that are not required on your system. A vulnerability that occurs in any service on your system can lead to compromise of the entire system. In some cases, the default configuration of a system (out of the box) leads to exploitable vulnerabilities in services that were enabled implicitly and with poor default options.
  6. Additional protection of your system can be achieved through installation of a local firewall. A local firewall need not be a separate physical device but could be implemented via software (included in some systems e.g., Windows XP) on the server itself with rules specific to the needs of the server's application. A local firewall is especially important for servers that are placed on the exception list and hence bypass the campus general firewall, since without one they have no protection at all. In any case, by implementing a local firewall policy, you are protecting the system from attacks that might originate from the campus network as well as the Internet.
  7. All remote access to any McMaster server from outside of McMaster's secure network must be via a Virtual Private Network (VPN) to provide a secure encrypted tunnel for all communication between a client computer and your server application. Some network devices provide a combination of functions - firewall, intrusion detection and VPN.
  8. Protect any account with root or system administrator privilege by following recommended password practices using strong passwords. Do not use default passwords as received from the vendor. Passwords should not be written down on notes attached to a keyboard or monitor or left in an unlocked desk drawer. All passwords should be changed regularly. Passwords protecting privileged accounts should be changed more frequently. A strong password must:
    1. be as long as possible (never shorter than 6 characters); include mixed-case letters, if possible;
    2. include digits and punctuation characters, if possible;
    3. not be based on personal information (names or initials of family members or pets, birthdates, license plate, phone numbers, etc.) that would make it easy to guess;
    4. not be based on any dictionary word (in any language);
    5. not be based upon any form of the account name.
  9. Critical data on the system should be backed up regularly with a copy stored at a secure off-site location. Backup media is of little use in recovery if it is destroyed along with the computer during a machine room fire. Backup/Recovery contingency plans should be tested to ensure that recovery actually works.
  10. Review system audit logs regularly. Question any unusual traffic patterns.
  11. The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. You should monitor their site regularly. In addition to publishing CERT® security alerts, their website is a rich resource for security issues. System Administrators should read and follow the recommended practices for securing network servers available under CERT® Security Practices.
  12. Check the SANS web site http://www.sans.org/top20/ for descriptions of the top 20 Internet Security Vulnerabilities. Most attackers exploit the best-known flaws with the most effective and widely available attack tools. The SANS top 20 list includes advice to determine if you are vulnerable and measures to take to protect against the flaw.
  13. The Microsoft Baseline Security Analyzer v2.0 (for IT Professionals) runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations and missing security updates in many of the common Microsoft products including: Internet Information Server (IIS), SQL Server 7.0 and 2000, Internet Explorer (IE), and Office.
  14. Administrators of Windows 2000 systems may find the security checklist available from LabMice.net http://labmice.techtarget.com/articles/securingwin2000.htm a useful resource.
  15. The Missouri Research and Education Network security site is an excellent resource for security at http://www.more.net/security/index.html.  It includes a number of pages of "Best Practices" and a collection of useful links for Server administrators of Windows and Unix systems.
  16. Symantec Corporation, http://www.symantec.com provides a list of "best practices" for users and administrators.
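
The strong-password criteria listed under item 8, expressed as a checker. This is an added example, not part of the original guidance or of any McMaster tool. The function names, the small word list and the substitution table are assumptions made here, and the "if possible" criteria are treated as required.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "server", "admin"}
# Common character substitutions, undone before any comparison (assumed table).
LEET = str.maketrans("01345$7@!", "oleasstai")

def normalise(text):
    """Lowercase, undo common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def password_problems(password, account, personal=(), words=SAMPLE_WORDS, min_len=6):
    """Return the criteria from item 8 that the candidate password breaks."""
    problems = []
    if len(password) < min_len:          # the page's floor: never under 6
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed case")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no punctuation")
    core = normalise(password)
    digits = re.sub(r"\D", "", password)
    acct = normalise(account)
    # "Any form of the account name": forwards or reversed, after normalising.
    if acct and (acct in core or acct[::-1] in core):
        problems.append("based on account name")
    # Words under four letters are skipped to limit accidental matches.
    if any(len(w) >= 4 and w in core for w in words):
        problems.append("based on dictionary word")
    # Personal items are matched as letters (names) or as digit runs (dates, phones).
    for item in personal:
        name, number = normalise(item), re.sub(r"\D", "", item)
        if (len(name) >= 3 and name in core) or (len(number) >= 4 and number in digits):
            problems.append("based on personal information")
            break
    return problems

if __name__ == "__main__":
    # Constructed candidates for a hypothetical account "jsmith".
    for candidate in ("P@ssw0rd!", "htimsJ#99", "x7Kq!2vR%mZ"):
        print(candidate, password_problems(candidate, "jsmith") or "ok")
```

Passing the composition checks is not enough on its own: `P@ssw0rd!` has mixed case, a digit and punctuation, and is still rejected because it reduces to a dictionary word.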

Service Desk

Hours: Monday - Friday
8:30 am - 4:30 pm
Phone: 905-525-9140 x24357 (2HELP)
Email: uts@mcmaster.ca
Location: Main Campus BSB Rm. 245
Service Catalog:
http://www.mcmaster.ca/uts
