Skip to navigation content (Press Enter).

Server Security

Technology is rapidly changing; new threats to information confidentiality, integrity and availability emerge daily. Mitigating the risk of exposure to these threats is the ongoing challenge of system administrators and data owners.

Scope

These guidelines apply to any server system which is used to enable access to information or services to other remote hosts. These are recommendations and guidance for system administrators, though the information within this document may contribute to stricter standards.

Guidelines for Deploying Secure Servers

System and/or Information Value...

  • Consider the implications of unauthorized disclosure, modification, destruction or disruption to McMaster University systems and information within the context of the factors affecting system value

For further assistance with understanding the value or importance of a system, or the data and information on that system, please contact IT Security: c-uts-security@mcmaster.ca

Perform regular risk assessments...

System Administrators should perform the following risk assessments:

  • Value assessment
  • Malware scans
  • System risk assessment
  • Perimeter risk assessment
  • Application risk assessment
  • Penetration testing
  • Physical risk assessment

Disaster Recovery and Business Continuity...

  • Develop a redundancy strategy that is appropriate to the value of the information on the system
  • Perform regular backups of data, information and system files

Enable and maintain local technical controls...

  • Uninstall software and disable services that are not required by the server
  • Configure the server to automatically install security updates and/or patches
  • Install, maintain and use anti-virus and/or anti-malware software
  • Install SSL certificates unique to the system and/or service
  • Enable, configure and monitor server firewall, host-based IPS and/or local access control lists such as .htaccess file
  • Collect, maintain and review system audit logs regularly

For more information use the resources listed below.

Physical environment...

  • Ensure that room has appropriate environmental controls (fire, temperature, humidity, etc.)
  • Ensure that power to the server is appropriately controls

Control physical access...

  • Restrict physical access to the server using appropriate door locks; swipe card access is preferred
  • Physical access should be granted using the principle of least privilege and authority

Control local access...

  • All local user access attempts, successful or failed, should be logged
  • Use a strong password or passphrase to protect administrator accounts
  • Disable and/or rename default administrator accounts
  • System should automatically lock if unattended
  • Disable, rename or delete unnecessary default accounts, including but not limited to operating system accounts, remote access accounts, application management accounts, service accounts
  • System BIOS and UEFI interfaces should be password protected; default passwords should be changed
  • Local access should be granted using the principle of least privilege and authority*

Control remote access...

  • All remote user access attempts, successful or failed, should be logged
  • Disable all unencrypted management interfaces (telnet, http, etc.).
  • Restrict access to management interfaces using local access control list(s).
  • Connections to management interfaces from outside of the McMaster University network should always be made through the Virtual Private Network (VPN)
  • Remote access should be granted using the principle of least privilege and authority*

Control network access...

  • All network access attempts, successful or failed, should be logged
  • Access to applications and services should be restricted to only those that require access
  • Network access should be granted using the principle of least privilege and authority*

For more resources and guidance, please visit our external resource page:
External Resources Best Practices

* Principle of least privilege and authority:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

Service Bulletins

Citrix Receiver Client Update

UTS asks Citrix users to upgrade Citrix Receiver Client to the most current version by February 28, 2017. See UTS Citrix website for installation and removal information.


Mosaic Upgraded Interface

Service Desk

Client Self Service:
https://servicedesk.mcmaster.ca
Hours: Monday - Friday
8:30 am - 4:30 pm
Phone: 905-525-9140 x24357 (2HELP)
Email: uts@mcmaster.ca
Location: Main Campus BSB Rm. 245
Service Catalogue:
http://www.mcmaster.ca/uts
-->

Great Idea Site

Great Idea