Systems Security Review Process
Topic: Systems Security Review Process
Audience: Faculty and Staff
Creation Date: April 10, 2008
Author: Kevin Hayes
- Servers are high-profile targets and frequently come under attack because of their perceived importance and the confidential data or computational resources they can expose. For this reason, all servers at Oakland University are audited regularly to confirm that the University's security standards are properly applied and that the environment is as secure as practical against intrusion or unauthorized access.
Systems Requiring Review
- Quarterly, University Technology Services (UTS) staff review a listing of all centrally managed server assets associated with Oakland University (OU). A server asset is defined as any networked computer or equipment that provides resources to clients. This includes, but is not limited to:
- File Servers
- Database Servers
- Application Servers
Overall Security Architecture
- It is the intent that all systems managed by OU have multiple layers of defense protecting them from viruses and malicious software.
- Real-time virus signature and heuristic scanning is performed on university-owned servers running a Windows-based operating system via a centrally managed enterprise antivirus system. This system routinely pushes antivirus updates to the servers, performs periodic full-disk antivirus scans, and provides a central point for system administrators to analyze system reports.
- Operating system updates for Windows are centrally managed by a Windows Server Update Services (WSUS) server. This system actively downloads critical and security software updates and distributes them to University servers on a predetermined schedule. In the case of significant system updates, the schedule can be modified to permit the immediate deployment of an update.
- Operating system and application updates for Red Hat Enterprise Linux servers are centrally managed through the Red Hat Network (RHN). RHN alerts administrators to critical operating system and application updates as soon as they become available. Administrators review updates before applying them to the systems on a pre-determined schedule.
- Local administrator accounts are secured under strict guidelines. The built-in local administrator account is renamed so that its well-known name cannot be targeted by password guessing, and it is set with a complex password of more than 15 characters that includes letters, numbers and special characters. Local administrator accounts are used as infrequently as possible, and all passphrases are escrowed in a vault for secure storage.
- Firewalls and intrusion detection systems (IDSs) are used at the University to protect systems from malicious scans, probes and activity. University systems sit behind multiple layers of defense, and the default firewall policy is to deny all traffic to University systems; a formal Firewall Change Request process must be completed before communication to a University system is explicitly opened. System administrators monitor for malicious or abnormal activity and take corrective action as appropriate.
Maintenance of Asset List
- University Technology Services Operations and the Network Security Analyst should be notified of any server additions, retirements or IP address changes. Any modifications are then reflected in the listing of server assets and related documentation.
- Servers should be reviewed for security every three months by the Systems Administrator. The listing maintained by University Technology Services staff states the findings at the date of the previous audit as well as the scheduled date of the next audit.
Server Review Requirements
- When a server audit takes place, a system administrator normally responsible for the operation of the server should create a task in the internal UTS ticketing system to perform the audit. During the audit, several checks must be performed, including:
Verification of current version of operating system.
- Operating system and relevant libraries should be up to date per vendor and industry recommendations. Any critical security updates or bug fixes should be applied unless application requirements prohibit the upgrade. In this case, a documented justification must be made and other controls put into place to ensure system security.
Verification of current version of relevant application software.
- Application software used by the server should be up to date per vendor and industry recommendations. Any critical security updates or bug fixes should be applied unless application requirements prohibit the upgrade. In this case, a documented justification must be made and other controls put into place to ensure system security.
Verification of user accounts.
- Any user accounts to either the server itself or any applicable application software should be confirmed as current and in-use. This includes local accounts and access via shared authentication mechanisms such as Active Directory and LDAP.
Verification of password policy.
- Administrator passwords should be confirmed to match the escrowed values set at the previous audit (a mismatch indicates a change that was not made through the normal process and must be investigated) and then changed. Passwords should conform to the length and complexity requirements set by the department.
Verification of backup policy.
- Any backup scripts, programs or processes which backup or restore data on the server should be checked for accuracy and currency based on the backup policy for the specific server. Backup stores or tapes should be confirmed to have correct backup contents, and a restore process should be tested to ensure that the entire backup and restore process is functioning properly.
Verification of logging capabilities.
- System logs should be checked to ensure that critical events are being logged and not tampered with. Common log-generating events such as login successes and failures should be performed and confirmed as logging properly. All logs should be consistent with the specific logging policy for the server.
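- The following is an added example, not part of this policy, of how the login-event check can be confirmed mechanically on a Linux server: the auditor deliberately fails one login and then succeeds, and the script confirms that both events appear in the authentication log. The log excerpt is constructed in the style of /var/log/secure with OpenSSH messages; the host name, the audit account name and the IP addresses (taken from the RFC 5737 documentation ranges) are assumptions for the illustration.

```python
"""
Added example (not OU's own tooling): confirm that the test logins performed
during an audit were actually logged, in the style of a Linux /var/log/secure.
"""
import re

# Constructed excerpt covering the audit window. The auditor (audit-test from
# 192.0.2.7) first entered a wrong password on purpose, then logged in correctly.
SECURE_LOG = """\
Apr 10 09:57:30 dbsrv01 sshd[4391]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Apr 10 09:58:02 dbsrv01 sshd[4410]: Failed password for audit-test from 192.0.2.7 port 51412 ssh2
Apr 10 09:58:09 dbsrv01 sshd[4410]: Accepted password for audit-test from 192.0.2.7 port 51412 ssh2
Apr 10 09:58:09 dbsrv01 sshd[4410]: pam_unix(sshd:session): session opened for user audit-test by (uid=0)
Apr 10 09:58:40 dbsrv01 sshd[4425]: Failed password for root from 203.0.113.9 port 40031 ssh2
"""

# One sshd authentication result per line: "Accepted <method> for <user>" or
# "Failed <method> for [invalid user] <user>", followed by the source address.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_events(text):
    """Return one dict per sshd authentication result line; other lines are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]


def verify_login_logging(text, account, auditor_ip):
    """Check that the auditor's deliberate failure and subsequent success were both
    logged, and collect failed logins from other sources for follow-up."""
    events = parse_auth_events(text)
    mine = [e for e in events if e["user"] == account and e["src"] == auditor_ip]
    return {
        "failure_logged": any(e["result"] == "Failed" for e in mine),
        "success_logged": any(e["result"] == "Accepted" for e in mine),
        "other_failures": [
            f'{e["ts"]} {e["user"]} from {e["src"]}'
            for e in events
            if e["result"] == "Failed" and e["src"] != auditor_ip
        ],
    }


if __name__ == "__main__":
    result = verify_login_logging(SECURE_LOG, "audit-test", "192.0.2.7")
    print("test failure logged:", result["failure_logged"])
    print("test success logged:", result["success_logged"])
    for line in result["other_failures"]:
        print("failed login needing review:", line)
```

The check only proves that the log receives events; it says nothing about whether the log itself has been altered. For that the auditor should compare the log on the server against the copy held by the central log collector, if the server's logging policy forwards events off-host.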
Verification of system integrity.
- System files and libraries should be checked to ensure that they have not been modified by any virus, malware or non-approved process. A system scan should be performed with an approved utility (e.g. MBSA or a rootkit checker) to ensure that critical system processes have not been compromised.
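- As an added illustration of the modified-file check (this is example code, not one of the approved utilities named above), the script below records a SHA-256 digest of every regular file under the directories being reviewed and, at the next audit, reports files that were modified, added or removed since the baseline. The directory list and the baseline file name are assumptions; in practice the baseline must be stored off the server (or on read-only media), because an intruder with administrative access can otherwise rewrite it to match the tampered files.

```python
"""
Added example (not OU's own tooling): a minimal file-integrity baseline for the
"Verification of system integrity" step. Paths and baseline location are assumed.
"""
import hashlib
import json
import os
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large libraries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular file under the given roots to its digest (symlinks skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                baseline[str(p)] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(previous, current):
    """Findings for this audit relative to the previous one."""
    prev_paths, cur_paths = set(previous), set(current)
    return {
        "modified": sorted(p for p in prev_paths & cur_paths if previous[p] != current[p]),
        "added": sorted(cur_paths - prev_paths),
        "removed": sorted(prev_paths - cur_paths),
    }


def audit(roots, baseline_path):
    """Compare the directories against the stored baseline (if one exists), then
    record the current state as the baseline for the next audit. Returns None on
    the first run, otherwise the findings dict."""
    current = build_baseline(roots)
    findings = None
    if Path(baseline_path).exists():
        findings = compare(load_baseline(baseline_path), current)
    save_baseline(current, baseline_path)
    return findings


if __name__ == "__main__":
    import sys
    # Usage: integrity_check.py BASELINE.json DIR [DIR ...]
    result = audit(sys.argv[2:], sys.argv[1])
    print("baseline recorded" if result is None else json.dumps(result, indent=1))
```

A hash comparison run from the possibly compromised system can be defeated by a kernel-level rootkit that hides or substitutes files, which is why the policy also calls for a rootkit checker rather than relying on file digests alone.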
Verification of running processes.
- Processes and programs running on the server should be compared to both the previous audit and the specific function of the server. Any running processes, daemons or services should be disabled unless required for the proper operation of the server or application software. Any remaining processes should be either well-known or properly documented for future audits.
Verification of active network services.
- A full TCP/UDP network scan should be performed against the server to identify the network services actively running on the server. The scan should be compared to the results of the previous audit. Running services must be limited to what is required for operating system and application software to function properly. All open ports must be correlated with their respective processes and documented as to their function and scope.
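- The following is an added example (not the page's own procedure) of the port-to-process correlation and previous-audit comparison on a Linux server. It takes the host-side listing produced by `ss -tulpn` (assumed available on the host), extracts each listening port with the process that owns it, and checks it against the services documented at the previous audit: listeners that are undocumented, owned by an unexpected process, bound to all interfaces although documented as localhost-only, or documented but no longer present. The sample `ss` output, the host and the baseline entries are constructed for the illustration and describe no real OU server.

```python
"""
Added example (not OU's own tooling): compare the services listening on a
server with those documented at the previous audit.
"""
import re

# Constructed sample of `ss -tulpn` output captured on the server under review.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=934,fd=3))
tcp   LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
tcp   LISTEN 0      511    *:443               *:*               users:(("httpd",pid=1330,fd=4),("httpd",pid=1331,fd=4))
tcp   LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2001,fd=3))
"""

# Services documented at the previous audit (constructed): (proto, port) maps to
# the expected owning process, whether it may be reachable from the network or
# only from localhost, and its documented purpose.
PREVIOUS_AUDIT = {
    ("tcp", 22):   {"process": "sshd",    "scope": "network", "purpose": "remote administration"},
    ("tcp", 443):  {"process": "httpd",   "scope": "network", "purpose": "application front end"},
    ("tcp", 3306): {"process": "mysqld",  "scope": "local",   "purpose": "application database"},
    ("udp", 123):  {"process": "chronyd", "scope": "network", "purpose": "time synchronization"},
    ("tcp", 8080): {"process": "java",    "scope": "local",   "purpose": "retired admin console"},
}

LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text):
    """One record per listening socket: protocol, bound address, port, owning process names."""
    records = []
    for line in text.splitlines()[1:]:          # skip the column header
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")   # handles "*:443" and "[::]:22"
        procs = sorted({name for name, _pid in PROC_RE.findall(m.group("proc"))})
        records.append({"proto": m.group("proto"), "addr": addr, "port": int(port), "procs": procs})
    return records


def is_loopback(addr):
    return addr in ("::1", "[::1]") or addr.startswith("127.")


def audit_services(records, previous):
    """Compare live listeners with the documented ones and return the findings."""
    findings = {"undocumented": [], "process_changed": [], "scope_violation": [], "missing": []}
    seen = set()
    for r in records:
        key = (r["proto"], r["port"])
        seen.add(key)
        label = f'{r["proto"]}/{r["port"]} {r["addr"]} {",".join(r["procs"])}'
        doc = previous.get(key)
        if doc is None:
            findings["undocumented"].append(label)
            continue
        if doc["process"] not in r["procs"]:
            findings["process_changed"].append(f'{label} (expected {doc["process"]})')
        if doc["scope"] == "local" and not is_loopback(r["addr"]):
            findings["scope_violation"].append(f"{label} (documented as localhost only)")
    findings["missing"] = sorted(f"{p}/{port}" for (p, port) in previous if (p, port) not in seen)
    return findings


if __name__ == "__main__":
    for category, items in audit_services(parse_ss(SS_OUTPUT), PREVIOUS_AUDIT).items():
        for item in items:
            print(f"{category}: {item}")
```

The host-side listing is what makes the port-to-process correlation possible; the TCP/UDP scan run from another host should then agree with it. A port that answers to the scanner but does not appear in the host-side listing is itself a finding, since it suggests a hidden listener or a device in front of the server, and a documented listener that has disappeared (tcp/8080 in the sample) should be closed out in the documentation rather than silently dropped.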
Verification of applicable firewall rules.
- Based on operating system and application software requirements, the system auditor will confirm that the firewall policy in place is as restrictive as the server's function allows. Access from both on-campus users and the Internet should be limited to the minimum required. Network penetration tests will be performed to confirm that the access actually reachable on the server matches the active firewall policy.
Verification of research security requirements implementation.
- If a server is supporting funded research, additional security audits may be performed based on any security requirements stated by the granting agency.
Verification of external compliance requirements implementation.
- If a server is supporting data subject to external compliance requirements such as PCI DSS and HIPAA, additional security audits may be performed based on any security requirements stated by the regulation or law.
Server Review Findings
- All results from each server security review should be fully documented and stored. The server review is not considered successful until all items under Server Review Requirements are met. If a security breach is discovered during the review, information related to the event and all related findings must be disclosed immediately to the Security Task Force for further investigation.