Sample – Secure Configuration Policy

September 11, 2019

Introduction

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Corporate. Effective implementation of this policy will minimize unauthorized access to corporate proprietary information and technology.

Scope

This policy applies to server equipment owned and/or operated by Corporate, and to servers registered under any Corporate-owned internal network domain. This policy is specifically for equipment on the internal corporate network.

Failure to comply with this policy may result in disciplinary action up to and including termination.

Policy

Ownership and Responsibilities

All devices and applications maintained by Corporate must be owned by an operational group that is responsible for system administration. Approved device and application configuration guides must be established and maintained by each operational group, based on business need and approved by the Compliance group.

Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by the Compliance group.

This policy shall apply to all servers, operating systems, applications, networking devices, and any other IT component that may be managed by Corporate.

  • All devices must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the device and its point of contact:
    • Device contact(s) and location, and a backup contact;
    • Hardware and Operating System/version;
    • Customer name and contact information; and
    • Main functions and applications, if applicable.
  • Information in the corporate enterprise management system must be kept up-to-date.
  • Configuration changes for managed devices and applications must follow the appropriate change management procedures.
  • Patching for managed devices and applications must follow the appropriate change management procedures.
  • Changes to the standards are permitted to meet specific customer requirements provided that there is no other means to achieve the same functionality at a reasonable cost. Any deviations from the standards must be documented and approved by the customer prior to implementation.

General Configuration Guidelines

  • Configuration guidelines should be based on vendor hardening requirements or on industry standards such as those from the Center for Internet Security (“CIS”), the National Institute of Standards and Technology (“NIST”) or the SANS Institute (“SANS”).
  • Services and applications that will not be used must be disabled where practical.
  • Trust relationships between systems (for example, host-based authentication that lets one host act on another without its own credentials) are a security risk, because the compromise of one system then extends to every system that trusts it. Avoid them, and do not use a trust relationship when some other method of communication will do.
  • Always apply the principle of least privilege: grant only the access required to perform a function.
  • Do not use a privileged account when a non-privileged account will do.

Specific Requirements

All configuration standards must, at a minimum, address the following:

  • Always change vendor default usernames, passwords, or other credentials. Remove any unneeded accounts prior to implementation.
  • On multi-application servers, ensure that users of each application cannot access data from the other applications.
  • Apply encryption in accordance with the corporate Encryption policy.
  • Deploy anti-virus software in accordance with the anti-virus policy.
  • Ensure that all users have unique authentication credentials that comply with the Logical Access policy.
  • Provide an audit trail that is either retained on the local device for at least 30 days or sent to a separate logging server.
  • Synchronize system time using Network Time Protocol (NTP) or another approved mechanism, so that log timestamps from different devices can be correlated.
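As an added illustration (not part of the sample policy), the following Python checks copies of a Linux server's configuration files against three of the requirements above: no empty-password or still-enabled vendor default accounts in /etc/shadow, a remote log destination in the rsyslog configuration (the "separate logging server" option for the audit trail), and at least one time source in chrony.conf or ntp.conf. The default-account list, the host names and the sample file contents are constructed for the example; a real configuration standard would supply its own account list, and an operational group would run the checks over files collected from each host.

```python
"""Baseline configuration checks written against the Specific Requirements above.
Added example, not part of the policy text. Each check takes file contents as a
string so it can be run against copies of /etc/shadow, /etc/rsyslog.conf and
/etc/chrony.conf (or /etc/ntp.conf) gathered from a host."""
from __future__ import annotations

import re

# Vendor or provisioning accounts that should be removed or locked. This list is
# an assumption for the example; a real standard would name its own.
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "user", "pi", "vagrant"}

# A password field starting with "!" or "*" means the account cannot log in
# with a password (locked); an empty field means no password is required.
LOCKED_PREFIXES = ("!", "*")

# Legacy rsyslog forwarding: "<selector> @host[:port]" (UDP) or "@@host[:port]"
# (TCP), optionally followed by an option block such as "(z9)" and a ";template".
LEGACY_FWD = re.compile(r"^\s*[^#\s]+\s+(@{1,2})(?:\([^)]*\))?([^\s;]+)")
# RainerScript forwarding (single-line form only): action(type="omfwd" target="host" ...)
OMFWD_TARGET = re.compile(r'target="([^"]+)"')
# chrony and ntpd both declare time sources with "server"/"pool"/"peer" directives.
TIME_SOURCE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def shadow_findings(shadow_text: str) -> list[str]:
    """Flag accounts with an empty password field and enabled default accounts."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hashed = fields[0], fields[1]
        if hashed == "":
            findings.append(f"{name}: empty password field (no password required)")
        elif name in DEFAULT_ACCOUNTS and not hashed.startswith(LOCKED_PREFIXES):
            findings.append(f"{name}: default account is enabled; remove or lock it")
    return findings


def remote_log_targets(rsyslog_text: str) -> list[str]:
    """Return the remote destinations rsyslog forwards to; empty means local-only logging."""
    targets = []
    for line in rsyslog_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LEGACY_FWD.match(line)
        if m:
            proto = "tcp" if m.group(1) == "@@" else "udp"
            targets.append(f"{m.group(2)} ({proto})")
        elif 'type="omfwd"' in stripped:
            t = OMFWD_TARGET.search(stripped)
            if t:
                targets.append(f"{t.group(1)} (omfwd)")
    return targets


def time_sources(conf_text: str) -> list[str]:
    """Return the time servers/pools configured for chrony or ntpd."""
    return [m.group(2) for m in (TIME_SOURCE.match(l) for l in conf_text.splitlines()) if m]


def audit(shadow_text: str, rsyslog_text: str, time_conf_text: str) -> dict[str, list[str]]:
    """Compliance report keyed by requirement; an empty list means the check passed."""
    report = {"accounts": shadow_findings(shadow_text), "audit_trail": [], "time_sync": []}
    if not remote_log_targets(rsyslog_text):
        report["audit_trail"].append(
            "no remote log destination; local retention of at least 30 days must be verified instead")
    if not time_sources(time_conf_text):
        report["time_sync"].append("no NTP server or pool configured")
    return report


def is_compliant(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


# Constructed sample inputs (not taken from any real host).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin:$6$saltsalt$anotherhash:19000:0:99999:7:::
svc-backup::19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""
SAMPLE_RSYSLOG_LOCAL_ONLY = """\
# Log everything locally
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
"""
SAMPLE_RSYSLOG_FORWARDED = SAMPLE_RSYSLOG_LOCAL_ONLY + """\
# Forward a copy to the corporate log server over TCP
*.* @@loghost.corp.example:514
"""
SAMPLE_CHRONY = """\
# Internal time servers
server ntp1.corp.example iburst
server ntp2.corp.example iburst
"""

if __name__ == "__main__":
    for requirement, findings in audit(SAMPLE_SHADOW, SAMPLE_RSYSLOG_LOCAL_ONLY, SAMPLE_CHRONY).items():
        print(requirement, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

The checks are deliberately conservative: a host that forwards nothing is reported so that someone verifies its local 30-day retention rather than assumed to pass, and a locked default account is not flagged even though the policy prefers removal. Multi-line RainerScript `action(...)` blocks and include files are not parsed, so a real deployment would run against the effective configuration (for example the output of `rsyslogd -N1` or the concatenated `/etc/rsyslog.d/*`).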