The Official Web site for the Office of Information Technology - UTSA


Copyright (c) 2010. The University of Texas at San Antonio. All rights reserved.


Server Hardening Standard

Purpose - The UTSA Server Hardening Standard describes the requirements for installing a new server securely and for maintaining the security and integrity of the server and its application software.

Audience - The UTSA Server Hardening Standard applies to all individuals responsible for installing new information resources that will be connected to the UTSA network, to those who operate existing information resources, and to individuals charged with information resource security.

  1. A server must not be connected to the UTSA network until it is secure and the network connection has been activated. This includes:

    1. Internet traffic

    2. Electronic mail traffic

    3. LAN traffic, protocols and device inventory

    4. Operating system security parameters

    5. Rogue access points/devices

    6. Installed software on servers and desktops

  2. In order to harden a server, follow these general steps:

    1. Install the operating system from a source approved by the Office of Information Technology (OIT)

    2. Apply vendor-supplied patches to keep software properly updated

    3. Remove unnecessary software, system services and drivers

    4. Set security parameters and file protections; enable audit logging

    5. Disable or change the password of default accounts

  3. UTSA OIT will monitor security issues (both internal and external to UTSA) and will manage the testing and application of patches to affected UTSA core systems managed by OIT.

  4. Security patches must be implemented within a reasonable timeframe after their release date. UTSA OIT will make periodic announcements of required patches.

  5. The server must run legally licensed versions of the operating system and software.

  6. The server must run only necessary services. All unnecessary services should be shut down.

  7. After the administrator determines what default accounts are required on a server, all other default accounts must be disabled.

  8. The server may not act as an SMTP relay or otherwise relay mail unrelated to UTSA; it may not function as an FTP server or Web server without written approval from OIT.

  9. The server must comply with all other Information Resource (IR) security policies and standards.

  10. Servers must authenticate all users using industry-standard procedures to ensure only authorized access to the resource.
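The following is an added example, not part of the UTSA standard, showing how an administrator might check a server against steps 2.3 to 2.5 and rules 6 and 7 above: it parses a constructed /etc/shadow excerpt and constructed `systemctl list-unit-files` output, reporting default accounts that can still log in and enabled services outside an approved list. The required-account and approved-service sets are assumptions standing in for the administrator's own decisions.

```python
import re
# Constructed /etc/shadow excerpt (name:hash:...). A hash field starting with
# '!' or '*' is locked; an empty field means the account has no password.
SHADOW = """\
root:$6$placeholderhash:19000:0:99999:7:::
ftp:$6$anotherplaceholder:19000:0:99999:7:::
guest::19000:0:99999:7:::
oitadmin:!$6$lockedhash:19000:0:99999:7:::
"""

# Constructed `systemctl list-unit-files --state=enabled` output.
ENABLED_UNITS = """\
UNIT FILE        STATE   PRESET
sshd.service     enabled enabled
auditd.service   enabled enabled
vsftpd.service   enabled enabled
cups.service     enabled enabled
rsyslog.service  enabled enabled
"""

# Assumed administrator decisions: default accounts that must stay usable,
# and services justified as necessary for this server's role.
REQUIRED_DEFAULTS = {"root"}
APPROVED_SERVICES = {"sshd.service", "auditd.service", "rsyslog.service"}


def unlocked_accounts(shadow_text):
    """Map each account that can still log in by password to the reason."""
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings[name] = "no password"
        elif not pw.startswith(("!", "*")):
            findings[name] = "usable password"
    return findings


def default_account_findings(shadow_text, required=REQUIRED_DEFAULTS):
    """Rule 7: every default account not on the required list must be disabled."""
    return {n: r for n, r in unlocked_accounts(shadow_text).items()
            if n not in required}


def unapproved_services(units_text, approved=APPROVED_SERVICES):
    """Rule 6: enabled services outside the approved list must be shut down."""
    enabled = {m.group(1) for m in
               re.finditer(r"^(\S+\.service)\s+enabled", units_text, re.M)}
    return sorted(enabled - approved)
```

On a real host the two constructed strings would be replaced by the contents of /etc/shadow (read as root) and the live `systemctl` output; any non-empty result is a finding to resolve before the server is connected to the network.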
