Server Security Policy

1.0 Purpose

Servers are critical components of the organization's IT infrastructure, hosting vital applications and sensitive data. Unsecured or improperly configured servers represent a significant vulnerability and a primary target for malicious actors. Consistent server installation policies, ownership and configuration management are all about doing the basics well.

The purpose of this policy is to establish the minimum standards for the secure configuration, management, operation, and monitoring of all server equipment that is owned and/or operated by the organization on its internal networks. Adherence to these standards is crucial to minimize security risks, prevent unauthorized access, and protect the confidentiality, integrity, and availability of organizational information and technology assets.

2.0 Scope

This policy applies to all employees, contractors, consultants, temporary staff, vendors, and other personnel responsible for the deployment, administration, operation, or management of server equipment on the organization's internal network. It covers all physical and virtual servers owned, operated, or leased by the organization or registered under an organization-owned internal network domain.

This policy applies specifically to internal servers; servers located in a Demilitarized Zone (DMZ) are subject to the additional requirements outlined in the Internet DMZ Equipment Policy.

3.0 Policy Statements

3.1 Ownership, Responsibility, and Registration

*   **Ownership:** All internal servers deployed at the organization must have a clearly designated owning operational group or department responsible for system administration and configuration compliance.
*   **Configuration Guides:** Each operational group must establish, maintain, and follow approved server configuration guides (secure baseline builds) tailored to their specific server roles and operating systems. These guides must be based on organizational standards and security best practices and require initial and ongoing review and approval by the designated IT authority (e.g., Precision Computer). A process for managing changes to these guides, including review and approval, must be in place.
*   **Registration:** All servers must be registered in the organization's central asset management or enterprise management system. Registration information must be kept accurate and up-to-date, including at a minimum:
    *   Server hostname and IP address(es).
    *   Primary and backup administrator/owner points of contact (including location).
    *   Hardware details and Operating System/Version.
    *   Primary functions and applications hosted.
*   **Change Management:** All configuration changes applied to production servers must follow formal organizational change management procedures.

3.2 Secure Configuration Requirements

*   **Baseline Conformance:** Servers must be configured in accordance with the approved secure configuration guides/baselines relevant to their operating system and function.
*   **Service Hardening:** Unnecessary services, applications, and network ports must be disabled or removed to minimize the server's attack surface.
*   **Patch Management:** Servers must be kept up-to-date with the latest security patches and updates provided by the OS and application vendors. Patches must be applied promptly according to the organization's vulnerability management timeline requirements, with documented exceptions only permitted for specific, approved business reasons requiring compensating controls.
*   **Principle of Least Privilege:**
    *   Services and applications should run under accounts with the minimum privileges necessary for their function. Use of highly privileged accounts (e.g., root, Administrator) should be restricted to essential administrative tasks.
    *   User access must adhere to the principle of least privilege, granting only the permissions required for assigned job duties.
*   **Trust Relationships:** System-level trust relationships (e.g., domain trusts, Kerberos delegation, SSH key-based trusts) must be implemented judiciously, documented, regularly reviewed, and avoided where alternative secure communication methods suffice.
*   **Secure Administrative Access:** Privileged access (administrative login) must be performed over secure, encrypted channels (e.g., SSH, TLS-protected protocols, console access via secure terminal servers). Unencrypted administrative protocols (e.g., Telnet, FTP) are prohibited.
*   **Access Control Logging:** Access to critical services should be logged and potentially protected by additional access control layers (e.g., web application firewalls for web services) where feasible.

3.3 Physical Security

*   Servers must be physically located within secure, access-controlled environments (e.g., data centers, locked server rooms) compliant with the organization's Physical Security Policy.
*   Operating servers from uncontrolled areas, such as user cubicles or open offices, is strictly prohibited.

3.4 Monitoring and Logging

*   **Monitoring:** For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Logging Policy.
*   **Log Retention:** Security-related logs must be retained according to the following minimum schedule (or as defined by the organizational Record Retention Schedule, whichever is longer):
    *   Online (e.g., within SIEM): Minimum 1 week
    *   Offline Backups (e.g., daily incrementals): Minimum 1 month
    *   Offline Backups (e.g., weekly fulls): Minimum 1 month
    *   Offline Backups (e.g., monthly fulls): Minimum 2 years
*   **Log Review:** Logs must be reviewed for security-related events, including but not limited to:
    *   Port-scan attacks
    *   Evidence of unauthorized access to privileged accounts
    *   Anomalous occurrences that are not related to specific applications on the host

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer team, Information Security, Internal Audit) will verify compliance with this policy through various methods, including configuration audits against approved baselines, vulnerability scanning, penetration testing, review of change management records, physical security checks, log reviews, internal/external audits, and assessment of monitoring procedures.

4.2 Exceptions

Any exception to this policy requires formal, documented justification outlining the technical necessity or constraint, risk assessment including compensating controls, and advance approval from the designated IT authority (e.g., Precision Computer Team or Information Security). Operational groups managing servers should maintain a record of approved exceptions relevant to their systems.

4.3 Enforcement

*   Servers found to be non-compliant with this policy must be remediated within a defined timeframe or risk being isolated or removed from the network.
*   Failure by personnel responsible for server administration or management to adhere to this policy may result in disciplinary action, up to and including termination of employment or contract.

5.0 Definitions

*   **Server:** A computer system (physical or virtual) providing shared resources, services, or applications to other computers (clients) over a network.
*   **Baseline (Secure Configuration Guide):** A documented standard configuration defining the required security settings and software state for a specific operating system or server role.
*   **DMZ (Demilitarized Zone):** A perimeter network segment logically placed between an internal network and an external network (like the Internet).
*   **Least Privilege:** The security principle of granting users and processes only the minimum permissions necessary to perform their required functions.
*   **Trust Relationship:** A configured link between systems or domains allowing one system/domain to accept authentication or authorization decisions made by the other.

6.0 Related Policies

*   Audit Logging Policy
*   Change Management Policy
*   Data Classification Policy
*   DMZ Equipment Policy
*   Information Security Policy (Overall)
*   Password Policy
*   Physical Security Policy
*   Vulnerability Management Policy / Patch Management Policy
*   Record Retention Schedule / Policy
*   SANS Glossary of Security Terms (additional definitions): https://www.sans.org/security-resources/glossary-of-terms/