New Systems and Services Security Guidance

Transcription

1 New Systems and Services Security Guidance Version Version Number Date Author Type of modification / Notes /05/2012 Donna Waymouth First draft /06/2012 Donna Waymouth Update re certificates /10/2012 Donna Waymouth Updated introduction /05/2013 Donna Waymouth & Paul Sandy Minor Updates. Presented at ISSG Reference Title Related Policies IT Governance and Compliance Page 1 of 5

2 Contents Security Good Practice for New Systems... 3 System Services... 3 Login & Passwords... 3 Logon Banners... 4 Internet... 4 General... 5 Sensitive Services... 5 IT Governance and Compliance Page 2 of 5

3 Security Good Practice for New Systems This document is for use by anyone setting up a new service, or substantially upgrading an existing system, for use on the University network. Prior to connecting any new server or service to the University of Exeter network, we must try to ensure that it does not undermine the security of existing data and systems. As such, any new system should be reviewed against a number of security good practice requirements. Please note this is not an exhaustive list, and some items may not apply in certain cases due to the different functions of platforms. When any part of this security guidance is included as an input to the tendering process, it should be considered as highly desirable, not mandatory. Depending on the nature of the data to be stored or processed by the system or service, the weighting attributed to these security questions will need to be varied. If further information or clarification is required on any aspect of this guidance please contact the IT projects team on ITprojects@exeter.ac.uk System Services In order to reduce the number of vulnerabilities available for a malicious user to attack, it is important to deploy only the system services necessary for the service to function correctly and remove any default or sample data they could make use of: a) Any services that are not required for the platform to function correctly should be disabled. Where possible code / libraries for those services should be removed. b) The service banner eg IIS should be changed so it does not advertise the software type, version or revision number. c) All system supplied passwords must be changed d) Any unused default accounts must be removed e) All sample code / development libraries / code or tools used for debugging or testing must be removed from the platform Login & Passwords Passwords are the first line of defence for any IT system hence they must offer a suitable level of security for the platform: a) New services should be incorporated into the University single sign-on platform whereever possible. Local logons must not be used in parallel unless there are overriding Business Continuity/Disaster Recovery requirements. b) No generic logins should exist. Please note, in the case of root, SU should be used so that the originating user can be identified c) The login page must not provide any error messages that indicate whether a UserID exists. d) The login page must not provide an error messages that indicates whether the UserID or Password is incorrect, just that the login has not been successful. e) Do not pre-fill userid with the previous logged on user at that computer. f) Do not offer a remember me or a keep me signed in function if possible. g) Where local authentication is required: Password complexity including capital and lowercase, numeric and symbols, in line with university password policy must be implemented. h) Consider whether an account lockout is appropriate eg delay for return to the login screen, lockout of account for x minutes after 3 incorrect login attempts, account lockout until reset by support team / y of z previously defined questions. A lockout of 2 minutes after 3 incorrect login, extended to 10 minutes after 10 incorrect login attempts is recommended. IT Governance and Compliance Page 3 of 5

4 i) Systems that handle personal or sensitive data should provide the user with information on when and from what device they last successfully logged in. j) Consider whether multiple concurrent logins should be permitted from different browsers using the same source IP address from different IP addresses If concurrent logins are not required, this activity should be prevented by the platform k) Login forms and transmitted credentials must be protected with encryption eg https. l) Any transmitted data that may contain personal, confidential, financial or sensitive information in either direction should be protected with encryption eg https. m) Ensure that only those people who should have access to a system are authorised and have valid accounts. Do not create accounts for all University members or all staff unless this is actually required. Logon Banners It is important to tell people that they should not attempt to connect to the server unless they are authorised to do so: A login banner must be set at any login prompt indicating that this platform s use is restricted such as: This computer system is operated on behalf of the University of Exeter. Only authorised users are entitled to connect and/or login to this computer system. If you are not sure whether you are authorised, then you are not and should DISCONNECT IMMEDIATELY. Your connection may be monitored for lawful purposes. This computer system is operated on behalf of the University of Exeter. Only current staff are entitled to connect to and/or login to this computer system. If you are not currently employed by the University of Exeter you should DISCONNECT IMMEDIATELY. This message may be a pop-up window or a statement immediately above or below the login fields. Internet Internet connectivity makes the system available directly to your required userbase, but also to malicious users: a) Access to internet facing platforms must be filtered by a security device so that only those services required are accessible to internet hosts. b) If the web platform is not intended to be indexed by search engines or similar include a /robots.txt file in the websites root directory. Please note this will not be observed by malware: User-agent: * Disallow: / c) Self-signed certificates must not be used on any internet facing services. d) Requests for certificates for any platform should be placed through the Exeter IT Helpdesk. The certificate s expiry date will then be monitored to ensure continuity of encryption services. Please Note. These certificates are not of a commercial grade for payment transactions. IT Governance and Compliance Page 4 of 5

5 General It is important that the new service is protected against known threats and updated when necessary to prevent exploitation or data leakage. a) Install anti-virus / anti-malware software. The platform must be incorporated into the antivirus management platform to ensure automated updates. b) The platform must be included in any system monitoring platform c) The platform must be included in the backup schedule d) Out of band management should be used. If platform management is over the same network interface as the standard user access, consider what continuity arrangements need to be made in the case of routing issues, denial of service etc. e) All management traffic must be encrypted. f) Management access on remote platforms must be restricted to University of Exeter IP address range. g) All authentication data must be encrypted. h) A nominated role holder must be identified as the owner of the platform i) Prior to going live a support team must be identified as being responsible for updates / patching of the platform. j) All test data must be removed from the platform k) Secure coding should be adopted to prevent compromise. Further information can be found at or l) Internet facing systems must be security scanned prior to launch. Sensitive Services Fines or legal action can be brought against organisations that do not look after personal or sensitive data appropriately. a) Any system that is internet facing and will handle sensitive information eg personal data, financial data should be penetration tested prior to launch. Please contact infosecurity@exeter.ac.uk for more information about penetration testing and associated costs. b) Any critical or high impact vulnerabilities must be fixed prior to access from the internet / go live. IT Governance and Compliance Page 5 of 5