Security Standard for General Information Systems




Ohio University
Security Standard for General Information Systems
A Standard for the Configuration and Operation of Information Systems at Ohio University
System Security Working Group
10/24/2008

Security Standard for General Information Systems, October 24, 2008

TABLE OF CONTENTS
Introduction ... 3
3 Levels of Standard ... 3
Patching ... 4
Server Deployment ... 4
Remove, Restrict or Disable Unnecessary or Unused Services, Applications, and Network Protocols ... 5
Configure OS User Authentication ... 6
Configure Resource Controls Appropriately (File permissions, network shares, etc) ... 8
Install and Configure Additional Security Controls ... 8
Securely Installing the Server Software ... 9
Configuring Access Controls ... 10
Server Resource Constraints ... 11
Selecting and Implementing Authentication and Encryption Technologies ... 12
Maintaining the Security of the Server ... 12
Server Backup Procedures ... 13
Security Scanning ... 13
Remotely Administering a Server ... 13

INTRODUCTION

In order to set a baseline for how systems should be configured when attached to the Ohio University Network, a working group was established in August of 2008 for the purpose of developing a standard to which all systems should comply. This working group had a membership roster that included:

Kapil Bajaj, Jay Beam, Doug Bowie, Donner Davis, Matthew Dalton, Mike Elliot, Chris Hayes, Steve Hoffer, Sunil Narasimhan, Paul Schmittauer, Ron Yakem

After reviewing several of the standards in existence, the group took the NIST 800-123 Guide to General Server Security (http://csrc.nist.gov/publications/nistpubs/800-123/sp800-123.pdf) as their template and modified it to more closely meet the environment of Ohio University. In all cases, the group attempted to stay true to the following security concepts:

Defense in Depth: Simply stated, good security doesn't rely on only one level of protection.
Principle of Least Privilege: An individual, process or system should only have the minimum amount of rights, access or privilege required to get the job done.
Less is More: A system should only contain, or have running, those files and functions necessary to get the job done; nothing more, nothing less.

3 LEVELS OF STANDARD

One change that the working group made to the standard was the recognition that not all systems are the same. Toward that end, the standard has been broken into three levels: Minimum, Moderate and Maximum. The standard is cumulative, i.e. Moderate systems have to comply with both Moderate and Minimum, while Maximum must comply with all three.

Minimum Standards apply to all general purpose computer environments (i.e. Windows, Mac, Linux, BSD, etc.). All Servers are at least Moderate, and servers containing confidential data must meet the Maximum requirement. Maximum is required regardless of whether the system is production if it contains sensitive data.

PATCHING

Minimum
- Create, document, and implement a patching process. (may be accomplished through WSUS, GPO, or auto patching)
- Install permanent fixes (patches, upgrades, etc.) (see previous bullet)
Moderate
- Identify vulnerabilities and applicable patches. (unless automated)
Maximum
- Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed). (depending on exploit available, or difficulty of the fix)

SERVER DEPLOYMENT

Minimum
Moderate
- Keep the servers disconnected from networks or connect them only to an isolated "build" network until all patches have been transferred to the servers through out-of-band means (e.g., CDs) and installed, and the other configuration steps listed in this section have been performed. (Moderate)
- Place the servers on a virtual local area network (VLAN) or other network segment that severely restricts what actions the hosts on it can perform and what communications can reach the hosts, only allowing those events that are necessary for patching and configuring the hosts. Do not transfer the hosts to regular network segments until all the configuration steps listed in this section have been performed.
Maximum
- Administrators should generally not apply patches to production servers without first testing them on another identically configured server.

REMOVE, RESTRICT OR DISABLE UNNECESSARY OR UNUSED SERVICES, APPLICATIONS, AND NETWORK PROTOCOLS

For the following section, if any of the public services listed below are enabled, the system is at least Moderate.

Minimum
Moderate
Public Services:
- Directory services (e.g., Lightweight Directory Access Protocol [LDAP], Network Information System [NIS])
- Web servers and services
- Email services (e.g., SMTP)
- System and network management tools and utilities, including Simple Network Management Protocol (SNMP)
- Remote control and remote access programs, particularly those that do not strongly encrypt their communications (e.g., Telnet)
- File and printer sharing services (e.g., Windows Network Basic Input/Output System [NetBIOS] file and printer sharing, Network File System [NFS], FTP)
- Wireless networking services (unless currently in use)
- Bluetooth, infrared
Maximum
- Language compilers and libraries (Off if production)
- System development tools (Off if production)

CONFIGURE OS USER AUTHENTICATION

Minimum
- Remove or Disable Unneeded Default Accounts: The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known in the attacker community. (Minimum)
- Disable Non-Interactive Accounts: Disable accounts (and the associated passwords) that need to exist but do not require an interactive login. For Unix systems, disable the login shell or provide a login shell with NULL functionality (e.g., /bin/false). (Minimum)
- Create the User Groups: Assign users to the appropriate groups. Then assign rights to the groups, as documented in the deployment plan. This approach is preferable to assigning rights to individual users, which becomes unwieldy with large numbers of users. (Minimum)
- Create the User Accounts: The deployment plan identifies who will be authorized to use each computer and its services. Create only the necessary accounts. Permit the use of shared accounts only when no viable alternatives exist. Have ordinary user accounts for server administrators that are also users of the server. (Minimum)
- Configure Automated Time Synchronization: Some authentication protocols, such as Kerberos, will not function if the time differential between the client host and the authenticating server is significant, so servers using such protocols should be configured to automatically synchronize system time with a reliable time server. Typically the time server is internal to the organization and uses the Network Time Protocol (NTP) for synchronization; publicly available NTP servers are also available on the Internet. (Minimum)
- Check the Organization's Password Policy: Set account passwords appropriately. Elements that may be addressed in a password policy include the following: (Minimum - Use highest level of enforcement that the system supports)
  - Length: a minimum length for passwords.
  - Complexity: the mix of characters required. An example is requiring passwords to contain uppercase letters, lowercase letters, and nonalphabetic characters, and to not contain "dictionary" words.
  - Aging: how long a password may remain unchanged. Many policies require users and administrators to change their passwords periodically. In such cases, the frequency should be determined by the enforced length and complexity of the password, the sensitivity of the information protected, and the exposure level of passwords. If aging is required, consideration should be given to enforcing a minimum aging duration to prevent users from rapidly cycling through password changes to clear out their password history and bypass reuse restrictions.
  - Reuse: whether a password may be reused. Some users try to defeat a password aging requirement by changing the password to one they have used previously. If reuse is prohibited by policy, it is beneficial, if possible, to ensure that users cannot change their passwords by merely appending characters to the beginning or end of their original passwords (e.g., original password was "mysecret" and is changed to "1mysecret" or "mysecret1").
  - Authority: who is allowed to change or reset passwords and what sort of proof is required before initiating any changes.
  - Password Security: how passwords should be secured, such as not storing passwords unencrypted on the server, and requiring administrators to use different passwords for their server administration accounts than their other administration accounts.
- Configure Computers to Prevent Password Guessing: It is relatively easy for an unauthorized user to try to gain access to a computer by using automated software tools that attempt all passwords. If the OS provides the capability, configure it to increase the period between login attempts with each unsuccessful attempt. If that is not possible, the alternative is to deny login after a limited number of failed attempts (e.g., three). Typically, the account is "locked out" for a period of time (such as 30 minutes) or until a user with appropriate authority reactivates it.
Moderate
Maximum
- Install and Configure Other Security Mechanisms to Strengthen Authentication
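The password policy elements above (length, complexity, dictionary words, and reuse by merely adding characters to an old password) as a checker, written here as an added example that is not part of the standard; the word list, the minimum length of 8 and the sample passwords are constructed assumptions.

```python
from typing import List

# Constructed illustrative values (assumptions, not from the standard): a real
# deployment would load a word list and the account's stored password history.
DICTIONARY_WORDS = {"password", "secret", "welcome", "letmein", "university"}
MIN_LENGTH = 8


def complexity_ok(pw: str) -> bool:
    """Require uppercase, lowercase and non-alphabetic characters."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(not c.isalpha() for c in pw))


def contains_dictionary_word(pw: str) -> bool:
    """Case-insensitive substring match against the word list."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY_WORDS)


def is_trivial_variant(new: str, old: str) -> bool:
    """True when the new password is the old one with characters prepended,
    appended, or both (covers 'mysecret' -> '1mysecret' or 'mysecret1').
    The comparison ignores case so 'Mysecret1' is caught as well."""
    n, o = new.lower(), old.lower()
    return bool(o) and n != o and o in n


def check_password(new: str, history: List[str]) -> List[str]:
    """Return the policy violations for a proposed password; an empty list
    means the password is acceptable under these rules."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not complexity_ok(new):
        problems.append("missing uppercase, lowercase or non-alphabetic characters")
    if contains_dictionary_word(new):
        problems.append("contains a dictionary word")
    for old in history:
        if new == old:
            problems.append("reuses a previous password")
            break
        if is_trivial_variant(new, old):
            problems.append("is a previous password with characters added")
            break
    return problems


if __name__ == "__main__":
    for candidate in ["Blu3Wren#7", "Blu3Wren#71", "Password1!", "R1ver$tone"]:
        print(candidate, check_password(candidate, ["Blu3Wren#7"]) or "accepted")
```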

CONFIGURE RESOURCE CONTROLS APPROPRIATELY (FILE PERMISSIONS, NETWORK SHARES, ETC)

Minimum
Moderate
- Permit access to only required files (e.g. users shouldn't be allowed to access system MMC controls or other users' files) (Moderate)
Maximum
- Isolate service users to virtual environments (e.g. chroot 'jails') (Moderate)

INSTALL AND CONFIGURE ADDITIONAL SECURITY CONTROLS

Minimum
- Anti-malware software, such as antivirus software, anti-spyware software, and rootkit detectors, to protect the local OS from malware and to detect and eradicate any infections that occur. Examples of when anti-malware software would be helpful include a system administrator bringing infected media to the server and a network service worm contacting the server and infecting it. (as it applies)
Moderate
- Host-based firewalls, to protect the server from unauthorized access. (Minimum if it can support)
- Periodic security testing of the OS is a vital way to identify vulnerabilities and to ensure that the existing security precautions are effective and that security controls are configured properly.

Maximum
- Host-based intrusion detection and prevention software (IDPS), to detect attacks performed against the server, including DoS attacks. For example, one form of host-based IDPS, file integrity checking software, can identify changes to critical system files.
- Network based firewalls should be configured as additional protection.
- Patch, Package and Configuration management or vulnerability management software to ensure that vulnerabilities are addressed promptly. Patch management and vulnerability management software can be used only to apply patches or also to identify new vulnerabilities in the server's OSs, services, and applications. (above and beyond WSUS, yum, up2date) (Altiris, BigFix, ZenWorks, etc.)
- Disk Encryption technologies (and Portable - as possible)

SECURELY INSTALLING THE SERVER SOFTWARE

Minimum
- Apply any patches or upgrades to correct for known critical vulnerabilities in the server software (i.e. Apache, IIS, Oracle, MS-SQL, Cold Fusion, etc.)
Moderate
- Install the server software either on a dedicated host or on a dedicated guest OS if virtualization is being employed. (Single network service/role per server - Web, database, DNS, smtp, etc.)
- Apply any patches or upgrades to correct for known vulnerabilities in the server software (i.e. Apache, IIS, Oracle, MS-SQL, Cold Fusion, etc.)
- Create a dedicated physical disk or logical partition (separate from OS and server application) for server data, if applicable.
- Remove or disable all services installed by the server application but not required (e.g., gopher, FTP, HTTP, remote administration).
- Remove or disable all unneeded default user accounts created by the server installation.
- Remove all example or test files from the server, including sample content, scripts, and executable code (for production)
- Remove all unneeded compilers.
- Reduce the permissions that a service account has to only those required.

- Apply the appropriate security template or hardening script to the server.
- For external-facing servers, reconfigure service banners not to report the server and OS type and version, if possible.
- Configure warning banners for all services that support such banners.
- Configure each network service to listen for client connections on only the necessary TCP and UDP ports, if possible.
Maximum
- Remove all manufacturers' documentation from the server.

CONFIGURING ACCESS CONTROLS

Minimum
Moderate
- Limit the access of the server application to a subset of computational resources. (If Possible/feasible - can be accomplished through virtualization, but not easy in many modern OSs)
- Limit the access of users through additional access controls enforced by the server, where more detailed levels of access control are required. Typical files to which access should be controlled are as follows:
  - Application software and configuration files
  - Files related directly to security mechanisms:
    - Password hash files and other files used in authentication
    - Files containing authorization information used in controlling access
    - Cryptographic key material used in confidentiality, integrity, and nonrepudiation services
  - Server log and system audit files
  - System software and configuration files
  - Server content files

- Service processes are configured to run as a user with a strictly limited set of privileges (i.e., not running as root, administrator, or equivalent).
- Service processes can only write to server content files and directories if necessary.
- Temporary files created by the server software are restricted to a specified and appropriately protected subdirectory (if possible).
- Access to these temporary files is limited to the server processes that created the files (if possible).
Maximum

SERVER RESOURCE CONSTRAINTS

Minimum
Moderate
- Installing server content on a different hard drive or logical partition than the OS and server software.
- Placing a limit on the amount of hard drive space that is dedicated for uploads, if uploads to the server are allowed. Ideally, uploads should be placed on a separate partition to provide stronger assurance that the hard drive limit cannot be exceeded.
Maximum
- If user uploads are allowed to the server, ensuring that these files are not published by the server until after some automated or manual review process is used to screen them. This measure prevents the server from being used to propagate malware or traffic pirated software, attack tools, pornography, etc. It is also possible to limit the size of each uploaded file, which could limit the potential effects of a DoS attack involving uploading many large files.
- Ensuring that log files are stored in a location that is sized appropriately. Ideally, log files should be stored on a separate partition. If an attack causes the size of the log files to increase beyond acceptable limits, a physical partition helps ensure the server has enough resources to handle the situation appropriately.
- Configuring the maximum number of server processes and/or network connections that the server should allow.

SELECTING AND IMPLEMENTING AUTHENTICATION AND ENCRYPTION TECHNOLOGIES

Minimum
- Systems should employ encryption technologies when transmitting or storing sensitive information and authentication credentials.
Moderate
- Systems should authenticate to a central system, such as OIT AD, to allow access to nonpublic resources.
Maximum

MAINTAINING THE SECURITY OF THE SERVER

Minimum
Moderate
Logging
Identifying Logging Capabilities and Requirements
- Logs should capture successful and failed authentication attempts
- If possible, logs should capture privileged use attempts
- Logs should capture account management activities
- Logs should capture, as much as possible, system configuration changes, schema changes, or state changes
Reviewing and Retaining Log Files
- Log files should be retained for at least one year
- Log files should be reviewed weekly for anomalies
Maximum
- Log files should be reviewed through the University's Security Information and Event Manager (SIEM)
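An added example, not part of the standard, of the weekly log review above: it classifies syslog-style lines into the event types the standard asks logs to capture (successful and failed authentication, privileged use, account management) and flags any account and source whose failed attempts reach the lockout threshold of three given earlier as an example. The log lines, host name, user names and addresses are all constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of syslog-style authentication records (not real data);
# the host name, user names and addresses are placeholders.
SAMPLE_LOG = """\
Oct 24 08:01:12 web01 sshd[2031]: Failed password for svcadmin from 10.20.30.40 port 51022 ssh2
Oct 24 08:01:15 web01 sshd[2031]: Failed password for svcadmin from 10.20.30.40 port 51022 ssh2
Oct 24 08:01:19 web01 sshd[2033]: Failed password for svcadmin from 10.20.30.40 port 51030 ssh2
Oct 24 08:01:24 web01 sshd[2033]: Failed password for svcadmin from 10.20.30.40 port 51030 ssh2
Oct 24 08:02:01 web01 sshd[2044]: Accepted publickey for alice from 10.20.30.41 port 51090 ssh2
Oct 24 08:03:40 web01 sshd[2050]: Accepted password for bob from 10.20.30.42 port 51100 ssh2
Oct 24 08:05:33 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup
Oct 24 08:05:33 web01 useradd[2100]: new user: name=svc-backup, UID=1005, GID=1005, home=/var/lib/backup, shell=/bin/false
Oct 24 08:06:10 web01 sshd[2120]: Failed password for invalid user admin from 203.0.113.7 port 4400 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(\S+)")
ACCOUNT_RE = re.compile(r"(useradd|userdel|usermod|groupadd|passwd)\[\d+\]: (.+)")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Map one log line to one of the event classes the standard wants
    captured; returns None for lines this review does not track."""
    m = FAILED_RE.search(line)
    if m:
        return {"kind": "auth_failed", "user": m.group(1), "source": m.group(2)}
    m = ACCEPTED_RE.search(line)
    if m:
        return {"kind": "auth_ok", "method": m.group(1), "user": m.group(2), "source": m.group(3)}
    m = SUDO_RE.search(line)
    if m:
        return {"kind": "privileged", "user": m.group(1), "command": m.group(2)}
    m = ACCOUNT_RE.search(line)
    if m:
        return {"kind": "account_mgmt", "tool": m.group(1), "detail": m.group(2)}
    return None


def review_auth_log(lines: List[str], threshold: int = 3) -> dict:
    """Summarise the tracked events and flag every (user, source) pair whose
    failed logins reach the threshold; password logins are listed separately
    because the Moderate level expects key pair or two-factor authentication."""
    failures: Counter = Counter()
    summary = {"successful": 0, "password_logins": [], "privileged": 0,
               "account_changes": [], "flagged": []}
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev["kind"] == "auth_failed":
            failures[(ev["user"], ev["source"])] += 1
        elif ev["kind"] == "auth_ok":
            summary["successful"] += 1
            if ev["method"] == "password":
                summary["password_logins"].append(ev["user"])
        elif ev["kind"] == "privileged":
            summary["privileged"] += 1
        elif ev["kind"] == "account_mgmt":
            summary["account_changes"].append(ev["detail"])
    summary["flagged"] = sorted((u, s, n) for (u, s), n in failures.items() if n >= threshold)
    return summary


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```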

SERVER BACKUP PROCEDURES

Minimum
- Backup media should be protected from theft and/or disclosure at the same level as the system itself (physical, encryption, etc.)
Moderate
- Minimum of Differential backups should occur at least nightly
- Full Backups should occur at least twice a Month
- Backup recovery testing should be performed at least twice a year
- Backups should be maintained in a separate physical location/building from the system itself. Recommend at least 3 full backups be kept, but environment may dictate differently
Maximum
- Full Backup recovery test should be performed at least twice a year

SECURITY SCANNING

These services will be performed by the University Information Security Office.

Minimum
- Systems should be scanned for common external vulnerabilities quarterly, or as new, significant vulnerabilities are discovered
- Some findings may result in the immediate removal of the system from the network until remediation is performed
Moderate
- The results of these scans need to be addressed within one week of them being provided to the administrator of the system
Maximum
- Penetration testing should be performed on an annual basis

Note: Some operating systems have self remediation tools such as the Microsoft Baseline Security Analyzer, that allow a user or administrator to assess some of the security of their system. Although not required, these are helpful to determine what may need to be performed on a system prior to, or between, scans.

REMOTELY ADMINISTERING A SERVER

Minimum
- Restrict which hosts can be used to remotely administer the server. (minimum)
- Restrict by authorized users (minimum)
- Restrict by IP address (not hostname) (minimum)
- Restrict to hosts on the internal network or those using the organization's enterprise remote access solution. (minimum)
- Use secure protocols that can provide encryption of both passwords and data (e.g., SSH, HTTPS); do not use less secure protocols (e.g., telnet, FTP, NFS, HTTP) unless absolutely required and tunneled over an encrypted protocol, such as SSH, SSL, or IPsec. (minimum)
- Enforce the concept of least privilege on remote administration (e.g., attempt to minimize the access rights for the remote administration accounts). (minimum)
- Do not allow remote administration from the Internet through the firewall unless accomplished via strong mechanisms, such as VPNs. (minimum)
- Use remote administration protocols that support server authentication to prevent man-in-the-middle attacks. (minimum)
- Change any default accounts or passwords for the remote administration utility or application. (minimum)
Moderate
- Use a strong authentication mechanism (e.g., public/private key pair, two-factor authentication).
Maximum
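The Minimum and Moderate items above applied to OpenSSH's sshd_config, as an added example that is not part of the standard: a small audit that checks for root login, restriction to authorized users, restriction by IP address rather than hostname, and key-based rather than password authentication. The two configuration fragments, the user names and the subnet are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sshd_config fragments for illustration (assumptions, not from the
# standard); the user names and the 10.20.30.0/24 management subnet are placeholders.
WEAK_CONFIG = """\
# Out-of-the-box style settings: root and password logins from anywhere
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# Named administrators only, keys only, and only from the management subnet
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice@10.20.30.0/24 bob@10.20.30.0/24
Match Address 10.20.30.0/24
    LogLevel VERBOSE
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives with lower-cased keys. The first occurrence
    of a keyword wins, as in sshd, and everything from the first Match block on
    is conditional, so this global check stops there."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Check a configuration against the remote administration items; returns
    (level, finding) pairs, empty when every check passes."""
    d = parse_sshd_config(text)
    findings: List[Tuple[str, str]] = []
    if d.get("permitrootlogin", "").lower() != "no":
        findings.append(("Minimum", "PermitRootLogin is not 'no': least privilege calls for a "
                                    "limited administration account rather than root"))
    entries = d.get("allowusers", "").split()
    if not entries and not d.get("allowgroups"):
        findings.append(("Minimum", "no AllowUsers/AllowGroups: not restricted to authorized users"))
    if not entries or any("@" not in e for e in entries):
        findings.append(("Minimum", "no user@address pattern in AllowUsers: not restricted by IP address"))
    for entry in entries:
        if "@" in entry:
            host = entry.split("@", 1)[1]
            try:
                ipaddress.ip_network(host, strict=False)  # accepts an address or a CIDR block
            except ValueError:
                findings.append(("Minimum", f"'{entry}' restricts by hostname, not IP address"))
    if d.get("passwordauthentication", "").lower() != "no":
        findings.append(("Moderate", "PasswordAuthentication is not 'no': Moderate requires a key "
                                     "pair or two-factor authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_sshd_config(cfg) or "no findings")
```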