TTUHSC IT Policies
Guidelines For Operating Systems Security
To ensure separation of duty, the security functions performed by the authorized administrator must be separable from the non-security functions performed by the System Administrator.
Separate and distinct privileges must be associated with distinct security relevant operations.
If a domain or system has multiple System Administrators, each System Administrator must maintain their own individual administrative account.
System Administrators must not leave the server console unattended while logged on.
All production server hardware must be physically secured in an area that restricts and limits access to the server console, if possible.
Remote system administration is not allowed from outside of the TTUHSC Internet firewall unless using an encrypted and authenticated channel.
Network System Administrators must immediately disable user accounts when notified that the user has terminated employment with TTUHSC, or when requested by the user's supervisor.
Configuration of any production systems must be limited to the minimum network services, protocols, and bindings necessary for operating that system and application.
Application files must be maintained separately or partitioned from the system and user files.
System areas must never be accessible via remote mounting.
Systems running critical applications must never "trust" other non-application based hosts.
Systems supporting critical applications should have security functionality in place to control and restrict network connections from non-identified sources.
Systems configured as network routers or gateways shall support only the services necessary to perform those functions.
File Share Configuration
The Windows default hidden shares (ADMIN$, C$, D$, and PRINT$) must be set so that only system administrator rights are allowed.
The network configuration for file sharing on all Windows desktop and portable computers should be disabled by default. File systems that are shared should be set to read-only unless write access is explicitly required.
The system that requires the ability to share files must also restrict the access to only the workstations and users that are authorized to use it.
The administrator must disable or delete vendor supplied default "User ID/password pairs."
Passwords known or suspected to be compromised must be reset as soon as possible, while minimizing disruption of application operations.
Security administration passwords must be reset when system administration responsibilities have been transferred to a new administrator, or when an administrator no longer requires access to the system.
The incoming System Administrator must change the service account passwords immediately upon responsibility transfer.
Static passwords used to authenticate User IDs must be a minimum of six (6) characters in length.
Note: This is the minimum requirement – longer character length is encouraged for increased security based on how critical the particular information assets, applications, or systems are to the institution and/or the customer.
It is strongly recommended that static passwords used to authenticate User IDs be changed at least every ninety (90) days.
Note: This is the minimum requirement – changing passwords more often is encouraged for increased security based on how critical the particular information assets, applications, or systems are to the institution and/or the user.
Static password complexity requires that any three of the following four characteristics must be applied when creating or changing a password:
- Alpha characters - at least 1 alpha character
- Numeric characters - at least 1 numeric character
- Special characters - at least 1 special character
- No more than 2 of the same characters used consecutively
Examples of passwords that meet the above criteria are: g123*b, abc11@, ttu&12, 1973z$
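The following is an added example, not part of the TTUHSC policy text, showing how the length and "three of four characteristics" rules above can be checked mechanically. It treats "special character" as any ASCII punctuation character (an assumption; the policy does not define the term) and evaluates the four example passwords listed above together with a few constructed edge cases, including a password that fails the consecutive-character rule yet still passes because it meets the other three characteristics.

```python
import re
import string

MIN_LENGTH = 6                # policy: at least six (6) characters
REQUIRED_CHARACTERISTICS = 3  # policy: any three of the four characteristics

# Assumption: "special character" means ASCII punctuation; the policy does not say.
SPECIAL_CHARS = set(string.punctuation)


def password_characteristics(password: str) -> dict:
    """Evaluate each of the four policy characteristics for one password."""
    return {
        "alpha": any(c.isalpha() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL_CHARS for c in password),
        # True when no character appears three or more times in a row
        "no_triple_repeat": re.search(r"(.)\1\1", password) is None,
    }


def meets_policy(password: str) -> bool:
    """Return True when the password satisfies the minimum length and at
    least three of the four complexity characteristics."""
    if len(password) < MIN_LENGTH:
        return False
    met = password_characteristics(password)
    return sum(met.values()) >= REQUIRED_CHARACTERISTICS


def unmet_characteristics(password: str) -> list:
    """Names of the characteristics a password does not satisfy, for
    feedback to the user (the password itself is never echoed)."""
    return [name for name, ok in password_characteristics(password).items() if not ok]


if __name__ == "__main__":
    # The four examples from the policy plus constructed edge cases.
    for candidate in ["g123*b", "abc11@", "ttu&12", "1973z$",
                      "aaa123", "abcdef", "ab12cd", "aaa1$b", "g1*b"]:
        print(f"{candidate!r:10} -> {meets_policy(candidate)} "
              f"(unmet: {unmet_characteristics(candidate)})")
```

"aaa1$b" illustrates the edge case worth knowing about: it violates the consecutive-character rule, but because it has alpha, numeric and special characters it still meets three of four and is accepted, exactly as the policy is worded.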
Passwords should not be reused by the same user for six months.
Individual users must be required to change their "initial" password when it is used for the first time, for example by issuing the password in a pre-expired state.
The password change routine must require the user to re-authenticate.
Note: The system should be configured to notify users in advance of requiring them to change their passwords and before their passwords expire.
Administrators must not allow the sharing of "User ID/password pairs" among multiple users.
Clear-text representation of the password on the data entry device must be automatically suppressed or fully masked out.
Windows Operating System Security
Systems must be configured such that a System Administrator is required to logon in order to shut down a server.
Service Account Passwords
Service accounts are loosely defined as accounts that are used by application services to operate on a Windows server or workstation. These accounts, in many cases, must have domain or other administrative privileges, and must always have the ability to "log on as a service" on the host server or workstation. All rights not absolutely required for application operations, such as "log on locally," must be disabled.
Passwords for service accounts must be maintained and tightly controlled by the application administrator. These passwords must follow all of the criteria for user account passwords, except for the following areas:
- Passwords must be reset when applications administration responsibilities have been transferred to a new administrator, or when an application, domain, or other administrator no longer requires access to the system
- The incoming administrator must change the service account passwords immediately upon responsibility transfer.
- In order to monitor account activities, service accounts must be audited in the same manner as user accounts.
UNIX Operating System Security
Prior to logging in at the root level, the user must first log in under his/her own User ID and then use the super user (SU) command to access root privileges.
The ability to log in with a root level password must be limited to only those authorized persons who have been entrusted with system administrator responsibility, and must be done from the system console.
Root or system administrator history must be enabled.
Upon any personnel changes, the root password must be changed as soon as practical.
Any system using shadow password files must restrict access to the shadow password file.
Only TTUHSC I.T. approved set-group-ID (SGID) and set-user-ID (SUID) programs are permitted on the system.
The permissions on crontab entries must be READ/WRITE by owner and no access for group or others. (A crontab is a list or table of commands that are executed by the operating system at specific times.)
Crontab entries must not be invoked from world readable/writable files.
Crontab entries must not be referenced from world readable/writable files.
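As an added example (not part of the policy, and not a TTUHSC tool), the audit below checks the three crontab requirements above on a user crontab file: the file itself must be mode 0600 (read/write by owner, no access for group or others), and every program a crontab entry invokes must not be world readable or writable, following the policy wording literally. It assumes the user-crontab layout (five schedule fields or one `@`-keyword, then the command) and builds a constructed crontab and two constructed scripts in a temporary directory so it runs offline.

```python
import os
import shlex
import stat
import tempfile


def crontab_file_violation(mode: int) -> bool:
    """Policy: crontab permissions are READ/WRITE by owner and nothing else."""
    return mode != 0o600


def world_accessible(mode: int) -> bool:
    """Policy: invoked/referenced files must not be world readable or writable."""
    return (mode & (stat.S_IROTH | stat.S_IWOTH)) != 0


def referenced_programs(crontab_text: str) -> list:
    """Return the program path of each entry in a user crontab.
    Assumes user-crontab layout: 5 schedule fields (or one @keyword), then the command."""
    programs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # environment line such as SHELL=/bin/sh
            continue
        ncols = 1 if line.startswith("@") else 5
        parts = line.split(None, ncols)
        if len(parts) <= ncols:             # schedule with no command
            continue
        try:
            argv = shlex.split(parts[ncols])
        except ValueError:                  # unbalanced quotes; skip the entry
            continue
        if argv:
            programs.append(argv[0])
    return programs


def audit_crontab(crontab_path: str) -> list:
    """Return human-readable findings for one crontab file and the programs it runs."""
    findings = []
    mode = stat.S_IMODE(os.stat(crontab_path).st_mode)
    if crontab_file_violation(mode):
        findings.append(f"{crontab_path}: mode {mode:04o}, policy requires 0600")
    with open(crontab_path) as fh:
        text = fh.read()
    for prog in referenced_programs(text):
        if not os.path.isabs(prog) or not os.path.isfile(prog):
            findings.append(f"{prog}: not an absolute path to an existing file")
            continue
        pmode = stat.S_IMODE(os.stat(prog).st_mode)
        if world_accessible(pmode):
            findings.append(f"{prog}: mode {pmode:04o} is world readable/writable")
    return findings


def demo() -> list:
    """Constructed sample: one compliant script, one world-readable script,
    and a crontab that is itself group/other readable."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "rotate_logs.sh")
    bad = os.path.join(d, "backup.sh")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
    os.chmod(good, 0o700)   # owner only: compliant
    os.chmod(bad, 0o755)    # world readable: violates the policy
    cron = os.path.join(d, "crontab")
    with open(cron, "w") as fh:
        fh.write("SHELL=/bin/sh\n# constructed sample crontab\n"
                 f"0 2 * * * {good} --quiet\n@daily {bad}\n")
    os.chmod(cron, 0o644)   # group/other readable: violates the policy
    return audit_crontab(cron)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the demo reports two findings: the crontab's own 0644 mode and the 0755 backup script; the 0700 script is silent. The same two permission helpers apply unchanged to the audit-record files discussed under Auditing and Accountability.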
Auditing and Accountability
The syslog daemon must be configured to start automatically at boot time. The audit records should be stored in a separate file system dedicated to auditing.
The audit information must be protected with no access for world to prevent casual browsing by non-root users.
E-mail entering or leaving the TTUHSC network must pass through the TTUHSC I.T. e-mail servers unless approved by the CIO. All e-mail mailbox and transport services for an individual or an application must use the TTUHSC I.T. e-mail servers unless approved by Information Technology. Refer to the Institutional Email and Computer Naming Convention Standards for more information.
Email servers including, but not limited to, SMTP, POP3, IMAP4, or Microsoft Exchange may not be run on any system connected to the TTUHSC network unless approved by Information Technology.