Security, Policies & Guidelines

NMSU Server Administration and Operation Policy – (Auditor imposed)

Purpose of Policy: This policy addresses servers connected to the NMSU network. It specifies who is eligible for accounts, security maintenance and the policy for reporting server break-ins.

A server is any computing device which provides services to other computing devices. Servers can be divided into two major categories: full-function servers and limited-function servers.

Full-function servers are usually multi-user environments which maintain login accounts for many users, provide disk space to several machines, and can provide network services like Domain Name Service, Sendmail or WWW. Typically, full-function servers are UNIX-based machines, Windows NT/ 2000 XP Servers, MVS, VM, VMS, NOVELL and Mac OSX.

A limited-function server is one which provides disk space and/or printer services. An example is an office computer which shares disk drives to others in the office. A machine providing more than file and print services should be considered a full-function server.

Computers which do not provide services to the network community are considered “clients”. It is often the case that a client machine is changed to a server by sharing a "computer drive". Whenever this occurs, the computer becomes a server.

SERVER - security

Account eligibility and account maintenance:

Account maintenance will be in accordance with university policies and procedures (http://ict.nmsu.edu/Guidelines). In general, computer accounts are limited to NMSU faculty, staff, and students. Other accounts to facilitate official NMSU efforts are permitted and should be limited to those services needed to assist the institution. Accounts should not be provided to family, friends, or other non-NMSU affiliates.

Access to the server should be limited to those computers (clients) which need access to the available services on the server. The server system administrator should take efforts to restrict other access. Unused services should be removed from the machine. The sharing of disk drives should be limited to those clients who require access. The person sharing the disk is required to ensure the disk is password protected and does not violate copyright laws by exporting vendor software.

Due to the nature of computer server vulnerabilities, ANY computer classified as a server must have additional efforts taken to ensure that the server is not compromised from internal and external malicious activity. Maintaining the operating system along with vendor-supplied patches is required to maintain a server the NMSU network. Regular security audits of servers are required.

1. The server must be updated with all known security patches at least twice a year. This means the server system-administrator must have access to updates by the vendor.
2. Account audits should be made at least 4 times a year. All unnecessary accounts should be removed.
3. Access control to services like disk sharing, should be reviewed twice a year.
   
4. The review of services provided by the server should occur at least once a year.
   If assistance is required in maintaining your server, please contact Information & Communication Technologies for support.

Whenever a server experiences or is involved in a break-in, it is the responsibility of the server system-administrator to report the incident to the Director of Security and Research Computing at Information & Communication Technologies.

The department owning the server will be responsible for performing any audits required by Information & Communication Technologies, NMSU, or other legal authorities. The department will be responsible for ensuring that backups of the compromised machine are made and all security patches are applied. The department will be fiscally responsible for performing these tasks.