Policy for Deployment of Network Servers
Contact
Information Technology Services (ITS)Humanities 316
651-696-6525
helpdesk@macalester.edu
Hours
Purpose
Applies to all servers that reside on the Macalester network, ITS and Non-ITS
The purpose of this policy is to protect the users and the integrity of the Macalester College network. Its goal is to maintain consistency, assure availability, facilitate disaster-recovery, coordinate technical operations and apply sound security and management practices consistently.
The attachment of any server to the network can have a negative impact on other users on the rest of the network. The impact may be in the form of performance, security, or in some cases access to other resources.
Service to the entire campus community is a priority. In evaluating a response to problems associated with any server or workstation, the good of the many will always outweigh the good of the few and the device or segment in question will be logically or physically disconnected from the network until the problem can be resolved.
Policy
Information Technology Services (ITS) and Macalester College departments or other organizational units may connect servers to the campus network only under the conditions stated below.
Procedures
- First and foremost, all uses of Macalester College technology resources require adherence to both the Responsible Use and Unauthorized Network Devices Policies.
- An understanding of the purpose and importance of the server will be clarified in two ways:
- A meeting will be held with relevant members of the requesting organizational unit and appropriate members of ITS including: Associate Director for Enterprise and Application Services, Information Security Officer, Associate Director for Infrastructure. The purpose of the meeting will be to discuss all aspects of the request and to evaluate its potential impact on network performance and security.
- The administrative head of the requesting organizational unit (e.g., department chair, ITS division director) will complete a form which provides the following information:
- The date and time when the server will be connected.
- The name, phone number, and email address of the administrative contact.
- The name, day-and-night phone numbers, and email address of the technical contact.
- The configuration of the server (brand name, model number, type and version of operating system).
- Primary functions and services provided by the server.
- Any access required by sources outside Macalester (i.e. web services or SSH).
- Login access to the server should follow the principle of least privilege. This means access should only be provided to those who absolutely need it, only as much as is needed, and only for the length of time needed.
- “Root” or Administrator access to servers must be established for ITS Infrastructure staff. This may be in the form of a single shared account.
- In general, all servers will ordinarily be part of the Active Directory (AD) domain, and domain administrators will have access to the server via remote services and physical console access.
- Management, oversight and maintenance of the server:
- The requesting organizational unit is responsible for maintaining server software to be in compliance with licensing and copyright laws.
- The requesting organizational unit is responsible for best practice maintenance on the server including hardware, software, patches and upgrades, account provisioning, backups, security, etc.
- ITS will monitor and maintain ITS servers. ITS staff are always available for consultation regarding non-ITS servers, but ultimate responsibility for maintenance and upkeep will reside with the requesting organizational unit.
- Patch schedules should conform to current industry best practices.
- Deployment of any Non-ITS server will culminate with a basic security audit conducted by ITS staff to ensure current OS and patching, proper firewall and port configurations, hardening as appropriate, etc. The requesting organizational unit is responsible for maintenance of an adequate security state.
- The central enterprise system (network and campus servers) will not be altered to accommodate functions unique to an individual server.
- At the discretion of ITS Infrastructure staff, the server may be submitted to various security restrictions, e.g., location in a secure VLAN, additional security audits or penetration testing.
- Only secure interfaces such as ssh, ssl, sftp, etc. will be implemented.
- Basic read-only SNMP monitoring will be enabled on all servers with the help of ITS.
- Services, accounts, ports, and applications that will not be used must be disabled. Examples include: TELNET, FTP, NetBEUI, etc.
- Only ITS servers may provide Domain Name Service (DNS) or Dynamic Host Configuration Protocol (DHCP).
- Only IP-based protocols will be allowed on the college network. Examples of disallowed protocols include: AppleTalk, IPX/SPX. All IP addresses will be issued by ITS, including any public addressing. Bogus or self-generated IPs may not be used. At this time IPv6 may not be used and should be disabled.
- Services on non-ITS servers which are potentially detrimental to the server or network infrastructure (e.g., IMAP, POP3, SMTP, DNS, WINS, DHCP) require prior approval from ITS Infrastructure staff.
- Servers may not provide email service. ITS authorizes institutional email service. The purpose of this is to present a consistent institutional address format to the outside world and to enable an enterprise email system to provide common internal functionality.
- Network integrity will always take precedence over other needs, particularly if accessibility to a server creates a security risk, or presents a compromise from the network perspective. Because firewall configurations, packet filtering, or other security implementations may alter accessibility to the server from both on and off campus, ITS will work with requesting departments to accommodate accessibility in the best way possible.
Enforcement
Failure to comply with these requirements may be deemed a violation of the Information Technology Responsible Use Policy. Any violation which, in the opinion of ITS Infrastructure staff, represents a significant threat to the secure and stable performance of the Macalester network will result in removal of the relevant server from the network.
In the Event of Emergency
Either active or significant potential of compromise
- Any response must have as its primary goal the protection and/or restoration of all network services as soon as possible.
- All server-related problems that either are affecting network integrity or performance or suggest significant potential for same must be reported to ITS Help Desk at [email protected] or 651-696-6525.
- Please note that the server being down is not necessarily considered an emergency.
- ITS staff will make a good faith effort to resolve problems in a manner that minimally impacts the mission of the server.
- This information should be communicated to all server administrators and technical contacts at initial orientation.