Server Connection Policy
Application of this agreement.
This agreement applies to all computer servers connected to the campus network via CLASnet. This includes both university-owned and non-university-owned computers.
A server is a computer providing some service to other client computers via the network. A server's programs process requests from other computers for read and write access to the server's local hard drive or other shared resources (disk, printer, memory, etc). Some examples include, but are not limited to, computers running Windows NT with IIS, Linux with X-windows or Apache, and "peer-to-peer" networking, such as Appleshare, Windows File-&-Print sharing, personal FTP daemon, etc.
Guidelines.
The server must have a responsible contact listed with CLASnet. Ideally, this person is a USPS or A&P staff person trained in system administration for the server's platform. The contact should have a backup listed, in case the primary contact is unavailable.
The server must be configured from the outset in a secure mode. All vendor security patches must be applied, and file permissions must be "corrected" for the server's role. No unauthenticated accounts/access (ie, "guest") should be allowed.
The primary contact must update the server with any vendor-supplied security patches on a regular basis. New exploits for services are constantly located and fixed by the vendor. These new fixes must be applied to close known security holes.
The server should be installed on a switched network, to isolate its traffic. The increased network traffic to/from the server may adversely affect performance of other client computers in a shared-media network. In addition, If the server is compromised, a network monitoring program could be installed. In a shared-media network, such a program can capture username/password combinations, which can compromise additional servers both on and off UF campus.
Remote access to the server must be encrypted. Telnet and FTP are deprecated, unless tunneled inside a secure SSH or SSL/TLS session. Unauthenticated access methods (for example, rsh/rexex/rlogin) must be disabled.
Rationale.
If a cracker gains access to the insecure system, then:
- The cracker may read or delete any files on the insecure server. The cracker may modify any files or programs that the insecure computer serves out, which may then compromise any client computer that downloads those files.
- The cracker may add illegal files for download, which may include pirated copyrighted material (aka "warez").
- The cracker may use the insecure server to attack other servers.
- The cracker may install a network monitor to capture other usernames/passwords. This would compromise any other CLASnet servers on the network, as well as any remote servers accessed via the network.
- The cracker may start up a DoS (Denial of Service) attack against a remote server. UF may be assessed damages if found responsible for the insecure server. These damages may be charged back to the servers' unit.
Any server connected to the UF/CLASnet network must comply with these guidelines. In addition, the server must comply with the CLASnet computer connection policy. Failure to comply may result in immediate termination of network connection and financial responsibility for damages incurred.
