...

  1. Patch and/or upgrade the operating system to keep it in a secure state. Security patches should be applied within 30 days of release.

  2. Configure the operating system to meet vendor/system best practices.

    1. Principle of Least Privilege

      1. Disable all services which are not necessary.

      2. All accounts should have only the permissions they require.

      3. Remove or disable unnecessary accounts.

    2. Change all default passwords and ensure they meet Lehigh password guidelines.

    3. The OS should be maintained by a qualified administrator. Contact LTS for support options if a qualified local administrator is not available.

  3. Lehigh security tools are installed and properly configured. This includes endpoint detection, host firewalls, IDS, and others.

  4. Patch and/or upgrade server components which have critical/high security flaws. This includes, but is not limited to, Apache, IIS, PHP, NGINX, and others.

  5. Configure Web server to meet recommended best practices.

    1. Install the web server on a dedicated host.

    2. Disable all unnecessary services.

    3. Configure the server to prohibit access to content not intended for public distribution. Disallow directory browsing.

    4. Separate web server directories from operating system and application directories.

    5. Use secure transport encryption such as TLS. Configure the server to redirect HTTP to HTTPS and to send HTTP Strict Transport Security (HSTS) headers.

    6. Implement firewalls to restrict access to the web server. Only allow traffic to necessary ports (typically 80/http and 443/https).

  6. Web server administrators are responsible for ensuring they are receiving, reviewing, and reacting to vulnerability reports monthly. Please contact security@lehigh.edu to schedule vulnerability reports/tickets.

  7. Logging should be enabled and provided to Lehigh’s central logging service.

    1. Log failed login attempts and account privilege changes.

    2. Enable detailed logging on web servers. Ensure that logs include access logs, error logs, and security logs.

  8. System backups: based on the criticality of the system, web content, application configs, and the operating system should be backed up.
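The following nginx fragment is an added example, not configuration from this standard or from Lehigh, showing how items 5 (web server best practices) and 7 (web server logging) above translate into settings: HTTP redirected to HTTPS with HSTS, a document root kept apart from OS and application directories, directory listings off, non-public files denied, and detailed access and error logs written locally and forwarded to a central syslog collector. The hostname `www.example.edu`, the certificate and document root paths, and the collector `logs.example.edu` are placeholders. Failed OS login attempts and privilege changes (item 7.1) and the host firewall (item 5.6) are handled by the operating system, not by this file.

```nginx
# Added example (not Lehigh's own configuration). These directives belong
# inside the http { } context of nginx.conf. Hostnames, certificate paths,
# the document root and the syslog collector address are placeholders.

# Item 7.2: a detailed access log format (adds TLS version and request time
# to the default "combined" fields). log_format must sit at http level.
log_format detailed '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '$ssl_protocol $request_time';

# Item 5.5: plain HTTP exists only to redirect every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.edu;                  # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.edu;                  # placeholder hostname

    # Item 5.5: TLS with current protocol versions only.
    ssl_certificate     /etc/ssl/certs/www.example.edu.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/www.example.edu.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Item 5.5: HSTS so browsers keep using HTTPS for a year ("always" sends
    # the header on error responses too).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Item 5.4: document root separate from OS and application directories.
    root /srv/www/example.edu/htdocs;             # placeholder path

    # Item 5.3: no directory listings (nginx's default, stated explicitly).
    autoindex off;

    # Item 5.3: deny files not meant for public distribution:
    # dotfiles (.git, .htaccess, .env) and backup/dump/config leftovers.
    location ~ /\. { deny all; }
    location ~* \.(bak|old|orig|sql|log|conf)$ { deny all; }

    # Item 7: access and error logs kept on the host and shipped to the
    # central logging service over syslog (collector address is a placeholder).
    access_log /var/log/nginx/access.log detailed;
    access_log syslog:server=logs.example.edu:514,facility=local7,tag=nginx detailed;
    error_log  /var/log/nginx/error.log warn;
    error_log  syslog:server=logs.example.edu:514,facility=local7,tag=nginx warn;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After editing, run `nginx -t` to validate the syntax before reloading, and confirm the redirect and HSTS header from a client with `curl -I http://www.example.edu/` (expect a 301 to the https URL) and `curl -I https://www.example.edu/` (expect the `Strict-Transport-Security` header). Item 5.6 (only ports 80 and 443 reachable) is enforced with the host firewall required by item 3, not in this file.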

...