The purpose of this policy is to establish standards for the base configuration of server equipment that is owned or operated by Elon University. Effective implementation of this policy will minimize unauthorized use of the University information technology network or other access to the University’s proprietary information and technology.
Any web or database server using any part of the university network is considered Elon University hardware, and is subject to this policy, regardless of the ownership of the server hardware/software or the affiliation of the server’s administrator or webmasters.
A server administrator, upon connecting their server to Elon’s network is responsible for the security of that device in accordance with Elon guidelines. An administrator is held accountable when a compromise occurs. It is also expected that the administrator demonstrate reasonable precautions to ensure the security of their host system or server hardware.
Servers should be placed in physically secured areas accessible only to authorized personnel. There is no substitute for physical security.
- No personal/departmental routers (cable/data) should be attached to the Elon network.
- No personal/departmental wireless access points should be connected to the Elon network.
- Switches and hubs are permitted.
3.2 Services Supported
Administrators should run only services on servers that are needed for it to complete its designed task. Every service running should be regarded as a mode of entry. The number of entry points should be limited to only those required.
3.3 Security Updates
The latest system patches should be applied and updated every two weeks. If it is determined that the owner is unable to maintain appropriate server maintenance, Elon University Information Systems & Technologies will take control and possession of the server for ongoing maintenance with provisions made for the appropriate academic/administrative use.
The first intrusion or security breach will result in a warning and closer monitoring by Information Systems & Technologies staff, the second will result in loss of control of the server by the owner/administrator. Any hardware must not conflict with the operation of university systems, not limited to email servers or web servers.
3.4 Virus Protection
It is expected that administrators regularly scan all servers with updated virus detection software.
3.5 Log-on Limits
Administrators should limit log-on retries to three (3) with a fifteen (15) minute wait time.
3.6 Account Reviews
Elon University Information Systems & Technologies will regularly review all accounts for inactivity and any dormant accounts may be disabled.
3.7 Password Protection
All accounts must conform to the Elon University Password policy.
Information Systems & Technologies encourages server administrators to maintain backups on all servers for 30 days.
3.9 Server Logs
Logs of user activity must be retained for a defined period which is defined by the owner in writing. (e.g. 30 days).
3.10 Sensitive Information
Elon University Information Systems & Technologies must be made aware of any server that contains sensitive data. This includes, but is not limited to, social security numbers, credit card numbers, active grades and other personal data.
3.11 Remote Administration
In order for a vendor or consultant to gain access to a server from off campus, they must be assigned a VPN account. The system administrator is responsible for registering the vendor or consultant before the VPN can be assigned. In addition, a vendor or consultant may be required to sign a nondisclosure agreement before gaining access to a server.
Elon University Information Systems & Technologies reserves the right to scan systems for known vulnerabilities. When vulnerabilities are discovered, it is expected that system administrators will immediately act to close all known security vulnerabilities for which there are reasonable methods. If the administrator is unable to do this in a timely manner it is expected that they will remove the server from the network to protect other systems or it will be removed by Information Systems & Technologies.
All servers should be registered with Elon University Information Systems & Technologies.
Note: All server administrators must notify Information Systems & Technology (IST@elon.edu) of servers running in their department. This registration will require names and phone numbers of people to call in emergency situations including contact information during semester breaks. When security related issues arise and this information is not available there may be no choice other than to disconnect a server without notice. Information Systems & Technology must be notified upon discovery of any system breach or suspected system breach. Information Systems & Technology reserves the right to disconnect any server which poses a threat to the campus network. Any server not following the above procedures will be considered unsafe and as such poses a threat to the campus network and other systems.
3.14 Naming Conventions
All server domains should be named with appropriate convention such as elon.edu/test. If it is discovered that a domain is registered out of convention it will be removed from network access unless approved by Assistant Vice President for Technology.