• Report an Incident
• Incident Information
• Self Service Security
• Services and Products
• Best Practices
  • Staff
  • Workstations
  • Personal Systems
  • Servers
    • Update the operating system
    • Update all software
    • Desktop locking
    • Turn off unnecessary services
    • Using a firewall
    • How to choose a password
    • Password Standards
    • Backups
    • Physical security
    • Using anti-virus
    • Server Security Tools
    • Connecting Web Servers to the Internet
    • Information Security Checklist
  • Mobile Devices
  • Medical Devices
  • All Best Practices
• Policies, Guidelines and Procedures
• Security Awareness, Training and Education (SATE)
• Vulnerability Information
• About EIS
• What's New

---

Servers

Properly securing a server requires an understanding of many components as different servers have different functions. They may contain different information, provide different services, have diverse networking environments, etc.  Here are some guidelines for strengthening overall server security.

Ways to strengthen server security

1. Keep the operating system and software up-to-date.
2. Install and regularly update anti-virus software.
3. Understand what applications are running.  Research proper installation, common mistakes, common vulnerability problems, and if possible subscribe to the vendor or developer email list to keep on top of changes.
4. Network Services
• Define all port/services needed on the server; disable any services that are not needed.
• Use a firewall.
• Disable remote access if not needed (SSH, Remote Desktop, VNC, etc.).
5. Users and passwords
• Do not allow generic userIDs on the server, such as user, anonymous, and administrator. If the accounts are needed rename them if possible.
• Change administrator passwords regularly.
• Each administrator should have their own userID.  The administrator account should only be used when absolutely needed
• Require a password for any and all userIDs.
• Remove or disable default user accounts.
• Set and enforce password standards (if not using the centralized UCSF authentication service).
6. Encourage users to log off of the (server) application if they no longer need access, or will be away from their workstation for prolonged periods of time.  If possible and appropriate set the user session to either log out or force re-authentication after the session has been idle for a while.
7. Protect files on the server with appropriate permissions.
8. Maintain an audit log of all server activity. Review the log on a weekly basis.
9. Backup the server daily. For those servers with high transaction activity, also take incremental backups on a regular basis during the day.
10. Physical Security
• Secure the server so that it cannot be physically damaged.
• Locate critical servers in a locked room with card access entry, if possible.
• Lock the server screen when unattended.
• Set a screen saver to automatically turn on and lock the server screen in case someone forgets to do it manually.
11. When a third party works on the server, always monitor the work being done.
12. Request a vulnerability scan from OAAIS Enterprise Information Security (EIS).
13. When you suspect there is a security issue, contact OAAIS Enterprise Information Security (EIS).

Connecting Web Servers to the Internet (Port 80 Reconnects)

Server Security Tools

Information Security Checklist

Please tell us what you think of our new website