Internet Services (Server) Registration Policy

Policy
Rationale
Standards & Procedures
Revisions
Approval Dates

(Summary of Changes/Additions/Deletions)

POLICY:

All devices connected to the Georgia State University network that are intended to “serve” information to on or off campus users must be registered with University Computing and Communications Services (UCCS).
Rationale:
The rising frequency of security incident involving network-attached devices significantly increases the probability of major disruptions to the internal computer systems of the University.  Current server technology is easily implemented but the platforms if not properly configured provide an extremely vulnerable and high risk opportunity for exploitation and significant damage to other connected devices, other external devices, and other users.  Registration of all such serving devices with accompanying procedures for verifying security configurations will significantly reduce the potential for this type of damage and also greatly shorten the time needed to identify and isolate equipment which has been inadvertently compromised.  Additionally, care taken in build and deployment of serving devices provides a greater level of protection to other devices connected to the network.  Establishing policy centrally and issuing standards and utilities from a central authority allows for rapid incident response and continuous update of protection methods.

Standards & Procedures:

Standards:

Compliance. Deans and Vice Presidents are responsible for monitoring compliance with this policy and associated standards by: (1) directing the registration of machines within their respective organizations that meet the standard definition of servers; and (2) directing reviews of, and action on, reports on unregistered serving devices connected to the University network that are generated either by UCCS or the University Auditing and Advisory Services.

Definition of Servers.  Typically, servers are machines that have intentionally been set up to provide services to others on campus or the Internet.  These provided services could include Web (http) servers, FTP servers, file sharing servers, etc.  Most of these services are not typically offered by end-user workstations.  However, is an end-user workstation has installed or turned on web server, FTP server, etc. services, this machine would be required to register as a serving device.

Server Registration.  As a minimum, UCCS must be provided the following information on each device currently or intended to be attached to the University network for the purpose of “serving” information either on or off campus:

  • Brand of hardware platform
  • Operating system version
  • Equipment MAC address
  • Requested DNS name
  • Assigned or requested IP address
  • Person responsible for management of the device (including phone number and email address)
  • Device physical location
  • Internet services being offered by the platform
  • Security Protection measures applied to the device

As a continuing activity associated with normal network management, UCCS will periodically scan for network-connected devices.  Any unregistered serving devices found during these scans will be isolated from the network until proper registration is accomplished. When it has been determined by the University Information Security Officer that a security incident or compromise has occurred, failure to have accomplished registration will result in deactivation of network ports associated with the serving device. 

Server Security Audits. Colleges and administrative departments are responsible for developing and administering their own local procedures for initial verification of server security configuration as well as for ensuring that updated security patches are applied to serving devices within their respective organizations.  Assistance from the University Information Security Officer is available for initial system verification and for periodic scans of systems.  The University Information Security Officer will provide minimum requirements for server configurations.  Failure to meet these minimums will result in the serving device being isolated from the network.

Procedures:
Register an Internet Services (Server) Device
Ensure Currency of Patches for Internet Services (Server) Devices

Revisions:
Revised for compliance with ISAT Senate Committee recommended formatting
(January 2003)

Approval Date(s):

Reviewed by IST:
Reviewed by Information Security Subcommittee:
Reviewed by ISAT Senate Committee:
Approved by: University Administrative Council
Approved on: September 11, 2002
Version number: 2.0.0
Effective Date: September 11, 2002

SUMMARY OF CHANGES/ADDITIONS/DELETION

This policy was originally adopted by the Administrative Council on September 11, 2002. This revision re-validates the intent of the policy. This revision places the original policy into the ISAT Senate Committee recommended format for clarity and ease of reference and update.

Back to University Information Systems Policies