System Administrators Security Guidelines
Security guidelines provided by IT Security & Policy incorporating guidance from Purdue policies and standards, CIS Controls, and mitigating controls against known incidents.
Control Use of Administrative Privileges (Includes CIS Controls 4, 16)
- Use dedicated administrative accounts
  - Do not use privileged accounts tied to Career Accounts or regular user accounts
  - Use them only for administrative activities
  - Use a separate account for non-administrative activities such as internet browsing, email, and reading or editing general documents
  - Where possible, privileged account names should follow a standard naming convention that associates the account with its user: user initials (3-4 characters) + department where the account is used (3-7) + system where privileges are granted (3) + optional extra (1). Examples:
    - jhsPVMITdsk - Jane H. Smith in PVM-IT desktop support
    - jhsiamoOUa - John H. Smith in IAMO with an OU admin role
    - jhs2iamoOUa - another John H. Smith in IAMO with an OU admin role
- Maintain an inventory of privileged accounts
  - Leverage automated tools where possible to inventory all administrative accounts, including domain and local accounts
  - Use a password vault or privileged account management system (e.g. MS Local Administrator Password Solution)
- Authentication/password controls
  - Use multi-factor authentication
  - Follow the University user credentials standards for password creation
  - Set password expiration to 90 days
  - Before deploying new assets, change default passwords to values consistent with administrative-level accounts
  - Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), use unique passwords for all accounts; do not reuse a privileged account's password for a user account or a personal account
  - Do not hardcode passwords within scripts or programs without strong encryption
- Use dedicated workstations for all O/S and application administrative tasks
  - Ensure the administrative workstation is segmented from the public network, and prohibit or restrict its internet access (the machine will not be used for email or internet browsing)
  - Use it only for administrative activities, not internet browsing, email, or similar activities
  - Do not use personal devices
- Encrypt remote administrative access
  - Use VPN or other encrypted remote access mechanisms
  - VPN administrators should configure the administrative VPN profiles used by remote users as full tunnel
- Log and alert on administrative account login success and failure, and review the logs regularly. Reference IT Resource Logging (S-11). Request audit logging assistance via firstname.lastname@example.org.
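One way to turn the last two controls into a routine check: review authentication logs against the privileged-account inventory and alert on failed or suspicious logins to those accounts. This is an added example, not part of the guideline or any Purdue tooling; it assumes sshd-style syslog lines, a hand-maintained inventory (reusing the naming examples above), and a constructed sample log.

```python
"""Review privileged-account logins in auth logs against a privileged-account
inventory and raise alerts. Constructed sample data; sshd-style syslog lines."""
import re
from collections import Counter, defaultdict

# Constructed inventory (the guideline's own naming examples); in practice this
# would come from the automated account inventory or the password vault.
PRIVILEGED = {"jhsPVMITdsk", "jhsiamoOUa", "jhs2iamoOUa"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(line):
    """Return the fields of one sshd auth line, or None for unrelated lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(lines, failure_threshold=3):
    """Collect every login event for an inventoried privileged account and alert
    when one source reaches the failure threshold or succeeds after failing."""
    events, alerts = [], []
    failures = defaultdict(Counter)  # user -> source ip -> failed attempts
    for line in lines:
        ev = parse(line)
        if not ev or ev["user"] not in PRIVILEGED:
            continue
        events.append(ev)
        seen = failures[ev["user"]]
        if ev["result"] == "Failed":
            seen[ev["ip"]] += 1
            if seen[ev["ip"]] == failure_threshold:
                alerts.append(f"{ev['user']}: {failure_threshold} failed logins from {ev['ip']}")
        elif seen[ev["ip"]]:
            alerts.append(f"{ev['user']}: success from {ev['ip']} after {seen[ev['ip']]} failures")
    return events, alerts

SAMPLE_LOG = [  # constructed, not captured from a real host
    "Mar  3 09:12:01 host1 sshd[1201]: Accepted publickey for jhsPVMITdsk from 10.0.5.12 port 51022 ssh2",
    "Mar  3 09:13:40 host1 sshd[1210]: Failed password for jhsiamoOUa from 10.0.9.77 port 40110 ssh2",
    "Mar  3 09:13:44 host1 sshd[1210]: Failed password for jhsiamoOUa from 10.0.9.77 port 40110 ssh2",
    "Mar  3 09:13:49 host1 sshd[1210]: Failed password for jhsiamoOUa from 10.0.9.77 port 40110 ssh2",
    "Mar  3 09:14:02 host1 sshd[1215]: Accepted password for jhsiamoOUa from 10.0.9.77 port 40118 ssh2",
    "Mar  3 09:15:00 host1 sshd[1220]: Failed password for invalid user admin from 10.0.9.77 port 40120 ssh2",
    "Mar  3 09:16:30 host1 sshd[1230]: Accepted publickey for jsmith from 10.0.5.12 port 51030 ssh2",
    "Mar  3 09:17:01 host1 CRON[1240]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    found, raised = audit(SAMPLE_LOG)
    print(f"{len(found)} privileged login events, {len(raised)} alerts")
    for a in raised:
        print("ALERT", a)
```

Logins by accounts outside the inventory (jsmith, the invalid "admin") are ignored here on purpose; a separate review should cover them under the general logging standard.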
Secure Configuration for Servers, Workstations, Laptops, and Mobile Devices (Includes CIS Controls 2, 3, 5, 6, 8, 9, 11, 13, 14, and 15)
- Maintain documented security configuration standards for all authorized operating systems and software
- Maintain secure hardened images
  - Securely store master images
  - Validate them with integrity monitoring tools
- Deploy system configuration management tools
  - Deploy configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals
- Require dedicated machines for processing and handling restricted information; do not use them for regular office work, email, or unrestricted internet use
- Ensure system logging/alerting and review per IT Resource Logging (S-11)
- Apply operating system and software security patches and updates regularly
- Install anti-virus and anti-spyware software, ensure definitions are up to date, and run regular scans; utilize an endpoint protection solution (e.g. the IT Security & Policy anti-virus solution). Request endpoint protection via email@example.com
- Review and remediate findings from vulnerability scans. Request a web application scan via //risque.itap.purdue.edu/Portal. Request a system vulnerability scan via firstname.lastname@example.org.
- Configure devices to automatically scan removable media for malware
- Require re-authentication after 15 minutes of inactivity
- Disable wireless access on devices if not required
- Enable the host-based firewall
- Encrypt the hard drives of all mobile devices and desktops
- Configure systems not to write to external removable media if there is no business need
- Where use of removable media is necessary, require the devices to be encrypted, and removed and stored securely when not in use
- Ensure only authorized ports, protocols, and services are running
- Enable command-line audit logging for command shells such as PowerShell and Bash
- Ensure only authorized software is installed on systems that access, transmit, or store sensitive or restricted information
- Restrict administrative privileges on workstations and laptops to IT support staff
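The "only authorized ports, protocols and services" item is easiest to keep honest with a baseline that configuration management can re-check at each scheduled run. The following is an added example, not part of the guideline or any Purdue tooling: it assumes the output format of `ss -H -ltnp` on Linux (iproute2) and a baseline of port, expected process and allowed bind scope; the sample output is constructed, not captured.

```python
"""Compare listening TCP services against an authorized baseline.
Assumes `ss -H -ltnp` output lines (Linux iproute2); sample is constructed."""
import re

# Constructed baseline for this host: port -> (expected process, allowed bind scope).
# "loopback" means the service must not be reachable from the network.
BASELINE = {
    22: ("sshd", "any"),
    5432: ("postgres", "loopback"),
}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_ss(line):
    """Return (port, bind_addr, process) from one `ss -H -ltnp` line, or None."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "LISTEN":
        return None
    addr, port = parts[3].rsplit(":", 1)      # "[::]:22" -> "[::]", "22"
    m = PROC_RE.search(parts[5])
    return int(port), addr.strip("[]"), (m.group(1) if m else "?")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def find_unauthorized(lines):
    """Report listeners outside the baseline, served by an unexpected process,
    or bound more widely than the baseline allows."""
    findings = []
    for line in lines:
        parsed = parse_ss(line)
        if not parsed:
            continue
        port, addr, proc = parsed
        if port not in BASELINE:
            findings.append(f"port {port}/{proc} not in baseline")
            continue
        want_proc, scope = BASELINE[port]
        if proc != want_proc:
            findings.append(f"port {port} served by {proc}, expected {want_proc}")
        if scope == "loopback" and not is_loopback(addr):
            findings.append(f"port {port}/{proc} bound to {addr}, expected loopback only")
    return findings

SAMPLE_SS = [  # constructed `ss -H -ltnp` output
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))',
    'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1200,fd=5))',
    'LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1200,fd=6))',
    'LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=4021,fd=4))',
]

if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE_SS):
        print("FINDING", finding)
```

On a real host, feed it `subprocess.run(["ss", "-H", "-ltnp"], capture_output=True, text=True).stdout.splitlines()` and treat any finding as configuration drift to remediate.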
Secure Purdue System Administrator’s Resources
Benchmarks - Center for Internet Security (CIS)
While a number of commercial or external benchmark tools and guidelines are available to system administrators as best-practice standards for security configuration, ITaP Security and Policy recommends the benchmarks created by the Center for Internet Security (CIS) for systems that are not centrally supported. The Center for Internet Security (CIS) helps organizations reduce the risks incurred from inadequate technical security controls. CIS distributes consensus best-practice benchmarks for security configuration. These benchmarks are unique because they are created by consensus among hundreds of security professionals worldwide. The benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), HIPAA, FERPA, and other information security regulatory requirements.
Purdue University is a member of the CIS, and as such has the right to distribute the benchmarks and tools for use within Purdue University. ITaP Security and Policy recommends the CIS benchmarks for consultation and use by Purdue University System Administrators when no other specific Purdue University policy, standard, guideline, or procedure applies to the underlying system.
Any number of Purdue University employees may obtain a user account on the CIS Members Site. To register, go to https://enroll.cisecurity.org/#/ and click the Apply link. (This page is also accessible via a link from the home page of the public web site http://www.cisecurity.org.) Complete and submit the registration information. Within 24 hours you will receive an email indicating that your registration has been activated. You can then enter the site using the username and password you selected.
All the CIS Benchmarks, and several software Scoring Tools that can be used to compare the configuration of Purdue systems to the benchmarks, are distributed from the CIS Public Web site at http://www.cisecurity.org. There is no need to register for access to that site. On the Members Web Site Purdue employees have access to CIS Scoring Tools with specialized features, including:
- A command line version that eases deployment of the tool and scoring of networked systems.
- A version that reads customized input files, enabling users to compare the configuration of their systems with both the CIS benchmarks and their organization's local configuration policies.
The CIS Members Web Site also contains various discussion forums and development versions of new Benchmarks and Scoring Tools. Please note that ITaP Security and Policy does not provide support for the tools and benchmarks available from CIS. To read more about the benchmarks, please visit: https://benchmarks.cisecurity.org/