Policy for Deployment of Non-ITS Servers

Purpose

The purpose of this policy is to protect the users and the integrity of the Macalester College network. Its goal is to maintain consistency, assure availability, facilitate disaster-recovery, coordinate technical operations and apply sound security and management practices consistently.

The attachment of any server to the network can have a negative impact on other users on the rest of the network. The impact may be in the form of performance, security, or in some cases access to other resources.

Service to the entire campus community is the priority. In evaluating a response to problems associated with any server or workstation, the good of the many will always outweigh the good of the few and the device or segment in question will be logically or physically disconnected from the network until the problem can be resolved.

Policy

Macalester College departments or other organizational units may connect their own servers to the campus network only under the conditions enumerated below.

Procedures

  1. First and foremost, all uses of Macalester College technology resources require adherence to both the Responsible Use and Disruptive Network Devices Policies.
  2. An understanding of the purpose and importance of the server will be clarified in two ways:
    1. A meeting will be held with relevant members of the requesting organizational unit and appropriate members of ITS including:  Associate Director for ITS-Enterprise and Application Services, Information Security Officer, Infrastructure Manager.  The purpose of the meeting will be to discuss all aspects of the request and to evaluate its potential impact on network performance and security.
    2. The administrative head of the requesting organizational unit (e.g., department chair) will complete a form which provides the following information:
      • The date and time when the server will be connected.
      • The identity of the wall jack used. 
      • The name, phone number, and email address of the administrative contact. 
      • The name, phone numbers (day and night), and email address of the technical contact. 
      • The configuration of the server (brand name, model number, type and version of operating system).
      • Primary functions and services provided by the server.
      • Any access required by sources outside Macalester (i.e. web services or SSH)
  1. Non-ITS servers will only be located in the ITS Data Center, 3rd floor, Humanities.  Physical access will be restricted solely to the approved technical contacts specified in the original written request.
  2. Login access to the server should follow the principle of least privilege. This means access should only be provided to those who absolutely need it, only as much as is needed, and only for the length of time needed.
    1. “Root” or Administrator access to servers must be established for ITS Infrastructure Services staff.  This may be in the form of a single shared account.
    2. In general, all servers will ordinarily be part of the Active Directory (AD) domain, and domain administrators will have access to the server via remote services and physical console access.
  3. Management, oversight and maintenance of the server:
    1. The requesting organizational unit is responsible for maintaining server software to be in compliance with licensing and copyright laws.
    2. The requesting organizational unit is responsible for best practice maintenance on the server including hardware, software, patches and upgrades, account provisioning, backups, security, etc.
      • ITS staff are always available for consultation, but ultimate responsibility for maintenance and upkeep still resides with the requesting organizational unit.
    3. Patch schedules should conform to current industry best practices.
    4. Deployment of any Non-ITS server will culminate with a basic security audit conducted by ITS Network Services to ensure current OS and patching, proper firewall and port configurations, hardening as appropriate, etc.  The requesting organizational unit is responsible for maintenance of an adequate security state.
  4. The central enterprise system (network and campus servers) will not be altered to accommodate functions unique to an individual server.  
  5. At the discretion of ITS Infrastructure Services, the server may be submitted to various security restrictions, e.g., location in a secure VLAN, additional security audits or basic penetration testing.
  6. Only secure interfaces such as ssh, ssl, sftp, etc. will be implemented.
  7. Basic read-only SNMP monitoring will be enabled on all servers with the help of ITS.
  8. Services, accounts, ports, and applications that will not be used must be disabled.  Examples include: TELNET, FTP, NetBEUI, etc.
  9. No server will provide Domain Name Service (DNS) or Dynamic Host Configuration Protocol (DHCP).
  10. Only IP-based protocols will be allowed on the college network. Examples of disallowed protocols include: AppleTalk, IPX/SPX.  All IP addresses will be issued by ITS, including any public addressing.  Bogus or self-generated IPs may not be used.  At this time IPv6 may not be used.
  11. Services which are potentially detrimental to the server or network infrastructure (e.g., IMAP, POP3, SMTP, DNS, WINS, DHCP) require prior approval from ITS Infrastructure Services.
  12. Servers may not provide email service. ITS authorizes institutional email service.  The purpose of this is to present a consistent institutional address format to the outside world and to enable an enterprise email system to provide common internal functionality.
  13. Network integrity will always take precedence over other needs, particularly if accessibility to a server creates a "back door" security risk, or presents a compromise from the network perspective.  Because firewall configurations, packet filtering, or other security implementations may alter accessibility to the server from both on and off campus, ITS will work with requesting departments to accommodate accessibility in the best way possible.

Enforcement

Failure to comply with these requirements may be deemed a violation of the Information Technology Responsible Use Policy. Any violation which, in the opinion of ITS Infrastructure Services, represents a significant threat to the secure and stable performance of the Macalester network will result in removal of the relevant server from the network.

In the Event of Emergency

Either active or significant potential of compromise

  • Any response must have as its primary goal the protection and/or restoration of all network services as soon as possible.
  • All server-related problems that either are affecting network integrity or performance or suggest significant potential for same must be reported to ITS Help Desk at helpdesk@macalester.ed or 651-696-6525.
    • Please note that the server being down is not necessarily considered an emergency.
  • ITS staff will make a good faith effort to resolve problems in a manner that minimally impacts the mission of the server.
  • This information should be communicated to all server administrators and technical contacts at initial orientation.


Established:  March 2013

Updated:  October 2013