Server Administration Guidelines
As an Application Administrator of a virtual or physical server in the Texas State University data center, you and the Technology Resources Core Systems team have specific responsibilities and must work together to maintain a safe and secure environment for the university and its data. You are also responsible for ensuring that external vendors and contractors follow these guidelines.
State Laws and University Policies
All parties must adhere to applicable federal and state laws, university policies, and information technology best practices and procedures.
- Texas Administrative Code 202 (TAC 202)
- UPPS 04.01.09 - Server Management Policy
- UPPS 04.01.01 - Security of Texas State Information Resources
- UPPS 04.01.05 - Network Use Policy
Core Systems Responsibilities
Periodically, Core Systems may contact you about software or configurations on a server you maintain. Such contact is often in response to a security concern or some other unusual circumstance, so please respond in a timely manner.
Core Systems provides daily backup schedules for both physical and virtual servers.
The host-based firewall is installed, configured, and enabled in an effective manner.
Core Systems is responsible for the server up-time, proactive maintenance, and maintaining back-end infrastructure.
Local and Domain Authentication
Access to a server must be through a Super User (SU) account, and local accounts are not permitted. Where Active Directory groups are used to control access, the groups are maintained via the Role Management tool in the Online Toolkit.
Operating System Configuration
Core Systems performs changes to Operating System (OS) configuration, such as registry or other system-level settings.
Operating System Installation
Core Systems installs an approved OS and configures it to best practices.
Operating System Updates
Core Systems updates operating systems on a scheduled basis, typically outside business hours.
Shares / Mounts
Core Systems creates shares, which must be restricted per best practices for the specific protocol used (e.g., Windows SMB shares must be controlled by a FileShare group, and NFS mounts must be controlled via an Access List).
Application Administrator Responsibilities
Application Administrators may install software that is required for the primary application of the server to function. The software must be approved by the Information Security Office and Core Systems.
Upgrades
Application Administrators must keep software up-to-date, and all security fixes must be applied to protect against the latest security vulnerabilities.
Support
Application Administrators work with vendors to support issues with performance, installation, or configuration of the application. Note: Core Systems will work with the Application Administrator if changes need to be made at the OS level.
Applications must use a supported centralized authentication source (e.g., LDAP, Windows Authentication, Active Directory, Shibboleth).
Encryption
Any web services that make use of authentication must use an encrypted method for passing authentication credentials. SSL certificates can be requested here.
Event logging must be enabled on all applications/services and must, at minimum, include access and configuration changes.
Access to servers must be audited periodically by the Application Administrator. If contacted by Core Systems about software or configurations on a server you maintain, Application Administrators are expected to respond in a timely manner.
Applications and/or services are not authorized for use until a data security plan and a successful vulnerability scan are completed.
All authentication to a server must be via a NetID or Super User account. Super User accounts are to be used when remotely administering systems (such as via Remote Desktop or SSH). Service accounts will not be used to remote desktop or remotely administer systems. Any exception to this must be authorized by ISO and TR.
System needs must be reviewed on at least a yearly basis (i.e., if a system needs to be decommissioned or more resources are needed, IT must be informed).