Tarleton Office of Innovative Technology Solutions (OITS)
Server Hardening Standard

Effective: February 11, 2020

Revised: June 1, 2026

Procedure Summary 

Servers are relied upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.    

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054.

The purpose of this standard is to describe the requirements for installing a new server in a secure fashion and maintaining the integrity of the server and application software. In addition, this standard provides a set of measures that will mitigate information security risks associated with server hardening. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. The intended audience includes, but is not limited to, computing system managers and administrators who manage university information resources that store or process mission critical and/or confidential information.   

Please see the Tarleton Security Controls Catalog for additional information and requirements.

Procedures and Responsibilities 

  • Tarleton computers running a server operating system shall reside in an ITS secure data center.  
  • Departmental information technology personnel will test security patches prior to implementation (where practical).
    • Departmental information technology personnel are encouraged to have hardware resources available for testing security patches in the case of special applications.    
  • System administrators shall ensure that vendor-supplied patches are routinely acquired, systematically tested, and installed promptly based on risk management decisions.   
  • System administrators shall remove unused software, system services, and drivers as needed.   
  • System administrators shall enable security features included in vendor-supplied systems including, but not limited to: firewalls, virus scanning and malicious code protections, and other file protections.
  • System administrators shall disable or change the passwords of default accounts.
  • System administrators (or their designee) shall test servers periodically for known vulnerabilities.    
  • System administrators shall seek and implement best practices for securing their particular system platform(s).

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.   

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.   

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).   

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.  

Security Patch: a fix to a program that eliminates a vulnerability exploited by malicious hackers.   

Related Statutes, Policies, or Requirements 

TAMUS Policy 29.01, Information Resources

TAMUS Regulation 29.01.02, Use of Licensed Software

TAMUS Regulation 29.01.03, Information Security

TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources

TAMUS Regulation 29.01.05, Artificial Intelligence

TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies

Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use

Tarleton Rule 29.01.99.T1, Information Resources

Tarleton Security Controls Catalog

Contact Office 

Office of Innovative Technology Solutions 

AVP and CIO of Innovative Technology Solutions 

254-459-5685