{"id":3219,"date":"2026-06-01T21:44:37","date_gmt":"2026-06-01T21:44:37","guid":{"rendered":"https:\/\/www.tarleton.edu\/technology\/?page_id=3219"},"modified":"2026-06-01T21:44:38","modified_gmt":"2026-06-01T21:44:38","slug":"tarleton-oits-server-hardening-standard","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/technology\/tarleton-oits-server-hardening-standard\/","title":{"rendered":"Tarleton OITS Server Hardening Standard"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-7387b849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h1 class=\"wp-block-heading\">Tarleton Office of Innovative Technology Solutions (OITS) <br>Server Hardening Standard<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Effective: February 11, 2020<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Revised:\u00a0 June 1, 2026\u00a0<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image alignright size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.tarleton.edu\/technology\/wp-content\/uploads\/sites\/170\/2021\/12\/Tarleton_TonTexas.svg\" alt=\"The Tarleton State University logo\" class=\"wp-image-670\" style=\"width:159px;height:auto\" \/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator alignfull has-alpha-channel-opacity has-vivid-cyan-blue-to-vivid-purple-gradient-background has-background is-style-wide\" \/>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Procedure Summary<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Servers are relied upon to deliver data in a secure, reliable fashion. 
There must be assurance that data integrity,\u00a0confidentiality\u00a0and availability are\u00a0maintained. One of the required steps to\u00a0attain\u00a0this assurance is to ensure that the servers are installed and\u00a0maintained\u00a0in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.\u00a0\u00a0\u00a0\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tarleton State University\u2019s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm\">Texas Government Code Chapter 2054<\/a>. <\/p>\n\n\n\n<div class=\"wp-block-group word-wrap: normal is-layout-flow wp-block-group-is-layout-flow\">\n<p class=\"wp-block-paragraph\">The purpose of this standard is to describe the requirements for installing a new server in a secure fashion and\u00a0maintaining\u00a0the integrity of the server and application software. In addition, this standard provides a set of measures that will mitigate information security risks associated with server hardening.\u00a0The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with <a href=\"https:\/\/texas-sos.appianportalsgov.com\/rules-and-meetings?chapter=202&amp;interface=VIEW_TAC&amp;part=10&amp;title=1\">Texas Administrative Code (TAC) Chapter 202 \u2010 Information Security Standards<\/a>, each department and\/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. 
The intended audience includes, but is not limited to, computing system managers and administrators who manage university information resources that store or process mission critical and\/or confidential information.\u00a0\u00a0\u00a0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Please see the <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/\">Tarleton Security Controls Catalog<\/a> for additional information and requirements.<\/p>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Procedures and Responsibilities<\/strong>&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Tarleton computers running a server operating system shall\u00a0reside\u00a0in an ITS secure data center.\u00a0\u00a0<\/li>\n\n\n\n<li>Departmental information technology personnel will test security patches prior to implementation (where practical).\n<ul class=\"wp-block-list\">\n<li>Departmental information technology personnel are encouraged to have hardware resources available for testing security patches in the case of special applications.\u00a0\u00a0\u00a0\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>System administrators shall ensure that vendor-supplied patches are routinely\u00a0acquired, systematically tested, and installed promptly based on risk management decisions.\u00a0\u00a0\u00a0<\/li>\n\n\n\n<li>System administrators shall remove unused software, system services, and drivers as needed.\u00a0\u00a0\u00a0<\/li>\n\n\n\n<li>System administrators shall enable security features included in vendor-supplied\u00a0systems\u00a0including, but not limited to: firewalls, virus scanning and malicious code protections, and other file protections. \n<ul class=\"wp-block-list\">\n<li>Audit logging shall also be enabled. 
<\/li>\n\n\n\n<li>User privileges shall be set\u00a0utilizing\u00a0the least privilege concept of providing the\u00a0minimum\u00a0amount of access\u00a0required\u00a0to perform job functions. Privileges may be added\/elevated based on a user&#8217;s demonstrated need. <\/li>\n\n\n\n<li>The use of passwords shall be enabled\u00a0in accordance with\u00a0the <a href=\"https:\/\/www.tarleton.edu\/technology\/tarleton-oits-password-authentication-standard\/\">OITS Password Authentication Standard<\/a> and the <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/identification-and-authentication-ia\/ia-51-authenticator-management-password-based-authentication\/\">Tarleton Security Controls Catalog, IA-5(1): Authenticator Management &#8211; Password Based Authentication<\/a>.\u00a0\u00a0\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>System Administrators shall disable or change the passwords of default accounts.\u00a0<\/li>\n\n\n\n<li>System administrators (or their designee) shall test servers periodically for known vulnerabilities.\u00a0\u00a0\u00a0\u00a0<\/li>\n\n\n\n<li>System Administrators shall\u00a0seek\u00a0and implement best practices for securing their\u00a0particular system\u00a0platform(s).\u00a0\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Definitions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Confidential Information<\/strong>: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. 
the Texas Public Information Act.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Information Resources (IR)<\/strong>: the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Information Security Officer (ISO) \/ Chief Information Security Officer (CISO)<\/strong>: responsible for administering the information security functions within the university and reports to the information resources manager (IRM).&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Mission Critical Information<\/strong>: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Owner of an Information Resource<\/strong>: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Security Patch:\u00a0<\/strong>a fix to a program that\u00a0eliminates\u00a0a vulnerability\u00a0exploited by malicious hackers.\u00a0\u00a0\u00a0<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Related Statutes, Policies, or Requirements<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a
href=\"https:\/\/policies.tamus.edu\/29-01.pdf\">TAMUS Policy 29.01, Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-02.pdf\">TAMUS Regulation 29.01.02, Use of Licensed Software<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-03.pdf\">TAMUS Regulation 29.01.03, Information Security<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-04.pdf\">TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-05.pdf\">TAMUS Regulation 29.01.05, Artificial Intelligence<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/policies.tamus.edu\/29-01-06.pdf\">TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/policy\/wp-content\/uploads\/sites\/142\/2022\/06\/29_01_03_T0_01.pdf\">Tarleton SAP 29.01.03.T0.01, Information Resources &#8211; Acceptable Use<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/policy\/wp-content\/uploads\/sites\/142\/2022\/06\/29_01_99_t1.pdf\">Tarleton Rule 29.01.99.T1, Information Resources<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/\">Tarleton Security Controls Catalog<\/a><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Contact Office<\/strong>&nbsp;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Office of Innovative Technology Solutions&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AVP and CIO of Innovative Technology Solutions&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">254-459-5685&nbsp;<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tarleton Office of Innovative Technology Solutions (OITS) Server Hardening Standard Effective: February 11, 2020 Revised:\u00a0 June 1, 2026\u00a0 Procedure Summary&nbsp; Servers are relied upon to deliver data in a secure, &#8230;<\/p>\n","protected":false},"author":94,"featured_media":580,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"template-fullwidth.php","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","_wds_title":"","_wds_metadesc":"","_wds_focus-keywords":"","_wds_meta-robots-adv":"","_wds_meta-robots-noindex":false,"_wds_meta-robots-nofollow":false,"_wds_meta-robots-index":false,"_wds_meta-robots-follow":false,"_wds_autolinks-exclude":false,"_wds_canonical":"","_wds_redirect":"","_wds_opengraph":[],"_wds_twitter":[],"footnotes":""},"class_list":["post-3219","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/technology\/author\/jgeorge\/","display_name":"jgeorge"},"relative_dates":{"created":"Posted 3 days ago","modified":"Updated 3 days ago"},"absolute_dates":{"created":"Posted on June 1, 2026","modified":"Updated on June 1, 2026"},"absolute_dates_time":{"created":"Posted on June 1, 2026 9:44 pm","modified":"Updated on June 1, 2026 9:44 
pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/comments?post=3219"}],"version-history":[{"count":1,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3219\/revisions"}],"predecessor-version":[{"id":3220,"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/pages\/3219\/revisions\/3220"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/technology\/wp-json\/wp\/v2\/media?parent=3219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}