Evaluate, schedule, and apply any missing security updates within 30 days. Apply patches immediately for critical vulnerabilities that enable remote, unauthenticated administrative access.
Initial or temporary passwords and secrets must be transferred to the user securely: by email to a known-good address, with the message containing neither the username nor the address of record, or by phone call. A phone call is the preferred method.
Store passwords encrypted and log all administrator access to password files. For Active Directory, use whole-disk encryption on domain controllers that are not in a secure location.
Disable account access when a user leaves the University or changes jobs such that they no longer have a business need to access the information; the best way to do this is through the central authentication service.
Remote login to all servers must permit only encrypted communications such as SSH. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of a VPN is advised where available.
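As an added example (not part of the original policy, and not a tool the University provides), the following Python script checks two of the settings named in the remote-login requirement: that an `sshd_config` does not enable SSH protocol 1, and that a Windows host's Remote Desktop `MinEncryptionLevel` is at least "High" (128-bit). The sample `sshd_config` text is constructed for the example; the registry path and the meaning of the `MinEncryptionLevel` values (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant) are the standard Windows ones. Note that OpenSSH 7.0 and later only speak protocol 2 and ignore the `Protocol` directive, so its absence is treated as compliant; only an explicit setting that still enables version 1 is reported.

```python
"""Audit remote-login settings against the 'encrypted remote login only' rule.

Added example, not part of the original policy page. The sample config
below is constructed; the MinEncryptionLevel semantics are Windows' own.
"""
import re
from typing import List

# Registry value on Windows hosts:
#   HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
#   \MinEncryptionLevel  ->  1=Low, 2=Client Compatible, 3=High (128-bit), 4=FIPS
# The policy's "minimum of 128-bit encryption" corresponds to level 3 or above.
RDP_MIN_ENCRYPTION_LEVEL_REQUIRED = 3


def check_sshd_config(text: str) -> List[str]:
    """Return findings for an sshd_config body; an empty list means compliant.

    Comments and blank lines are ignored. The directive is case-insensitive
    and may list several versions separated by commas ("Protocol 2,1").
    A missing Protocol directive is acceptable: OpenSSH >= 7.0 only speaks
    protocol 2 regardless, so the check only flags explicit use of version 1.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"(?i)protocol\s+(\S+)", line)
        if m:
            versions = {v.strip() for v in m.group(1).split(",")}
            if "1" in versions:
                findings.append(f"SSH protocol 1 enabled by directive: '{line}'")
    return findings


def check_rdp_encryption(min_encryption_level: int) -> List[str]:
    """Return findings for an RDP MinEncryptionLevel registry value."""
    if min_encryption_level < RDP_MIN_ENCRYPTION_LEVEL_REQUIRED:
        return [
            f"RDP MinEncryptionLevel is {min_encryption_level}; policy requires "
            f">= {RDP_MIN_ENCRYPTION_LEVEL_REQUIRED} (High, 128-bit)"
        ]
    return []


def audit_remote_login(sshd_config: str, rdp_min_encryption_level: int) -> List[str]:
    """Combine both checks for a host that runs SSH and Remote Desktop."""
    return check_sshd_config(sshd_config) + check_rdp_encryption(rdp_min_encryption_level)


# Constructed sample: a legacy sshd_config that still allows protocol 1.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2,1   # legacy setting still permitting protocol 1
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_remote_login(SAMPLE_SSHD_CONFIG, rdp_min_encryption_level=2):
        print("FINDING:", finding)
```

On a real host the `sshd_config` body would be read from `/etc/ssh/sshd_config` and the registry value queried on the Windows side; the checks are separated so each can be run where the data lives.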