Harvard University Information Security | HARVARD.EDU

Servers A

Application patching

Evaluate, schedule, and apply any missing application security updates in a timely manner.

Schedule patches appropriately

Evaluate, schedule, and apply any missing security updates within 30 days. Apply patches immediately and without delay for critical vulnerabilities enabling remote, unauthenticated administrative access.

Transfer temporary passwords securely

Initial/temporary passwords or secrets must be securely transferred to the user (email to a known good address without the username or address of record, or phone call). A phone call is the preferred method.

Require password changes

When creating passwords, administrators must ensure that they are set to be changed after first use.

Store passwords encrypted

Store passwords encrypted and log all administrator access to password files; for ActiveDirectory, use whole disk encryption on domain controllers that are not in a secure location.

Use a password vault

Use a password vault such as Cyber Ark for access to encryption key.

Store passwords as seeded/salted hashes

Store passwords as seeded/salted hashes (for example, by using bcrypt). On Windows reversible encryption must be disabled. More information.

Ensure users agree to access only required specific information

User must agree annually (via confidentiality reminder) to only access the specific information they have a business reason to access.

Make use of user groupings

Make use of user groupings to determine authorization (for example, via groups in ActiveDirectory or LDAP or by using AuthZProxy or Grouper).

Review active accounts

Send a list of active accounts to the business owner monthly to review; ideally this will be done via a trackable mechanism such as Service Now.

Disable account access

Disable account access if user leaves University or changes jobs such that they no longer have a business need to access the information; the best way to do this is by using the central authentication service.

Disable generic accounts and change default passwords

On Windows the default built-in Administrator account must be renamed. Also, the default built-in Guest account must be disabled.

Encryption should be implemented where feasible

If not using one of the above servers then encryption should be implemented where technically and economically feasible.

Remote login must only permit the use of encrypted communications

Remote login to all servers must only permit the use of encrypted communications such as ssh. Windows servers must enforce a minimum of 128-bit encryption for Terminal Services and Remote Desktop communication. All servers running SSH must use a minimum of protocol version 2. Use of VPN is advised where available.

Windows file servers running SMBv3 must only permit use of encryption

Windows file servers running SMBv3 must only permit use of encryption.

More information.

Information Security Policy

Harvard University