Shawn McCarthy | Eight ways to standardize server configurations
Internaut--commentary
Now that we have the Federal Desktop Core Configuration for PCs,
wouldn't it be great to apply the same concept to servers?
Unfortunately, government servers come with a wide variety of
operating systems with a multitude of configurations to support
each server's unique situation. Extending the FDCC concept to
servers would be chaotic and probably futile.
But that doesn't mean government server configurations can't be
nudged toward some kind of consistency. Some examples:
- When setting up a new server, consider investing in a trusted
operating system. While trusted systems, such as Trusted Solaris,
were initially developed for military use, the relatively new
Trusted Linux system is a secure, affordable solution that's useful
for any government agency. Essentially, a trusted system supports
multilevel security and support for the Common Criteria for
Information Technology Security Evaluation and other standards that
are specific to government.
- Carefully consider each server's role within your organization
and consider the public vs. "not public" information that flows
through it. Create departmental policies to address the acceptable
use and security of each machine.
- Consider what needs to be done before any server is plugged
into your network. Set up authentication and account management.
Install and patch the operating system as needed. Reduce
vulnerabilities by enabling the minimum number of services needed
by your applications, based on the server's role in an
organization. Disable Telnet and File Transfer Protocol if they
aren't needed. Use SSH Secure Shell instead if remote connectivity
is needed. If possible, shut off all unused features and limit who
can access the features that are made available. Then set this
configuration in stone and make sure it's the baseline setting that
is always enforced.
- Stay away from the default names that come with the computer.
For example, if Simple Network Management Protocol is enabled,
change the default community name and set permissions. In fact,
unless you are actively using network management tools, turn SNMP
off completely.
- At the very least, make sure you are in compliance with Federal
Information Processing Standard 200, which sets minimum security
requirements for federal systems.
- Invest in automated configuration management tools capable of
both monitoring and interacting with all servers on your network.
Once a machine's configuration has been set, the software should be
capable of tracking, evaluating and approving changes, not only to
individual machine configuration, but also to the
interrelationships among system components. This is especially
important as government networks begin their slow migration toward
IPv6. (Devices configured only for IPv4 will not know what to do
with packets using the new addressing scheme, creating a possible
security hole.)
- Don't just set and monitor the machine configuration, also
configure all installed software.
- Keep up-to-date with the National Vulnerability Database
sponsored by the National Institute of Standards and Technology and
the Homeland Security Department.
While these steps are a long way from an FDCC-style set of
requirements, they can help standardize an organization's approach
to configuration management and security for servers.
Shawn McCarthy is a senior analyst and program manager at IDC
Government Insights.