Shawn McCarthy | Eight ways to standardize server configurations

Internaut--commentary

Now that we have the Federal Desktop Core Configuration for PCs,
wouldn't it be great to apply the same concept to servers?


Unfortunately, government servers come with a wide variety of
operating systems with a multitude of configurations to support
each server's unique situation. Extending the FDCC concept to
servers would be chaotic and probably futile.


But that doesn't mean government server configurations can't be
nudged toward some kind of consistency. Some examples:



  1. When setting up a new server, consider investing in a trusted
    operating system. While trusted systems, such as Trusted Solaris,
    were initially developed for military use, the relatively new
    Trusted Linux system is a secure, affordable solution that's useful
    for any government agency. Essentially, a trusted system supports
    multilevel security and support for the Common Criteria for
    Information Technology Security Evaluation and other standards that
    are specific to government.
  2. Carefully consider each server's role within your organization
    and consider the public vs. "not public" information that flows
    through it. Create departmental policies to address the acceptable
    use and security of each machine.
  3. Consider what needs to be done before any server is plugged
    into your network. Set up authentication and account management.
    Install and patch the operating system as needed. Reduce
    vulnerabilities by enabling the minimum number of services needed
    by your applications, based on the server's role in an
    organization. Disable Telnet and File Transfer Protocol if they
    aren't needed. Use SSH Secure Shell instead if remote connectivity
    is needed. If possible, shut off all unused features and limit who
    can access the features that are made available. Then set this
    configuration in stone and make sure it's the baseline setting that
    is always enforced.
  4. Stay away from the default names that come with the computer.
    For example, if Simple Network Management Protocol is enabled,
    change the default community name and set permissions. In fact,
    unless you are actively using network management tools, turn SNMP
    off completely.
  5. At the very least, make sure you are in compliance with Federal
    Information Processing Standard 200, which sets minimum security
    requirements for federal systems.
  6. Invest in automated configuration management tools capable of
    both monitoring and interacting with all servers on your network.
    Once a machine's configuration has been set, the software should be
    capable of tracking, evaluating and approving changes, not only to
    individual machine configuration, but also to the
    interrelationships among system components. This is especially
    important as government networks begin their slow migration toward
    IPv6. (Devices configured only for IPv4 will not know what to do
    with packets using the new addressing scheme, creating a possible
    security hole.)
  7. Don't just set and monitor the machine configuration, also
    configure all installed software.
  8. Keep up-to-date with the National Vulnerability Database
    sponsored by the National Institute of Standards and Technology and
    the Homeland Security Department.

While these steps are a long way from an FDCC-style set of
requirements, they can help standardize an organization's approach
to configuration management and security for servers.

Shawn McCarthy is a senior analyst and program manager at IDC
Government Insights.



About the Author

Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above