WMU Server Registration Policy

Purpose

This policy has been developed in the interest of system and data security and establishes rules for allowing servers to access the Internet.

Scope

This policy is intended to help prevent malicious users from accessing unregistered or unintentionally installed servers. Many newer software products install servers on machines, possibly without the aministrator's or user's knowledge.

Policy statements

All unregistered servers are restricted to the internal WMU network, WMUnet. That network is commonly called the intranet. Only registered servers are allowed to participate in the Internet. Intranet servers will continue to operate on campus without interruption.

Servers which require access to and/or from outside the Internet must:

  • Be approved by the requesting user's department or division leader.
  • Have a documented, demonstrated need not met by an existing server.
  • Successfully pass security scans performed by information technology.
  • Be operated in a secure manner. This includes installing patches and upgrades in a timely manner.
  • Comply with E-Commerce review committee standards.

Server registration requirements

In order to register a server, the following information is required:

  • Name, phone number(s), campus address, and wmich.edu email address of the University employees who are the primary and backup administrators responsible for the maintenance of the server hardware and software.
  • Physical location, name, and IP address of the server.
  • Operating system and version of the server.
  • Server software version.
  • Server support software.
  • Applications being accessed by remote users and/or applications interacting with the Internet.
  • Classify data stored or accessed.

Responsibility of server administrators

  • Keep current with security patches. Evaluate and expeditiously apply as appropriate.
  • Maintain operating system at level recommended by vendor.
  • Properly restrict access to sensitive information and comply with WMU data policies.
  • Ensure that an administrator, or a designate, be available during working hours for problem resolution.
  • Provide a current list of contacts (with emergency phone numbers) that can be reached in critical situations during non-business hours.

For servers containing University mission critical or protected information, having an approved SSL certificate installed is required, and it is recommended the server be physically located in the information technology machine room in the University Computing Center.

Justification

Unrestricted servers could pose serious security threats to WMUnet. The implementation of a server registration policy is intended to minimize the security risk and data exposure while continuing to provide needed, uninterrupted access.

Enforcement

Server administrators will be subscribed to a WMU email list that is used to distribute important security related information. Server administrators are expected to read, and when appropriate, act on information relative to server security issues in a timely manner. In critical situations, it may become necessary to contact server administrators or backup administrators at any time. In the event they cannot be contacted, it may become necessary to power off the server or disconnect the server from the network without warning.

A list of all registered servers will be maintained and made available to the registered users upon request. Unregistered servers must be configured to use the default port, and access to them will be blocked at the firewall. If a server is found running on a non-standard port, the machine will be removed from WMUnet without notice. Server administrators will be contacted on a regular basis to ensure that their server registration information is up to date. If an administrator fails to respond to these inquiries, it may result in their server being disconnected from the network or being blocked from access.

A server registration form is provided for ease in registering your server. Bronco NetID and password required.

Document action

Revised Jan. 2013