Minimum Security Standard for Servers


This standard defines the baseline security configuration and procedural requirements for information system servers owned or leased by the University of Mary Washington and/or connected to the University’s wired and wireless network, including application servers, database servers, web servers and email servers.


Minimum Standard

  • All servers must have appropriate supported operating system and application security patches installed in a timely fashion.  Completion of patch cycles must be appropriately documented in UMW’s BART change control system.
  • The Windows screen should lock after 10 minutes of inactivity and require authentication to unlock.
  • Operating system consoles should never remain logged in when the System Administrator is not present in the room, unless specific diagnostic tool(s) require it.
  • All Windows servers must run an antivirus software program that is regularly updated with the latest virus definitions available.  Exceptions to this must be submitted and approved by the UMW Information Security Officer (ISO).
  • Unnecessary accounts and services should be disabled or blocked.
  • A host-based firewall must be in use on all Windows servers. Exceptions to this must be submitted and approved by the UMW Information Security Officer (ISO).
  • All authentication must be encrypted.
  • A system administrator must be identified.
  • A backup and recovery process should be in place and tested regularly.
  • Separate accounts should be used for privileged and unprivileged access.
  • Passwords must be changed from the vendor defaults.

Additional Standards for Critical High Availability Systems and/or Systems with Highly Sensitive Data

  • Servers that are used to access highly sensitive data or servers that require critical high availability must be physically located in an area with restricted access.
  • Servers controlling highly sensitive data or critical high availability systems must be documented as such.  These systems require disaster recovery plans and risk assessment plans.
  • Database servers containing highly sensitive data must have a designated database administrator with regular reviews of appropriate logs, and a designated application security administrator.
  • Periodic operating system level vulnerability scanning must be performed.

Exceptions to this policy must be requested from, and approved by, the UMW ISO.  Documentation of approved exceptions must be maintained along with pertinent and relevant system documentation.


Approved:  November 15, 2010 by Vice President for Information Technologies & CIO

Last Revision Date:  3/1/11