RCIT-15 Server Management

Policy Title: IT Reeves County Server Management Policy

Policy Number: RCIT-15

Effective Date: 09/01/2022

Purpose: Server Management

Regulation Reference:

Rev: 1.202204

         

 


 

Policy Statement:

This policy defines the requirements for the secure installation, configuration, maintenance, patching, and monitoring of all servers within IT Reeves County. It applies to servers running Windows Server or Linux operating systems, including application servers, security electronics servers, and database servers.

 

Guidelines:

 

A. Responsibilities:

- Server Administrator: Responsible for hardware management, networking, operating system, server security, and log management.

- IT Security Team: Responsible for patching, endpoint protection, and validation of server hardening.

- Application Owner: Responsible for application policies, data classification, and application administration.

 

B. Approvals:

- All server deployments require approval from the IT Reeves County Director.

- The application owner must submit a written request to the IT Director via email, clearly defining business requirements.

 

C. Data Classification:

- Application owners must clearly define the type of data stored on each server, with additional security requirements for Protected Information.

 

D. Physical Location:

- Server locations must be approved by the IT Director and equipped with necessary environmental systems such as power, cooling, and security.

 

E. Network Configuration:

- The network must adhere to specific rules, including domain registration, approved static IP addresses, protocols and ports compliance, and wired connectivity.

 

F. Authentication:

- Windows OS: Servers must be joined to the primary domain "LOCAL."

- Non-Windows OS: Servers must use LDAP authentication against the primary domain "LOCAL."

 

G. Remote Access:

- Remote administration is limited to authorized and secure methods such as "Remote Desktop" and "ssh."

- Compliance with RC’s Remote Access Policy and other security policies is mandatory.

 

H. Backups:

- Application owners must document and implement a backup plan overseen by the server administrator.

 

I. Naming Conventions:

- Development: "DEV" + (3 letter app abbreviation) + (2 letter type abbreviation) + "nn" (number identifier).

- Production: "PRD" + (3 letter app abbreviation) + (2 letter type abbreviation) + "nn" (number identifier).

 

J. Server Hardening:

- General hardening guidelines must be applied, and servers must be tested quarterly for vulnerabilities.

- Logs must be sent to the RCIT Help Desk solution installed and updated by the IT Department, and the OS must be patched regularly.

 

K. Disposal:

- Disposal follows RC’s Equipment Disposal Policy.

- Servers must not be sold or transferred outside Reeves County Government buildings.

- Repurposing for internal use requires proper wiping of hard drives using a multi-pass process.

 

L. Policy Administration and Enforcement:

- This policy is administered by the IT Reeves County IT Department.

- Exceptions can be requested through the RCIT Help Desk procedure.

 

- Violations may result in disciplinary actions, access restrictions, termination, and legal consequences.