Reminder: Justification letters must be submitted to the Office of the VC for IT for any server or IT based service maintained within a department and an approval must be granted. See PM - 36 resources on the LSU IT Policies page.
Departmental Servers (Security Baseline)
- The operating system and applications should have the most recent security updates installed.
- Anti-malware (anti-virus and anti-spyware) applications should be running and up-to-date.
- Administrative accounts should only be used for system management and not left logged on.
- The number of administrative accounts on a server should be kept very limited.
- Windows servers should be added to the LSU Active Directory.
- Windows servers should remove "Domain Users" from the Users group.
- Servers should be backed up routinely and those backups should be periodically tested for data integrity and availability.
- A local firewall should be running and properly configured to limit access to specific ports and/or subnets.
- Servers storing SSNs must submit a request form to the Office of the University Registrar for approval (PS113: Social Security Number Policy).
- Servers should log events such as account logins and account changes.
- User access to servers should be limited to the specific users it serves.
- Physical access to servers should be very limited (secure location).
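The following read-only PowerShell check covers the Windows-specific items in the baseline above (domain membership, "Domain Users" removed from the Users group, few administrators, anti-malware, local firewall, logon and account auditing, recent patching). It is an added example, not part of the LSU policy or any ITS tool; it assumes Windows Server 2016 or later with PowerShell 5.1 run as an administrator, Windows Defender as the anti-malware product, and uses 'LSU' as a placeholder for the Active Directory domain name.

```powershell
# Read-only departmental-server baseline check (example; placeholders marked).
$DomainName = 'LSU'   # placeholder: NetBIOS name of the campus AD domain
$MaxAdmins  = 3       # assumed threshold for "very limited" administrators
$findings   = @()

# Windows servers should be joined to Active Directory
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $findings += 'Server is not joined to a domain' }

# "Domain Users" must not be a member of the local Users group
$users = Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue
if ($users.Name -contains "$DomainName\Domain Users") {
    $findings += "'$DomainName\Domain Users' is a member of the local Users group"
    # Remediation, run deliberately rather than from this read-only check:
    # Remove-LocalGroupMember -Group 'Users' -Member "$DomainName\Domain Users"
}

# Administrative accounts should be very limited
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt $MaxAdmins) {
    $findings += "Administrators has $($admins.Count) members: $($admins.Name -join ', ')"
}

# Anti-malware running and up to date (Windows Defender status)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.AntivirusEnabled) { $findings += 'Anti-malware is not running' }
elseif ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Anti-virus signatures are $($mp.AntivirusSignatureAge) days old"
}

# Local firewall enabled on every profile (Domain, Private, Public)
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) { $findings += "Firewall disabled for profile(s): $($off.Name -join ', ')" }

# Logon and account-change events should be audited (auditpol CSV output)
$audit = auditpol /get /subcategory:"Logon","User Account Management" /r | ConvertFrom-Csv
foreach ($row in $audit) {
    if ($row.'Inclusion Setting' -eq 'No Auditing') {
        $findings += "Auditing disabled for subcategory '$($row.Subcategory)'"
    }
}

# Recent security updates: flag if the newest installed hotfix is older than 30 days
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += 'No updates installed in the last 30 days'
}

if ($findings.Count -eq 0) { 'Baseline checks passed' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads state and prints findings; the commented Remove-LocalGroupMember line shows the corresponding change for the "Domain Users" item.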
Departmental E-mail Servers
- Information Technology Services (ITS) provides campus e-mail services (firstname.lastname@example.org) through Microsoft Exchange and Tiger Mail. Departments are discouraged from operating e-mail servers or services, and should strongly consider using the campus e-mail services before starting a departmental e-mail server (email@example.com).
- All departmental e-mail servers must be approved and registered with Information Technology Services in order to send/receive e-mail through the University network. Once approved, mail servers can be registered by sending an e-mail to firstname.lastname@example.org with the IP address and manager of the departmental e-mail server.
- Managers of departmental e-mail servers who assign e-mail addresses and aliases such as email@example.com will be responsible for assigning IDs that are distinguishable and unique.
- Managers and users of departmental e-mail servers are responsible for adhering to all mail storage and retention requirements and applicability of laws and policies such as PS06.15 Use of Electronic Mail.
- Departmental e-mail servers should follow the best practices security baseline listed above.
Departmental File Servers
- Access to file shares should be limited to specific users (No open/anonymous shares).
- Users should be given only the appropriate amount of privileges to access data within the file shares.
- Personally Identifiable Information (PII) such as credit card and bank account numbers should not be stored unless absolutely necessary.
- Any Personally Identifiable Information (PII) must be stored on software- or hardware-encrypted disks.
- Departmental file servers should follow the best practices security baseline listed above.