General guidelines for managing server computers
The following notes provide high-level guidelines for managing departmental servers. System administrators (SysAdmins) should follow these guidelines in proportion to the risk and criticality of servers to the continued operation of local administrative and academic services.
Protect your data
Back up your data
A critical part of your machine, often the most critical, is the data it houses. All computers can break. You can replace components (hard drive, memory, or monitor) but if you're not performing backups, you cannot replace your data. The challenge with servers is that both the quantity and criticality of the data are substantial. Simple backup strategies that might work on a workstation are usually not sufficient for a server.
Just as importantly, discipline and disaster preparedness for data management are essential for a server. Professional backup solutions are neither cheap nor without maintenance and the “price” of not getting it right can be very high. Unless you are prepared to invest serious money and time in your own backup strategy and equipment, we recommend the ITS backup system (TSM, Tivoli Storage Manager). This service allows you to automatically (nightly) or manually (any time) back up copies of your files and directories to a central tape server. You can subsequently recover those copies if the originals are damaged or lost. ITS backup requires three things:
- An account
- Download, install, and configure the client software
- Confirm that regular backups have been initiated
As an alternative to ITS backup services, if you have only a few vital files on a machine they can simply be saved to removable disks each time they are updated or on a regular basis. External storage devices such as zip drives, hard disks, and removable cartridge drives can be connected to a machine allowing for direct copy or backup of large volumes of information on a scheduled basis.
Two important points about backup that are often overlooked:
- Do not store backups near the systems. Pick a secure, remote location. For very critical backups consider storing an additional copy off-site to protect against physical disaster at the department.
- Obviously, backups are only useful if you can restore the data! Familiarize yourself with the restore procedure and test the restore process.
Keep software up-to-date
Servers by nature incur high risk by providing many services to many users. It is imperative to keep the basic operating system and application software up-to-date for both stability and security reasons. Most major vendors offer some form of automated or semi-automated process for upgrades and patches (e.g., Microsoft, Red Hat, or Sun), but be wary: upgrades and patches are seldom foolproof and can have unpredictable interactions with desired services.
Patches, upgrades and security fixes are being released at an increasing pace. Near universal access to the Internet has spawned a large increase in the number of exploits, hacks, and vulnerabilities. These flaws exist in all operating systems and the rate of discovery is likely to continue to increase.
As an absolute minimum, any SysAdmin should regularly visit ITS Information Security for current alerts, and subscribe to the ITpartners-list. For Windows, Macintosh or Linux/Unix support, contact the ITS Help Desk (785.3200).
- Visit the protecting against viruses, spyware, and other "malware" web page for more information.
Unnecessary services or applications
Reduce risk by not running any non-essential service or application. Nearly every piece of software code has some exposure in it and you should treat every service as an eventual security risk. Ironically, even services that are designed to enhance security (e.g., SSH server software) require ongoing security attention and should not be run unless needed.
Always seriously consider using ITS provided services and facilities (which come with ITS professional maintenance). One of the most common “break-in” scenarios at Yale is a machine that was started and built by an energetic and passionate innovator and that falls into disrepair and vulnerability because of graduation, a shift in interests, or because the service it provides has since become a commodity.
Review the manufacturers' default installation and settings. Vendors have typically enabled all services “out of the box” and thus few default installations will be secure. It's also wise to remember that startup routines under most current operating systems can be complex and services get started in a variety of places. One proactive step you can take is to use a scanning tool to check your machine for vulnerabilities (or just for running services). Contact the ITS Information Security Office if you need a security scan.
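One way to check a Linux server for running services, as an added example that is not part of the original guidelines: it parses the output of `ss -H -tlnp` and reports every listening TCP socket that is not on an allowlist of intended services. The sample output, the allowlist and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `ss -H -tlnp` output (Linux); not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=990,fd=6))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=701,fd=7))
LISTEN 0 32 [::]:21 [::]:* users:(("vsftpd",pid=1422,fd=3))
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
"""

# Assumption: the services this server is meant to offer, as (process, port).
ALLOWED = {("sshd", 22), ("nginx", 443)}
LOOPBACK = ("127.", "[::1]")

def parse_listeners(text):
    """Return (address, port, process) for each listening TCP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)
        if not port.isdigit():          # run ss with -n for numeric ports
            continue
        match = re.search(r'\(\("([^"]+)"', line)
        # Kernel-owned sockets (e.g. NFS) have no process column.
        process = match.group(1) if match else "unknown"
        listeners.append((address, int(port), process))
    return listeners

def unexpected_services(text, allowed=ALLOWED):
    """Listeners not on the allowlist, network-reachable ones first."""
    findings = []
    for address, port, process in parse_listeners(text):
        if (process, port) in allowed:
            continue
        exposed = not address.startswith(LOOPBACK)
        findings.append((process, port, address, exposed))
    return sorted(findings, key=lambda f: (not f[3], f[1]))

if __name__ == "__main__":
    for process, port, address, exposed in unexpected_services(SAMPLE_SS):
        scope = "network-reachable" if exposed else "loopback only"
        print(f"review: {process} on {address}:{port} ({scope})")
```

Run `ss` as root so the process column is populated for sockets owned by other users.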
Account maintenance
Just as unused and unneeded services present a risk to your server, so too do unused and un-maintained accounts. This is particularly true in an academic environment where every year brings a new cohort of students and faculty, and a lack of systematic maintenance quickly leads to an accrual of dead accounts. Dormant accounts represent weaknesses because they represent an opportunity for an intruder to gain access while appearing to be legitimate. Active accounts need maintenance as well, and the SysAdmin should ensure that passwords are routinely changed and are sufficiently strong.
Consider tying your authentication systems into the central campus systems wherever practical.
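A sketch of the dormant-account review described in this section, added here as an example and not taken from the original guidelines: it cross-references `/etc/passwd` with `lastlog` output to list interactive accounts that have never logged in or have been idle past a threshold. The sample data, the 180-day threshold, the UID cutoff of 1000 and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed samples in /etc/passwd and `lastlog` format; not real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/zsh
svcweb:x:1004:1004:Web service:/srv/web:/usr/sbin/nologin
"""
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root             pts/0    10.0.0.5         Mon Mar  3 09:12:44 -0500 2025
alice            pts/1    10.0.0.7         Fri Feb 28 16:40:02 -0500 2025
bob              pts/2    10.0.0.9         Tue May 14 11:05:31 -0400 2024
carol                                      **Never logged in**
"""
NO_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
LASTLOG_FMT = "%a %b %d %H:%M:%S %z %Y"

def interactive_users(passwd_text, min_uid=1000):
    """Human accounts: UID >= min_uid and a shell that permits login."""
    rows = (line.split(":") for line in passwd_text.splitlines() if line)
    return [r[0] for r in rows
            if int(r[2]) >= min_uid and r[6] not in NO_LOGIN_SHELLS]

def last_logins(lastlog_text):
    """Map username -> last login (aware datetime), or None if never."""
    logins = {}
    for line in lastlog_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if not fields:
            continue
        stamp = " ".join(fields[-6:])   # timestamp is the last six tokens
        logins[fields[0]] = (None if "**Never" in fields
                             else datetime.strptime(stamp, LASTLOG_FMT))
    return logins

def dormant_accounts(passwd_text, lastlog_text, now, max_idle_days=180):
    """(user, idle_days) pairs; idle_days is None if never logged in."""
    logins = last_logins(lastlog_text)
    cutoff = now - timedelta(days=max_idle_days)    # now must be tz-aware
    report = []
    for user in interactive_users(passwd_text):
        seen = logins.get(user)
        if seen is None or seen < cutoff:
            report.append((user, None if seen is None else (now - seen).days))
    return report
```

On a real host, pass the contents of `/etc/passwd` and the output of `lastlog`, with `now` set to `datetime.now(timezone.utc)`.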
Specialized software for servers
Strongly consider installing specialized software to provide: anti-virus protection, host-based firewall, and file integrity / intrusion detection.
- Anti-virus software is strongly recommended. Yale has an institutional site license for Norton Antivirus; if your server runs Windows or Macintosh, please visit the ITS software site to download and install it.
- Many servers can benefit from the installation of software to create a “host-based” firewall. This software resides on the server but creates a firewall restricting connections to certain services or certain other machines. A wide array of choices is available by operating system including, for example, Netfilter, Zone Alarm, and IPNetSentry.
- You should also strongly consider installing and using a file integrity checking or intrusion detection system, such as Tripwire or ISS Real Secure, that alerts you if certain key system files are altered. They can serve as early detection of break-ins and save lots of work in recovery operations.
Physical security
As with personal computers, the physical security of servers may be an important link in machine management. Ask yourself these questions:
- Are the machines in a secure and managed location (e.g., air conditioning, power, backups, etc.)?
- Who has keys or a keycard?
- Are alarm codes changed regularly?
- What risks exist from loss of environmental supports or physical access to the machine by unauthorized individuals?
- Visit the physical security for your computers & mobile devices web page for more information.