Fredonia Minimum Security Standards: Servers

A server is defined as a host that provides a network accessible service.

Follow the minimum security standards in the table below to safeguard your servers.


PatchingBased on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 30 days. Use a supported OS version.
Vulnerability ManagementPerform a monthly Vulnerability scans via Enterprise Vulnerability Management System. Remediate severity Critical and High within seven days of discovery and severity Medium vulnerabilities within 90 days.
InventoryReview and update records quarterly. Maximum of one node per record.
Enable host-based firewall in default deny mode and permit the minimum necessary services.
Credentials and Access ControlReview existing accounts and privileges quarterly.
Two-Factor Authentication
Require two-factor authentication for all interactive user and administrator logins. Two-factor will be required for all remote authentications.
Centralized Logging
Forward logs to a remote log server. University IT Splunk service recommended.
Security TrainingComplete annual Secure the Human Training.
Malware Protection & Intrusion DetectionDeploy Symantec Endpoint Protection. Review alerts as they are received.
Physical Protection
Place system hardware in a data center.
Dedicated Admin Workstation
Access administrative accounts only through a Privileged Access Workstation (PAW).

Security, Privacy, and Legal Review
Request a Security, Privacy, and Legal review by the Information Security Officer and implement recommendations prior to deployment.
Regulated Data Security Controls
Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer.