Server Administration Guidelines

As an Application Administrator of a virtual or physical server in the Texas State University data center (whether on-premises or in the cloud), you and the Technology Resources Systems Administration Team have specific responsibilities and must work together to maintain a safe and secure environment for the university and its data. You are also responsible for ensuring that external vendors and contractors follow these guidelines.

State Laws and University Policies 

All parties must adhere to applicable federal and state laws, university policies, and information technology best practices and procedures.

TXST Shared Responsibility Model

Systems Administration Team

  • Software
    • Installation: Install a supported operating system and configure it to TXST IT best practices.
    • Updates: Update the operating system on virtual and physical servers in the TXST data center on a schedule defined by the TXST Systems Administration Team. Out-of-band patches may be applied on an accelerated basis depending on severity. Application administrators who need to deviate from the automated process may opt to take responsibility for operating system updates themselves.
    • Shares/Mounts: Create shares, which must be restricted per best practices for the specific protocol used (e.g., Windows SMB shares must be controlled by a FileShare group, and NFS mounts must be controlled via an access list).
  • Hardware
    • Compute: Responsible for uptime and maintenance of hardware.
    • Storage: Configuration, maintenance and monitoring of central or dedicated storage.
    • Networking: Ensure uptime and connectivity to the TXST network.
  • Services
    • Backup: Backups will be available to physical and virtual systems hosted in the data center under IT division control.
    • Firewall: Ensure the host-based firewall is installed, configured and enabled. Requests for firewall modification can be submitted through a Server Support Request.
    • Authentication: Administrative access to the server must be through a Super User (SU) account; local accounts are not permitted. Where Active Directory groups are used to control access, the groups are maintained via the Role Management tool in the Online Toolkit. Two-factor authentication (such as Duo) will be required for administrative access.
Application Administrator

  • Application Support
    • Installation: Responsible for installing authorized software that is required for the primary application of the server and is authorized by the data security plan. See below for more information on authorization policies.
      • Note: Microsoft Windows Roles should be installed via a Server Support Request.
      • Note: The software must be authorized by the Information Security Office and the Systems Administration Team. Services such as FTP, OpenSSH for Windows, and File Sharing may not be installed by the application administrator. Any requirement for these services should be requested from the Systems Administration Team.
    • Configuration: Responsible for configuring the application to University policy and best practices.
    • Updates: Update applications on a scheduled basis (at minimum quarterly). Urgent security updates should be evaluated and applied as soon as possible.
    • Support: Work with vendors to resolve issues with performance, installation, or configuration of the application.
      • Note: The Systems Administration Team will work with the Application Administrator if changes need to be made at the OS level.
  • Application Security
    • Encryption: Any service that makes use of authentication must use an encrypted method for passing authentication credentials. SSL certificates can be requested via the SSL Certificate Request.
    • Logging: Event logging must be enabled on all applications/services and must include, at a minimum, access and configuration changes.
    • Auditing: Access to servers must be audited periodically by the application administrator. Potential methods for review include the Role Management tool and review within the application itself.

If contacted by Texas State Division of Information Technology staff about software or configurations on a server you maintain, application administrators are expected to respond as soon as possible.

Access

Applications and/or services may not be used until they have been authorized for use by the Information Security Office. Depending on the scenario, authorization steps may include, but are not limited to, the creation of a data security plan, completion of a vulnerability scan, and remediation of identified vulnerabilities.

All authentication to a server must be via a valid named account. Super User accounts are to be used when remotely administering systems (such as via Remote Desktop or SSH). Service accounts will not be used to remote desktop into or otherwise remotely administer systems. Any exception to this must be authorized by ISO and TR.
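The firewall, authentication and logging requirements in the Shared Responsibility Model, together with the named-account rule above, can be spot-checked on a Windows server before requesting the vulnerability scan. The PowerShell script below is an added example and is not TXST tooling or part of these guidelines. It assumes a domain-joined Windows Server with PowerShell 5.1 or later, run from an elevated session; it uses the default Windows group names and the standard RID boundary (1000 and above) for non-built-in local users, and because TXST's SU account naming convention is not stated here it flags local (non-domain) principals rather than judging whether a given domain account is an SU account.

```powershell
# Added example: pre-scan self-check for an application administrator on a Windows server.
# Not TXST's own tooling. Assumes: domain-joined Windows Server, PowerShell 5.1+,
# elevated session. Checks only what the guidelines state: host firewall enabled,
# no local accounts with administrative or remote access, logon auditing enabled.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Host-based firewall must be enabled on every profile (Domain, Private, Public).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings.Add("Firewall profile '$($fwProfile.Name)' is disabled")
    }
}

# 2. Administrative and remote-access groups must not contain local accounts.
#    PrincipalSource distinguishes local SAM principals from Active Directory ones.
foreach ($group in 'Administrators', 'Remote Desktop Users', 'Remote Management Users') {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        # Group absent on this edition/role, or an orphaned SID broke enumeration.
        $findings.Add("Could not enumerate group '$group': $($_.Exception.Message)")
        continue
    }
    foreach ($m in $members) {
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            $findings.Add("Local account '$($m.Name)' is a member of '$group'")
        }
    }
}

# 3. No enabled local user accounts beyond the built-in ones should exist.
#    Built-in accounts use RIDs below 1000 (500 Administrator, 501 Guest,
#    503 DefaultAccount, 504 WDAGUtilityAccount); created accounts start at 1000.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    $rid = [int](($u.SID.Value -split '-')[-1])
    if ($rid -ge 1000) {
        $findings.Add("Enabled local user account '$($u.Name)' (SID $($u.SID.Value))")
    }
    elseif ($rid -eq 500) {
        $findings.Add("Built-in Administrator account '$($u.Name)' is enabled")
    }
}

# 4. Access logging: the Logon subcategory must be audited so that access is recorded.
#    auditpol /r emits CSV with an 'Inclusion Setting' column.
$auditLine = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if (-not $auditLine -or $auditLine.'Inclusion Setting' -eq 'No Auditing') {
    $findings.Add("Audit policy: Logon events are not being audited")
}

if ($findings.Count -eq 0) {
    Write-Output "No findings: firewall enabled, no local accounts with admin/remote access, logon auditing on."
} else {
    Write-Output "Findings to resolve before requesting the vulnerability scan:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Each finding maps to a request route named on this page: firewall and file-share changes go through a Server Support Request, group membership is corrected through the Role Management tool, and anything outside the application administrator's authority is raised with the Systems Administration Team rather than changed directly on the host.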

Onboarding Checklist

Ensure your software is evaluated and authorized by the Information Security Office by submitting a Service Evaluation Request.

  • Request a server to be provisioned. This will route to the Information Security Office for a review of the system prior to the Systems Administration Team provisioning the server. You may request a DNS alias (CNAME) at this time.
  • Install and configure your system.
    • Application support issues should be referred to your vendor.
      • If your vendor needs access to the system, please see the Server FAQ page
    • Requests for support regarding the server itself can be made through a Server Support Request
    • If your service needs an SSL certificate, please request via the SSL Certificate Request.
    • Any file shares should be requested through a Server Support Request.
    • IMPORTANT: You are not authorized to use this application in a production manner until ISO signs off on your vulnerability scan.
      • Production means having users log in and use the application for its intended design with real data. You may only test until the application is authorized.
  • Request a vulnerability scan. Issues discovered during the vulnerability scan will need to be resolved before proceeding.
  • If your server will only need to be accessible on the TXST network or through VPN:
    • Request changes to the server's host-based firewall.
  • If your server will need to be accessible via the internet (not through VPN)

Tasks prohibited on University servers without authorization

Installing or running services, or performing tasks, that include but are not limited to:

  • Active Directory Services
  • DNS
  • DHCP
  • SSH on Windows
  • FTP/SFTP/FTPS
  • Web browsing
  • Checking email
  • Using as a primary desktop
  • Installing software not authorized by the Information Security Office or Systems Administration Team.
    • Free software must still be evaluated for use.
  • Installing software not required for the main function of the server.
  • Circumventing controls established by TXST IT.
  • Modifying host-based firewall.
  • File share creation
  • Use of packet capture applications such as Wireshark.

Authorization for these tasks must be requested through the Systems Administration Team. You may be required to get additional authorization from the Information Security Office.