Responsible office: Information Technology
Enforcement official: Director, IT Security & Privacy
Statement of Rule
Servers that administer or share resources with multiple clients in a distributed network must be registered in order for the server to have Internet access through the WMU firewall. Unregistered servers are restricted to intranet access only.
1. Purpose of Rule
This Rule has been developed in the interest of system and data security and establishes rules for allowing servers to access the Internet. It is intended to help prevent malicious users from accessing unregistered or unintentionally installed servers. Unrestricted servers could pose serious security threats to WMUnet systems and users. Server registration is intended to minimize security risk and data exposure while continuing to provide needed, uninterrupted access to data and applications.
2. Stakeholders Most Impacted by the Rule
This Rule applies to all system administrators and/or users who install software that is intended to be shared with other users on the network and accessed from off-campus computers and devices.
3. Key Definitions
3.1. Internet is a global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols.
3.2. Intranet means the internal WMU network, WMUnet, which does not have access from outside the campus.
3.3. System/server administrator refers to WMU system and application specialists who are responsible for installing and maintaining software applications that are accessed by multiple users of a unit, department or college.
3.4. Virtual Private Network (VPN) is a method employing encryption to provide secure access to a remote computer over the Internet.
3.5. Security scan is an operation performed by special software that searches for vulnerabilities in operating systems and other applications that are installed on a server.
3.6. E-Commerce review committee is charged with maintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS) for WMU.
3.7. IP address is the Internet Protocol number assigned to a physical device on the network.
3.8. Server port number is the number used by application-layer protocols of the Internet protocol suite, together with the IP address, to establish host-to-host connectivity to a specific service.
3.9. A digital certificate is a means of proving your identity in electronic transactions and of assuring those using your servers that the information they receive from them is authentic.
4. Full Rule Details
4.1. All unregistered servers are restricted to the internal WMU network, WMUnet, which is commonly called the intranet. Only registered servers are allowed to participate on the Internet. Test and development servers should also be registered, but they will not be granted access from the Internet. Users requiring access to these systems from off-campus must use VPN services.
4.2. Servers that require access to and/or from the Internet (outside WMUnet) must:
4.2.1. Be approved by the requesting user’s department or division leaders.
4.2.2. Have a documented, demonstrated need not met by an existing server.
4.2.3. Successfully pass security scans performed by the Office of Information Technology.
4.2.4. Be operated within the University’s security framework. This includes installing patches and upgrades in a timely manner.
4.2.5. Comply with E-Commerce review committee standards.
4.3. In order to register a server, the following information is required:
4.3.1. Name, phone number(s), campus address, and wmich.edu email address of the university employee(s) who are the primary and backup administrators responsible for the maintenance of the server hardware and software.
4.3.2. Physical location, name, and IP address of the server.
4.3.3. Operating system version of the server.
4.3.4. Server software version.
4.3.5. Applications being accessed by remote users and/or applications interacting with the Internet.
4.3.6. Classification of the data stored or accessed, per the Data Classification Policy.
4.4. Responsibilities of server administrators are:
4.4.1. Keep current with security patches. Evaluate and expeditiously apply patches within 60 days of patch release date.
4.4.2. Maintain the operating system at the level recommended by the vendor.
4.4.3. Properly restrict access to sensitive information and comply with WMU Data Classification Policy.
4.4.4. Ensure that an administrator, or a designate, is available during working hours for problem resolution.
4.4.5. Provide a current list of contacts (with emergency phone numbers) that can be reached in critical situations during non-business hours.
4.5. For servers containing University mission-critical or protected information, an approved digital certificate must be installed; self-signed certificates are not allowed. It is recommended that the server be physically located in the secure information technology machine room in the University Computing Center.
Server administrators are expected to read the monthly server scan reports and, when appropriate, act on information about server security issues in a timely manner. In critical situations, it may become necessary for OIT to contact server administrators or backup administrators at any time. In the event they cannot be contacted, it may become necessary to power off the server or disconnect the server from the network without warning.
Patches must be installed within 60 days of first notification of vulnerabilities identified as “critical” or “high” based on the monthly server scans. Failure to keep servers current with security patches will result in blocking off-campus access and/or removal from the network.
6. Related Procedures and Guidelines
The server registration process can be found at wmich.edu/it/servers, where you can register as well as de-register a server.
The Office of Information Technology serves as the WMU clearing house for obtaining digital certificates. Via the Digital Certificate Request, you will be taken to the IT Direct service management system, where a Bronco NetID and password are required to authenticate to the system.
7.1. How does one know how to remediate a vulnerability that is discovered in the monthly server scans?
Answer: The server administrator on record will either receive a vulnerability report from the scanning software or will be directed to access the scanning software for the report. The report provides links to resources on how to patch the found vulnerability. If the server administrator does not have access to the scanning software, please contact firstname.lastname@example.org
8. Related Policies:
8.2. E-Commerce Policy
Effective date of current version: September 1, 2019
Date first adopted: January 1, 2012
Proposed date of next review: June 1, 2022