Security Standard for General Information Systems

In order to set a baseline for how systems should be configured when attached to the Ohio University network, a working group was established in August 2008 for the purpose of developing a standard to which all systems should comply.

After reviewing several of the standards in existence, the group took the NIST 800-123 Guide to General Server Security as their template and modified it to more closely meet the environment of Ohio University. In all cases, the group attempted to stay true to the following security concepts.

  • Defense in Depth - Simply stated, good security doesn't rely on only one level of protection.

  • Principle of Least Privilege - An individual, process, or system should only have the minimum amount of rights, access, or privilege required to get the job done.

  • Less is More - A system should only contain or have running those files and functions necessary to get the job done; nothing more, nothing less.


3 Levels of Standard

One change that the working group made to the standard was the recognition that not all systems are the same. Toward that end, the standard has been broken into three levels. The standard is cumulative - i.e. Moderate systems have to comply to both Moderate and Minimum, while Maximum must comply to all three. 

 Minimum  Minimum standards apply to all general purpose computer environments. (i.e. Windows, Mac, Linux, BSD, etc.)
 Moderate  All servers are at least Moderate, and servers containing confidential data must meet the maximum requirement.
 Maximum  Maximum is required regardless of whether the system is "production" if it contains sensitive data. 


  • Create, document, and implement a patching process. This may be accomplished through WSUS, GPO, or auto patching.
  • Install permanent fixes (patches, upgrades, etc.) 
  •  Identify vulnerabilities and applicable patches, unless automated.
  •  Mitigate vulnerabilities temporarily if needed and if feasible. (until patches are available, tested, and installed) (depending on exploit available, or difficulty of the fix)

Server Deployment

  • Keep the servers disconnected from networks or connect them only to an isolated "build" network until all patches have been transferred to the servers through out-of-band means (e.g., CDs) and installed, and the other configuration steps listed in this section have been performed. 
  • Place the servers on a virtual local area network (VLAN) or other network segment that severly restricts what actions the hosts on it can perform and what communications can reach the hosts. Only allow those events that are necessary for patching and configuring the hosts. Do not transfer the hosts to regular network segments until all the configuration steps listed in this section have been performed. 
  • Administrators should not apply patches to production servers without first testing them on another identically configured server.


Remove, restrict or disable unnecessary or unused services, applications, and network protocols.