In order to set a baseline for how systems should be configured when attached to the Ohio University network, a working group was established in August 2008 for the purpose of developing a standard to which all systems should comply.
After reviewing several of the standards in existence, the group took the NIST 800-123 Guide to General Server Security as their template and modified it to more closely meet the environment of Ohio University. In all cases, the group attempted to stay true to the following security concepts.
Defense in Depth - Simply stated, good security doesn't rely on only one level of protection.
Principle of Least Privilege - An individual, process, or system should only have the minimum amount of rights, access, or privilege required to get the job done.
Less is More - A system should only contain or have running those files and functions necessary to get the job done; nothing more, nothing less.
One change that the working group made to the standard was the recognition that not all systems are the same. Toward that end, the standard has been broken into three levels. The standard is cumulative, i.e. Moderate systems have to comply with both the Moderate and Minimum requirements, while Maximum systems must comply with all three.
| Level | Applies to |
|---|---|
| Minimum | Minimum standards apply to all general purpose computer environments (e.g. Windows, Mac, Linux, BSD, etc.). |
| Moderate | All servers are at least Moderate, and servers containing confidential data must meet the Maximum requirement. |
| Maximum | Maximum is required regardless of whether the system is "production" if it contains sensitive data. |