If you are permitted to access or maintain sensitive institutional data using a server or database that you manage, please meet the minimum expectations below.
Information Assurance (IA) recommends that you begin the process of hardening university servers, workstations, or databases by running the Center for Internet Security's Configuration Assessment Tool—CIS-CAT. The tool will scan your system, compare it to a preset benchmark, and then generate a report to help guide further hardening efforts. See CIS-CAT for U-M Systems for information about the UM-specific version of the tool.
These guidelines were developed for MySQL and MSSQL databases, but can be applied more universally.
Check the Sensitive Data Guide and Minimum Information Security Requirements
Use the Sensitive Data Guide to confirm that your server is eligible to access or maintain the type(s) of sensitive data it is storing or processing. If you are accessing or maintaining data classified as Restricted or High on your server, you should consult with IA by contacting the ITS Service Center.
Use the Minimum Information Security Requirements for Systems, Applications, and Data to see a summary of requirements spelled out in U-M's Information Security policy (SPG 601.27) and the U-M IT security standards.
Configuration and Management
- Do not use the root, default, or sa account to connect the web server to the back end database.
- Manage accounts by limiting account privileges to only the necessary database instances.
- Ensure that there is a unique administrator account and password for each database instance. If local account authentication is being used, ensure that administrative accounts in each database are given unique passwords.
- Use secure passwords. See guidelines for creating a secure password.
- Schedule periodic disconnections (timeouts) for accounts idle more than two hours.
- Limit access to the database listener port(s) to U-M campus networks using firewall rules.
- Remove demo or example databases or database users if created by an application installation. Change passwords of these accounts if removal is not possible.
- Use database-level encryption if the database stores sensitive data. Use the DS-15 guidelines for Encryption to determine when encryption is required by U-M policies and standards.
- Enable logging of all database logon authentication attempts (failed and successful). Use the DS-19 guidelines for Security Logging to determine if security logging is required.
- Configure secure transaction log backups to allow database restores for disaster recovery. Be aware that transaction log backups for some database systems are stored in clear text by default and may contain sensitive data. To be consistent, database backup files should be encrypted if database-level encryption is not used. Encrypt those logs when in transit and where stored.
- Update promptly. Update the service or application within 30 days of an official security patch release by a vendor.