ITS Specification: Windows Servers

Building out Windows Servers, whether on bare metal hardware, in a VM or in the cloud (AWS), requires additional actions around the build process, networking, security, granting access and more.

These specifications apply to any implementation of Windows Server at UCSC. These specifications are for basic Windows Servers. If you would like to implement something more sophisticated on the Windows Server OS, or ask questions, submit an ITS support request.

  • Hardware (physical or virtual)
    • Complies with UCSC Physical Server Specifications.
    • All systems at UCSC, including servers, must have the standard set of UCSC management and security tools, which may require more CPU, memory or disk storage than application requirements specify. Submit an ITS support request if you need more details about requirements.
  • Security
    • As with all UCSC-owned computer systems and as required by UCOP, the ITS security tool bundle for servers must be installed. If you are outside of WinCore, the best way to do this is to submit an ITS support request for assistance installing:
      • BigFix (Windows Server Installer)
      • Trellix HX
      • Insight VM agents
    • As with all servers, only the port(s) necessary for the functioning of the server should be open.
    • Windows Servers should not be exposed to the Internet; they should instead be on private networks. If you would like to use your server to host information on the Internet, please submit an ITS support request to contact the ITS Windows Team.
    • Systems containing data with P3 or P4 protection levels are required, by UC policy, to be on the Verified Network.
    • The Windows Local Host Firewall is required to be enabled and is configured and enforced with Domain group policy.
    • UAC (User Account Control) is required to be enabled.
  • Networking
    • Work with UCSC networking to ensure that the system’s DNS has the appropriate IP registration.  
    • Depending on the needs of this server, you may need to coordinate with the appropriate team (network or cloud) regarding opening network firewall ports.
  • OS level
    • All servers are required to have a current and supported OS.
    • All servers must be patched with monthly security updates, in line with UCOP and UCSC security policies.
    • Servers should be running a patch level no more than two months old.
  • Active Directory Domain Membership
    • au.ucsc.edu Active Directory domain membership is required.  Please submit an ITS support request for access.  
    • Some admins will have servers in specific delegated AU Active Directory domain OUs.  These OUs are for managing servers and endpoints at a divisional or department level.
  • User Accounts and Controlling Access
    • Do not use or create local Administrator accounts on Windows Servers.  The ITS Windows team can create a Domain account for your administrative access.
    • ITS WinCore System Administrators create and configure domain accounts for server administrators.
    • The allowed Windows Server administrator groups are defined and enforced via group policy.
    • Windows Server administrator groups are maintained by ITS WinCore SAs.
    • The default local Administrator account is automatically managed and controlled by Active Directory Group policy.  
    • The default “guest” account and “guest” group on Windows Servers are disabled.
    • User account access and security groups are centrally managed by ITS WinCore SAs.  
    • Be aware that Microsoft also requires CALs (Client Access Licenses) for different types of access.  Contact WinCore (details in Summary above) for assistance.
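
A server administrator can spot-check several of the settings above from an elevated PowerShell session. The script below is an added example, not an ITS-provided tool; it is read-only, assumes a domain member server (not a domain controller), and treats "most recent installed hotfix is less than two months old" as an approximation of the patch-level requirement.

```powershell
# Added example: read-only audit of settings named in this specification.
# Assumptions: member server, elevated session, built-in cmdlets only.
$results = [ordered]@{}

# Windows Local Host Firewall: every profile must be enabled.
# ActiveStore returns the effective settings, including those applied by group policy.
$off = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' }
$results['Host firewall enabled on all profiles'] = (@($off).Count -eq 0)

# UAC: EnableLUA must be 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA
$results['UAC enabled'] = ($lua -eq 1)

# Guest account: matched by its well-known RID (501) in case it was renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$results['Guest account disabled'] = (-not $guest.Enabled)

# Active Directory membership: the server must be joined to au.ucsc.edu.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Joined to au.ucsc.edu'] = ($cs.PartOfDomain -and $cs.Domain -eq 'au.ucsc.edu')

# Patch level: newest hotfix with a recorded install date, compared to two months ago.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn | Select-Object -Last 1
$results['Latest update under two months old'] =
    [bool]($latest -and $latest.InstalledOn -ge (Get-Date).AddMonths(-2))

# One row per check; Pass = False marks an item to raise with ITS.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
}
```

The script does not verify the security tool bundle, open ports or administrator group membership, which are managed centrally.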
Last modified: Feb 04, 2026