
Networks: Web Servers

Summary of recommended practices for Web Servers

1. Web Servers are isolated from CWU public and internal networks
2. Web Servers are configured with appropriate access controls
3. Web Server logging mechanisms are configured
4. Security implications are considered before selecting programs, CGIs, scripts, plug-ins, and servlets
5. Web servers are configured to use authentication and encryption technologies
6. Patches are applied as soon as possible after release
7. Maintain an authoritative copy of Web site content

Detail of recommended practices for Web Servers

1. Web Servers are isolated from CWU public and internal networks

Public web servers are placed on a separate, protected subnetwork. This ensures that traffic between the Internet and the server does not traverse any part of the private internal network, and that no internal network traffic is visible to the server.

2. Web Servers are configured with appropriate access controls

  • Web servers are configured to run under dedicated (unique) user and group identities rather than under an administrative account.
  • Passwords must meet minimum complexity standards.
  • Default accounts are disabled or removed.
  • Unnecessary services such as FTP, SNMP, etc. are turned off unless required by the web server application.
  • Executable files are limited to specific directories (for example, a CGI directory), and source code cannot be downloaded through the web server.
  • Security tools provided by the web-server vendor and the OS vendor are run after upgrades.
  • Connection time-outs are configured to mitigate the effects of DoS attacks.
  • The number of persons with administrator access is limited.
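The following script, added here as an illustration and not part of the CWU practice document, checks a host against three of the access-control practices above: the server runs under a dedicated identity rather than entirely as root, only the web ports are exposed (FTP, SNMP and similar are flagged), and executables and source/backup files are kept where the server cannot hand them out. It works on constructed text snapshots in the format of `ps -eo user,comm` and `ss -lntu` and on a constructed file list, so it runs offline; the allow-lists (WEB_SERVER_NAMES, ALLOWED_PORTS, the extension lists) are assumptions chosen for the example and would be tuned to the site.

```python
"""Audit a web server host snapshot against the access-control practices.

Added example, not from the CWU page. Inputs are constructed text in the
format of `ps -eo user,comm` and `ss -lntu` plus a list of files under the
document root, so the check runs offline against sample data.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "severity message")

# Constructed `ps -eo user,comm` output: the httpd parent runs as root,
# the workers as the dedicated 'apache' user (the expected arrangement).
PS_OUTPUT = """USER     COMMAND
root     systemd
root     httpd
apache   httpd
apache   httpd
root     sshd
"""

# Constructed `ss -lntu` output: web ports, plus FTP and SNMP left enabled.
SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:22      0.0.0.0:*
"""

# Constructed listing of files under the document root.
DOCROOT_FILES = [
    "index.html", "cgi-bin/search.cgi", "images/logo.png",
    "include/db.inc", "admin/config.php.bak", "scripts/upload.pl",
]

# Assumed policy for this example (tune to the actual site).
WEB_SERVER_NAMES = {"httpd", "apache2", "nginx"}
ALLOWED_PORTS = {80, 443}            # may face the network
LOOPBACK_ONLY_PORTS = {22}           # acceptable only if bound to loopback
KNOWN_SERVICES = {21: "FTP", 23: "telnet", 25: "SMTP", 161: "SNMP"}
EXECUTABLE_DIRS = ("cgi-bin/",)      # the only place executables belong
EXECUTABLE_EXT = (".cgi", ".pl", ".sh", ".py")
SOURCE_EXT = (".inc", ".bak", ".orig", ".old", ".sql", "~")


def parse_ps(text):
    """Return (user, command) pairs from `ps -eo user,comm` output, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows


def parse_listeners(text):
    """Return (address, port) pairs from `ss -lntu` output, skipping the header."""
    listeners = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")   # handles [::]:80 and *:80 too
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit(ps_text, ss_text, files):
    """Return a list of Findings; an empty list means the snapshot passed."""
    findings = []
    # Practice: the server runs under a dedicated identity. A root parent that
    # binds the port is normal; what matters is that workers drop privileges.
    users = {u for u, c in parse_ps(ps_text) if c in WEB_SERVER_NAMES}
    if users == {"root"}:
        findings.append(Finding("high", "web server worker processes all run as root"))
    elif "root" in users:
        workers = ", ".join(sorted(users - {"root"}))
        findings.append(Finding("info", f"parent runs as root (expected); workers run as {workers}"))
    # Practice: unnecessary services are turned off.
    for addr, port in parse_listeners(ss_text):
        if port in ALLOWED_PORTS:
            continue
        if port in LOOPBACK_ONLY_PORTS and addr in ("127.0.0.1", "[::1]"):
            continue
        name = KNOWN_SERVICES.get(port, "unknown service")
        findings.append(Finding("medium", f"{name} listening on {addr}:{port}"))
    # Practice: executables confined to specific directories; source not downloadable.
    for path in files:
        if path.endswith(SOURCE_EXT):
            findings.append(Finding("high", f"source/backup file in document root: {path}"))
        elif path.endswith(EXECUTABLE_EXT) and not path.startswith(EXECUTABLE_DIRS):
            findings.append(Finding("medium", f"executable outside the CGI directory: {path}"))
    return findings


if __name__ == "__main__":
    for f in audit(PS_OUTPUT, SS_OUTPUT, DOCROOT_FILES):
        print(f"[{f.severity}] {f.message}")
```

On the sample snapshot the script reports the two stray services, the two source/backup files, the script outside cgi-bin, and an informational note that the parent runs as root while workers run as `apache`; a deployment where every httpd process runs as root is reported as a high finding instead.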

3. Web Server logging mechanisms are configured

Web servers are configured for logging, and logs are reviewed regularly by systems administrators. Intrusion detection software monitors connections to the server when necessary. The web servers are scanned periodically with tools such as ISS, nmap or SATAN to look for vulnerabilities.
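As an added example of what the regular log review looks for (this is illustrative code, not part of the CWU practice document), the script below parses access-log lines in Apache combined format and reports clients that request source or backup files, attempt directory traversal (including URL-encoded forms), announce a scanner in the User-Agent, or produce a burst of client-error responses. The log lines are constructed for the example; the scanner names, extension list and error threshold are assumptions to be tuned.

```python
"""Flag suspicious clients in a web server access log.

Added example, not from the CWU page. SAMPLE_LOG is constructed in
Apache/NCSA combined log format; the detection rules are illustrative.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# One combined-format record: client, identd, user, time, request, status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one ordinary visitor, one probing client, one scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2004:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2004:13:55:40 -0700] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:02 -0700] "GET /cgi-bin/search.cgi?q=test HTTP/1.0" 200 815 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:05 -0700] "GET /admin/config.php.bak HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:06 -0700] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:07 -0700] "GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:08 -0700] "GET /include/db.inc HTTP/1.0" 403 199 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2004:14:01:09 -0700] "GET /phpinfo.php HTTP/1.0" 404 209 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2004:14:10:00 -0700] "GET / HTTP/1.0" 200 2326 "-" "Nikto/1.3"
"""

# Assumed rules for this example.
SOURCE_EXT = (".inc", ".bak", ".old", ".orig", ".sql", "~")
SCANNER_UA = ("nikto", "nmap", "sqlmap", "satan", "nessus")
ERROR_THRESHOLD = 4   # this many 4xx responses from one client is worth a look


def parse_line(line):
    """Return the record as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(log_text):
    """Return {client_ip: [reasons]} for clients whose requests warrant attention."""
    findings = defaultdict(list)
    errors = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings["<unparsed>"].append(line)   # malformed lines are themselves worth a look
            continue
        ip = rec["ip"]
        # Decode %-escapes and drop the query string before matching on the path.
        path = unquote(rec["path"].split("?", 1)[0])
        if "../" in path or "..\\" in path:
            findings[ip].append(f"directory traversal attempt: {rec['path']}")
        if path.lower().endswith(SOURCE_EXT):
            findings[ip].append(f"request for source/backup file: {path}")
        if any(s in rec["ua"].lower() for s in SCANNER_UA):
            findings[ip].append(f"scanner user agent: {rec['ua']}")
        if rec["status"].startswith("4"):
            errors[ip] += 1
    for ip, n in errors.items():
        if n >= ERROR_THRESHOLD:
            findings[ip].append(f"{n} client-error responses (possible probing)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in review(SAMPLE_LOG).items():
        print(ip)
        for r in reasons:
            print("   ", r)
```

Note that the 403 for `/include/db.inc` is the server doing its job (the file was not served); the review still records the request because it shows what the client was after.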

4. Security implications are considered before selecting programs, CGIs, scripts, plug-ins, and servlets

All programs, CGIs, scripts, plug-ins, servlets, etc. are selected from trustworthy sources after a cost/benefit analysis and a thorough review of publicly available information to identify known vulnerabilities.

5. Web servers are configured to use authentication and encryption technologies

Authentication and encryption are used to protect information traversing the connection between a Web browser client and a public Web server. Web servers are configured to use SSL, with SSL server keys and the related certificates, where confidentiality and authentication are needed.

6. Patches are applied as soon as possible after release

Patches and updates are applied as soon as they are announced and released by the vendors.

7. Maintain an authoritative copy of Web site content

After patches, OS updates, etc., an authoritative copy of the web site content is backed up to tape.
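The authoritative copy is also what the live server is compared against when defacement or unauthorized changes are suspected. The script below is an added example, not part of the CWU practice document, and goes one step beyond the tape backup described above: it records a SHA-256 manifest of the authoritative copy and verifies the deployed document root against it, listing files that were modified, added or removed. The two file trees it compares are constructed in a temporary directory for the example.

```python
"""Verify deployed web content against an authoritative copy.

Added example, not from the CWU page. A SHA-256 manifest of the
authoritative copy is stored alongside it; verify() compares the live
document root with that manifest. The file trees in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify(manifest, deployed_root):
    """Compare the live tree with the manifest and report every difference."""
    live = build_manifest(deployed_root)
    return {
        "modified": sorted(k for k in manifest if k in live and live[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in live),
        "unexpected": sorted(k for k in live if k not in manifest),
    }


def write_tree(root, files):
    """Create the files in `files` ({relative path: bytes}) under root."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build an authoritative copy and a tampered deployment, then verify the latter."""
    # Constructed site content for the example.
    site = {
        "index.html": b"<html><body>Welcome</body></html>\n",
        "cgi-bin/search.cgi": b"#!/usr/bin/perl\nprint \"ok\\n\";\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        authoritative = Path(tmp) / "authoritative"
        deployed = Path(tmp) / "deployed"
        manifest_path = Path(tmp) / "manifest.json"

        # Record the manifest when the authoritative copy is taken.
        write_tree(authoritative, site)
        manifest_path.write_text(json.dumps(build_manifest(authoritative), indent=2))

        # A tampered deployment: changed index, an extra script, a missing image.
        tampered = dict(site)
        tampered["index.html"] = b"<html><body>changed</body></html>\n"
        tampered["cgi-bin/extra.cgi"] = b"#!/bin/sh\n"
        del tampered["images/logo.png"]
        write_tree(deployed, tampered)

        # Later: reload the stored manifest and check the live tree against it.
        stored = json.loads(manifest_path.read_text())
        return verify(stored, deployed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be stored with the authoritative copy (off the web server), since a manifest kept on the server can be rewritten by whoever altered the content.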

Contact Information

ITS - Networks
400 E. University Way
Ellensburg, WA 98926
Phone (509) 963-2924
Email: networks@cwu.edu