Security and Management of Web Servers

Security and Management of Web Servers

Policy agreed by the Information Strategy Committee (ISC) - Thursday 21 February 2002

Abstract

The web is the key medium for providing information about the University and its activities to a worldwide audience. It follows that the University should have robust procedures for the management and operation of the systems providing the web service in order that the information published is authentic and available at any time and from any place. This policy is aimed at maximising the reliability and availability of the University's Web presence and ensuring that the information published is not compromised.

Why is it important?

The web is a vital tool to present the corporate image of the University and to market its services to prospective students, research collaborators and funders, both in the private and public sectors. It is therefore critical that the information published is current, accurate, authentic and available.

The phenomenal growth of the Web has resulted in the underlying systems being a major target for hackers. The attacks can take a variety of forms and have unacceptable outcomes ranging from defacing Web pages, publishing offensive or illegal material, denial of service and using the Web servers to attack other systems and services both within Glasgow and on the wider Internet. Such activities damage the reputation of the University and could lead to legal action being taken against it.

The main defence against hacking attempts rests on rigorous and timely application of patches to fix security loopholes in the systems that have been or may be exploited. These patches are issued quite frequently and UKERNA JANET CERT often mandate that they are applied in a timely fashion.

Who has the responsibility?

The Computing Service has responsibility for the management and operation of both the University central web server and the University network and its connection to JANET. Where a Faculty or department has decided to run its own Web server, the Dean or Head of Department/Division should ensure that sufficient resource has been allocated for this purpose and that all such systems are registered with Computing Service.

What is the procedure?
  1. The central University web server should be the normal platform for publishing public Web pages.
  2. The Computing Service should maintain the operating system, web server software and other supporting software to the patch level advised by JANET CERT (Computer Emergency Response Team) and take any emergency action as advised or required by CERT.
  3. Where Faculties/departments operate their own web servers, then sufficient resource should be allocated to ensure that any steps performed under b) can be mirrored on Faculty/departmental web servers in a timely manner, as advised by Computing Service, in order to maintain integrity of service and avoid the risk of the University being temporarily cut off from JANET by UKERNA.
  4. Local web servers should be registered with Computing Service who will maintain a list of contacts of those responsible for administering local web servers so that the Computing Service can pass on any security notifications for immediate action. Any changes should be notified immediately to Computing Service.
  5. Any web server that is not registered will not be accessible from off-Campus.
  6. In order not to compromise the University's connection to JANET, any web server that has been hacked and is thus causing problems either internally to the University community or more generally on the Internet will be disconnected until the problem has been successfully dealt with.