Web Security

The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.

Scope

This standard applies to all web servers, services and applications using web-oriented protocols. The standard excludes embedded web servers that are not within the scope of the server standard, e.g., printers and other hardware devices. Student websites, services, and applications are subject to this standard if they are on the RIT web environment and publicly accessible.

Requirements

The following security controls are required to be implemented.

  • All servers within the scope of this standard should comply with the requirements of the Server Security Standard in addition to other relevant information security standards.
  • Upon adoption, this standard defines the security requirements that shall be incorporated into the RIT Web Standard.

The department, owner, developer, administrator, and host location of web servers and services should be registered in the centralized registration system and updated as changes occur and annually. The identified owner, developer, and administrator should be an RIT employee.

Private information should not be stored on web servers unless there is a legitimate business purpose approved by the Divisional VP and a security review has been conducted.

  • ITS will conduct vulnerability scans and penetration tests on a regular recurring basis.
  • Critical and severe vulnerabilities (as defined in the Server Standard) should be logged in a ticketing system or email and should be remediated, have a false positive reported, or have an exception filed within one month.
  • Moderate vulnerabilities should be logged in a ticketing system or email and should be remediated, have a false positive reported, or have an exception filed within one month.

Web system administrators are responsible for determining whether to implement a web firewall and/or a web application firewall or IPS. Recommended rule sets are available from the Information Security Office wiki.

  • Web servers, services, and applications should be patched within 5 business days after critical security patches are made available. Other non-critical patches should be evaluated and implemented based on the professional judgment of the server or application administrator.
  • Unpatched servers, services, and applications lacking critical security patches will be quarantined at the discretion of the CIO or Information Security Office.
  • Services and applications that no longer have vendor- or developer-provided security patches should be remediated or removed.

Web services should use, as a minimum, TLS 1.2, with TLS 1.3 being recommended. Web services and applications should follow the encryption best practices listed on the Information Security web site.
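The TLS floor above is a configuration setting, so it can be expressed and audited in code. The following is an added example, not part of the RIT standard: it assumes a web service that terminates TLS in a Python process using the standard `ssl` module, builds a server context that enforces the standard's minimum (TLS 1.2, with TLS 1.3 allowed when the OpenSSL build supports it), and reports which protocol versions a given context would negotiate. A deliberately weak context with a TLS 1.0 floor is included only to show what the check flags. For Apache or nginx the same floor is set in their own configuration rather than here.

```python
"""Added example (not from the RIT standard): build and audit a server-side
TLS policy with Python's ssl module.  Assumes the service terminates TLS in
this process; the version floor is the standard's minimum of TLS 1.2.
"""
import ssl
import warnings

# Concrete protocol versions the ssl module can name, oldest to newest.
_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

POLICY_FLOOR = ssl.TLSVersion.TLSv1_2  # the standard's minimum version


def allowed_versions(ctx):
    """Return the concrete versions a context would negotiate, as TLSVersion values."""
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        # Newest version this OpenSSL build can offer.
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [v for v in _VERSIONS if lo <= v <= hi]


def allowed_version_names(ctx):
    """Same as allowed_versions, but as enum names (e.g. 'TLSv1_2') for reporting."""
    return [v.name for v in allowed_versions(ctx)]


def meets_policy(ctx):
    """True when every negotiable version is at or above the policy floor."""
    return all(v >= POLICY_FLOOR for v in allowed_versions(ctx))


def policy_server_context():
    """Server context that satisfies the standard: TLS 1.2 floor, TLS 1.3 when available."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = POLICY_FLOOR
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression is never wanted
    return ctx


def legacy_server_context():
    """Deliberately weak context (TLS 1.0 floor) used only to show what the audit flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Recent Python versions warn when a pre-1.2 floor is set; the warning is the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for label, ctx in (("policy", policy_server_context()),
                       ("legacy", legacy_server_context())):
        print(f"{label}: {allowed_version_names(ctx)} compliant={meets_policy(ctx)}")
```

Pass the context from `policy_server_context()` to `ssl.SSLContext.wrap_socket` or to a framework's TLS setup after loading the server certificate with `load_cert_chain`; `meets_policy` can then be run as a startup self-check so a later configuration change cannot silently lower the floor.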

  • Web applications should filter client input on the server following practices listed on the Information Security web site (Client Input Filtering Practices).
  • The use of world-writeable files in web services and applications should be minimized to follow the practice of least privilege.
  • Application owners are responsible for monitoring the content on their website. Form spam is prohibited and should be removed immediately.

Web application logging should meet the requirements of the server/application standard.

  • Root, service account, and administrator/user accounts should be different. The passwords for each account should be unique. The accounts should be used exclusively for the purpose for which they were created.
    • Web server-associated processes should run only under their own unique account. These accounts should not have root or administrator privileges.
    • All accounts should be authorized to provide the minimal level of access required.
  • Stateless User Authentication
    • Session IDs should not be transmitted in clear text.
  • Web Services/Application Administrator Access Control
    • Configuration file write access should be limited to a web services/application administrative group.
  • Local Configuration File Use and Access Control
    • In order to prevent users from modifying the server configuration, Web Service/Application Administrators should limit access to user-modifiable configuration commands (e.g., .htaccess) according to a documented plan.
    • Web Service/Application Administrators should provide appropriate access controls for local configuration files.
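The file-permission requirements in this section and in the earlier "world-writeable files" bullet are easy to check mechanically. The following is an added example, not part of the RIT standard: a Python audit that walks a web document root, lists world-writable files and directories (least privilege), lists every `.htaccess` file so its use can be compared against the documented plan, and flags configuration files that the group or others can write (write access should be limited to the administrative group, and normally to its owner). The configuration-file name suffixes and the sample tree it builds under a temporary directory are constructed for the example.

```python
"""Added example (not from the RIT standard): least-privilege audit of a web
document root on a POSIX filesystem.  The config-file suffixes and the sample
tree are assumptions made for the example.
"""
import os
import stat
import tempfile

# Assumed naming convention for local configuration files, plus .htaccess.
CONFIG_SUFFIXES = (".conf", ".ini", ".yaml", ".yml")


def _mode(path):
    """Permission bits of a path without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_docroot(root):
    """Return sorted relative paths for each finding category under root."""
    findings = {
        "world_writable": [],                  # anyone can write: violates least privilege
        "htaccess": [],                        # user-modifiable config to reconcile with the plan
        "config_group_or_other_writable": [],  # config writable beyond its owner
    }
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = _mode(full)
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            is_htaccess = name == ".htaccess"
            if is_htaccess:
                findings["htaccess"].append(rel)
            if (is_htaccess or name.endswith(CONFIG_SUFFIXES)) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings["config_group_or_other_writable"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def is_compliant(findings):
    """No world-writable entries and no config writable beyond its owner."""
    return not findings["world_writable"] and not findings["config_group_or_other_writable"]


def build_sample_tree():
    """Constructed sample docroot with one deliberate violation of each kind."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = [  # (relative path, is_dir, mode)
        ("app", True, 0o755),
        ("uploads", True, 0o777),            # world-writable directory (violation)
        ("index.html", False, 0o644),
        ("uploads/avatar.png", False, 0o666),  # world-writable file (violation)
        ("app/.htaccess", False, 0o664),       # group-writable config (violation)
        ("app/app.conf", False, 0o640),        # acceptable: owner rw, group read
        ("app/config.yaml", False, 0o600),
    ]
    for rel, is_dir, _ in layout:
        full = os.path.join(root, rel)
        if is_dir:
            os.makedirs(full, exist_ok=True)
        else:
            with open(full, "w") as fh:
                fh.write("sample\n")
    for rel, _, mode in layout:  # chmod after creation so umask does not interfere
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = audit_docroot(sample_root)
    for category, paths in result.items():
        print(f"{category}: {paths}")
    print("compliant:", is_compliant(result))
```

Run `audit_docroot` against the real document root (for example from a scheduled job) and treat a non-empty `world_writable` or `config_group_or_other_writable` list as a ticket to raise; the `htaccess` list is informational and is reconciled against the documented plan for user-modifiable configuration.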

Web server, service, and application development or acquisition should meet the following requirements:

  • Follow documented development guidelines incorporating security, or a documented review process including the security best practices available on the Information Security website.
  • Follow a documented sustainable maintenance program including security.
  • Be executed by individuals with training/education commensurate with their role.
  • The CIO, ISO, or their designees have the authority to take any website offline that poses a risk of harm to the RIT web environment.
  • The Service Desk will manage the communication and implementation of de-provisioning and re-provisioning websites.

When am I required to follow the standard?

  • If you own, administer, or maintain an official RIT web page that hosts or provides access to Private or Confidential Information.
  • If you have a web page at RIT, official or unofficial, and you use RIT authentication services.

Scanning

  • Effective 2/13/15, the RIT Information Security Office no longer provides scanning services to support RIT web pages. Contact us for more information.

Effective Date: January 23, 2015

Standard History:

  • May 15, 2008
  • September 15, 2011
  • November 11, 2013
  • October 19, 2015