The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements.
This standard applies to all web servers, services and applications using web-oriented protocols. The standard excludes embedded web servers that are not within the scope of the server standard, e.g., printers and other hardware devices. Student websites, services, and applications are subject to this standard if they are on the RIT web environment and publicly accessible.
The following security controls are required to be implemented.
The department, owner, developer, administrator, and host location of web servers and services should be registered in the centralized registration system, and the registration should be updated as changes occur and at least annually. The identified owner, developer, and administrator should be an RIT employee.
ITS will conduct vulnerability scans and penetration tests on a regular, recurring basis.
Critical and severe vulnerabilities (as defined in the Server Standard) should be logged in a ticketing system or email and should be remediated, have a false positive reported, or have an exception filed within 1 month.
Moderate vulnerabilities should be logged in a ticketing system or email and should be remediated, have a false positive reported, or have an exception filed within one month.
Web system administrators are responsible for determining whether to implement a web firewall and/or a web application firewall or IPS. Recommended rule sets are available from the Information Security Office wiki.
Web servers, services, and applications should be patched within 5 business days after critical security patches are made available. Other non-critical patches should be evaluated and implemented based on the professional judgment of the server or application administrator.
Unpatched servers, services, and applications lacking critical security patches will be quarantined at the discretion of the CIO or Information Security Office.
Services and applications that no longer have vendor- or developer-provided security patches should be remediated or removed.
Root, service account, and administrator/user accounts should be different. The passwords for each account should be unique. The accounts should be used exclusively for the purpose for which they were created.
Web server-associated processes should run only under their own unique account. These accounts should not have root or administrator privileges.
All accounts should be authorized to provide only the minimal level of access required.
Stateless User Authentication
Session IDs should not be transmitted in clear text.
Web Services/Application Administrator Access Control
Configuration file write access should be limited to a web services/application administrative group.
Local Configuration File Use and Access Control
In order to prevent users from modifying the server configuration, Web Service/Application Administrators should limit access to user-modifiable configuration commands (e.g., .htaccess) according to a documented plan.
Web Service/Application Administrators should provide appropriate access controls for local configuration files.
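The two configuration-file controls above (write access limited to the administrative group, and user-modifiable commands such as .htaccess restricted to what the plan allows) can be checked mechanically on an Apache httpd host. The script below is an added audit helper and is not part of the RIT Web Standard or of any RIT tooling; the group name, the file paths and the sample configuration it writes are constructed assumptions, and it relies on GNU/BusyBox `stat -c`.

```shell
#!/bin/sh
# Added audit helper for an Apache httpd host; it is not part of the RIT
# Web Standard. It checks two of the controls above: (1) configuration files
# belong to the web-admin group and are not world-writable, and (2) every
# <Directory> block sets "AllowOverride None" so that a user-writable
# .htaccess cannot change server behaviour. The group name, the paths and
# the sample configuration are constructed assumptions.

# config_write_ok FILE GROUP: returns 0 when FILE belongs to group GROUP and
# is not world-writable, otherwise prints the reason and returns 1.
config_write_ok() {
    file=$1
    admin_group=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    grp=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")        # e.g. 664
    other=${mode#"${mode%?}"}           # last octal digit = "other" bits
    if [ "$grp" != "$admin_group" ]; then
        echo "wrong group on $file: $grp (want $admin_group)"
        return 1
    fi
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "world-writable: $file (mode $mode)"
        return 1
    fi
    return 0
}

# list_override_dirs CONF: reports each <Directory> whose AllowOverride is
# not "None" on stderr, prints the number of such blocks on stdout, and
# returns 1 if any were found (0 when the file is clean).
list_override_dirs() {
    conf=$1
    count=0
    current="(global)"
    # "read" without IFS= strips the leading indentation of each line
    while read -r line; do
        case "$line" in
            "#"*) continue ;;
            "<Directory"*) current=$line ;;
            AllowOverride*)
                value=$(printf '%s\n' "$line" | awk '{print $2}')
                if [ "$value" != "None" ]; then
                    echo "override enabled in $current: $line" >&2
                    count=$((count + 1))
                fi ;;
        esac
    done < "$conf"
    echo "$count"
    [ "$count" -eq 0 ]
}

# sample_conf DIR: writes a constructed httpd.conf fragment into DIR and
# prints its path. The second <Directory> block is the non-compliant one.
sample_conf() {
    path=$1/httpd.conf
    cat > "$path" <<'EOF'
# constructed sample, not a real RIT configuration
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/home/*/public_html">
    AllowOverride AuthConfig
</Directory>
EOF
    echo "$path"
}

# Demo run against the constructed sample (admin group = caller's group).
demo_dir=$(mktemp -d)
demo_conf=$(sample_conf "$demo_dir")
chmod 664 "$demo_conf"
config_write_ok "$demo_conf" "$(id -gn)" && echo "write access: ok"
list_override_dirs "$demo_conf" || echo "fix the directories listed above"
rm -r "$demo_dir"
```

In a real deployment the admin group argument would be the web services/application administrative group named in the standard, and the script would be pointed at the live configuration directory rather than the constructed sample; a directory that the documented plan deliberately allows to use .htaccess should be listed as an accepted exception rather than silenced by editing the check.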