...
Web servers are typically the most exposed and targeted systems. If they are not properly secured they introduce a significant risk to Lehigh University. The following are the minimum standards which must be maintained for all web servers available on the Internet. Failure to maintain these standards could result in a firewall rule being revoked and the web server only being available to our campus.
Scope
All Required for all Lehigh web servers exposed to the Internet. Recommended guidance for web servers on our internal network. This standard is maintained by Lehigh’s System Engineering team.
Security Requirements
The Center for Internet Security (CIS) publishes secure configurations which represent best security practices.
...
Patch and/or upgrade operating system to maintain the OS in a secure state. Security patches should be applied within 30 days of release.
Configure operating system to meet vendor/system best practices
Principle of Least Privilege
Disable all services which are not necessary.
All accounts should have the only required permissions
Remove or disable unnecessary accounts
Change all default passwords and ensure they meet Lehigh password guidelines
OS should be maintained by a qualified administrator. Contact LTS for support options if a local qualified administrator is not available.
Lehigh security tools are installed and properly configured. This will include endpoint detection, host firewalls, IDS, and others.
Patch and/or upgrade server components which have critical/high security flaws. This includes, but is not limited to Apache, IIS, PHP, NGINX, and others.
Configure Web server to meet recommended best practices.
Web server installed on dedicated host.
Disable all unnecessary services
Configure to prohibit access to not intended for public distribution. Disallow directory browsing.
Separate web server directories from operating system and application directories
Use secure encryption technologies such as TLS. Should be configured to redirect to https following http strict transport.
All web services should be accessible using HTTPS on port 443.
Plain-text HTTP on port 80 should be disabled entirely if possible.
This can cause problems for users with old bookmarks or who type domain names manually. If this is of concern, HTTP on port 80 may be enabled and must be configured to return a 301 "Permanently Moved" redirect to HTTPS if accessed by clients.
Web server responses should include the
Strict-Transport-Securityheader with an appropriately largemax-age.
e.g.
Strict-Transport-Security: max-age=31536000(where 31536000 seconds is one year)
HTTPS must be configured to use TLS 1.2 or 1.3.
All versions of SSL, along with TLS 1.0 and TLS 1.1 must not be used.
Weak TLS cipher suites should be disabled.
A list of cipher suites with security ratings and explanations can be found at https://ciphersuite.info/cs/?security=all&sort=sec-desc&singlepage=true . Prefer algorithms labeled 'Recommended' and 'Secure'.
Any cipher suite with the following keywords must be disabled:
NULL,anon,EXPORT,RC4,DES,3DES,MD5Contact security@lehigh.edu if you require assistance with selecting and configuring cipher suites.
Implement firewalls to restrict access to the web server. Only allow traffic to necessary ports (typically 80/http and 443/https).
Web server administrators are responsible for ensuring they are receiving, reviewing, and reacting to vulnerability reports monthly. Please contact security@lehigh.edu to schedule vulnerability reports/tickets.
Logging should be enabled and provided Enable logging and connect to Lehigh’s central logging service.
Enable detailed logging on web servers. Ensure that logs include access logs, error logs, and security logs.
System backups - Based on the criticality of a system web content, application configs and operating system should be backed up.
...