Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Description

Web servers are typically the most exposed and targeted systems. If they are not properly secured they introduce a significant risk to Lehigh University. The following are the minimum standards which must be maintained for all web servers available on the Internet. Failure to maintain these standards could result in a firewall rule being revoked and the web server only being available to our campus.

Scope

All Lehigh web servers

Security Requirements

The Center for Internet Security (CIS) publishes secure configurations which represent best security practices.

https://www.cisecurity.org/cis-benchmarks

NIST SP 800-44 v2 - Guidelines on Securing Public Web Servers

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Implementation

  1. Patch and/or upgrade operating system to maintain the OS in a secure state. Security patches should be applied within 30 days of release.

  2. Configure operating system to meet vendor/system best practices

    1. Principle of Least Privilege

      1. Disable all services which are not necessary.

      2. All accounts should have the only required permissions

      3. Remove or disable unnecessary accounts

    2. Change all default passwords and ensure they meet Lehigh password guidelines

    3. OS should be maintained by a qualified administrator. Contact LTS for support options if a local qualified administrator is not available.

  3. Lehigh security tools are installed and properly configured. This will include endpoint detection, host firewalls, IDS, and others.

  4. Patch and/or upgrade server components which have critical/high security flaws. This includes, but is not limited to Apache, IIS, PHP, NGINX, and others.

  5. Configure Web server to meet recommended best practices.

    1. Web server installed on dedicated host.

    2. Disable all unnecessary services

    3. Configure to prohibit access to not intended for public distribution. Disallow directory browsing.

    4. Separate web server directories from operating system and application directories

    5. Use secure encryption technologies such as TLS. Should be configured to redirect to https following http strict transport.

    6. Implement firewalls to restrict access to the web server. Only allow traffic to necessary ports (typically 80/http and 443/https).

  6. Web server administrators are responsible for ensuring they are receiving, reviewing, and reacting to vulnerability reports monthly. Please contact security@lehigh.edu to schedule vulnerability reports/tickets.

  7. Logging should be enabled and provided to Lehigh’s central logging service.

    1. Enable detailed logging on web servers. Ensure that logs include access logs, error logs, and security logs.

  8. System backups - Based on the criticality of a system web content, application configs and operating system should be backed up.

all

Definitions

all

Revision History

Date

Version

Description

Approval

Apr 25, 2024

1.0.1

Revisions

Draft

  • No labels