Fx6 International’s Web administrators adhere to the following guideline in an effort to reduce the success of common exploit attempts and to protect against the simplest vulnerabilities inherent to Web servers.
Responsibilities and Procedures
- We patch and/or upgrade the operating system on a routine basis. Patching is also done out of cycle when a critical exploit exists, provided a patch and/or workaround is available.
- Administrators monitor appropriate mailing lists and/or web sites for security-related announcements. This means subscribing to the appropriate “announce” mailing list for any network-accessible software that has been installed.
- We configure the operating system to meet system best practices. This includes but is not limited to the following:
– Enable only necessary services and applications; disable all others.
– Create user accounts following the principle of least-privilege
– Set all account passwords appropriately to meet Carnegie Mellon password guidelines
– Remove or disable unneeded default accounts
– Change any default passwords as installed by application software to meet Carnegie Mellon password guidelines
- We configure the Web server to meet recommended vendor best practices.
– Install the Web server software on a dedicated host
– Enable only necessary web services; disable all others.
– Apply any patches or upgrades for known vulnerabilities
– Prohibit access to files that are not intended for public consumption.
- We create log files for future investigations and/or recovery purposes.
– Use separate log files for each virtual Web site hosted on the same physical Web server
– Ensure mechanisms are in place to prevent log files from filling up the hard drive
– Ensure the log files capture failed login attempts, account privilege changes and/or other potentially suspect activities
- We separate Web server content and related subdirectories from operating system and application directories.
- We perform regular backups of Web content and occasional backups of operating system and application configurations.
- We employ Web authentication and encryption technologies such as SSL/TLS based upon the nature of Web server data (e.g. sensitive, private, confidential…).
- We establish an internal change control methodology that includes but is not limited to the following:
– Notification of the change (including description, contact person, date and time of the change, etc.) to all people potentially impacted by the change, an outage, or other items related to the change (e.g. the FX6 International Support Desk, so it can address any calls that come in as a result of the change)
– Test change(s) on a test system, if available, before making the change in the production environment
– Back up relevant information, including the information affected by the change, before implementing it
– Document all changes made to the system, application, or web content and establish revision control mechanisms
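As an added illustration of the Web server and logging items above (not Fx6 International’s own configuration; the guideline does not name a particular Web server), the following Apache httpd 2.4 virtual host configuration keeps content outside OS and application directories, denies access to files not meant for the public, gives each site its own log files, and bounds log growth with the rotatelogs utility shipped with httpd. Hostnames, paths and the 100 MB / 10-file limits are hypothetical.

```apache
# Added example, not Fx6 International's configuration. Assumes Apache httpd 2.4
# with mod_ssl and mod_log_config, and the rotatelogs utility from httpd.
# Hostnames, paths and size limits are hypothetical.

# Web content lives under its own tree, separate from OS and application directories.
<Directory "/srv/www">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# Deny access to files not intended for public consumption: dotfiles such as
# .htaccess and .git, editor backups, and configuration or backup archives.
<FilesMatch "^\.|~$|\.(bak|orig|sql|tar|gz|zip|conf|ini)$">
    Require all denied
</FilesMatch>

# One site on a shared physical server: its own log files, rotated at 100 MB
# through a circular set of 10 files, so a busy or attacked site cannot fill the disk.
# The "combined" format records the HTTP status, so failed authentication (401/403)
# attempts are captured in the access log.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/srv/www/example.com/htdocs"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    LogLevel warn
    ErrorLog  "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/example.com-error_log 100M"
    CustomLog "|/usr/sbin/rotatelogs -n 10 /var/log/httpd/example.com-access_log 100M" combined
</VirtualHost>

# Plain HTTP is only used to redirect clients to the TLS site.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
```

A second site on the same server gets its own VirtualHost block with its own DocumentRoot and log file names, so activity on one site can be investigated without sifting through another site's records.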
Last Edited on June 11, 2016