Part 7 of 7 of an article on Web Site Security by Steve Avery MSc BA
1. Official System Security Policy
One of the most effective ways to increase Website security is non-technical. Although input is required from Web Masters and Network Administrators, the system administrator, or person with overall responsibility for data security, should establish a network security policy which is formally documented and maintained, and is assiduously practised. Such a network security policy should state clearly and briefly:
- Who is permitted access to the system;
- When access is permitted to these users;
- Where they are permitted access. Areas of access should vary according to User Groups;
- What tasks they are permitted to perform, e.g., read, write, create, alter, delete, etc. This should vary according to job function within User Groups;
- How access to the system is granted to them;
- Circumstances under which their access is denied or even revoked, e.g., on termination of employment;
- Criteria for acceptable use, e.g., certain types of website may be blocked or deemed inappropriate;
- Procedures for logging in and out, locally and remotely;
- Standards for the definition and integrity of passwords, and methods for their retrieval if lost;
- Procedures for monitoring the system, e.g., the use of log files;
- Procedures for dealing with suspected breaches of security.
The system security policy documentation does not need to be couched in lofty terminology; it needs to be, in essence, a synopsis of how the organization's information system functions within its managerial and technological constraints.
An official system security policy provides several benefits:
- Everyone knows exactly what is and what is not allowed on the system. Web Masters and Network Administrators particularly must have a clear understanding of what is allowed, so that they can be sure whether there has been a violation or not.
- Everyone understands the importance of the system security policy. An official document increases security awareness, and serves as a standard reference point.
- The document itself can act as a specification of requirements against which possible technical changes can be judged. Money and time can be saved if the right solution is implemented in the first instance, rather than buying a solution in the hope that it will fit or can be adapted to suit the system.
- The system security policy can support a legal case in the event of a need to prosecute for a violation of system security.
2. Preventive Measures
The majority of Web servers run on the Unix or Windows NT platform. For detailed advice on system security precautions, see other articles in this series. Here is an outline:
- Basically, keep things as simple as possible. Don't keep what you don't use.
- Any unused services should be removed from the system. All unneeded software should be uninstalled. The "super-server" file /etc/inetd.conf (Unix) or System Center Service Manager (Windows NT) should be checked to see whether there are any servers unnecessarily active, and those that are not used should be deactivated.
- All unneeded language interpreters and shell programs should be uninstalled or, at least, disabled.
- Log-in accounts should be limited to the minimum required on each machine. Accounts of users who become inactive should be deleted immediately.
- Password policy should be strictly enforced.
- Permissions that control who may display, read, edit, write or delete system files and directories must be set correctly. A local user can inadvertently change the Web server configuration file or the document directory structure, thereby creating a security hole. File permissions should be set in the server root and document directories so that changes can be made only by trusted local users.
- Both the Web log files and the system log files should be scrutinized regularly for signs of suspicious activity.
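The following is an added example, not part of the original article, showing how two items from the list above can be checked on a Unix host: active entries in the inetd "super-server" file and loose write permissions under the server root and document directories. The function names, the allow-list of required services and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit inetd.conf and web directory permissions.

# Print the service name (field 1) of every active, i.e. uncommented, inetd.conf entry.
active_inetd_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# Print active services missing from the allow-list passed after the file name.
# The allow-list is an assumption: it stands for the services your policy requires.
unexpected_inetd_services() {
    conf=$1; shift
    allowed=" $* "
    for svc in $(active_inetd_services "$conf"); do
        case "$allowed" in
            *" $svc "*) ;;        # required service: leave active
            *) echo "$svc" ;;     # not required: candidate for deactivation
        esac
    done
}

# Print files and directories under a tree that group or other may write to.
# Symbolic links are skipped because their own mode bits are not meaningful.
loosely_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print | sort
}

# Demo on constructed sample data (not taken from a real host), so it runs offline.
demo() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
    mkdir -p "$d/docroot/cgi-bin"
    touch "$d/docroot/index.html"
    chmod 755 "$d/docroot" "$d/docroot/cgi-bin"
    chmod 666 "$d/docroot/index.html"    # deliberately too permissive
    echo "Active services not on the allow-list:"
    unexpected_inetd_services "$d/inetd.conf" ftp
    echo "Writable by group or other:"
    loosely_writable "$d/docroot"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/inetd.conf and the actual server root and document directories in place of the constructed paths.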