CERN

Document

Security Baseline for Web Hosting

CH-1211 Geneva 23
Switzerland

CERN Div./Group or Supplier/Contractor Document No.

Computer Security Officer

EDMS Document No.

1062502

SEPTEMBER 6TH, 2010

SECURITY BASELINE FOR WEB HOSTING

ABSTRACT A Security Baseline defines a set of basic security objectives which must
be met by any given service or system. The objectives are chosen to be pragmatic and
complete, and do not impose technical means. Therefore, details on how these security
objectives are fulfilled by a particular service/system must be documented in a separate
Security Implementation Document [1]. These details depend on the operational
environment a service/system is deployed into, and might, thus, creatively use and
apply any relevant security measure. Derogations from the baseline are possible and
expected, and must be explicitly marked.
At CERN, for each service/system used in production, such a Security Implementation
Document must be produced by its system/service owner, and be accepted and
approved by the Computer Security Officer. All systems/services must be implemented
and deployed in compliance with their corresponding Security Implementation
Document. Non-compliance will ultimately lead to reduced network connectivity for the
affected services and systems (i.e. closure of CERN firewall openings, access blocked to
other network domains, and/or disconnection from the CERN network).
This document describes the Security Baseline for Web Hosting services used in CERN
production environment.
Prepared by:

Checked by:

Approved by:

Computer Security Team

IT Security Contacts
Department Security Contacts
Experiment Security Contacts

Computer Security Officer

IT Group Leaders
IT SRM Members

Distribution:

Unrestricted

Document

Security Baseline for Web Hosting

Page 2 of 4

History of Changes
Rev. No.

Date

0.5
0.6
0.9

2010/02/02
2010/02/24
2010/05/20

1.0
1.1

2010/05/20
2010/09/06

Reference
Several
Several

WEB-PRV-7

Description of Changes
Draft
Comments from the Security Team
Comments from IT Security Contacts, Department
Security Contacts, and Experiment Security Contacts
Version for approval
Approved version.
Removed the timescale (in months).

Document

Security Baseline for Web Hosting

Page 3 of 4

1. SECURITY BASELINE REQUIREMENTS

The objectives of the Security Baselines below apply to any server, PC, laptop (commonly
denoted within this document as server). If a service/system consists of multiple servers, the
baseline applies to each of them. The terminology follows RFC2119 [2]. The words least,
minimize, restrict and small refer to the operative minimum before rendering the
service/system useless.

1.1 ACCESS CONTROL

Ref.

Requirement

WEBAC1

RestrictdefaultaccesstoallhostedWebsitestotheCERN
ApplyingtheRuleofleast
IntranetandonlyuserswithavalidCERNprimaryand/or
privilegereducesthescopea
serviceaccount,e.g.usingSSO(followingthedefinitionin[3]). successfulattackercanhave.
AskregularlyownersofpubliclyvisibleWebsitestoreview
whethertheircurrentaccessrestrictionsareappropriatewith
regardstothepublishedinformation.Themeaningof
regularlymustbeexplicitlydefined(inmonths).
DocumentpubliclythedefaultsettingsasdefinedinWEBAC
1.

WEBAC2

WEBAC3

Comment

1.2 PROVISIONING
Ref.

Requirement

WEBPRV1
WEBPRV2

MakeallWebsitesstaticbydefault.
Reducethenumberofprogrammingplatformsandlibraries
provisionedforWebapplicationstoanoperationalminimum.
Configuretheprogrammingplatformsandlibraries
provisionedforWebapplicationssecurely.
Ensurethatallinstalledprogrammingplatformsandlibraries
provisionedforWebapplicationsarekeptuptodate.
Documentpubliclytheprogrammingplatformsandlibraries
provisionedforWebapplicationsasdefinedinWEBPRV2.
Compartmentalizethehostingserviceinordertoseparate
multipleWebsiteshostedonasingleserverorservice.
VerifyregularlythateveryhostedWebsitehasanowner.For
Websiteswithoutanowner,anewowner(e.g.fromtheline
hierarchy)mustbeidentified.Themeaningofregularly
mustbeexplicitlydefined.

WEBPRV3
WEBPRV4
WEBPRV5
WEBPRV6
WEBPRV7

Comment
Thisreducesthemaintenance
overheadandtheattacksurface.

Thisavoidsthatacompromizeofa
singleWebsiteaffectsothersites.

1.3 ADDITIONAL SECURITY BASELINES

Ref.

Requirement

WEBADD1

ImplementtherequirementsdefinedinmostrecentSecurity
BaselineforServers[4].

Comment

2. REFERENCES
[1] The CERN Security Team, Security Implementation (Template), EDMS 1062504
[2] Network Working Group, RFC2119, http://www.ietf.org/rfc/rfc2119.txt
[3] IT/OIS, Identity Management, http://cern.ch/identitymanagement

Document

Security Baseline for Web Hosting

Page 4 of 4

[4] The CERN Security Team, Security Baseline for Servers, EDMS 1062500