Beruflich Dokumente
Kultur Dokumente
Document
CH-1211 Geneva 23
Switzerland
1062502
ABSTRACT A Security Baseline defines a set of basic security objectives which must
be met by any given service or system. The objectives are chosen to be pragmatic and
complete, and do not impose technical means. Therefore, details on how these security
objectives are fulfilled by a particular service/system must be documented in a separate
Security Implementation Document [1]. These details depend on the operational
environment a service/system is deployed into, and might, thus, creatively use and
apply any relevant security measure. Derogations from the baseline are possible and
expected, and must be explicitly marked.
At CERN, for each service/system used in production, such a Security Implementation
Document must be produced by its system/service owner, and be accepted and
approved by the Computer Security Officer. All systems/services must be implemented
and deployed in compliance with their corresponding Security Implementation
Document. Non-compliance will ultimately lead to reduced network connectivity for the
affected services and systems (i.e. closure of CERN firewall openings, access blocked to
other network domains, and/or disconnection from the CERN network).
This document describes the Security Baseline for Web Hosting services used in CERN
production environment.
Prepared by:
Checked by:
Approved by:
IT Security Contacts
Department Security Contacts
Experiment Security Contacts
Distribution:
Unrestricted
Document
History of Changes
Rev. No.
Date
0.5
0.6
0.9
2010/02/02
2010/02/24
2010/05/20
1.0
1.1
2010/05/20
2010/09/06
Reference
Several
Several
WEB-PRV-7
Description of Changes
Draft
Comments from the Security Team
Comments from IT Security Contacts, Department
Security Contacts, and Experiment Security Contacts
Version for approval
Approved version.
Removed the timescale (in months).
Document
Requirement
WEBAC1
RestrictdefaultaccesstoallhostedWebsitestotheCERN
ApplyingtheRuleofleast
IntranetandonlyuserswithavalidCERNprimaryand/or
privilegereducesthescopea
serviceaccount,e.g.usingSSO(followingthedefinitionin[3]). successfulattackercanhave.
AskregularlyownersofpubliclyvisibleWebsitestoreview
whethertheircurrentaccessrestrictionsareappropriatewith
regardstothepublishedinformation.Themeaningof
regularlymustbeexplicitlydefined(inmonths).
DocumentpubliclythedefaultsettingsasdefinedinWEBAC
1.
WEBAC2
WEBAC3
Comment
1.2 PROVISIONING
Ref.
Requirement
WEBPRV1
WEBPRV2
MakeallWebsitesstaticbydefault.
Reducethenumberofprogrammingplatformsandlibraries
provisionedforWebapplicationstoanoperationalminimum.
Configuretheprogrammingplatformsandlibraries
provisionedforWebapplicationssecurely.
Ensurethatallinstalledprogrammingplatformsandlibraries
provisionedforWebapplicationsarekeptuptodate.
Documentpubliclytheprogrammingplatformsandlibraries
provisionedforWebapplicationsasdefinedinWEBPRV2.
Compartmentalizethehostingserviceinordertoseparate
multipleWebsiteshostedonasingleserverorservice.
VerifyregularlythateveryhostedWebsitehasanowner.For
Websiteswithoutanowner,anewowner(e.g.fromtheline
hierarchy)mustbeidentified.Themeaningofregularly
mustbeexplicitlydefined.
WEBPRV3
WEBPRV4
WEBPRV5
WEBPRV6
WEBPRV7
Comment
Thisreducesthemaintenance
overheadandtheattacksurface.
Thisavoidsthatacompromizeofa
singleWebsiteaffectsothersites.
Requirement
WEBADD1
ImplementtherequirementsdefinedinmostrecentSecurity
BaselineforServers[4].
Comment
2. REFERENCES
[1] The CERN Security Team, Security Implementation (Template), EDMS 1062504
[2] Network Working Group, RFC2119, http://www.ietf.org/rfc/rfc2119.txt
[3] IT/OIS, Identity Management, http://cern.ch/identitymanagement
Document
[4] The CERN Security Team, Security Baseline for Servers, EDMS 1062500