Security Baseline For Web Hosting

This document outlines security requirements ("baseline") for web hosting services used in CERN's production environment. The baseline defines requirements in three areas: 1) access control, restricting access to hosted websites, 2) provisioning, reducing platforms/libraries and keeping them secure and up-to-date, and 3) additional security baselines, including implementing baseline requirements for servers. The objectives apply to all servers hosting websites. Details on fulfilling each requirement must be documented separately.

CERN Document
CH-1211 Geneva 23, Switzerland
CERN Div./Group or Supplier/Contractor: Computer Security Officer
EDMS Document No.: 1062502
Date: September 6th, 2010

SECURITY BASELINE FOR WEB HOSTING

ABSTRACT

A “Security Baseline” defines a set of basic security objectives which must be met by any given service or system. The objectives are chosen to be pragmatic and complete, and do not impose technical means. Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate “Security Implementation Document” [1]. These details depend on the operational environment a service/system is deployed into, and might thus creatively use and apply any relevant security measure. Derogations from the baseline are possible and expected, and must be explicitly marked.

At CERN, for each service/system used in production, such a Security Implementation Document must be produced by its system/service owner, and be accepted and approved by the Computer Security Officer. All systems/services must be implemented and deployed in compliance with their corresponding Security Implementation Document. Non-compliance will ultimately lead to reduced network connectivity for the affected services and systems (i.e. closure of CERN firewall openings, access blocked to other network domains, and/or disconnection from the CERN network).

This document describes the Security Baseline for Web Hosting services used in CERN's production environment.

Prepared by: Computer Security Team
Checked by: IT Security Contacts, Department Security Contacts, Experiment Security Contacts
Approved by: Computer Security Officer, IT Group Leaders, IT SRM Members

Distribution: Unrestricted

History of Changes

Rev. No. / Date / Reference / Description of Changes

Rev. 0.5, 2010/02/02: Draft
Rev. 0.6, 2010/02/24: Several comments from the Security Team
Rev. 0.9, 2010/05/20: Several comments from IT Security Contacts, Department Security Contacts, and Experiment Security Contacts
Rev. 1.0, 2010/05/20: Version for approval
Rev. 1.1, 2010/09/06: Approved version.
    WEB-PRV-7: Removed the timescale (“in months”).

1. SECURITY BASELINE REQUIREMENTS

The objectives of the Security Baselines below apply to any server, PC or laptop (commonly denoted within this document as “server”). If a service/system consists of multiple servers, the baseline applies to each of them. The terminology follows RFC2119 [2]. The words “least”, “minimize”, “restrict” and “small” refer to the operative minimum before rendering the service/system useless.

1.1 ACCESS CONTROL


Ref. / Requirement / Comment

WEB-AC-1
Requirement: Restrict default access to all hosted Web sites to the CERN Intranet and to users with a valid CERN primary and/or service account only, e.g. using SSO (following the definition in [3]).
Comment: Applying the “Rule of least privilege” reduces the scope a successful attacker can have.

WEB-AC-2
Requirement: Regularly ask the owners of publicly visible Web sites to review whether their current access restrictions are appropriate with regard to the published information. The meaning of “regularly” must be explicitly defined (in months).

WEB-AC-3
Requirement: Document publicly the default settings as defined in WEB-AC-1.

1.2 PROVISIONING
Ref. / Requirement / Comment

WEB-PRV-1
Requirement: Make all Web sites static by default.

WEB-PRV-2
Requirement: Reduce the number of programming platforms and libraries provisioned for Web applications to an operational minimum.
Comment: This reduces the maintenance overhead and the attack surface.

WEB-PRV-3
Requirement: Configure the programming platforms and libraries provisioned for Web applications securely.

WEB-PRV-4
Requirement: Ensure that all installed programming platforms and libraries provisioned for Web applications are kept up-to-date.

WEB-PRV-5
Requirement: Document publicly the programming platforms and libraries provisioned for Web applications as defined in WEB-PRV-2.

WEB-PRV-6
Requirement: Compartmentalize the hosting service in order to separate multiple Web sites hosted on a single server or service.
Comment: This prevents a compromise of a single Web site from affecting other sites.

WEB-PRV-7
Requirement: Verify regularly that every hosted Web site has an owner. For Web sites without an owner, a new owner (e.g. from the line hierarchy) must be identified. The meaning of “regularly” must be explicitly defined.

1.3 ADDITIONAL SECURITY BASELINES


Ref. / Requirement / Comment

WEB-ADD-1
Requirement: Implement the requirements defined in the most recent “Security Baseline for Servers” [4].

2. REFERENCES
[1] The CERN Security Team, “Security Implementation (Template)”, EDMS 1062504
[2] Network Working Group, RFC2119, http://www.ietf.org/rfc/rfc2119.txt
[3] IT/OIS, “Identity Management”, http://cern.ch/identitymanagement

[4] The CERN Security Team, “Security Baseline for Servers”, EDMS 1062500