Web server and website owners, or those who manage their content, must do so in accordance with departmental policy and the guidelines we offer. Before running a Web server on the Departmental Network, approval must be obtained from the Department’s Network Administrators (email@example.com). This is both to ensure that the Department can monitor web page content for its suitability and in the interests of network security. The information here details policies relating to webservers and websites and provides guidance to help achieve the standard required. To start with, the Engineering Network Rules and the terms within must be met. This is regardless of whether your site is hosted in or outside of the department.
Do you need a website?
One of the first things to consider is whether you have a real need for a website or hosted content. The university offer a range of services that may be more applicable, depending on your needs.
- For file storage and sharing, there are options for cloud and onsite storage. Further detail can be found here.
- For teaching and learning content, see here.
- For collaboration, see here.
It is essential that any website or server that is accessible from outside the Department, and any external site or server with a hostname under eng.cam.ac.uk, is appropriately secured and protected. We routinely scan websites and servers for known vulnerabilities and, if any are detected, it will fall to the site administrator to apply fixes. Depending on the severity of the problem, or the length of time required to fix, websites may be taken down until we are confident that the problem has been resolved. To help mitigate this risk, please ensure the following requirements are met:
Site administrators should ensure that proper care is taken regarding access to websites and, in particular, administrative privileges. You must:
- Ensure administrative accounts are secured with a non-default password and Multi-Factor Authentication (MFA)
- Determine which users should have access to what content, clearly define and document their level of access, and update that documentation with any changes over time
- Ensure administrative accounts are used for administrative purposes only. Users with administrative accounts should normally use ‘standard’ accounts for non-administrative purposes.
- Use MFA for all users, wherever possible.
- Remove or disable any unnecessary user accounts, including departed users, guest accounts, and administrative accounts that will not be used.
We recommend using Raven authentication wherever possible.
Ensuring a site and/or server is suitably configured will inherently reduce the level and number of possible vulnerabilities. Configuration may vary depending on your requirements, but there are several steps you can take to help mitigate configuration-based issues.
- Remove or disable any unnecessary software, including applications, plugins, system utilities and services.
- Ensure any remaining software, including applications, plugins, system utilities and network services are kept up to date.
- Implement HTTPS if at all possible, and redirect all HTTP traffic to HTTPS. Keep TLS certificates up-to-date. (N.B. There are many ways to acquire TLS certificates, including for free. See the UIS website for more information.)
- Disable directory indexing and browsing.
Ensuring your system and software is up to date is vital to protecting our network. ICS schedules regular vulnerability scans of servers and websites to ensure they are not compromising the collective integrity of the Engineering network. Any device that runs software can contain security flaws, known as vulnerabilities. Vulnerabilities are regularly discovered in all sorts of software. Once discovered, malicious individuals or groups move quickly to misuse (or ‘exploit’) vulnerabilities to attack computers and networks in organisations with these weaknesses.
To ensure the threats to our network are minimised, you must:
- Ensure all software being used is up to date and being supported
- Remove or replace software whenever it becomes un-supported
- Have automatic software updates enabled where possible, and ensure updates are successfully applied on a regular basis where not.
- Apply updates within 14 days of release where:
- The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
- The update addresses vulnerabilities with a CVSS v3 score of 7 or above
- There are no details of the level of vulnerabilities the update fixes provided by the vendor
For optimum security and ease of implementation, it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.
In cases where a user is managing a webserver, or other externally accessible server, security-hardening measures must be taken and software installed with scans running regularly, in line with our Security Policy
In order to comply with University rules, legislation and the proper use of national network funding, the following restrictions apply to web pages and sites published on all computer systems in the Department (note particularly the guideline relating to server security).
- The use must comply with the University ISC’s Rules, the associated guidelines on interpretation and Web Guidelines, and with the Authorisation for Use of the CUDN. These in turn require compliance with JANET Acceptable Use rules and relevant legislation. Some of the main points which these cover are that the material must not: be pornographic or defamatory; contravene the Data Protection Act; breach any copyright or trademark registration; or bring the University or Colleges into disrepute. One of the commoner improper uses is use of the University crest without permission.
There are also requirements under the Disability Discrimination Act for material to be as accessible as possible to disabled users.
- It must be clear to the reader of any page whether it is being published officially by the Department or privately by an individual. Privately published material must not contain any material which gives the impression that it is an official publication and must indicate who is publishing the material. Material published on behalf of the Department must be approved by someone authorised by the Head of Department to do so.
- Private Web pages are allowed on the understanding that they are for the provision of information for non-profit-making purposes relating to the individual publishing them. This may include academic and recreational interests but must not extend to the provision of Web pages on behalf of a third party (for which explicit permission must be obtained – see 4 below). Additional disk space and other resources will not normally be provided for private Web pages unless the content is primarily academic and of relevance to the work of the Department.
- If Web pages are to be provided on behalf of a third party or for profit-making purposes, permission must first be obtained from the Computer Systems Committee by sending a written request to the Secretary of the committee. The Department will not normally provide space for Web pages on behalf of a third party unless that person or organisation’s activites are directly related to and compatible with its own. Note that the University no longer offers facilities for providing Web pages for University societies, but instead recommend the use of the Student-Run Computing Facility (SRCF), and societies will normally be required to use these rather than departmental facilities.
- Particular care must be taken when using facilities which cause the Web server to run additional programs (eg cgi-bin scripts) especially if these are to receive input from a client Web browser. Unless such programs are very carefully written, attacks may be made on the server or other machines by people using deliberately malformed input.
If one server in the Department can be compromised in this way, it may then be used to attack other machines. Alternatively, programs which generate email, if compromised, can be used to send nuisance email to other sites. Since these types of attack potentially affect the whole Department, carelessness of this type in setting up Web servers may be treated as a disciplinary matter.
In cases of doubt about the appropriateness of material intended for publication on the Web, please email firstname.lastname@example.org. In any dispute about appropriate use of the Department’s facilities for the provision of Web material, the Head of Department’s decision is final. Contravention of these guidelines may be treated as misuse of a computer system and dealt with by the ISC’s disciplinary procedures.