Before planning a new website, schools, departments, centers, projects, and labs should evaluate one of UNC’s managed solutions for creating websites.
Recent incidents at UNC-CH have highlighted the complexities and workload required to properly administer a website and prevent abuse.
UNC managed solutions include:
- Centrally-hosted and managed WordPress
- School of Medicine-hosted and managed Plone
- CloudApps Hosting (Platform-as-a-Service, PaaS)
- Departmental Hosting
Non-UNC managed solutions include:
- Outsourced Third-party Design and Hosting
- Large hosting providers: Weebly, Squarespace, OpenShift, AWS (Elastic Beanstalk), Google Cloud
The intent of this document is to offer guidance and reminders that help our community avoid common security risks. It is not intended to replace UNC-CH Security Policy.
If you are creating a website, security is not automatic and must be considered from the beginning, along with planning and funding for maintenance and eventual decommissioning.
If you have any questions or suggestions, please contact your ISL or the UNC-CH Information Security Office.
Sensitive Information and Mission Critical Servers
Servers that will store or process sensitive information, as well as servers considered mission critical, are required to be registered in SAI. Mission Critical can be defined as any system, site, or application that would negatively impact University business if it were down for longer than 3 consecutive hours.
The Information Security Office (ISO) conducted a thorough risk assessment on the UNC-Chapel Hill CloudApps infrastructure in 2016-2017 and approved it for use with sensitive information. When a customer requests space within CloudApps for use with sensitive information, they need to fill out a Data Access Questionnaire (DAQ) indicating what types of sensitive information will be in scope. In addition, they have certain responsibilities in managing their application properly.
As an owner, manager, or administrator of a website, it is important to know what is stored on the web server, including files that are not linked to or ‘live.’ Any documents that do not need to be online for business purposes should be removed from the web server.
Identity Finder scans are available for owners or administrators who need to check multiple sites for University-owned sensitive information or are interested in verifying that the data they are responsible for does not contain University-owned sensitive data. Contact email@example.com for more information.
- Change Default Passwords Post-Installation (Use unique and strong passphrases)
- Implement SSL/TLS and verify using a 3rd party like Qualys: https://ssllabs.com
- Use Shibboleth for Authentication
- Directory Listing or Directory Browsing must be disabled
- Error output to clients must be disabled; errors should instead be logged locally in a log folder
- Review and ensure that published folders have appropriate and limited WRITE permissions
- Implement an administrative process or program to manage and update plug-ins/themes/modules/extensions
- Web Services must run with limited rights, not SYSTEM or root
- Anti-Malware Software must be installed, running, self-updating, and monitored (e.g. SCEP)
- Web Access and ERROR Logs must be stored and should be forwarded to Splunk
- Scan Websites with Identity Finder to Detect Sensitive Documents
- Ask about a Web Application Scanning service such as Qualys WAS
- Consider implementing a Web Application Firewall (e.g. ModSecurity, F5 ASM, Automattic, or Sucuri)
- Implement Web Server Hardening
- Back up the website files and database
- Consider if TEST/DEV/PROD environments and/or N-Tier Architecture are appropriate for your site
- Run Qualys Vulnerability Management scans
- OWASP: https://www.owasp.org/index.php/Cheat_Sheets
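As an added example (not UNC's own tooling), the POSIX shell script below audits Apache httpd and php.ini fragments for three of the checklist items above: directory listing enabled, error output shown to clients, and the web service running as root. The config fragments are constructed for illustration and are not a real server's configuration.

```shell
#!/bin/sh
# Constructed sample fragments (hypothetical, not a real server's config):
# a weak pair and a hardened pair for the same directory and PHP settings.
WEAK_HTTPD='User root
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>'
HARD_HTTPD='User www-data
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>'
WEAK_PHP='display_errors = On
log_errors = Off'
HARD_PHP='display_errors = Off
log_errors = On
error_log = /var/log/php/error.log'

# Each check takes one config text as $1 and exits 0 when the WEAK setting
# is present, so it can be used directly in if / && lists.
has_directory_listing() {
    # Matches "Options ... Indexes" (bare or +Indexes) but not "-Indexes".
    printf '%s\n' "$1" | grep -Eiq \
      '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)'
}
shows_errors_to_clients() {
    # display_errors set to any "on" spelling sends PHP errors to the browser.
    printf '%s\n' "$1" | grep -Eiq \
      '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(on|1|true|yes)'
}
runs_as_root() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*User[[:space:]]+root([[:space:]]|$)'
}

# Prints one FAIL line per weak setting found; $1 = httpd conf, $2 = php.ini.
audit() {
    has_directory_listing "$1" && echo "FAIL: directory listing enabled (Options Indexes); use Options -Indexes"
    shows_errors_to_clients "$2" && echo "FAIL: display_errors is on; set display_errors=Off and log_errors=On"
    runs_as_root "$1" && echo "FAIL: httpd runs as root; run it as an unprivileged service account"
    return 0
}
# Number of findings, for use in scripts and tests.
finding_count() {
    audit "$1" "$2" | grep -c '^FAIL' || true
}

audit "$WEAK_HTTPD" "$WEAK_PHP"
echo "weak config findings: $(finding_count "$WEAK_HTTPD" "$WEAK_PHP")"
echo "hardened config findings: $(finding_count "$HARD_HTTPD" "$HARD_PHP")"
```

The same checks can be pointed at real files with `audit "$(cat /etc/httpd/conf/httpd.conf)" "$(cat /etc/php.ini)"`, paths assumed for illustration.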
Basic Incident Handling
- Follow UNC security policies and implement the configuration guidance and use the security tickets listed above
- If an incident occurs and Sensitive Information is at risk, contact 962-Help or the UNC Information Security Office immediately to initiate a Critical ticket
- Work with an Incident Handler and the ISO to Contain and Eradicate the problem
- Thoroughly test the system to ensure secure recovery before putting the system back into production