University Web Services

Best Practices

Web Server Administration

1-11-2007: This document is extremely sketchy at this time. The University Webmaster invites comments and contributions.

We strongly recommend you keep all your websites on central OIT servers. We recognize, however, that there can be specific reasons for needing a department or college-level server. This page is for you.

Note that everything here applies only to those web servers that can be accessed from the public Internet, outside the university firewall.

Server Policies

Any web server must follow all University policies regarding networked servers in general, and all University computer use policies. These include, but are not limited to, the following:

Security

Employ standard server lockdown. Turn off all unused ports, disable unused services, remove all software not directly related to the operation of the server.
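The lockdown rule above is easiest to enforce if it is checked mechanically rather than by memory. The following script, added here as an example and not part of the original page or any OIT tooling, compares the TCP listeners on a host against an allowlist of ports the web server is expected to expose and reports everything else; the input format is that of `ss -H -tlnp` on Linux, the sample lines and the allowlist values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against an allowlist of ports
# the web server is expected to expose. Input lines have the shape of
# `ss -H -tlnp` output; the sample below is constructed, not from a real host.

# Print "port process address" for every listener whose port is not on the
# allowlist. Reads listener lines on stdin; $1 is a space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, al, " "); for (i = 1; i <= n; i++) ok[al[i]] = 1 }
        $1 == "LISTEN" {
            # local address is column 4; the port is whatever follows the last ":"
            m = split($4, addr, ":"); port = addr[m]
            proc = "?"
            # process name appears as users:(("name",pid=...,fd=...))
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            if (!(port in ok)) printf "%s %s %s\n", port, proc, $4
        }'
}

# Number of listeners that would be flagged; 0 means the host matches policy.
unexpected_count() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

# Constructed sample in the format of `ss -H -tlnp`.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 511 [::]:443 [::]:* users:(("httpd",pid=1201,fd=6))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1350,fd=21))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=901,fd=3))
LISTEN 0 10 127.0.0.1:25 0.0.0.0:* users:(("sendmail",pid=1000,fd=4))'

# Ports this web server is expected to expose (example policy values).
ALLOWED_PORTS="22 80 443"

# On a live Linux host with iproute2 the call would be:
#   ss -H -tlnp | unexpected_listeners "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "$ALLOWED_PORTS"
```

Each flagged line names the process that owns the socket, which is the service to disable or the package to remove under the lockdown rule. The loopback-bound sendmail listener is reported too: it is not reachable from the public net, but the policy says to remove what the server does not need, so it belongs in the review rather than being silently ignored.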

Concurrent user account logons should be limited. Any shares associated with a web server should be password protected.

All suspected policy violations, system intrusions, virus infestations, and other conditions that might jeopardize IT resources must be reported immediately to the Director of OIT.

If scans or network monitoring identify security vulnerabilities, the cooperation of the system owners and web server administrators will be solicited. If the appropriate contact cannot be determined, the department's administrative management will be notified. When a security breach (or potential security problem) is identified, OIT will take steps to disable network access to the affected systems and/or devices until the problems have been rectified.

The server must be physically secured and physical access to it must be controlled and limited to designated university employees.

Availability

Since the server is on the public net, it must be available 24 hours a day. The server must be monitored and the server administrator notified if the machine goes down.

A maintenance cycle must be established and notification of down-time posted.

General Policies and Procedures

There must be a policies and procedures document for the server. A copy of this must be on file with OIT.

The policies must be enforced through a regular audit procedure.

Password Policies and Procedures

All root and system administrator accounts must adhere to a strong password policy.

Accounts

Patches

Security patches and upgrades for the operating system, virus software, and any applications on the system should be kept current.

Hacking and Viruses

Anti-virus software must be used on all web servers.

Currency of Information

Quality of Information

Databases

Backups and Data Integrity

Systematic backup and restore procedures must be in place and must have been tested since the last backup software upgrade. The users of the web server must be notified as to the backup policy.
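The requirement that procedures "have been tested" is the part most often skipped: an archive that was written is not the same as an archive that restores. The drill below is an added example, not part of the original page or of any OIT procedure; it backs up a constructed site tree with `tar`, restores it into a scratch directory and compares checksum manifests of the two trees, so the result is PASS only when every file came back intact. The directory layout and file contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example: a backup-and-restore drill that proves a backup can be
# restored, rather than only that the archive was written. Paths and the
# sample content are constructed for this demonstration.

# Checksum manifest (cksum is POSIX) of every regular file under $1, with
# paths relative to $1 so that the source and restored trees compare equal.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} \; | LC_ALL=C sort )
}

# Archive $1 into the tar file $2; succeed only if the archive is readable.
backup_dir() {
    tar -cf "$2" -C "$1" . && tar -tf "$2" >/dev/null
}

# Restore archive $1 into an empty scratch directory and compare its manifest
# with the manifest of the original tree $2. Returns 0 if every file matches.
verify_restore() {
    scratch=$(mktemp -d) || return 1
    tar -xf "$1" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    if [ "$(manifest "$scratch")" = "$(manifest "$2")" ]; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# Run the whole drill on a constructed site tree; prints PASS or FAIL.
restore_drill() {
    site=$(mktemp -d)
    mkdir -p "$site/htdocs" "$site/conf"
    printf 'hello\n' > "$site/htdocs/index.html"            # constructed content
    printf 'ServerName www.example.edu\n' > "$site/conf/httpd.conf"   # constructed
    archive="$site.tar"
    if backup_dir "$site" "$archive" && verify_restore "$archive" "$site"; then
        result=PASS
    else
        result=FAIL
    fi
    rm -rf "$site" "$archive"
    echo "$result"
}

restore_drill
```

On a real server the drill would point `backup_dir` at the document root and configuration directories and keep the manifest from the time of the backup, so that a restore months later can still be checked against what was actually saved. Rerunning it after every backup-software upgrade is what satisfies the "tested since the last upgrade" clause.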

Scripting Languages

Web Services

Web Server Administrators

Every web server at Boise State must have a Web Server Administrator (WSA). The University Web Administrator (UWA) must be notified and given contact information.

The WSA must institute a backup procedure and must inform the users of that procedure.

The WSA is responsible for security of the data on the machine and for any hacks that exploit vulnerabilities in the server.

The WSA is responsible for the granting of accounts on the server, the account and password policy on the server, and for the Administrator password on the server.

The WSA is responsible for all services on the machine, whether or not they are web services, unless a separate system engineer position has also been designated.

The WSA must report to a division head.

All the above responsibilities may be delegated, but must be delegated explicitly and the UWA must be notified. If the responsible person leaves university employment, a replacement must be chosen and the UWA must be notified.

Random Notes

This page is very much a work in progress, as almost no one has discussed these matters at Boise State. When I see things worth collecting, I'm going to park them here.

Things a server admin does

  1. Managing and setting up users
  2. Managing and setting up customized services such as SSL, MySQL, PHP, etc.
  3. Managing configuration of the web service itself
  4. Managing Sendmail Configuration
  5. Managing FTP Configuration
  6. Managing FrontPage Configuration
  7. Managing security and authorities for users

Establish a policy for log files. Let the users know when the log files roll over.

Require (?) use of log analysis software.
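Whatever analysis software is chosen, the two questions a WSA needs answered from each log before it rolls over are how the server responded overall and which clients are generating errors. The script below is an added example, not part of the original page or any product the page names; it works on Apache combined-format access log lines (status is the ninth whitespace-separated field) and the sample lines, addresses and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: minimal access-log analysis for a weekly report, run on the
# current log before it is rotated. Works on Apache combined-format lines;
# the sample log below is constructed, not from a real server.

# Count responses per status class (2xx, 3xx, 4xx, 5xx) from log lines on stdin.
status_summary() {
    awk '{ c[substr($9, 1, 1) "xx"]++ }
         END { for (k in c) printf "%s %d\n", k, c[k] }' | LC_ALL=C sort
}

# List clients with at least $1 4xx responses, most errors first. A client that
# trips many 404s in a short window is the usual sign of probing for content
# that is not there, and is worth a look by the WSA.
noisy_clients() {
    awk -v min="$1" '$9 ~ /^4/ { n[$1]++ }
         END { for (ip in n) if (n[ip] >= min) printf "%s %d\n", ip, n[ip] }' \
        | sort -k2,2nr -k1,1
}

# Constructed sample in Apache combined log format.
SAMPLE_LOG='10.0.0.5 - - [11/Jan/2007:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Jan/2007:10:00:02 -0700] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.7 - - [11/Jan/2007:10:01:00 -0700] "GET /admin/ HTTP/1.1" 404 312 "-" "curl/7.15"
192.0.2.7 - - [11/Jan/2007:10:01:01 -0700] "GET /setup/ HTTP/1.1" 404 312 "-" "curl/7.15"
192.0.2.7 - - [11/Jan/2007:10:01:02 -0700] "GET /old/index.html HTTP/1.1" 404 312 "-" "curl/7.15"
192.0.2.7 - - [11/Jan/2007:10:01:03 -0700] "GET /cgi-bin/ HTTP/1.1" 404 312 "-" "curl/7.15"
10.0.0.9 - - [11/Jan/2007:10:02:00 -0700] "POST /form.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Jan/2007:10:02:05 -0700] "GET /missing.gif HTTP/1.1" 404 0 "-" "Mozilla/5.0"'

# On a live host this would read the current log, for example:
#   status_summary < /var/log/httpd/access_log
#   noisy_clients 20 < /var/log/httpd/access_log
echo "Responses by class:"
printf '%s\n' "$SAMPLE_LOG" | status_summary
echo "Clients with 3 or more 4xx responses:"
printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3
```

Running this from the same cron job that rotates the log keeps the report aligned with the rollover schedule the users were told about, and the 5xx count doubles as a check that a code or configuration change did not start failing quietly.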