NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Identify who should be responsible for creating, publishing, and maintaining this particular information
Create or format information for Web publishing
Review the information for sensitivity and distribution/release controls (including the sensitivity of the information in aggregate)
Determine the appropriate access and security controls
Publish information
Verify published information
Periodically review published information to confirm continued compliance with organizational guidelines.

Any policy or process for determining and approving the information to be published on a Web server can benefit from the use of automated tools. Tools can scan incoming content for keywords, formatting, or metadata, and flag it for review, easing the burden of those required to verify content. Similarly, an internal automated system that allows users to post potential material to an internal Web site and notifies approving personnel (possibly via e-mail) of the posting allows material to be reviewed and posted to the public Web site more quickly through a repeatable process. Using an automated system also aids accountability because logs track who submitted the document and who approved it.

An often-overlooked area of Web content is the information sometimes hidden within the source code of a Web page. This information can be viewed from any Web browser using the “view source code” menu option. The source code can, for example, contain points of contact and reveal portions of the directory structure of the Web server. Organizations often do not pay attention to the contents of the source code on their Web sites, even though this code may contain sensitive information. Attackers scour not only the obvious content of the Web site but also details within the source code. Thus, Web administrators or Webmasters should periodically review code on their public Web server.
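The two paragraphs above describe a pre-publication scan that flags content for review and a periodic check of page source for hidden contact details and directory structure. The following is an added example of such a check, not code from NIST or the guideline itself; the regular expressions, the `HiddenTextCollector` class and the sample page are all constructed for illustration and would be tuned to an organization's own policy.

```python
import re
from html.parser import HTMLParser

# Heuristics for details that leak through published pages: contact points,
# server directory structure, and notes meant for internal eyes only.
CHECKS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "server path": re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|etc|srv|inetpub)/)[\w./\\-]*"),
    "internal marker": re.compile(r"\b(?:TODO|FIXME|DRAFT|INTERNAL|DO NOT PUBLISH)\b", re.I),
}

class HiddenTextCollector(HTMLParser):
    # Collect HTML comments and <meta> content: text that is never rendered
    # but that anyone can read with the browser's "view source" option.
    def __init__(self):
        super().__init__()
        self.segments = []  # (kind, text)

    def handle_comment(self, data):
        self.segments.append(("comment", data))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("content"):
            self.segments.append(("meta:" + (a.get("name") or "?"), a["content"]))

def review_page(html):
    # Return sorted (location, check, match) findings for one submitted page;
    # location is "comment" or "meta:<name>" for hidden text, else "body".
    collector = HiddenTextCollector()
    collector.feed(html)
    collector.close()
    findings = set()
    for check, pattern in CHECKS.items():
        for m in pattern.finditer(html):
            hit = m.group(0)
            location = next((k for k, t in collector.segments if hit in t), "body")
            findings.add((location, check, hit))
    return sorted(findings)

# Constructed sample submission (not taken from any real site).
SAMPLE_PAGE = """<html><head>
<meta name="author" content="DRAFT - ask webmaster@example.gov before publishing">
</head><body>
<!-- template copied from /var/www/intranet/templates/base.html -->
<p>Welcome to the agency's public information page.</p>
<img src="/images/logo.png" alt="Agency logo">
</body></html>"""
```

Running `review_page(SAMPLE_PAGE)` flags the address and draft marker in the meta tag and the server path in the comment, while the ordinary image URL is left alone; in an approval workflow the findings would be attached to the submission record alongside the submitter and approver identities the text mentions.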
6.2 Observing Regulations about the Collection of Personal Information

Federal and state laws and regulations apply to the collection of user information on publicly accessible government Web sites. In addition, many government agencies have privacy guidelines that address the type of information that could be collected about users. Governmental organizations with Web sites should be aware of the appropriate and applicable laws, regulations, and agency guidelines. Private organizations may wish to use these guidelines and examples of sound security practices but should consult appropriate legal counsel and their privacy officials for the applicable legal and policy implications. However, Federal laws, regulations, and applicable agency guidelines do apply to commercial organizations that operate Web sites on behalf of Federal agencies. Organizations should be aware of changes to legal, regulatory, and contractual requirements and seek advice from knowledgeable legal and policy experts.

Federal agencies that collect PII must do so in accordance with Federal law and the Constitution. The Privacy Act, for example, requires agencies to minimize the information collected to that which is
6-3