IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.175 Setting up a WWW server
Initiation responsibility: Agency/company management
Implementation responsibility: Head of IT Section, Administrator
Commissioning a WWW server
In order to set up a WWW server, in addition to appropriate hardware it is also
necessary to procure corresponding software. A large number of products are
available for this purpose. When the products are selected, apart from stability
particular importance must be attached to the security mechanisms (for notes
on procurement and installation see also Chapter 9.1 Standard software).
Adapting the organisational structure
Consideration must be given to what information is to be made available on
the Internet or in an intranet. It is also necessary to clarify how and where
documents are compiled, who produces which documents, which documents
are used where, and who requires these documents. Guidelines on presenting a
uniform identity for documents, file names and directory names should then
be drawn up on the basis of these findings, and if possible standardised
development tools should be specified.
Nominating responsible personnel
During operation of a WWW server, whether internally or externally, it should
not be possible for every user to load files at will. One responsible member of
staff should therefore be nominated for loading information, and this person
should also check new files to ensure that they conform to the guidelines.
Depending on the size of the organisation, other staff members can also be
given subsidiary responsibility for individual organisational units or specific
areas of the WWW server. The assignment of rights and the directory
structure on the WWW server must also be specified in accordance with the
chosen organisational structure. In particular, every person responsible for a
subsection should have access only to those subdirectories which they are
managing.
In order to ensure that the files and directories that are created always meet the
respective guidelines, observance of the guidelines should be checked
automatically, for example using appropriate scripts or macros. A prepared
program should be made available to everyone, and should be invoked every
time a change is made. Particular attention should be paid to checking the
following points:
- Whether the access rights have been correctly set for all directories
- Whether the access rights have been correctly set for all files
- Whether the access rights have been correctly set for all CGI scripts (if set
up)
A file detailing the changes that have been made should also be generated
directly.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000