Don’t let the Web get the better of you. Register your web servers and directories. Photo: Derek Harper
Fermilab takes great pride in presenting the laboratory and our scientific results to the public. Much of this is accomplished through publicly viewable Web pages. At the same time, some Fermilab Web pages are meant only for internal communication or to be accessed only by certain groups.
The cybersecurity team is in the process of modifying several cybersecurity practices to provide additional control over what is publicly viewable on the web. These measures, which will go into effect in October, include:
Registration of Web servers. It has long been laboratory policy that any Web servers meant to be visible from off site must be registered. Unregistered websites are blocked at the site border. Until now, enforcement of this policy has concentrated on Web servers using the standard Web ports (80 and 443). New tools will also allow us to block websites using non-standard ports, so these sites must also be registered and renewed annually. Site owners can register their websites through the Service Desk.
Forbidding directory browsing. Websites that support directory browsing (making Web content visible in the same manner as a file system) are a common cause of exposed content not intended to be made public. Lab policy forbids configuring Web servers to enable directory browsing by default. Web server managers who require this functionality must separately register each directory that allows browsing. This registration form is available through the Service Desk.
Directory browsing will be disabled on the central Web servers on or about Oct. 1. Therefore, those hosting Web pages on the central servers that need directory browsing will need to both register their site and configure .htaccess files in their Web areas (instructions for which will be provided by the Web support team).
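As an added illustration of the directory-browsing point above (not Fermilab's own tooling or the Web support team's instructions), the script below audits constructed .htaccess snippets for Apache's `Indexes` option and reports areas where listings are on but the directory was not registered; the paths and the registered set are made-up sample values.

```python
"""Audit Apache .htaccess snippets for directory browsing (autoindex).

Added example, not Fermilab's own code. Apache turns directory listings on
through the ``Indexes`` option: ``Options Indexes`` or ``Options +Indexes``
enables it, ``Options -Indexes`` disables it, and ``Options All`` includes it.
Caveat: an Options line in .htaccess only takes effect when the server's
AllowOverride permits it, and a directory with an index file shows that
file rather than a listing, so treat a hit here as a lead to verify.
"""
import re

OPTIONS_RE = re.compile(r"^\s*Options\s+(.*?)\s*$", re.IGNORECASE)


def indexes_enabled(config_text: str, default: bool = False) -> bool:
    """Return True if the snippet leaves directory listings enabled.

    `default` is the state inherited from the enclosing scope. Mirrors the
    Apache rule for one scope: an absolute Options line replaces the whole
    set; a line made only of +/- terms adjusts the inherited state.
    """
    enabled = default
    for line in config_text.splitlines():
        if line.strip().startswith("#"):       # whole-line comment
            continue
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        if all(t[0] in "+-" for t in tokens):  # relative form
            for t in tokens:
                if t[1:].lower() in ("indexes", "all"):
                    enabled = t[0] == "+"
        else:                                  # absolute form
            enabled = any(t.lower() in ("indexes", "all") for t in tokens)
    return enabled


# Constructed sample .htaccess contents keyed by web area (not real paths).
SAMPLE_HTACCESS = {
    "/web/areas/public_docs/.htaccess": "Options +Indexes\nIndexOptions FancyIndexing\n",
    "/web/areas/internal/.htaccess": "Options -Indexes +FollowSymLinks\n",
    "/web/areas/legacy/.htaccess": "Options Indexes\nOptions None\n",
    "/web/areas/data/.htaccess": "Options All\n",
}
REGISTERED = {"/web/areas/public_docs"}  # constructed registration list


def unregistered_browsable(htaccess_files, registered, default=False):
    """Areas whose listings are enabled but which were not registered."""
    return [path.rsplit("/", 1)[0]
            for path, text in sorted(htaccess_files.items())
            if indexes_enabled(text, default)
            and path.rsplit("/", 1)[0] not in registered]


if __name__ == "__main__":
    for area in unregistered_browsable(SAMPLE_HTACCESS, REGISTERED):
        print("directory browsing enabled but unregistered:", area)
```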
Regulation of content. Each website owner is responsible for the content served from his or her site. In the past, this site owner was ordinarily the same individual who registered the website for external visibility. However, content owners are becoming increasingly distinct from the Web server managers. The security team is developing procedures to ensure all laboratory Web pages have a specific individual who takes responsibility for the Web content. Again, the ownership information will be renewed annually.
Further details about each of these processes will be made available through the Service Desk and to Web server managers as they go into production.