Web Security Standard
The Web Standard provides measures to prevent, detect, and correct compromises on web servers that host RIT Confidential information or use RIT Authentication services. The standard includes configuration and documentation requirements. Here is a checklist of configuration and documentation requirements.
When am I required to follow the standard?
- If you own, administer, or maintain an official RIT web page that hosts or provides access to RIT Confidential or RIT Operationally Critical information.
- If you have a web page at RIT, official or unofficial, and you use RIT authentication services.
Scanning
- The RIT Information Security Office provides scanning services to support RIT web pages. Contact Paul Lepkowski, RIT Security Engineer, for more information.
Web Application Encryption and Other Best Practices
- If a username and password are used, protect the login exchange with TLS (HTTPS); never serve the login form or accept credentials over plain HTTP
- Use Wireshark to capture network traffic while logging into web applications with a test account to verify that the username/password are truly encrypted (e.g., filter on http.request.method == "POST"; over HTTPS only TLS records should appear and no credential field should be readable)
- If your application is using RIT credentials, verify that all exchanges of usernames/passwords are encrypted from your web server to other RIT servers
- Validate all user input on the server side (especially form fields): use parameterized queries to prevent SQL Injection, encode output to prevent Cross-Site Scripting (XSS), and enforce length limits to prevent buffer overflow issues; client-side validation alone can be bypassed
- Disable directory browsing in the web server configuration (e.g., Options -Indexes in Apache); placing an index file in each web directory only hides listings for directories that actually have one
- Keep the web server and everything it runs or depends on (e.g., Apache, PHP, Samba) up to date with current patches
- Consider using a web application firewall such as ModSecurity
- If forms are used, consider the use of CAPTCHA to prevent form spam
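As an added example, not part of the RIT standard itself, the Apache configuration below shows the weak settings the checklist items above rule out beside the corrected form for the HTTPS, protocol-version, directory-listing and web application firewall items. The host name www.example.edu, the certificate paths and the document root are placeholders.

```apache
# --- Weak configuration (what the checklist rules out) ---
# Login form served over plain HTTP with no redirect to HTTPS, e.g.
#   <VirtualHost *:80> ... DocumentRoot /var/www/html ... </VirtualHost>
# SSLProtocol all                  # still accepts SSLv2/SSLv3 on old builds
# Options Indexes FollowSymLinks   # lists any directory without an index file

# --- Hardened configuration (placeholder host name and paths) ---
<VirtualHost *:80>
    ServerName www.example.edu
    # Never accept credentials over HTTP: send every request to HTTPS (mod_alias)
    Redirect permanent / https://www.example.edu/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.edu.key
    # Refuse obsolete protocol versions (mod_ssl); current builds no longer
    # contain SSLv2 at all, so the -SSLv2 token matters only on old servers
    SSLProtocol all -SSLv2 -SSLv3
    # Tell browsers to use HTTPS only for this host (mod_headers)
    Header always set Strict-Transport-Security "max-age=31536000"

    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        # No automatic directory listings, whether or not an index file exists
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Web application firewall (mod_security2); its rule set is loaded from
    # the module's own configuration files
    <IfModule security2_module>
        SecRuleEngine On
    </IfModule>
</VirtualHost>
```

To check the result from another host: curl -I http://www.example.edu/ should return a 301 to the https:// URL, curl -I https://www.example.edu/somedir/ should return 403 rather than a 200 listing for a directory without an index file, and nmap --script ssl-enum-ciphers -p 443 www.example.edu should show no SSLv2 or SSLv3 offered.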
3rd-Party Encryption Products:
The following 3rd-party encryption products are acceptable for use at RIT
- Pointsec
- TrueCrypt
Server-Side Client-Input Filtering
Refer to http://security.rit.edu/articles/client-filtering.html for instructions on how to filter client input.
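The linked article is not reproduced here; as an added example (not code from RIT or from that article), the Python below shows the server-side filtering the standard asks for on a login lookup: a string-built SQL query that an attacker's quotes can rewrite beside the parameterized, validated version, plus output encoding for a value reflected into HTML. The users table, account and payloads are constructed for the demonstration; passwords are stored in the clear only to keep the example short, where a real application stores a salted hash.

```python
"""Server-side client-input filtering: vulnerable vs. hardened login lookup.

Constructed example using an in-memory SQLite database; the table,
account and attack payloads are made up for illustration.
"""
import html
import re
import sqlite3

# Allow-list pattern for usernames and a length cap for every field (assumed policy)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
MAX_FIELD_LEN = 256


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Cleartext password only to keep the example short; hash it in real code
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def validate_field(value, pattern=None) -> bool:
    """Length cap (buffer/abuse limit) plus optional allow-list regex."""
    if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
        return False
    if pattern is not None and not pattern.fullmatch(value):
        return False
    return True


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds SQL from raw input: a quote in either field changes the query.

    A password of  ' OR '1'='1  or a username of  alice' --  logs in
    without knowing the password.
    """
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Rejects input that fails validation, then binds parameters.

    Bound parameters are sent as data, never parsed as SQL, so the same
    payloads simply fail to match any row.
    """
    if not validate_field(username, USERNAME_RE) or not validate_field(password):
        return False
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def render_greeting(username: str) -> str:
    """Encode user input before reflecting it into HTML to prevent XSS."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "' OR '1'='1"),
                     ("alice' --", "wrong")]:
        print(f"{user!r}/{pw!r}: vulnerable={login_vulnerable(db, user, pw)} "
              f"hardened={login_hardened(db, user, pw)}")
    print(render_greeting("<script>alert(1)</script>"))
```

The same allow-list and parameter-binding approach applies to every field a form accepts, and the escaping must happen at output time for the context the value lands in (HTML body here); filtering only in the browser does nothing against a client that submits the request directly.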
Sample SSLv2 Banner
SSLv2 is obsolete (RFC 6176 prohibits its use) and should be disabled on the server. Where a legacy server must still accept it, display a banner such as the following to users who connect with it:
Use of this connection to the Rochester Institute of Technology is restricted to authorized users. You have requested an SSLv2 connection to a secured resource. This request may have occurred because you have an improperly configured or older version of your web browser. PRIVACY AND SECURITY OF INFORMATION (INCLUDING PASSWORDS) IS NOT GUARANTEED when using SSLv2. You assume all responsibility for information loss if you proceed with this connection.
Additional Resources
Additional technical resources may be found at http://security.rit.edu/saresources.html

