Account Life-cycle Management: Tightening Web Security
By Annie Yu
CityU's central Web servers (www.cityu.edu.hk, www6.cityu.edu.hk
and www7.cityu.edu.hk) are mainly used for publishing the University
Web pages of departments, but they also allow University Web
authors to develop Web applications that use the Common Gateway
Interface (CGI) and the MS SQL database server. So that files can be
maintained and uploaded, server accounts have been created for
individual departments as well as on a project basis.
Each Web account on CityU's primary Web servers must be managed
by its owner, who is ultimately responsible for the content and
presentation of the information placed there. In addition, a second
person for each site should be readily available to address technical
issues and to liaise with the University Web administrators at
the Computing Services Centre (CSC). Both the owner and the technical
person are kept informed of any server upgrades and of changes in
policies and procedures; they superintend the regular maintenance of
the data and respond to security issues raised by the Web administrators.
They are also the only people authorized to log into the server for
content management.
Over the years, many accounts have been created on a request basis.
Unlike other computer accounts, which are covered by a complete
life-cycle management practice, a considerable number of inactive
Web accounts have accumulated on the central servers, probably
because projects ended or project staff left without the CSC's
knowledge. These dormant accounts not only waste space but, most
important of all from a security point of view, have become
potential targets for hackers.
In order to keep track of changes in the ownership of these Web
accounts, and to eliminate obsolete accounts and the materials they
contain, Web server accounts are now required to be renewed once a
year. The “Annual Renewal of Web Accounts” exercise was initiated in
mid June this year. A letter was sent to the Departmental Network
Administrator (DNA) and Relief Network Administrator (RNA) of each
department, along with a proforma on which to verify whether the
accounts listed are still in use. Most departments returned the
completed forms before the end of June, and those that had not were
reminded again in August. With the cooperative help of departments,
we had received all replies by the end of October. Inactive accounts
will be removed with the departments’ consent. Now that the list of
user contacts has been updated, the CSC will be able to reach account
owners in a timely manner, especially when dealing with critical
matters. We will continue this annual exercise as one of the
life-cycle management practices developed for Web content management.