Central Web Hosting — Policy on Central Hosting of Web and SFTP Services

Background

Central Web Hosting and Secure FTP Services are set up to provide a consolidated, fully monitored and managed environment for hosting departmental websites or project websites, or Secure FTP sites. As highly reliable and secure central servers will be used to host these services, web site owners or Secure FTP service providers can then concentrate on the development of their Web contents or Secure FTP applications without worrying about the server management or operational support of the servers. It also relieves these owners from the burden of keeping the servers secure and the effort to manage them.

It is hoped that this centralized support arrangement can eradicate the levels of risk of having many web servers distributed around the campus with different security protections. The consolidated infrastructure to host these websites also leverages economies of scale, thereby creating significant cost savings.

In order to guarantee the stability of the server and to protect the Web and Secure FTP services, the Web Hosting and Secure FTP Policy has to be established.

The Central Web Hosting Policy

  1. The Central Web Hosting service is a tightly integrated service environment with carefully selected hardware and software being standardized to maintain consistency. Websites which conform to this environment can migrate from any self maintained servers to this centrally managed and maintained environment. The original server hardware can be kept back for development purpose. 

  2. Website to be developed should make prior arrangement with the CSC to get more information about the web hosting environment and to ensure conformance to the environment of the central web service. The central support and the website owner concerned will then mutually agree on the standard tools to be used for developing the Web services. Otherwise, there will be no guarantee on the compatibility of tools and the proper delivery of Web service.

  3. Compatibility advices will be provided to assist migration of existing web sites. In order to provide a stable environment for the Web services already hosted, no development activities will be allowed in these Web servers. Users are expected to do all developments and testing on their own machines before uploading to the central Web hosting servers.

  4. To achieve the best security protection, the server will timely apply security patches issued by the vendors of software. Although the patches normally will not affect the user's web applications hosted in the server, however, should this occur, it will be the responsibilities of the user to ask the developer to resolve the problem. To protect the server and the other web applications hosted, security patches applied will normally not be removed even though they cause problem with some web applications. 

  5. Secure FTP and Web account owners will be allocated a default directory to hold their contents. Accounts will be given out for Web or Secure FTP content owners for maintenance purpose. It is the sole responsibility of the account owners to protect the account information including the use of proper password and regular password change. It is not recommended for web site owners to pass the account information to external developers. However, if it is unavoidable, web site owners are reminded to change their account passwords once the developers have finished their work.

  6. If the Web service developed is expected to generate heavy loading on bandwidth such as video/audio streaming or serve a large number of concurrent access, full details on the service must be provided and prior arrangement must be made.

  7. Website or Secure FTP account owners are solely responsible for the accuracy and the propriety of their Web contents. They should also conform to the University Web guidelines and the related University policies.

  8. All Secure FTP account owners are solely responsible for all information stored under the default directories. Where possible leave files and directories read-only. The account owners will be held liable legally for the contents of their Secure FTP files.

  9. Daily and Weekly system backup of central Web hosting servers will be performed for disaster recovery and individual Web service recovery purposes. However, web site owner are advised to maintain a copy of their own (both program and data).

Service Rights and Termination

  1. With proper justification, the central support staff may examine system accounting logs and/or access any account's directories to investigate and/or resolve system problems. 

  2. Should the Web or Secure FTP sites hosted become the target of a network attack or a target of the investigation arisen from a security incident, the central support reserves the right to take any necessary actions (including, but not limited to, temporary suspension of the account holder's account) in order to restore normal server or network operation.

  3. The central support may, without prior notice, terminate a centrally hosted Web or Secure FTP service, if such service violates of the University policies. The central support will not be liable for any damages or loss resulted from such termination.

Arrangement for Central Web and Secure FTP Hosting Environments

Tthe standard platforms for Web Hosting runs on a server farm of Intel based servers. The Web environment will be supported by the Microsoft Windows Server 2008 R2 and the Microsoft IIS Web Server with SSL support (2048 bit). 

Microsoft SQL server will be used to support the database requirement.

Basic programming environment supported are the ASP, ASP.NET script and JAVA programming.

Regular review will be performed on the Web hosting environment with an aim to enhance its support by including new features, new tools, new versions, and better.


Departments would need to submit CSC Work Request for the Web site hosting.

  • An initial storage 100 Mbytes will be allocated for the Web service and 100 Mbytes for the database if required. If insufficient, departments can apply for additional quota by providing an initial requirement and an estimated growth of storage size required.
     
  • Each hosted web site will be provided a user account for uploading Web pages and/or applications. A user database account for read and a user database account for write will also be created for the users if the Web application requires database support.