Web Account Life-cycle Management: Tightening Web Security
CityU's central Web servers (www.cityu.edu.hk, www6.cityu.edu.hk and www7.cityu.edu.hk) are mainly used for publishing university Web pages for departments, but they also allow university Web authors to develop Web applications that require the use of Common Gateway Interface (CGI) and MS SQL database server. For the purpose of maintaining and uploading files, server accounts have been created for individual departments as well as on project basis.
Each Web account on CityU's primary Web servers must be managed by the owner who is ultimately responsible for the content and presentation of information placed therein. In addition, another person for each site should be readily available to address technical issues and to liaise with the university Web administrators of the Computing Services Centre (CSC). Both the owner and the technical person will be kept informed of any server upgrades, changes in policies and procedures, superintend the regular maintenance of the data, and respond to security issues raised by the Web administrators. They are also the only people who are authorized to log into the server for content management.
Over the years many accounts have been created on request basis. Unlike the other computer accounts which have a complete life-cycle management practice for them, a considerable number of inactive accounts, probably due to terminations of projects or turnovers of project staff without the CSC's knowledge, have been accumulating over the years on the central servers which not only led to a waste of space but most important of all, from a security point of view, had become potential targets for hackers.
In order to keep track of any changes in the ownerships of these web accounts as well as to eliminate obsolete accounts and materials contained therein, web server accounts are now required to be renewed once a year. The “Annual Renewal of Web Accounts” exercise was initiated in mid June this year. A letter to the Departmental Network Administrator (DNA) and Relief Network Administrator (RNA) was sent to each department along with a proforma for them to verify whether the accounts listed in the forms are still in use or not. Most departments returned the completed forms before the end of June and those who had not were again reminded in August. With the cooperative help of departments, we have finally received all their replies by the end of October. Inactive accounts will be removed with departments’ consent. Now that the list of user contacts has been updated, the CSC will be able to reach the owners of the accounts in a timely manner especially when dealing with critical matters. We will continue this annual exercise as one of the life-cycle management practices developed for Web content management.