Web servers policy

Policy 1340

All Web servers, both "primary" (centrally-managed) and "secondary" (managed by dispersed UM offices and units) located on the UM network must meet standards regarding the approval, creation, and deletion of accounts for individuals who manage Web content, and the appropriate use of those accounts.

The Information Technology Office has the responsibility of coordinating with other campus organizations to implement standards and to outline a system by which the standards shall be adopted across campus.

Discussion & Procedures

Primary (central) web servers

  • At theUniversity there will be one or more primary campus Web servers, operated by the central technology staff. Accounts on the primary campus Web server(s) will be given only to persons having the need for such accounts, either to provide technical or operational support for the Web server(s) or to post information relating to specific campus programs. Accounts will be established within the guidelines below.

    1. Accounts intended for posting information will be authorized only for approved University programs. Requests for such accounts will identify the program and the person designated to post information about that program. Decisions about which programs shall be authorized to post information on the campus Web server(s) are made by the management of the campus central IT organization; disputes are resolved up the chain of command, ultimately by the campus chief executive officer.

    2. Once a program is approved, the person designated as responsible for that program must complete training on the rights and responsibilities of Web content contributors, following which a user account will be created for that person. Once created, the user account shall be maintained in such a manner that the user's ability to upload and/or modify Web contents is limited to the pages associated with his/her identified program responsibility.

    3. Within each approved program, Web postings shall be the responsibility of a single person. Material may be developed and tested by any number of people off-line or on a non-public development server, but uploading such material to a "live" Web server shall be the responsibility of a single individual. Each program may designate a "backup" person to perform this function when required, provided that backup person also completes the same training as the primary designee.

      Exceptions may be made for Web sites which are managed through content management systems or software. In these cases, multiple individuals may be given access to server space in order to update content relevant to their job description. These individuals will still need to pass the training and certification program.

      Under NO circumstances should user account(s) be shared by multiple users.

    4. After a user account is created, the user must complete re-certification training every twelve months. Failure to complete this training shall result in the user account being disabled. The account will be re-enabled only when the required training has been completed.

    5. A user should place on any Web server only information that is related to his/her program account responsibility and is intended to be publicly available. Under NO circumstances should confidential or private information ever be placed in a user account on any Web server. Personal information should NEVER be placed in a user account on a Web server, except for simple account parameters needed to customize the account to that user's "tastes.

    6. If email responses to a program are part of the activity generated by a program page, then related email can be maintained on the Web server. However, each user should carefully distinguish between email related to a program and personal email - personal email should NEVER be maintained on the Web server(s). (See also BOR Policy 1303.3)

    7. If a person having a user account leaves the University or becomes disassociated from the program for which the account was established, or if the program removes authorization from that person for any reason, it is the responsibility of the program to notify the central technology staff and request that the account be disabled immediately.

Secondary web servers

In addition to the primary UM Web server(s) on each campus, campus entities may elect to operate additional (secondary) Web servers, but only under the conditions described below. Because Web servers must offer "open doors" to outside Internet users, they represent a major potential security risk for the campus network as a whole.

  1. Each secondary Web server must be identified to the central campus IT office, to permit orderly, centralized security management. An unidentified Web server detected by or reported to campus IT staff will be immediately isolated from the campus network.

  2. Each secondary Web server must be managed and maintained by professional staff who must constantly monitor a variety of sources for information related to Web site security and who will assure that the server is kept up to date relative to known security problems and security "patches". A secondary Web server detected by or reported to campus IT staff that is operating with a known security "hole" will be immediately isolated from the campus network.

  3. Accounts on a secondary Web server will be created, certified, and periodically recertified in a manner consistent with the requirements for accounts on the primary Web server(s). Specifically, this means that users on secondary Web servers must complete the same training as users on the primary Web server(s).

  4. In electing to operate a secondary Web server, a unit assumes the responsibility for assuring and documenting compliance with standard account management policies. Units which fail to comply with this requirement risk having their Web server, or even possibly their whole subnetwork, isolated from the campus network.

To facilitate the University's ability to post timely and pertinent information related to its various programs and opportunities, the University may, and historically does, "distribute" the right to post information to a variety of users from a variety of programs. With this distribution of right-to-post information comes increased risk that one (or more) of those users will misuse his/her account (either accidentally or intentionally) to the embarrassment of the University. A standard, somewhat rigid approach to account management, coupled with periodic user (re)training on the appropriate use of the account is a reasonable compromise that reduces the risk while allowing a number of people to contribute content.

Similarly, the variety and volume of information posted by various programs suggests that the University's interests are served by allowing units to operate secondary Web servers, but only if they are willing and able to operate those servers in a manner that assures network security and minimizes the risk of "embarrassment" that comes with account misuse. With the rapid evolution of the Web has come the equally rapid evolution of automated mechanisms which exploit "security holes" in Web servers and Web accounts, to the detriment of the entire network on which that Web server resides. The status quo, which allowed units and individuals to operate Web servers with little central control or attention to security and account management, is no longer acceptable because of the risks it imposes on all campus users. Though the changes implied above are dramatic, they are the minimum that will offer a reasonable level of security, and fall short of a much more highly constrained scenario which would allow only centrally operated Web servers. If both central staff and unit staff take the responsibilities outlined above seriously, we think this is a workable compromise that balances the need for central security against unit needs for flexibility.

For both the primary Web server(s) and secondary Web servers, the UM-M IT Office has developed an online Web rights and responsibilities training course, thus allowing user certification to be completed with minimal disruption.