Web servers hosted on the University of Memphis network must adhere to established
system security guidelines and be maintained using system administration best practices
including keeping operating systems (OS) and server software patched, and removing
or disabling unnecessary services, applications, and ports. Only required web server
modules and/or extensions should be enabled.
Directory listing should be turned off so that search engines and web browsers cannot
enumerate and identify all of the files stored in the document root of the web server.
Web server logs must be maintained in a directory that is not web-accessible. Log
files should be reviewed regularly for signs of out-of-the-ordinary behavior.
Web Site Security
Web pages that display or collect sensitive or confidential information must be hosted
on a secure server supporting an encrypted web protocol (https) with a digital certificate
issued by a trusted certificate authority. The University of Memphis ITS Web Services
group (firstname.lastname@example.org) manages an account with a trusted root certification authority and will work with
clients from across campus who need to obtain an SSL certificate for official department
or unit web servers in the memphis.edu domain.
Scripts executed on web servers are particularly prone to security breaches, especially
if they do not validate user-supplied data before using it to access files or operating-system
services. Script code should be reviewed and scanned for known security risks.
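As an added illustration of the validation that last paragraph calls for (this is example code, not part of the university's guidelines), the Python below contrasts a request value that is joined to a file path unchecked with a version that confines the resolved path to the document root and to an allow-list of file extensions. The document root, the extension list and the sample request values are constructed for the example, and a POSIX path layout is assumed.

```python
import os

# Constructed document root for this example; a real deployment uses the server's configured root.
DOC_ROOT = "/var/www/html"
# Constructed allow-list: only file types the site actually serves through the script.
ALLOWED_SUFFIXES = (".html", ".txt", ".pdf")


def unsafe_resolve(user_value, root=DOC_ROOT):
    """The pattern the guideline warns against: the request value is joined to the
    document root with no validation. Parent references ('..') walk out of the root,
    and os.path.join discards the root entirely when user_value is absolute."""
    return os.path.join(root, user_value)


def safe_resolve(user_value, root=DOC_ROOT, allowed=ALLOWED_SUFFIXES):
    """Validate before touching the filesystem. Returns the absolute path of the
    requested file when it lies inside root and has an allowed extension, else None."""
    if not user_value or "\x00" in user_value:
        return None
    # Reject absolute paths and any '..' component before the path is even built.
    if os.path.isabs(user_value) or ".." in user_value.replace("\\", "/").split("/"):
        return None
    root_real = os.path.realpath(root)
    # realpath collapses '.' / '..' and follows symlinks, so a link inside the root
    # that points outside it is caught by the containment check below as well.
    candidate = os.path.realpath(os.path.join(root_real, user_value))
    # Containment check with commonpath, not a string prefix: a prefix test would
    # accept a sibling directory such as /var/www/html-private.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if not candidate.lower().endswith(allowed):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request values: one legitimate, two that try to leave the document root.
    for value in ("index.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{value!r}: unsafe -> {unsafe_resolve(value)} | safe -> {safe_resolve(value)}")
```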