Guide to secure web service/servers

When you deploy, manage or operate a web presence, it's essential to follow these best practices to secure your environment and prevent incidents for which your department or faculty could be held liable.

  1. Patch and upgrade operating systems and applications regularly to ensure these are up-to-date with vendor(s) security updates. In cases of critical exploits, apply security patches or workarounds immediately according to vendor’s security alert subscriptions or announcement.
  2. Configure operating systems and applications according to best practices provided by the vendor(s), including but not limited to:
    • changing default passwords and managing passwords according to the ITS Standard for Privileged Password Management and User Password Standard
    • disabling accounts, services and applications that are not needed & decommissioning unused servers
    • managing accounts following the principle of least privilege and the ITS Standard for Role Based Access Control
    • restricting access and data to authorized parties only
  3. Implement web authentication and encryption technologies according to ITS Standards for Cryptography and Authentication
  4. Back up content, application configurations and operation system regularly following  the ITS Standard for Data Security Lifecycle controls
  5. Set up and monitor access log files properly to enable incident investigation according to the ITS Standard for Logging and Secure Error Logging
  6. Define change control processes to ensure all changes are justified, documented and tracked
  7. Follow other ITS Standards as applicable, such as for API Security



  • IT Services will launch pilot for the vulnerability management and scan services in 2020. If you are interested to be part of the pilot, please contact IT Security on the IT support site


Back to top