University of Virginia
ITC Windows Web Services

Application And Server Security

Application Security

Each developer's application is, where possible, protected from other developers' applications. The Windows 2003/IIS 6.0 security model allows each application to run in a separate user context with only the rights granted to that user context, and this model is enforced by design on the server. An application written in ASP or Perl therefore cannot read or otherwise access data outside the directories belonging to that application.

It is important to note that Cold Fusion developers must put forth additional effort to secure their data. Cold Fusion does not participate in the standard IIS security model: all Cold Fusion applications run as a single user on the server. That means every Cold Fusion developer has the same rights on the server as every other Cold Fusion developer in any Cold Fusion-enabled directory. A malicious developer or a compromised application could use certain Cold Fusion functionality to enumerate data in other developers' directories and then retrieve or destroy that data using Cold Fusion. Cold Fusion developers should, at a minimum, password-protect their databases and make regular offline copies of their data.
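The two models above differ in what file permissions can enforce: under the per-identity IIS model, an application directory should grant access only to that application's own worker identity (plus the administrative baseline), whereas a shared Cold Fusion identity makes directory permissions unable to separate one Cold Fusion application from another. The following Python script is an added example, not ITC's code or tooling, that audits a constructed set of per-directory ACLs for both conditions. The directory names, identity names and `identity:rights` lines (written in the general style of Windows `cacls` output) are all assumptions made up for the example, not data captured from www.web.virginia.edu.

```python
"""Audit per-application directory ACLs for the isolation model described above.

Added example; all sample data is constructed. Two checks are performed:
  1. per-directory: any identity beyond the administrative baseline and the
     directory's own application identity is reported as a leak of access;
  2. cross-directory: an identity that owns more than one application is
     reported, because file permissions cannot isolate those applications
     from each other (the Cold Fusion single-user situation).
"""
from collections import defaultdict

# Identities that are expected on every application directory (assumption).
BASELINE_IDENTITIES = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# Constructed sample: directory -> (identity the application runs as,
# cacls-style "identity:rights" lines). Not captured from a real server.
SAMPLE_ACLS = {
    r"D:\web\alice": ("IIS_WPG\\alice_pool", [
        "NT AUTHORITY\\SYSTEM:F",
        "BUILTIN\\Administrators:F",
        "IIS_WPG\\alice_pool:R",
    ]),
    r"D:\web\bob": ("IIS_WPG\\bob_pool", [
        "NT AUTHORITY\\SYSTEM:F",
        "BUILTIN\\Administrators:F",
        "IIS_WPG\\bob_pool:R",
        "IIS_WPG\\alice_pool:R",   # misconfiguration: another app's identity can read
    ]),
    r"D:\web\cf_dept1": ("CFUSION\\cfuser", [
        "NT AUTHORITY\\SYSTEM:F",
        "BUILTIN\\Administrators:F",
        "CFUSION\\cfuser:C",
    ]),
    r"D:\web\cf_dept2": ("CFUSION\\cfuser", [
        "NT AUTHORITY\\SYSTEM:F",
        "BUILTIN\\Administrators:F",
        "CFUSION\\cfuser:C",
    ]),
}


def parse_acl_line(line):
    """Split 'DOMAIN\\name:RIGHTS' into (identity, rights)."""
    identity, _, rights = line.rpartition(":")
    return identity.strip(), rights.strip()


def audit_directory(path, owner, acl_lines):
    """Return findings for identities that should not have access to `path`."""
    findings = []
    for line in acl_lines:
        identity, rights = parse_acl_line(line)
        if identity in BASELINE_IDENTITIES or identity == owner:
            continue
        findings.append(
            f"{path}: {identity} has rights '{rights}' but the application "
            f"identity is {owner}"
        )
    return findings


def audit_shared_identities(acls):
    """Map identity -> directories for identities that own more than one app."""
    by_identity = defaultdict(list)
    for path, (owner, _lines) in acls.items():
        by_identity[owner].append(path)
    return {ident: paths for ident, paths in by_identity.items() if len(paths) > 1}


def audit(acls):
    """Run both checks and return all findings as strings."""
    findings = []
    for path, (owner, lines) in acls.items():
        findings.extend(audit_directory(path, owner, lines))
    for ident, paths in audit_shared_identities(acls).items():
        findings.append(
            f"identity {ident} runs {len(paths)} applications ({', '.join(paths)}); "
            "directory permissions cannot isolate them from each other"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS):
        print(finding)
```

On the constructed data the first check flags `D:\web\bob` because `alice_pool` was granted read access there, and the second flags `CFUSION\cfuser` because it runs two applications. The second finding is the one the paragraph above is warning about: no ACL change on the directories can fix it, which is why the page tells Cold Fusion developers to protect their data at the database level and keep offline copies.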

Server Security

The security levels on www.web.virginia.edu were designed to provide a reasonable amount of security without restricting the functionality of the development environment. The latest operating system service pack and applicable hotfixes have been installed, the file system on the server has been restricted, and unnecessary services have been removed. Established security best practices have been followed wherever they did not conflict with the development environment. For additional security, files deleted from the file system are intercepted and temporarily stored on the server's disks so that administrators can retrieve them quickly. The system is also fully backed up on a weekly basis, with incremental backups daily.

The Micro Systems group will continue to apply up-to-date security at the server level. www.web.virginia.edu clients should recognize that, where data security is imperative, they must build security into their own web sites and applications. Departments should consider increased security for their sensitive data. The security models currently in place should be used as guidelines, and data stewards should be consulted. Specific departmental security configurations will be considered on a case-by-case basis. Please note: ITC's policy is that no student data or medical records may be stored on www.web.virginia.edu.
