How to request a web server exemption

Intended for:

Administrators of web servers.

Scenario/Use case:

This article provides instructions on how to request a web server exemption. ALL web servers that are visible offsite (including non-standard ports) will require a web server exemption.

Instructions:

To request for a web server exemption, follow these steps:

1. Log in to ServiceNow.
2. Once logged in, submit a Web Hosting Request. (Note that registering a Web server does not automatically grant access; you must receive an approval on the Web server exemption.)

We recommend that you consider the following - we will likely ask you the same questions during this exemption process:

• What service does my web server provide that is necessary to open up to the Internet?
• Can my web service be hosted on the central web servers instead?
• Does my web service NEED to be visible to the entire internet?
• Can my web service instead be restricted to FNAL addresses and accessed from offsite via a VPN connection instead?
• Can my web service instead be restricted to only a few IP networks, rather than the entire Internet?

Please ensure the following are completed prior to submitting this exemption request. ALL requirements need to be met before an exemption may be given.

1. The web server needs to have a registered system administrator.
2. The web server needs to have a static IP address and run on a dedicated server or virtual machine.
3. Both operating system and web software need to comply with the applicable Fermilab baseline configurations. As such, both OS and web software need to be currently supported (and patched), and both need to be centrally managed.
4. If the web server offers authenticated access, it needs to abide by the Fermilab Authentication Policy and should utilize central authentication (such as LDAP). The web server should NOT offer self registration.
5. The web server content needs to be staged and ready to be accessed.
6. The web server needs to be sending both system and web logs to the CST central syslog server (clogger.fnal.gov).

Upon submission of this request, the Computer Security Team (CST) may engage in a short conversation with you regarding any questions about the web service. In addition, a Nessus or other vulnerability scan may be performed, and will be performed periodically throughout the year. After CST approval, the request will be forwarded to the Network Services group to modify the access controls. At this point, you will be notified of the completion of the request and the request will be then be closed.

This web server exemption is valid for one year. At time of expiration, this exemption may be renewed. Failure to renew this exemption will result in this web server no longer being visible to the Internet.

See Also:

• Fermilab Central Web Hosting: Documentation for Site Owners and Content Editors