New User Access and Security Policy

Purpose:

This document outlines the updated policy regarding user access to any or all of the following:

1. FTP/SFTP/SSH access to web servers
2. Access to web-based server control panels (Webmin, Cpanel, etc.)
3. Access to web-based control panels for third-party services (Unfuddle, site24x7, etc)

The changes outlined within will help to mitigate the risk of accounts being compromised due to viruses or malware, and will facilitate an easier transition in the event that a user with server access is no longer employed with noise.

FTP Policy:

FTP will no longer be used when SFTP is an option. SFTP is an extension of SSH, and passwords are encrypted before being sent to the server. For most existing accounts, SFTP is already available, so developers simply need to switch their settings to SFTP fro FTP in their FTP client.

Root/Admin Access:

Root or admin account access will no longer be permitted. Users that require the ability to execute superuser commands via SSH on the web server will be granted appropriate sudo rights.

New Web Site User Accounts:

When new web space is allocated on a Linux server managed by noise, access controls will be handled via linux group memberships. We will no longer be issuing shared login accounts specific to each web site. An example of a virtual server setup process would look something like this:

• Space allocated for the web site:
  mkdir /home/example/html/
  
  
• New group set up for that web space:
  sudo groupadd examplegroup
  
  
• New user created for that web site and added to group:
  sudo useradd -g examplegroup exampleuser
  
  
• Allocated web space ownership altered so that the directory is owned by the group:
  chown –R exampleuser /home/example
  chgrp –R examplegroup /home/example
  
  
• Fix directory settings to allow multiple members of a group to write to the directory and over each others files:
  chmod -R 775 dirname
  chmod g+s dirname