Web Page Security

Here at CSU, there are two types of security available on Web sites residing on our main Web server: access security and data encryption. These two types are independent of each other; each serves its own purpose.

With access security, we can control who accesses our sites. For example, if we wanted only certain individuals to access a course Web site, we could implement a system that requires a user to enter a valid user name and password before gaining access. Once an individual has gained access to the page/site, nothing in the browser indicates the site is secured, and access security by itself encrypts nothing: the page contents (and, with Basic authentication, the user name and password as well) still cross the network in the clear unless the page also uses data encryption.

With data encryption, we can encrypt information as it is transferred between the user's browser and the Web server. This is done with additional, special software on the Web server and is typically implemented when collecting sensitive information (such as social security numbers) to keep that information from being viewed as it is transmitted across the Internet. Web pages on which this encryption has been enabled will display a "lock" image, typically in the bottom right-hand corner of the browser window. The lock indicates only that the connection is encrypted; it says nothing about who is allowed to view the page.

Implementing Access Security

Although there are multiple ways to implement access security, here's the general process you would use as a Web developer here at CSU:

  1. Put everything you want secured in one folder on your Web site.
  2. Decide on a user name and password.
  3. Complete a Web Services Request Form.
  4. If you're using FrontPage, modify the security settings.

Here's a more detailed description of the process:

  1. Place all the files and/or folders you want to secure in a separate folder on your web site. If you're using FrontPage, convert this folder to a sub-web (note: one of the reasons for creating sub-webs is to apply different security).
  2. Decide on a user name and password that will be used to access the page/site.
  3. Complete a Web Services Request Form detailing the location you want secured and the user name and password you've decided on.

    The CSU Webmaster will receive the form results, create the user name and password, and apply the security on the Web server so that the security will work for Netscape users. Normally at CSU, we assign users to groups, then assign group permissions to Web pages and/or sites. This way the actual permissions do not have to be changed, only the members of the groups. As such, the CSU Webmaster will most likely assign the user to a group, then respond to the person who initiated the Web Services Request, indicating that the user name and password have been set up as well as providing the group name the user has been assigned to.
  4. If you're using FrontPage:
    1. Open the Web site you're securing directly on the Web server (for example, to open the MySite Web site on the server, in FrontPage 98 you would select File > Open FrontPage Web > More Webs, then type in http://mysite.colstate.edu, click on List Webs, and double-click on <root web>; in FrontPage 2000, you would select File > Open Web then type in http://mysite.colstate.edu (if it's not already listed; if it is, simply select it), then select Open). 

      Note: opening a Web site directly on the server allows you to change the permissions for the site; opening a local copy of your site does not.
    2. In FrontPage 98, select Tools > Permissions; in FrontPage 2000, select Tools > Security > Permissions. Then, if requested, type in your user name and password. This will open the Permissions dialog box.
    3. If the site is a newly created sub-web, you'll need to select Use unique permissions for this web, then click on Apply to be able to apply specific permissions to the sub-web.
    4. Select the Users tab, then select Only registered users have browse access.
    5. Click on the Groups tab, select "Everyone" from the list, then select Remove.
    6. On this same Groups tab, select Add, then in the Obtain list from box, select "Thor," then from the displayed list of groups select the group given to you by the Webmaster in the Names box. Finally, verify Browse the web is selected, then select OK, then OK again.

      The above will cause an "Enter user name and password" box to display whenever the page/site is accessed, which will prevent the page/site from being displayed until the correct user name and password are entered.
  5. If you're not using FrontPage, the above can be done at the server by the Webmaster.

For you FrontPage users, if the user and/or group has already been created, you might be asking yourself, "Why do I need the Webmaster? Why can't I just open my Web site on the server and assign the permissions?" The answer is that you could, but the secured page will only be accessible via Internet Explorer; Netscape users will continue to get an "Enter user name and password" dialog box regardless of whether they enter the right information or not, and they can only gain access after the Webmaster has made changes on the Web server itself. The reason is that Internet Explorer can authenticate to the server with Integrated Windows authentication, which Netscape does not support; for Netscape users the Webmaster has to enable Basic authentication on the server for the secured folder.

Another method of implementing access security on our main Web server is via Active Server Pages (ASP), but this is not necessary given the simplicity of using FrontPage.
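The page does not show what the server does once the Webmaster has applied the security, so here is an added example of the same access-control model as a small Python module: a folder is granted to a group, membership is managed separately, and the browser's "Enter user name and password" prompt is driven by an HTTP 401 challenge. This is not CSU's FrontPage/IIS configuration or the ASP approach mentioned above; the folder names, group names, accounts and passwords in it are constructed for the example. It also shows, via seen_on_the_wire, why access security and data encryption are independent: a Basic Authorization header is only base64-encoded, so on plain http:// anyone watching the traffic recovers the user name and password.

```python
import base64
import hashlib
import hmac
import posixpath

REALM = "CSU Web Server"  # shown in the browser's user name/password prompt

# Constructed sample data (not CSU's real accounts or groups): a secured
# folder is granted to a group, and only the group's membership changes later.
PROTECTED_FOLDERS = {"/cins101/": "cins101-students"}
GROUP_MEMBERS = {"cins101-students": {"jdoe"}}


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Hypothetical accounts; only a salted hash of each password is kept.
USER_HASHES = {
    "jdoe": (b"salt-jdoe", _pbkdf2("cougars99", b"salt-jdoe")),
    "asmith": (b"salt-asmith", _pbkdf2("letmein", b"salt-asmith")),
}


def make_basic_header(user, password):
    """Client side: the Authorization header a browser sends after the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header):
    """Server side: (user, password) from an Authorization header, or None if malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def _password_ok(user, password):
    record = USER_HASHES.get(user)
    if record is None:
        _pbkdf2(password, b"no-such-user")  # same work for unknown users (timing)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _pbkdf2(password, salt))


def authorize(path, authorization=None):
    """Decide a request for `path`: returns (HTTP status, extra response headers)."""
    # Normalise first so /cins101/../x and /CINS101/ cannot dodge the folder check
    # (the server in the text is IIS, whose paths are case-insensitive).
    path = posixpath.normpath(path).lower()
    group = None
    for folder, g in PROTECTED_FOLDERS.items():
        if path == folder.rstrip("/") or path.startswith(folder):
            group = g
            break
    if group is None:
        return 200, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}  # triggers the prompt
    creds = parse_basic_header(authorization)
    if creds is None or not _password_ok(*creds):
        return 401, challenge
    if creds[0] not in GROUP_MEMBERS.get(group, set()):
        return 403, {}  # valid account, but not in the group granted this folder
    return 200, {}


def seen_on_the_wire(authorization):
    """What a sniffer on plain http:// recovers: Basic credentials are encoded, not encrypted."""
    return parse_basic_header(authorization)


if __name__ == "__main__":
    hdr = make_basic_header("jdoe", "cougars99")
    print(authorize("/cins101/syllabus.htm"))        # 401 with a challenge: browser prompts
    print(authorize("/cins101/syllabus.htm", hdr))   # 200: jdoe is in the folder's group
    print(seen_on_the_wire(hdr))                     # the credentials, recovered from the header
```

The group lookup is deliberately separate from the password check, mirroring the page's practice: changing who may see a folder means editing GROUP_MEMBERS, never the folder-to-group grant.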

About Data Encryption Security

With "data encryption" security, data is encrypted as it is transferred back and forth between a user's browser and the Web server. This is normally done when collecting sensitive information (such as a person's social security number or a credit card number) via a form. Again, the purpose of doing this is to prevent the information from being viewed as it is transmitted across the Internet. Although there are multiple ways to do this, it is most easily accomplished on the Web server using special software.

The special software we use here at CSU is a server certificate from a company called VeriSign. Unfortunately, a certificate is issued for one host name, so the one we purchased is only good for one Web site, and we have applied it to www.colstate.edu. This means that any pages/forms which need this type of encryption security must be placed on the main Web site for now. Once a page is placed on this site, the Webmaster enables the encryption on the server for that particular page, thereby making the page accessible only using the "https://" protocol (as opposed to the normal "http://" protocol). For example:

Web Services Request Form

is a form which anyone can access, but which asks the user for his/her social security number. As such, we have moved it from the CINS Web site to the www.colstate.edu website. Everything else about the form remains the same: the same header, the same footer, the same theme, the same background, etc., as the rest of the CINS Web site. The only difference is that the links on the page are absolute rather than relative (for example, the CINS search page link on that page is http://cins.colstate.edu/search.htm rather than just "search.htm").

Notice that with this type of security a "lock" symbol does appear in the browser when the page is viewed, to indicate that information submitted via the form will be encrypted when transmitted back to the server. The lock reflects only how the page itself was loaded, so the form must also submit to an https:// address; a form that posts to an http:// address sends the data unencrypted even when the page displaying it came over https.

Implementing Data Encryption Security

Implementing data encryption security here at CSU using the VeriSign software is a simple process:

  1. Create the form/page in which you want the submitted data encrypted (see Using Forms at CSU for more information on creating forms).
  2. Submit a Web Services Request form detailing the fact that you want the data from the form encrypted; also state the location of the current form.

    The Webmaster will create the location on the www.colstate.edu site, move the form to that location, and set up the form so submitted data is encrypted, then provide this information back to you.
  3. Set up links to the form in its new location (be sure to include https in the address), then test the form to verify that it works as expected: the lock should appear when the page loads, and the form should still submit successfully over https.

That's all there is to it!
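As an added example (not the page's own code or CSU's setup), the following Python checker performs the checks step 3 asks for on a saved copy of the form page and of the pages that link to it: the page itself is served over https; every form's action address resolves to https (a form loaded over https that posts to an http:// address still sends the data in the clear); relative links are flagged, because they stop working once the page has been moved to www.colstate.edu; and links to the form elsewhere use https. The HTML and URLs in it are constructed for the example and are not the real location of the Web Services Request Form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkAndFormCollector(HTMLParser):
    """Collects every <form action> and <a href> on a page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def _collect(html):
    collector = _LinkAndFormCollector()
    collector.feed(html)
    return collector


def audit_form_page(html, page_url):
    """Findings for a form page moved to the https site. Each finding is (code, detail)."""
    page = _collect(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("page-not-https", page_url))
    for action in page.form_actions:
        target = urljoin(page_url, action)  # an empty action means "post back to this page"
        if urlsplit(target).scheme != "https":
            # The lock only reflects how the page was loaded; an http:// action
            # sends the submitted data unencrypted regardless.
            findings.append(("form-action-not-https", target))
    for href in page.hrefs:
        parts = urlsplit(href)
        if parts.scheme in ("mailto", "javascript") or not (parts.netloc or parts.path):
            continue  # fragment-only links such as #top are harmless
        if not parts.scheme:
            # A relative link now resolves against www.colstate.edu rather than
            # the page's original site, which is why the text makes links absolute.
            findings.append(("relative-link", href))
    return findings


def audit_links_to_form(html, form_url):
    """On the pages that link to the moved form: every link to it must use https."""
    want = urlsplit(form_url)
    findings = []
    for href in _collect(html).hrefs:
        parts = urlsplit(href)
        same_form = parts.netloc.lower() == want.netloc.lower() and parts.path == want.path
        if same_form and parts.scheme != "https":
            findings.append(("link-to-form-not-https", href))
    return findings


# Constructed sample pages; the URLs are hypothetical, not CSU's real form location.
SAMPLE_FORM_PAGE = """<html><body>
<a href="http://cins.colstate.edu/index.htm">CINS Home</a>
<a href="search.htm">Search</a>
<a href="#top">Top</a>
<form action="http://www.colstate.edu/forms/submit.asp" method="post"><input name="ssn"></form>
<form action="submit.asp" method="post"><input name="name"></form>
</body></html>"""

SAMPLE_LINKING_PAGE = """<a href="http://www.colstate.edu/forms/request.htm">Request (wrong)</a>
<a href="https://www.colstate.edu/forms/request.htm">Request (right)</a>"""

if __name__ == "__main__":
    form_url = "https://www.colstate.edu/forms/request.htm"
    for finding in audit_form_page(SAMPLE_FORM_PAGE, form_url):
        print(*finding)
    for finding in audit_links_to_form(SAMPLE_LINKING_PAGE, form_url):
        print(*finding)
```

Run it against the saved HTML of the moved form and of each page that links to it; an empty findings list for both is the condition under which the lock in the browser actually means what the text says it means.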

One final note: since these two types of security are independent of each other, you can also combine them. That is, you can have a page which has limited access and which uses encryption in communicating information to the server.