Eos, Engineering Computing at North Carolina State University

Search, Stats, Security

Owners of web sites often want to put a search tool in place to help visitors find the information they need, particularly when a site grows large. They also want analytic services that collect and report on how their sites are being used. Finally, they need to know how to secure pages and apps at their site.

Google Search and Analytics

Google provides a free and specialized University Search.  Google can be easily set up to search a single domain, e.g., www.engr.ncsu.edu or across specified domains.

Get Started By Visiting
Implementing Google Custom Search

We also have instructions on how to add a Google search.

Google University Search will not allow banner ads or any other kinds of paid advertising on the search results pages. However, it may show a text link for Google products or services.

Google refreshes its entire index about once a month, so you may find that new content does not immediately appear in search results.

Web Statistics with AWStats

Site-use data and statistics are available to owners and webmasters of college and department web sites via the AWStats software. To access statistics for your web site, append your site's URL to http://webstats.engr.ncsu.edu/, e.g., for stats on the engineering undergrad site:

http://webstats.engr.ncsu.edu/www.engr.ncsu.edu/undergrad/

Web site statistics can only be displayed and read by the site owner and those with access to the site, see also http://webstats.engr.ncsu.edu/.

The college web infrastructure is designed to scale securely to a large number of users and employ cost-effective technologies, such as those from the open-source community.

WRAP

SSL-based authentication to secure web pages is through WRAP, or Web Realm Authentication Protocol, a web-security technology developed at NCSU. When you log in to WRAP, your username and password are sent to an SSL-secured server where they are verified. Additionally, some vhosts are SSL enabled as needed.

In AFS, you secure directories, not individual files. If you have content to restrict to certain users, create a .htaccess file and place it in the directory you want to secure. Put the following code in the .htaccess file to require a login with a campus Unity ID to any pages in the directory.

AuthType WRAP
require affiliation ncsu.edu
require known-user

Read more about creating .htaccess files at NC State.

Securing Web Apps

1. Know your security personnel and educate yourself in web security before installing applications.  For engineering web security questions, contact engr-webmaster@ncsu.edu.
2. Do not install applications, such as CMSs, in the root of site.
3. Remove any unecessary installation-specific files after you've completed the installation.
4. Avoid using administrative passwords directly in your code.
5. Configure the app to follow open-base dir restrictions, which reference down the tree and not up to keep scripts out of other web sites on the server.
6. Check for errors in your application using webtest.
7. Clean up errors that go into error log.
8. If you have an administrative interface for your web app, restrict access to as few people as possible using WRAP.
9. Use WRAP rather than applications accounts whenever possible.  Avoid being in charge of accounts and passwords.
10. Never store passwords in plain text within a database, use one-way encryption functions such as md5() within PHP to hash sensitive data.
11. Remove server write access from any database you request once it is no longer needed.
12. Monitor what goes into form fields.  Good input validation will prevent attacks and SQL injections.
13. Eliminate open redirects and symlinks.
14. Turn off all methods you don't use; get/post is generally all you need.
15. Remove old apps to prevent exploitation.