Have all BNL FTP servers, web servers, and other externally facing services that accept content configured to prevent the anonymous upload and subsequent download of inappropriate material.
Recent Red Team activities identified pornographic material hosted for download on BNL FTP servers. The servers were configured to allow anonymous upload of material with no administrator involvement before the files became available for download, and with no alteration of file names or directories to hinder downloads. Although the FTP servers were outside the BNL perimeter and cleaning up the files is a minor activity, the risk to BNL operations is large because of the political sensitivity of these incidents to BNL and the DOE. The perception that BNL hosts pornographic files becomes a political issue in the upper echelons of the DOE Office of Science and damages the reputation of both BNL and DOE. The reactions from the DOE Office of Science and higher levels of government are unpredictable and can seriously damage BNL operations for extended periods. Because of these political ramifications, FTP server configurations must be tightly controlled to avoid such consequences.
Other services that allow anonymous uploads include content submitted through a wiki or web forum, web applications that accept submissions (for example, Indico), and web servers. This policy statement is written to cover all externally facing services that accept anonymous content.
Externally facing services must be configured with mitigating controls in place to prevent the anonymous upload and subsequent download of inappropriate materials. Anonymous uploads from unauthorized sources without mitigating controls must have a documented business justification approved by the local DOE Site Office.
Externally facing services configured to allow unimpeded anonymous uploads and downloads without mitigating controls will be blocked from the network upon discovery.
Recommended mitigating controls for FTP servers include:
FTP - File Transfer Protocol - Common Internet file transfer mechanism.
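The Red Team finding above is a specific misconfiguration: an FTP server that accepts anonymous uploads and immediately serves them back. The following audit script is an added example, not part of this policy or of any BNL tooling, and checks a vsftpd configuration for exactly that combination. It assumes a simplified model of vsftpd behaviour: uploaded files are created with mode 0666 masked by anon_umask and owned by ftp_username unless chown_uploads is set, and with anon_world_readable_only=YES an anonymous session may only download world-readable files. The two sample configurations and the ftpupload account are constructed for illustration.

```python
"""Audit a vsftpd configuration for the anonymous 'drop box' failure mode:
anonymous users upload a file and can immediately download it again.
Assumed vsftpd semantics (simplified): uploads are created with mode
0666 & ~anon_umask and owned by ftp_username unless chown_uploads=YES;
with anon_world_readable_only=YES anonymous sessions may only download
world-readable files, otherwise anything the ftp user can read."""

# vsftpd defaults for the options this audit looks at
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_umask": "077",
    "anon_world_readable_only": "YES",
    "chown_uploads": "NO",
    "chown_username": "root",
    "ftp_username": "ftp",
}


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def as_bool(value):
    """vsftpd accepts YES/NO, TRUE/FALSE and 1/0, case-insensitively."""
    return value.strip().upper() in ("YES", "TRUE", "1")


def as_umask(value):
    """vsftpd reads the value as octal only with a leading 0, else as base 10."""
    value = value.strip()
    return int(value, 8) if value.startswith("0") else int(value, 10)


def assess(settings):
    """Report whether anonymous uploads are allowed and whether an anonymous
    session could download them again, with the reasons."""
    uploads_allowed = (as_bool(settings["anonymous_enable"])
                       and as_bool(settings["write_enable"])
                       and as_bool(settings["anon_upload_enable"]))
    if not uploads_allowed:
        return {"uploads_allowed": False, "retrievable": False, "findings": []}

    findings = []
    mode = 0o666 & ~as_umask(settings["anon_umask"]) & 0o777  # mode of a fresh upload
    other_read = bool(mode & 0o004)
    owner_read = bool(mode & 0o400)
    owner = (settings["chown_username"] if as_bool(settings["chown_uploads"])
             else settings["ftp_username"])
    # The anonymous session runs as ftp_username; group membership is ignored here.
    readable_by_ftp_user = other_read or (owner == settings["ftp_username"] and owner_read)

    if as_bool(settings["anon_world_readable_only"]):
        retrievable = other_read
        if other_read:
            findings.append(f"anon_umask={settings['anon_umask']} leaves uploads "
                            f"world-readable (mode {mode:04o}); set anon_umask=077")
    else:
        retrievable = readable_by_ftp_user
        findings.append("anon_world_readable_only=NO: anonymous sessions may read any "
                        "file the ftp user can read; leave it at the default YES")
        if owner == settings["ftp_username"] and owner_read:
            findings.append("uploads stay owned by the ftp user; set chown_uploads=YES "
                            "with a dedicated chown_username so the ftp user cannot read them")
    return {"uploads_allowed": True, "retrievable": retrievable,
            "mode": mode, "owner": owner, "findings": findings}


def audit(conf_text):
    return assess(parse_vsftpd_conf(conf_text))


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
# anonymous upload with files immediately downloadable
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=022
"""

HARDENED_CONF = """\
# anonymous drop box: uploads accepted but never served back
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=077
anon_world_readable_only=YES
chown_uploads=YES
# ftpupload is an assumed dedicated, unprivileged account
chown_username=ftpupload
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The audit covers only the daemon configuration. The upload directory itself should also be owned by the chown target and given write-but-not-read permission (for example mode 0733) so anonymous sessions cannot list what others have dropped, which is the "alteration of file names or directories" control the Red Team noted was missing. Note the as_umask rule: a value written without the leading 0 (anon_umask=22) is read by vsftpd as decimal, so always write the octal form.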