New York University Skip to Content Skip to Search Skip to Navigation Skip to Sub Navigation


General i4 Account Information

A good starting point for new webmasters with sites on the non-CMS web server is to first familiarize yourself with the environment on which you will be developing your site. The Tutorials section presents a series of instructions for working with the UNIX operating system and also how to use a Secure File Transfer application to manage your files.

Account sharing is a violation of ITS policy.

If someone else needs to access your site, they will need to obtain their own account on the i4 server. Instructions on how to apply for an account are available on the NYU IT Webmaster Account page.

Keep in mind that your i4 account password is your NetID password. Your NetID password authenticates you for a number of secure services at NYU - including your email, your grades (if you're a student) and your paycheck information (if you're an employee).

If you have let someone use your i4 account information, we recommend that you change your NetID password immediately by visiting the Start Page.

To make your connections to the web server more secure, you should use secure software clients.

Secure Shell (SSH) Software
The machine, which provides shell access to the main NYU Web server, only supports SSH (not Telnet). In a secure shell session, the information being sent back and forth (such as your password) is scrambled, so that if a mischief-maker intercepts your keystrokes, the data will be unreadable. This is especially useful if you are connecting from off-campus.

NYU IT currently supports PuTTY (for PC). Mac OSX users may use the Terminal program that ships with OSX.

Additional information on establishing a secure connection to is available in the tutorials section.  

Secure File Transfer Protocol (SFTP) Software
At NYU, we require SFTP for file transfers, and recommend using a graphical SFTP program for access to the web server. NYU IT distributes Fetch software (for Macintosh), and the NYU Web Team supports Fugu for Macintosh, and WinSCP for PC. While you may use other programs, such as Cyberduck, Dreamweaver, and Transmit, they are not supported by the NYU Web Team.

Visit our SFTP Guide for more information.

For information on how to request a departmental or organizational Group, please see the ServiceLink Knowledge base.

Security Concerns

It is absolutely essential to confirm that all NYU-related websites are operating in a secure manner.

A general rule: Be aware that the main NYU Web server,, is a publicly accessible server. You must consider any file stored there to be generally available. As search engine technology has become more sophisticated, there may be no such thing as a "hidden" directory or file. Data files containing sensitive information should NOT be stored on the web server.

Perform a Site Review
If you're being asked to collect sensitive information through your website, you must get written approval for doing so from a senior officer in your school or area and also get technical certification from NYU IT before you implement any application. Contact for more information.

Information that may be considered "sensitive": social security numbers, driver's license number (DLN), date of birth (DOB), mother's maiden name, bank account numbers, employee numbers. Review the Data Classification Table to see additional information about data classification at NYU.

NYU is subject to various federal, state and local regulations. Among these are the Federal Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act as well as NY State consumer protection regulations. You should also be aware of any NYU policies that impact your site. For these reasons and the general security concerns above, do not collect or store highly sensitive information on your site(s). Where necessary, use the NYU NetID as a unique identifier and consult NYU IT on proper use of the NetID.

Regularly review all contents of the Web site(s) you maintain. You should remove outdated and irrelevant files and directories (for example, files and directories called "old"), including any backup (.bak) or archive files (.zip, .sit). A production Web server is not an appropriate place for such files. You must also remove any executable files (.exe).

Deactivate any application or form that asks for Student ID or other sensitive personal information. Before reactivating any such application, you must contact for approval.

Review the access privileges on all files on your site(s). Ensure that the privileges are set appropriately to protect sensitive files from publication and from indexing by search engines. You can get more information about properly setting UNIX file permissions in our Tutorials section.

NYU IT uses many methods to protect the security of the web server, so it is unlikely that your site will be attacked. However, there are times when webmasters notice unexpected and unauthorized changes to their site.

The most common cause of these unexpected changes are incorrectly set UNIX permissions, which allow set your files or directories to be "world-writable". If you use a Secure FTP (SFTP) program to upload files to your page, or if you use an authoring program, it's a good idea to log in periodically to check that the permissions on files are correctly set.

The other common cause of changes is not closing out accounts of former webmasters. If someone is no longer an authorized webmaster, you need to notify the NYU Web Team immediately, so that we can terminate their access to your site and transfer the necessary privileges to the correct person.

To prevent the harvesting of your or your organization's email address from your web pages on NYU Web (non-CMS), we recommend that you implement one of the two solutions offered below to replace your "mailto" links on html pages.

1. JavaScript Replacement
For example, if your email address is, you would insert the following code, replacing user with the information to the left of the @ sign and replacing site with your host name.

<script type = "text/javascript">
<!-- Begin
user = "";
site = "";

document.write('<a href=\"mailto:' + user + '@' + site + '\">');
document.write(user + '@' + site + '</a>');
// End -->

2. ASCII Code Replacement
You can replace the @ sign in your "mailto" links with the ASCII code equivalent: &#064;

For example, if your email address is, you would do the following:

<a href=";">;</a>

This will produce a link that says

From The Web Robots FAQ:

What is a WWW robot?
A robot is a program that automatically traverses the Web's hypertext structure by retrieving a document, and recursively retrieving all documents that are referenced. Web robots are sometimes referred to as Web Wanderers, Web Crawlers, or Spiders. These names are a bit misleading as they give the impression the software itself moves between sites like a virus; this not the case, a robot simply visits sites by requesting documents from them.

How do I prevent robots scanning my site?
On the non-CMS based web server, the quick way to prevent robots from visiting your site is put the following 2 lines into a file called robots.txt in the root directory of your site:

User-agent: *
Disallow: /

This will signal to the robot that the directory contents in which the robots.txt file is placed may not be scanned.

Technical Information

UNIX is a computer operating system, like Windows or Macintosh OS; a master program that coordinates other programs' activities and manages files.

The server uses Solaris, a proprietary version of UNIX from the Sun Corporation.  The NYU Web server cluster uses Linux, a Unix-like operating system.

UNIX allows a number of people to work on the same machine at once and have access to shared files. This allows hundreds of members of the NYU community to develop and maintain content for NYU Web; you and your colleagues may even have been put into a web permissions group on the i4 machine so you can share file access to content in your web directory.

UNIX allows you to designate, on a file-by-file basis, who has permission to read the file and and/or write to the file. This is known as setting file permissions. When you upload a file, you become the owner of that file and it is assigned (usually) to the default web permissions group that you are in. But, unless you say that other group members have permission to write to the file, they cannot make modifications, they'll only be able to read the file.

See our tutorials on Viewing and Modifying UNIX Permissions and Viewing and Viewing and Modifying Permissions with SFTP for more information.

To ensure that your Web directory is secure, you can install a restriction file called .htaccess.

A .htaccess file allows you to protect your web page, site, or directory from being accessed by unwanted public users. This file will prevent web access by anyone who does not have permission to view your site.

For example, you could deny access to machines outside the NYU network or allow access for only the machines in the NYU Information Technology (NYU IT) subnet. You could also create a username and password scheme so that only select individuals who know the username and password can access your site. Another option is to restrict the site to only those with NYU NetIDs and passwords.

Learn how to Restrict User Access in our Tutorials section...

NYU uses a statistics analysis program called Urchin that provides detailed reports about who is visiting your website.

Visit the Analytics section of the Digital Communications website for more information.


The main NYU web server is a shared resource. Please do not upload or implement any (open source, commercial, or self-created) scripts without first consulting the NYU Web Team (this includes bulletin board software, blogs and wiki applications).

We have made a basic formmail script available for use within web sites.

However, if you wish to implement or create your own Perl or PHP scripts, you must first send an email to with the following information:

  1. Provide a brief history of your scripting/programming experience.
  2. Provide a description of how you plan to implement scripting into your site.
  3. For each script you plan to use, please include:
  4. The name of the script (including version, if applicable)
  5. The script author (if not yourself)
  6. An outline of the script's purpose (what does it do?)
  7. Location of where you obtained the script (e.g. -URL of Web site from which you downloaded the script if you did not write it yourself)
  8. Timeline of script's use - for example - are you adding an application for a specific event with a deadline?

Requests will be reviewed and if approved, you will be enabled for cgiwrap on the web server to run Perl scripts. Keep in mind that we run PHP in safe mode; it is "locked-down" for security purposes. Safe mode disables or restricts a number of common functions, most of which involve reading from or writing to the filesystem (e.g. file uploads). We don't display any error messages and register_globals is turned off.

Please note, the NYU Web Team cannot write or modify scripts for your site and can only provide limited technical support. If you don't know what the script does, think twice about implementing the script. If you have more complicated site needs, you may wish to consult with Digital Communications.

Secure Sockets Layer (SSL)
Secure Sockets Layers (SSL) can increase the security of your data. When you use SSL, information is encrypted as it leaves your computer.

If your page is publicly available, it makes little sense to encrypt it for transfer over the network; everyone can already see it.

Sometimes, however, a page may accept sensitive data, for example, usernames and passwords. In this case, sending the information over the network in an unencrypted form permits snooping, i.e., the act of "spying" on network traffic as it passes from point A to point B. (Remember that when you download a page from, say,, that page passes through possibly many other networks before reaching your computer.)

When you use SSL, information is encrypted as it leaves your computer. Anyone snooping the data while it's on the network will see only random characters, not the information as it was originally formatted.

Once the traffic reaches its final destination, the destination computer decrypts the encrypted data, returning it to its original state. It then forwards the decrypted data to the recipient. To both the sender and the recipient of the data, the encryption/decryption process is transparent.

Activating SSL on requires changing any intra-site http links into https links. If you’re using relative links in your pages (links that do not include the full URL), then SSL-enabling your entire site might mean having to change only the entrance URL from http to https. Experienced webmasters may know that a http-style URL maps to port 80 on the server machine, while https-style URLs map to port 443. If you want to selectively activate SSL within your site, you will need to use full http or https URLs in your pages. (Don’t forget to test the links.) SSL-capable browsers that follow your https links will use the encryption layer SSL provides.

If you're using .htaccess restriction files with NetID/NetID password authentication, you are required to have SSL in place.

Use the code below within your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-HTTP} !NYUhttps
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]


Write to: if you have any questions.

Design Information

New York University understands the importance and value of clear, coordinated, and consistent communications in contributing to our reputation as a leader in the field of higher education and our emergence as the world's first Global Network University -- allowing us to attract the best students, premier faculty, and strategic partnerships.

Digital Communications provides a University Identity and Style Guide for those who wish to review design standards.

Questions? Write to for assistance.


Each NYU school has its own Webmaster who manages the site as a whole, and each school handles the management of its departmental sites differently.

If you've been assigned to manage a departmental site, before you begin to redesign your pages, check with your school's webmaster first to see if there are any required design elements. 

See our list of School Webmasters for more information.

Note: Do not lift graphics from other web sites, including any NYU web sites, and use them on your site. Many of these images are either purchased for a specific use or have been commissioned by a department for their use. If there is a graphic on another NYU web site that you are interested in using, contact the administrators of that site to ask for permission. If permission is granted, please request the appropriate quality artwork.

Please consult the University Identity and Style Guide for information about available NYU logos, business kits, and other helpful resources.

Questions? Write to for assistance.

Need Assistance?

Many of the resources in this guide are specific to the main (non-CMS) NYU Web server,, accessed through an account on the machine. If you have questions about a site that is not on this server, please contact your school's webmaster or write to for more information.

Photo of Questions? Written on a Piece of Paper


NYU Webmasters Discussion Forum

To subscribe to the NYU Webmasters discussion forum, visit the Google Groups page at:

Note: This is a private forum for official NYU Webmasters and all membership requests must first be approved.

NYU Footer