Security - Non-Sensitive

Education Center on Computational Science and Engineering

Network Security Precautions

Prepared by: Tom Handal

Tommy@edcenter.sdsu.edu

16 July, 1999

Systems affected

SUN Ultra-2 System Running Solaris 5
Pentium-II PCs Running RedHat Linux 6.0, 3 each
Pentium-II Machines running Windows NT 4.0

Security Measures for SUN Ultra-2

1. Recommend upgrading Operating System to Solaris 7

The Solaris 7 Operating Environment includes an industry standard security framework, Generic Security Service API (GSS-API) allowing customers to "plug-n-play" their specific mechanism. This will enable authentication mechanism such as Sun Enterprise Authentication Mechanism (SEAM) to be plugged-in to GSS-API to secure NFS and network services such as ftp, telnet, rsh and rlogin. Other security features include enhancements to NIS+ authentication, and Berkeley Internet Name Deamon (BIND) version 8.1.2 for better network security through the use of access control lists (ACL's).

Source: SUN Microsystems - http://www.sun.com/solaris/faqs/sol7faqs.html#security

2. Recommend disabling TELNET on edcenter.sdsu.edu

SSH 1.0 and 2.0 are currently installed and running on

Sun Ultra-2 System

3. List of deamons running on Sun Ultra-2 must be obtained and analyzed for known security holes, namely open ports that are not used.

4. Recommend limiting users that have SENDMAIL access to Sun Ultra-2 System. This will help prevent spamming through our server and also prevent mail bombing and things of that nature.

5. Sociology Workbench Web Site Security Measures

SWB resides on the Sun Ultra-2 System and is potential target for hackers, therefore SWB web directory structure should be modified.
At this time, SWB development is done under the swb account on the Sun Ultra-2 System. Several developers have access to this account.
Recommend that each developer securely work under his/her own account.
File permissions should be such that the swb account can read the work of the developers so it can offer the data to the user, but is not able to have write access to this data.
Recommend that the developers of SWB double check all CGI scripts.
Be sure that all accounts on this machine have passwords that are at least 6 characters in length and are not dictionary words, names, or plain numbers. Have the passwords on the accounts changed every few months.

Security Measures for RedHat Linux 6.0 PCs

List of deamons running on these machines must be obtained and analyzed for known security holes, namely open ports that are not used.
SSH should be installed on all PCs running RedHat Linux 6.0
APACHE Web Server (httpd) should be shut down on these machines, due to the fact that we do not serve web sites from these systems.
Recommend disabling INETD on these machines. This will effectively disable TELNET and FTP.
Recommend disabling SENDMAIL deamon on these machines
Check with RedHat for possible updates/patches for versions of software, especially network software on these machines. This should be done periodically to maintain a high level of network security.
Be sure that all accounts on these machines have passwords that are at least 6 characters in length and are not dictionary words, names, or plain numbers. Have passwords on accounts changed every few months.

Security Measures for Windows NT 4.0 Machines

1. Recommend machines are updates with latest Service Packs and patches.

2. Microsoft Internet Explorer must be periodically checked for security issues by checking http://www.microsoft.com

3. Be sure that all accounts on these machines have passwords that are at least 6 characters in length and are not dictionary words, names or plain numbers. Have passwords on account changed every few months.