Workstation and Server Security

• What to do in case of intrusion
• Linux Workstation Security
• SANS Top Twenty Security Problems

Operators of Unix workstations and servers -- as well as Windows computers offering network services -- must keep security in mind at all times when administering these systems. Attacks against Unix and Windows network services have increased dramatically in the recent past, and show no signs of abating.

The time to start thinking about system security is before installing a new system. The CERT/CC has written a checklist of steps to improve system security on Unix hosts, from initial installation to ongoing maintenance. The SANS Institute offers a similar Top Twenty List of Windows and Unix vulnerabilities. Checking for these vulnerabilities can make significant inroads into preventing successful attacks.

Windows servers, like Windows desktop systems, can be affected by viruses and other hostile programs. Worms -- virus-like programs that spread via network services -- can attack servers with security vulnerabilities. Check regularly for Microsoft hotfixes and patches to Windows and Windows services.

Whenever you set up a server system, or a Unix workstation, take care to disable any unneeded network services. Programs such as Unix netstat and lsof -i can help you identify currently running services. Every service running is a potential avenue of attack; by turning off those you don't need, you cut off attacks before they happen.

On System V Unix systems and Linux systems, look to shut off daemon services by removing or altering startup scripts in /etc/init.d or /etc/rc.d. On Unix and older Linux systems, check /etc/inetd.conf for services run from the inetd superserver -- or /etc/xinetd.d on systems that use xinetd.

A commonly exploited service is the SMTP, or email, server. Unix systems are often set up to run sendmail as a daemon, which is usually unnecessary. Sendmail has a long history of vulnerabilities, and older versions commonly allow "open relaying", which lets spammers abuse your system to send spam to other sites. Windows server systems may also have an SMTP server installed unnecessarily, especially alongside the IIS Web server.

Every user account on your system needs a password -- and passwords need to be complex enough to foil automated password guessing programs! Use combinations of letters, numbers, and punctuation symbols to make passwords harder to guess. If you have trouble remembering compelex passwords, try using the initials of a phrase, modified suitably: for instance, tWm|n-1R from Abraham Lincoln's "the world may little note nor long remember", with | and 1 standing in for the letter L.

Restrict access to network services with TCP Wrappers, xinetd, or other access filtering utilities. Linux users should look into Bastille Linux, a system for hardening Linux system security.

Web server administrators: Beware of "test" CGI scripts! Many Web servers, including versions of Microsoft IIS and some Unix vendors' distributions of Apache, come with CGI scripts intended to test or demonstrate the Web server features. Many of these scripts are badly programmed and, if exposed to the world, can provide attackers with easy access to your system. Remove all sample and test CGI scripts before starting up your Web server.

Please use Secure Shell (SSH) rather than Telnet or rlogin for remote login to Unix and Linux hosts. Telnet is unencrypted and allows eavesdroppers to intercept your password. rlogin and rsh are worse, allowing anyone who can forge packets to gain access to trusting systems. Many current systems come with some form of SSH installed; CIS recommends the OpenBSD Project's OpenSSH server and client. Windows users can use OpenSSH with the Cygwin Unix emulation environment. Non-Unix SSH implementations can be found at FreeSSH.

When in doubt, ask CIS! We're here to help you and will happily review your system for known security problems. CIS staff can provide advice as well as hands-on assistance in improving the security of your system. Contact the CIS support staff for your computing platform for more information on securing your system.

Keep in mind -- securing your system can be a lot of work, but the payoff in protection against attacks is well worth it. Just as having insurance costs a little money but pays off by covering large expenses in case of accident, securing your system may cost time (and money) today, but prevents much greater costs in the future.