Workstation and Server Security

Operators of Unix workstations and servers -- as well as Windows
computers offering network services -- must keep security in mind
at all times when administering these systems. Attacks against
Unix and Windows network services have increased dramatically
in the recent past, and show no signs of abating.

The time to start thinking about system security is before installing
a new system. The CERT/CC
has written a checklist
of steps to improve system security on Unix hosts, from initial
installation to ongoing maintenance. The SANS
Institute offers a similar Top Twenty List of Windows and Unix
vulnerabilities. Checking for these vulnerabilities can make
significant inroads into preventing successful attacks.

Windows servers, like Windows desktop systems, can be affected
by viruses and other hostile programs. Worms -- virus-like
programs that spread via network services -- can attack servers
with security vulnerabilities. Check regularly for Microsoft
hotfixes and patches to Windows and Windows services.

Whenever you set up a server system, or a Unix workstation,
take care to disable any unneeded network services. Programs
such as Unix netstat and lsof -i can help you
identify currently running services. Every service running is
a potential avenue of attack; by turning off those you don't need,
you cut off attacks before they happen.

On System V Unix systems and Linux systems, look to shut off
daemon services by removing or altering startup scripts in /etc/init.d
or /etc/rc.d. On Unix and older Linux systems, check
/etc/inetd.conf for services run from the inetd
superserver -- or /etc/xinetd.d on systems that use xinetd.

A commonly exploited service is the SMTP, or email, server.
Unix systems are often set up to run sendmail as a daemon,
which is usually unnecessary. Sendmail has a long history of vulnerabilities,
and older versions commonly allow "open relaying", which lets
spammers abuse your system to send spam to other sites. Windows
server systems may also have an SMTP server installed unnecessarily,
especially alongside the IIS Web server.

Every user account on your system needs a password -- and passwords
need to be complex enough to foil automated password guessing
programs! Use combinations of letters, numbers, and punctuation
symbols to make passwords harder to guess. If you have trouble
remembering complex passwords, try using the initials of a phrase,
modified suitably: for instance, tWm|n-1R from Abraham
Lincoln's "the world may little note nor long remember", with
| and 1 standing in for the letter L.

Restrict access to network services with TCP Wrappers,
xinetd, or other access filtering utilities. Linux users
should look into Bastille
Linux, a system for hardening Linux system security.

Web server administrators: Beware of "test" CGI scripts!
Many Web servers, including versions of Microsoft IIS and some
Unix vendors' distributions of Apache, come with CGI scripts intended
to test or demonstrate the Web server features. Many of these
scripts are badly programmed and, if exposed to the world, can
provide attackers with easy access to your system. Remove all
sample and test CGI scripts before starting up your Web server.

Please use Secure Shell (SSH) rather than Telnet or rlogin
for remote login to Unix and Linux hosts. Telnet is unencrypted
and allows eavesdroppers to intercept your password. rlogin
and rsh are worse, allowing anyone who can forge packets
to gain access to trusting systems. Many current systems come
with some form of SSH installed; CIS recommends the OpenBSD Project's
server and client. Windows users can use OpenSSH with the Cygwin
Unix emulation environment. Non-Unix SSH implementations can be
found at FreeSSH.
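
An added example (not part of the original page, and not CIS's own tooling): a small shell audit that reads an inetd.conf-format file and an xinetd.d directory, the two locations named above, and flags Telnet, rlogin and rsh entries that are still enabled. The sample configuration is constructed, and the xinetd parser assumes the usual spacing in "disable = yes".

```shell
#!/bin/sh
# Added example, not from the original page: list the services that inetd
# and xinetd configuration leave enabled, and flag cleartext/trust-based
# logins. /etc/services names: login = rlogin, shell = rsh.
RISKY="telnet login shell"

# Print the service name of every active (uncommented) inetd.conf entry.
# Fields: service socket-type protocol wait-flag user server-program [args]
inetd_enabled() {
    awk '$1 ~ /^#/ || NF < 6 { next } { print $1 }' "$1"
}

# Print every xinetd service not marked "disable = yes".
# Assumes the usual spacing around "=" in the attribute line.
xinetd_enabled() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            awk '$1 == "service" { name = $2; off = 0 }
                 $1 == "disable" && $3 == "yes" { off = 1 }
                 $1 == "}" && name != "" { if (!off) print name; name = "" }' "$f"
        fi
    done
}

# Read service names on stdin; print only those listed in $RISKY.
flag_risky() {
    while read -r svc; do
        case " $RISKY " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Constructed sample configuration in a scratch directory (removed on exit).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/xinetd.d"
cat > "$SAMPLE/inetd.conf" <<'EOF'
# constructed sample, not from a real host
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell  stream tcp nowait root /usr/sbin/tcpd in.rshd
login   stream tcp nowait root /usr/sbin/tcpd in.rlogind
EOF
printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$SAMPLE/xinetd.d/telnet"
printf 'service shell\n{\n\tdisable = no\n}\n' > "$SAMPLE/xinetd.d/rsh"
echo "inetd enabled:  $(inetd_enabled "$SAMPLE/inetd.conf" | tr '\n' ' ')"
echo "inetd flagged:  $(inetd_enabled "$SAMPLE/inetd.conf" | flag_risky | tr '\n' ' ')"
echo "xinetd flagged: $(xinetd_enabled "$SAMPLE/xinetd.d" | flag_risky | tr '\n' ' ')"
```

To audit a real host, pass /etc/inetd.conf and /etc/xinetd.d to the two functions in place of the sample paths; anything the script flags is a candidate for commenting out or setting to "disable = yes".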

When in doubt, ask CIS! We're here to help you and will
happily review your system for known security problems. CIS staff
can provide advice as well as hands-on assistance in improving
the security of your system. Contact the CIS support staff for
your computing platform for more information on securing your

Keep in mind -- securing your system can be a lot of work, but
the payoff in protection against attacks is well worth it. Just
as having insurance costs a little money but pays off by covering
large expenses in case of accident, securing your system may cost
time (and money) today, but prevents much greater costs in the