
A.20 Chapter 19: Defending Accounts

  • Make sure that every account has a password.

  • Make sure to change the password of every "default" account that came with your Unix system. If possible, disable accounts such as uucp and daemon so that people cannot use them to log into your system.

  • Do not set up accounts that run single commands.

  • Instead of logging into the root account, log into your own account and use su or sudo.

  • Do not create "default" or "guest" accounts for visitors.

  • If you need to set up an account that can run only a few commands, use the rsh restricted shell (the restricted Bourne shell, not the remote-shell command of the same name).

  • Think about creating restricted filesystem accounts for special-purpose commands or users.

  • Do not set up a single account that is shared by a group of people. Use the group ID mechanism instead.

  • Monitor the format and contents of the /etc/passwd file.

  • Put time/tty restrictions on account logins as appropriate.

  • Disable dormant accounts on your computer.

  • Disable the accounts of people on extended vacations.

  • Establish a system by which accounts are always created with a fixed expiration date and must be renewed to be kept active.

  • Do not declare network connections, modems, or public terminals as "secure" in the /etc/default/login or /etc/ttys files.

  • Be careful about whom you put in the wheel group, as these people can use the su command to become the superuser (if applicable).

  • If possible, set your systems to require the root password when rebooting in single-user mode.

  • If your system supports the TCB/trusted path mechanism, enable it.

  • If your system allows the use of a longer password than the standard crypt() uses, enable it. Tell your users to use longer passwords.

  • Disable any login methods that expose cleartext passwords over a network link. Use SSH or some form of one-time password or token-based authentication, especially on accounts that may be used across a network link.

  • Consider using the Distributed Computing Environment (DCE) or Kerberos for any local network of single-user workstations, if your vendor software allows it.

  • Enable password constraints, if present in your software, to help prevent users from picking bad passwords. Otherwise, consider adding password-screening or -coaching software to assist your users in picking good passwords.

  • Consider cracking your own passwords periodically, but don't place much faith in results that show no cracked passwords.

  • If you have shadow password capability, enable it. If your software does not support a shadow password file, contact the vendor and request that such support be added.

  • If your system does not have a shadow password file, make sure that /etc/passwd cannot be read anonymously over the network via UUCP or TFTP.

  • If your computer supports password aging, set a lifetime between one and six months.

  • If you are using a central mail server or firewall, consider the benefits of account name aliasing.

  • Run a host-based intrusion detection system on every system; run a network intrusion detection system on network gateways. Act on the information.