Make sure that every account has a password.
Make sure to change the password of every "default" account that came with your Unix system. If possible, disable accounts such as uucp and daemon so that people cannot use them to log into your system: lock the password field and give them a non-login shell such as /sbin/nologin.
Do not set up accounts whose login shell is a single command; such accounts are hard to confine.
Instead of logging into the root account, log into your own account and use su or sudo.
Do not create "default" or "guest" accounts for visitors.
If you need to set up an account that can run only a few commands, use the restricted shell (rsh or sh -r; this is the restricted Bourne shell, not the remote-shell command of the same name). A restricted shell is only as strong as the commands it can reach: any program that offers a shell escape, such as an editor, lets the user out, so restrict PATH and choose the permitted commands carefully.
Think about creating restricted filesystem accounts (for example, chroot environments) for special-purpose commands or users.
Do not set up a single account that is shared by a group of people. Use the group ID mechanism instead.
Monitor the format and contents of the /etc/passwd file: watch for malformed lines, empty password fields, additional UID 0 accounts, duplicate UIDs, and system accounts that have acquired a login shell.
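The following script is an added example, not part of the original checklist, of the kind of check the items above ask for: it reads passwd(5)-format lines and reports empty password fields, UID 0 accounts other than root, duplicate UIDs, malformed lines, and low-UID system accounts (such as daemon) that still have a login shell. The passwd lines it runs against are constructed sample data, and the UID cut-off of 100 for "system account" and the nologin/false shell names are assumptions that vary by system.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the problems the checklist
# describes. SAMPLE_PASSWD is constructed sample data, not a real /etc/passwd.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor::0:0:second superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
guest::500:500:visitor:/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1000:1001:Bob:/home/bob:/bin/sh
broken:x:1002:1002:/home/broken:/bin/sh'

# audit_passwd reads passwd(5)-format lines on stdin and prints one finding
# per problem. On a real host: audit_passwd < /etc/passwd
# Assumptions: UIDs 1-99 are system accounts; a shell ending in "nologin" or
# "false" counts as a non-login shell.
audit_passwd() {
    awk -F: '
        NF != 7 { printf "%s: line %d has %d fields, expected 7\n", $1, NR, NF; next }
        $2 == ""                { printf "%s: empty password field\n", $1 }
        $3 == 0 && $1 != "root" { printf "%s: UID 0 account other than root\n", $1 }
        ($3 in seen)            { printf "%s: duplicate UID %s (also %s)\n", $1, $3, seen[$3] }
        { seen[$3] = $1 }
        $3 > 0 && $3 < 100 && $7 !~ /(nologin|false)$/ {
            printf "%s: system account with login shell %s\n", $1, $7
        }
    '
}

# count_findings returns how many findings the sample data produces.
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | grep -c .
}

# Run against the sample data when executed directly.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

Run it from cron and diff the output against the previous run; a new finding, or a line in /etc/passwd that was not there yesterday, is worth a look even when the file is otherwise well formed.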
Put time/tty restrictions on account logins as appropriate.
Disable dormant accounts on your computer.
Disable the accounts of people on extended vacations.
Establish a system by which accounts are always created with a fixed expiration date and must be renewed to be kept active.
Do not declare network connections, modems, or public terminals as "secure" in the /etc/default/login or /etc/ttys files; a "secure" terminal is one on which root may log in directly.
Be careful who you put in the wheel group: on systems that honor it, its members are the ones who can use the su command to become the superuser, so membership is close to a root grant.
If possible, set your systems to require the root password when rebooting in single-user mode.
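As an added illustration (not from the original checklist) of the two preceding items, here is how BSD-style /etc/ttys entries express them. The layout (name, getty command, terminal type, status, secure/insecure) follows the ttys(5) manual page; the device names and getty arguments are assumed examples and differ between systems.

```text
# /etc/ttys (BSD-style): name  getty-command  type  status  secure|insecure
# console marked insecure: init demands the root password in single-user mode
console none                          unknown  off         insecure
# directly attached terminal in a locked room: root may log in here
ttyv0   "/usr/libexec/getty Pc"       xterm    onifexists  secure
# modem line: never "secure"; users log in as themselves and then su
ttyu0   "/usr/libexec/getty std.9600" dialup   off         insecure
```

On older Linux systems the analogous list of root-capable terminals is /etc/securetty, and single-user mode is protected by running sulogin, which asks for the root password.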
If your system supports the TCB/trusted path mechanism, enable it.
If your system allows the use of a longer password than the standard crypt() uses (traditional crypt() looks at only the first eight characters and silently ignores the rest), enable it.
Tell your users to use longer passwords.
Disable any login methods that expose cleartext passwords over a network link (telnet, rlogin, ftp). Use SSH or some form of one-time password or token-based authentication, especially on accounts that may be used across a network link.
Consider using the Distributed Computing Environment (DCE) or Kerberos for any local network of single-user workstations, if your vendor software allows it.
Enable password constraints, if present in your software, to help prevent users from picking bad passwords. Otherwise, consider adding password-screening or -coaching software to assist your users in picking good passwords.
Consider cracking your own passwords periodically, but don't place much faith in results that show no cracked passwords: a clean run shows only that your wordlist and time budget found nothing, not that the passwords are strong.
If you have shadow password capability, enable it. If your software does not support a shadow password file, contact the vendor and request that such support be added.
If your system does not have a shadow password file, make sure that /etc/passwd cannot be read anonymously over the network via UUCP or TFTP.
If your computer supports password aging, set a lifetime between one and six months.
If you are using a central mail server or firewall, consider the benefits of account name aliasing.
Run a host-based intrusion detection system on every system; run a network intrusion detection system on network gateways. Act on the information.