IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.38 Secure integration of DOS PC's into a UNIX
network
Initiation responsibility: Head of IT Section, IT Security Management,
Administrators
Implementation responsibility: Administrator, IT users
DOS PC’s can be integrated into UNIX networks in various ways. In general,
PCs have weaker security mechanisms than UNIX systems. Everyone with
access to a PC can administrate it, thus being able, for example, to change
settings or install software.
By installing the appropriate software, a networked PC can be used to
eavesdrop the network. Therefore only authorised users may have access to a
PC (see also S 1.23 Locked doors and S 2.6 Granting of site access
authorisations). Moreover, measures must be taken to ensure and regularly
monitor that software cannot be loaded without supervision (see also S 2.9
Ban on Using Non-Released Software and S 2.10 Survey of the software held).
In addition, it is easily possible by changing the configuration of a PC, to fake
any computer ID and thus carry out a masquerade. This means that when
using RPC on the UNIX server no trusted hosts must be defined. Trusted hosts
are systems which are regarded as trustworthy and from which you can log in
(using rlogin) or perform a command (using rsh) without giving a password.
This is set in the $HOME/.rhosts and /etc/hosts.equiv files on the UNIX
server. It must be ensured that the $HOME/.rhosts and /etc/hosts.equiv files
are not available or are empty and that the user does not have access
permission to them (see also S 5.20 Use of the security mechanisms of rlogin,
rsh and rcp).
If PC’s are connected to a UNIX network via NFS, the following points
should be noted:
- On an NFS server every file system or directory which can be mounted by
other computers must be entered in a file (e.g. /etc/exports or
/etc/dfs/dfstab). The access rights of the NFS clients to the released file
systems are also set in this file. When using NFS, care must be taken on the
UNIX server that directories are only released for mounting where
absolutely necessary.
- In order to avoid root rights being acquired through NFS, no root access
must be granted for exported file systems on the UNIX server as would be
possible using the ”root=” option. Under no circumstances may root
access be given to a PC in this way.
- When copying files from a PC to a UNIX system via NFS or ftp it can
happen that the attributes are set too freely. You must always check
whether this is the case and change the umask if necessary.
Computer viruses occur mainly on DOS PC’s. When PC’s are networked with
UNIX systems, viruses can spread by infected programmes passing from PC
to PC. The same measures should therefore be taken here as when exchanging
programmes using data media or remote data transfer (see also S 4.3 Periodic
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000