Setup guide
UNCLASSIFIED
should be as restrictive as possible. Only administrative users should be able to log
directly onto a directory server. Examples of directory services are: Apple’s
LDAP-based Open Directory Server included with Mac OS X Server, Microsoft’s Active
Directory, and Sun’s NIS/NIS+.
A typical network also includes servers for network services such as e-mail, file
sharing, logging, and web. To the maximum extent possible, each network service
should be hosted on a separate server. Physical access should be restricted to
administrative personnel wherever possible, network access should be restricted to
only that which is operationally necessary, and only administrators should be able to
log directly into a server.
Client systems provide user access to the network but do not provide any services to
the rest of the network. Security-relevant settings on the client should be enforced to
the maximum extent possible. Configuration guides from NSA exist for Mac OS X,
Solaris, and Microsoft Windows. The Center for Internet Security publishes
configuration guidance for systems running Linux, FreeBSD, and HP-UX.
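The two rules above (one network service per server, and clients exposing no services at all) are easy to state and easy to drift away from. The script below is an added example, not part of the original guide: it audits a host's listening sockets against a per-role allow-list, and separately checks that an OpenSSH sshd_config limits interactive login to administrator groups. The role allow-lists, the `ss -tulnp` text format it parses, and the sample `ss` and sshd_config text are all assumptions constructed for the example; a real deployment would derive the allow-lists from its own service inventory.

```python
"""Audit a host's exposed services and SSH login policy against its network role.

Added example (not the guide's own tooling). Assumptions: Linux `ss -tulnp`
output format, OpenSSH AllowGroups semantics, and the hypothetical per-role
allow-lists below. All sample data is constructed, not captured from a host.
"""
import re
from dataclasses import dataclass

# Hypothetical allow-lists: the (proto, port) pairs a host of each role may expose.
ROLE_ALLOWED = {
    "directory": {("tcp", 22), ("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 636)},
    "mail":      {("tcp", 22), ("tcp", 25), ("tcp", 587), ("tcp", 993)},
    "file":      {("tcp", 22), ("tcp", 445), ("tcp", 548)},
    "log":       {("tcp", 22), ("udp", 514), ("tcp", 6514)},
    "web":       {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "client":    set(),  # clients provide no services to the rest of the network
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp` text into Listener records; header lines are skipped.

    Field 0 is the protocol, field 4 is Local Address:Port; the owning process
    is read from the users:((...)) column when present.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")  # handles [::]:389 as well as 0.0.0.0:22
        match = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(fields[0], addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit(role: str, listeners: list[Listener]) -> list[Listener]:
    """Return listeners a host of this role should not expose to the network.

    Loopback-bound sockets are ignored: they are unreachable from other hosts,
    so they do not break the one-service-per-server rule.
    """
    allowed = ROLE_ALLOWED[role]
    return [l for l in listeners
            if l.addr not in LOOPBACK and (l.proto, l.port) not in allowed]


def login_restricted(sshd_config: str, admin_groups: set[str]) -> bool:
    """True if sshd_config's AllowGroups confines SSH login to admin groups.

    Only the top-level AllowGroups directive is examined (OpenSSH denies users
    outside the listed groups when it is set); Match blocks are not handled.
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "allowgroups":
            groups = parts[1].split() if len(parts) > 1 else []
            return bool(groups) and set(groups) <= admin_groups
    return False  # no restriction at all


# Constructed sample: a "web" host that has quietly grown mail, LDAP and syslog duties.
SAMPLE_WEB = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1337,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1337,fd=7))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=300,fd=4))
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*     users:(("master",pid=900,fd=13))
tcp   LISTEN 0      128             [::]:389           [::]:*     users:(("slapd",pid=700,fd=8))
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=400,fd=5))
"""

# Constructed sshd_config fragments: one restricted to an admin group, one not.
SSHD_OK = "PermitRootLogin no\nAllowGroups admins\nPasswordAuthentication no\n"
SSHD_BAD = "PermitRootLogin no\n# AllowGroups admins\n"


if __name__ == "__main__":
    listeners = parse_ss(SAMPLE_WEB)
    for l in audit("web", listeners):
        print(f"web host exposes {l.proto}/{l.port} ({l.process}) on {l.addr}: not in role allow-list")
    print("SSH login restricted to admins:", login_restricted(SSHD_OK, {"admins"}))
```

Run against a live host, the `ss` text would come from `ss -tulnp` and the config from `/etc/ssh/sshd_config`; the role is whatever the server was built for. Anything the audit reports is either a service that belongs on its own server or a port the firewall should already be dropping, and a host with no AllowGroups line is one where any account, not only administrators, can log in directly.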
Figure 1: Basic Network Design. [Diagram: Internet/External Networks, Firewall, Local Network containing Client Systems, Directory Servers, and Other Servers]