Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 982
computers. When you use NIS, the encrypted password is transmitted in clear-text
and made available to anyone on the network, compromising this defense
measure. Because of this, the HP-UX trusted mode and password shadowing security
features that Bastille can enable are incompatible with NIS. If you choose to
convert to trusted mode or shadow passwords, you should also disable NIS.
We recommend that you deactivate NIS server programs.
Alternatives include NIS+, LDAP, and Kerberos.
Miscellaneous
Daemons
Q: Would you like to deactivate NIS client programs? [Y] [Y]
An NIS (Network Information System) client is used to receive
network naming and administration information from a server machine on its
network.
NIS is a system used for synchronizing key host information, including account
names and passwords. It is a clear-text protocol, and can be easily compromised
to gain access to accounts on the system. If you are really interested in using
NIS, you should configure your firewall to block NIS traffic coming in or going
out of your network.
Also, if you plan to use a host-based network firewall, be sure to disable the NIS
client. If your NIS client is left configured but the NIS traffic is blocked at
your firewall, your machine will bog down trying to connect to the NIS server.
NIS is not a well-behaved protocol, and the ports it needs are hard to
characterize. It also needs to initiate connections from both the client and the server.
On many systems, including trusted-mode HP-UX systems, passwords are not only
encrypted but also readable only by the super-user. These measures were taken
because given the encrypted string an attacker can attempt to determine valid
passwords for users on your system by using dictionary or brute force password
cracking programs. When you use NIS, the encrypted password is transmitted in
clear-text and made available to anyone on the network, compromising this defense
measure. Because of this, the HP-UX trusted mode and password shadowing security
features that Bastille can enable are incompatible with NIS. If you choose to
convert to trusted mode or shadow passwords, you should also disable NIS.
We recommend that you deactivate NIS client programs.
Alternatives include NIS+, LDAP, and Kerberos.
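As an added example (not from this manual or from Bastille itself), the following POSIX shell check reads an HP-UX style /etc/rc.config.d/namesvrs file for the NIS_CLIENT, NIS_MASTER_SERVER and NIS_SLAVE_SERVER settings and reports whether NIS is still enabled on a system that uses shadow passwords (/etc/shadow) or trusted mode (/tcb/files/auth), the incompatibility described above. The file and directory paths are passed as arguments, so it can also be run against copies taken from a system.

```shell
#!/bin/sh
# Added example: detect NIS enabled alongside shadow passwords or trusted mode.
# Assumes the HP-UX rc.config.d convention of VAR=value lines in namesvrs.

# rc_value FILE VAR -> value of the last uncommented VAR=... line (quotes stripped)
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\)[\"']\{0,1\}.*/\1/p" "$1" \
        | tail -n 1
}

# nis_roles NAMESVRS_FILE -> space separated list of enabled NIS roles
nis_roles() {
    roles=""
    [ "$(rc_value "$1" NIS_CLIENT)" = "1" ] && roles="$roles client"
    [ "$(rc_value "$1" NIS_MASTER_SERVER)" = "1" ] && roles="$roles master"
    [ "$(rc_value "$1" NIS_SLAVE_SERVER)" = "1" ] && roles="$roles slave"
    printf '%s\n' "${roles# }"
}

# nis_conflict NAMESVRS_FILE SHADOW_FILE TCB_DIR
# Prints CONFLICT (exit 1) when any NIS role is enabled while the host protects
# its local password hashes with shadow passwords or trusted mode; OK otherwise.
nis_conflict() {
    roles=$(nis_roles "$1")
    local_protect=""
    [ -f "$2" ] && local_protect="shadow"
    [ -d "$3" ] && local_protect="${local_protect:+$local_protect,}trusted"
    if [ -n "$roles" ] && [ -n "$local_protect" ]; then
        echo "CONFLICT: NIS ($roles) enabled with $local_protect"
        return 1
    fi
    echo "OK: NIS roles='${roles:-none}' local protection='${local_protect:-none}'"
    return 0
}

# On a live HP-UX system (paths from the manual's description, run as root):
# nis_conflict /etc/rc.config.d/namesvrs /etc/shadow /tcb/files/auth
```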
Miscellaneous
Daemons
Q: Would you like to disable SNMPD? [Y] [Y]
SNMP, or the Simple Network Management Protocol, is
used to aid in the management of machines over the network. This
can be a powerful method of monitoring and administering
a set of networked machines. If you use network management
software to maintain the computers on your network, then you
should audit the way in which SNMP is used by that software.
You should (1) use SNMPv3 wherever possible, (2) set restrictive