HP CIFS Server 3.0f Administrator's Guide version A.02.03

One effective way to reduce the risk from this type of attack is to remove the execute permission from the
program's stack pages. This improves system security without impacting performance and has no negative
effects on the majority of legitimate applications.
The HP CIFS Server does not require execution on the stack. While the HP CIFS Server attempts to prevent
buffer overflow possibilities, you can set the HP-UX kernel tunable parameter, executable_stack, to
disallow stack execution and provide a layer of protection from malicious attacks. For details, refer to the
man pages for chatr.
Restricting User Access
In addition to authentication services, the HP CIFS Server provides the configuration parameters valid
users and invalid users in the smb.conf file, which you can use to further restrict access to your
CIFS server. You can also configure the admin users parameter so that administration capabilities are
provided only to the users listed with this parameter.
For example, you can configure the valid users option in the smb.conf file as follows:
[global]
valid users = @smbusers, jack
This restricts all server access to the user jack and to members of the system group smbusers.
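The following added example (not from the HP guide) audits an smb.conf for the valid users, invalid users and admin users parameters described above. It assumes standard Samba semantics: [global] values act as defaults for every share, an empty valid users list lets any user log in, and invalid users takes precedence over valid users. The sample file and its share names are constructed.

```python
import configparser

# Constructed sample smb.conf; only the [global] "valid users" line is from the guide.
SAMPLE = """
[global]
valid users = @smbusers, jack
admin users = root

[projects]
invalid users = jack

[public]
valid users =
"""

ACCESS_KEYS = ("valid users", "invalid users", "admin users")

def split_list(value):
    """Split a user list on commas/whitespace; '@name' entries are groups."""
    return [u for u in value.replace(",", " ").split() if u]

def effective_access(conf_text):
    """Return {share: {key: [names]}}, using [global] values as share defaults."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    glob = dict(cp["global"]) if cp.has_section("global") else {}
    result = {}
    for share in cp.sections():
        if share.lower() == "global":
            continue
        merged = {**glob, **dict(cp[share])}  # share-level value replaces the default
        result[share] = {k: split_list(merged.get(k, "")) for k in ACCESS_KEYS}
    return result

def findings(access):
    """Flag shares with no valid users restriction or with conflicting lists."""
    out = []
    for share, acl in access.items():
        if not acl["valid users"]:
            out.append((share, "no valid users restriction"))
        for user in set(acl["valid users"]) & set(acl["invalid users"]):
            out.append((share, f"{user} is both valid and invalid; invalid wins"))
    return sorted(out)

if __name__ == "__main__":
    for share, msg in findings(effective_access(SAMPLE)):
        print(f"[{share}] {msg}")
```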
Automatically Receiving HP Security Bulletins
You can subscribe to automatically receive future HP Security Bulletins or other technical digests from the HP
IT Resource Center (ITRC) via electronic mail.
Use the following steps to register for and subscribe to HP Security Bulletins:
1. Use your browser to get to the HP IT Resource Center web site at:
http://itrc.hp.com
2. Use your existing login or use the Register button to create a login for gaining access to many areas of
the ITRC. Remember to save your user ID and password.
3. Choose the Support Information Digests option under the Notification section (near the bottom of
page).
4. To subscribe to future HP Security Bulletins or other technical digests, click the check box for the appropriate
digest and then click the Update Subscriptions button.
To review bulletins already released, choose the link for the appropriate digest.
You can find your ITRC account security bulletins at:
http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive". In the
archive, the third link is to the current Security Patch Matrix. This matrix categorizes security patches by
the platform/OS release, and by the bulletin topic. The Security Patch Check tool completely
automates the process of reviewing the patch matrix for HP-UX 11i v1 and v2 systems.
The Security Patch Check tool can verify that a security bulletin has been implemented on HP-UX
11i v1 and v2 systems, provided that the fix is completely implemented in a patch with no manual
actions required. The Security Patch Check tool cannot verify fixes implemented using a product
upgrade.
For detailed information on the Security Patch Check tool, refer to the following web site:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via the anonymous ftp site at:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
Reporting New Security Vulnerabilities
You can report new security vulnerabilities by sending an email to security-alert@hp.com.
You need to encrypt any exploit information by using the security-alert PGP key, available from your local
key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to
security-alert@hp.com.