RFC 2179 (rfc2179) - Page 3 of 10


Network Security For Trade Shows

RFC 2179            Network Security For Trade Shows           July 1997


Extra Privileged Accounts

   Some system vendors have been known to ship systems with multiple
   privileged accounts (for example, Unix systems with accounts that
   have root privileges [UID=0]). Some vendors may include a separate
   system administration account that places a user in a specific
   administrative program. Each additional privileged account presents
   yet another opportunity for abuse.

   Generally, if a Unix system does not need additional root accounts,
   these can be disabled by placing "*" in the password field of
   /etc/passwd, or by using the administrative tool when a system
   employs enhanced security.  Verify all systems for extra privileged
   accounts and either disable them or change their password as
   appropriate.

   Make certain that privileged accounts are inaccessible from anywhere
   other than the system console.  Frequently systems rely on files such
   as /etc/securettys for a list of "secure" terminals.  As a general
   rule, unless a terminal is in this file, a root login is not
   possible.  Specific use of this feature should be covered in the
   system's documentation files.

   Tips:

   * Check /etc/passwd on Unix systems and the user administration
     application on other systems for additional privileged accounts.
   * Disable remote login for privileged accounts.
   * Disable any unnecessary privileged accounts.
   * Limit logins from root accounts to "secure" terminals or the
     system console.
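
   As an added example (not part of RFC 2179), the following POSIX shell
   script carries out the first three tips against a passwd(5) file: it
   lists every UID-0 account other than root and classifies each by its
   password field so the operator knows which ones still need to be
   disabled.  The sample passwd data, account names and password "hash"
   are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of RFC 2179: audit a passwd(5) file for
# privileged accounts (UID 0) other than "root" and classify each one
# by its password field so it can be disabled or fixed before the
# system goes on the show floor.
# passwd(5) field layout: name:password:UID:GID:gecos:home:shell

# Constructed sample passwd data; the names and the "hash" are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:*:0:0:alternate superuser:/root:/bin/csh
sysadm:x:0:1:vendor admin menu:/usr/adm:/usr/sbin/admintool
operator:!:0:0:console operator:/:/bin/sh
admin:XyZ12abcDEF34:0:0:field-service login:/:/bin/sh
install::0:0:install account:/:/bin/sh
daemon:*:1:1::/:/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/sh'

# Read passwd(5) lines on stdin; print "<name> <status>" for every UID-0
# account except root.  Status values:
#   disabled     field starts with "*" or "!" (no hash can ever match)
#   shadowed     field is "x"; the real status lives in /etc/shadow
#   NO-PASSWORD  empty field: a login needs no password at all
#   ENABLED      a password hash is present, so the account is usable
extra_privileged_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root" {
            if ($2 == "")           status = "NO-PASSWORD"
            else if ($2 ~ /^[*!]/)  status = "disabled"
            else if ($2 == "x")     status = "shadowed"
            else                    status = "ENABLED"
            print $1, status
        }'
}

# Number of extra UID-0 accounts that still accept a login (ENABLED or
# NO-PASSWORD); zero is the target before joining the show network.
count_needing_action() {
    extra_privileged_accounts |
        awk '$2 == "ENABLED" || $2 == "NO-PASSWORD" { n++ } END { print n + 0 }'
}

# On a live system: extra_privileged_accounts < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | extra_privileged_accounts
printf 'accounts needing action: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PASSWD" | count_needing_action)"
```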

Use of Authentication Tokens

   Authentication tokens such as SecureID, Cryptocard, DES Gold and
   others provide a method of producing "one-time" passwords.  The
   principal advantage in a trade-show environment is to render
   worthless any packets captured by sniffers on the network.  It should
   be treated as fact that there are many packet sniffers and other
   administration tools constantly (legitimately) watching the network,
   especially at a large network-oriented trade show.  Typed passwords,
   by default, are sent in clear text across the network, allowing
   others to view them.  Authentication tokens provide a password that
   is only valid for that one instance and is useless after that.  A
   logical extension of the use of authentication tokens would be to use
   them for "trips home" (from the show network to a home site) to
   minimize the chance of off-site security problems.




Gwinn                        Informational