Network Security For Trade Shows
RFC 2179 Network Security For Trade Shows July 1997
Extra Privileged Accounts
Some system vendors have been known to ship systems with multiple
privileged accounts (for example, Unix systems with accounts that
have root privileges [UID=0]). Some vendors may include a separate
system administration account that places a user in a specific
administrative program. Each additional privileged account presents
yet another opportunity for abuse.
Generally, if a Unix system does not need additional root accounts,
these can be disabled by placing "*" in the password field of
/etc/passwd (or of /etc/shadow on systems that keep hashes in a
shadow file), or by using the administrative tool when a system
employs enhanced security. Check all systems for extra privileged
accounts and either disable them or change their passwords as
appropriate.
Make certain that privileged accounts are inaccessible from anywhere
other than the system console. Systems frequently rely on a file such
as /etc/securettys (/etc/securetty on some systems) for the list of
"secure" terminals. As a general rule, a root login is refused on any
terminal not listed in this file. The exact file name and semantics
vary by system and should be covered in the system's documentation.
Tips:
* Check /etc/passwd on Unix systems and the user administration
application on other systems for additional privileged accounts.
* Disable remote login for privileged accounts.
* Disable any unnecessary privileged accounts.
* Limit logins from root accounts to "secure" terminals or the
system console.
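The checks in the tips above, as an added example that is not part of RFC 2179: a small audit that lists every UID-0 account in a passwd file, reports whether each one's password field is locked, and answers whether a root login on a given terminal would be permitted by a securettys-style list. The passwd and securettys contents are constructed samples (the account names and hashes are not from any real system), and on shadowed systems the real hash must be looked up in /etc/shadow.

```python
"""Audit a passwd file for extra privileged (UID 0) accounts and check root
login restrictions against a securettys-style terminal list.
Added example for RFC 2179's "Extra Privileged Accounts" section; all sample
data below is constructed, not copied from a real system."""

# Constructed sample /etc/passwd. 'x' means the hash lives in /etc/shadow,
# '*' is the lock marker the RFC recommends, and sysadm is the kind of
# vendor-supplied admin-menu account the RFC warns about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:*:0:0:alternate root (locked):/root:/bin/sh
sysadm:$1$abc$hash:0:0:vendor admin menu:/usr/sysadm:/usr/sysadm/bin/menu
bin:*:1:1:bin:/bin:/sbin/nologin
alice:$1$xyz$hash:1001:1001:Alice:/home/alice:/bin/sh
"""

# Constructed sample securettys list: one terminal name per line, '#' comments.
SAMPLE_SECURETTYS = """\
# terminals from which a direct root login is permitted
console
tty1
"""


def parse_passwd(text):
    """Yield (name, password_field, uid) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; a real audit should report it, not skip it
        yield fields[0], fields[1], int(fields[2])


def extra_uid0_accounts(text):
    """Names of UID-0 accounts other than 'root': each is an extra superuser
    login that should be disabled or given its own strong password."""
    return [name for name, _, uid in parse_passwd(text)
            if uid == 0 and name != "root"]


def lock_status(pw_field):
    """Classify a passwd password field:
       'locked'   - begins with '*' or '!' (no hash can match; password login disabled)
       'shadowed' - 'x': the hash lives in /etc/shadow, check there
       'open'     - a usable hash, or empty (no password required at all)"""
    if pw_field.startswith(("*", "!")):
        return "locked"
    if pw_field == "x":
        return "shadowed"
    return "open"


def audit_privileged(text):
    """Map every UID-0 account name to its lock status."""
    return {name: lock_status(pw)
            for name, pw, uid in parse_passwd(text) if uid == 0}


def root_login_allowed(securettys_text, tty):
    """True if tty appears in the securettys-style list (the RFC's "secure"
    terminals); root logins from any other terminal should be refused."""
    allowed = {ln.strip() for ln in securettys_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return tty in allowed


if __name__ == "__main__":
    for name, status in audit_privileged(SAMPLE_PASSWD).items():
        print(f"{name:8} uid=0 password field: {status}")
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    for tty in ("console", "ttyp0"):
        verdict = "allowed" if root_login_allowed(SAMPLE_SECURETTYS, tty) else "refused"
        print(f"root login on {tty}: {verdict}")
```

On the sample data the audit flags `toor` and `sysadm` as extra UID-0 accounts, of which only `toor` is locked; `sysadm` still has a usable hash and is exactly the account to disable or re-password before the show. A locked password field only stops password logins, so the same audit should be repeated for any other credential a system accepts for root (e.g. trusted-host files).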
Use of Authentication Tokens
Authentication tokens such as SecurID, Cryptocard, DES Gold and
others provide a method of producing "one-time" passwords. Their
principal advantage in a trade-show environment is that they render
worthless any passwords captured by sniffers on the network. It
should be taken as a given that many packet sniffers and other
administration tools are constantly (and legitimately) watching the
network, especially at a large network-oriented trade show. Typed
passwords are, by default, sent in clear text across the network,
where anyone watching can read them. An authentication token produces
a password that is valid for a single login and useless after that,
so a captured password cannot be replayed. A logical extension of the
use of authentication tokens is to use them for "trips home" (logins
from the show network to a home site) to minimize the chance of
off-site security problems.
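The replay property described above, as an added example that is not part of RFC 2179: a token that produces a fresh value on every press, and a server that accepts each value once and refuses a copy sniffed off the wire. It implements HOTP (RFC 4226, HMAC-SHA1 over a counter) from the standard library as a stand-in for the proprietary SecurID/Cryptocard algorithms the RFC names; the `Token` and `TokenServer` classes, the look-ahead window and the `sniffer_replay_demo` exchange are this example's own constructions, and the secret is the RFC 4226 test-vector key rather than a real one.

```python
"""One-time passwords versus a sniffer: HOTP (RFC 4226) token and verifier.
Added example for RFC 2179's "Use of Authentication Tokens" section; HOTP
stands in for the proprietary token algorithms the RFC mentions."""

import hashlib
import hmac

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# token would hold a per-device random key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP(K, C) = dynamic-truncation(HMAC-SHA1(K, C)) mod 10^digits."""
    msg = counter.to_bytes(8, "big")            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """Client side: the hardware token, which advances its counter per press."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server side: holds the shared secret and the lowest counter still
    acceptable, so a value captured on the network cannot be reused."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.next_counter = 0          # every counter below this is burned
        self.look_ahead = look_ahead   # tolerate a few unused presses

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # accept once, then burn it
                return True
        return False


def sniffer_replay_demo():
    """Return (legitimate_login, replay_of_sniffed_code, next_login)."""
    token, server = Token(TEST_SECRET), TokenServer(TEST_SECRET)
    sniffed = token.press()                 # attacker captures this on the LAN
    first = server.verify(sniffed)          # user's login succeeds
    replay = server.verify(sniffed)         # replay of the same value fails
    second = server.verify(token.press())   # user's next press still works
    return first, replay, second


if __name__ == "__main__":
    print("first login:", sniffer_replay_demo())
```

The point the RFC makes is the `replay` result: the server has already burned counter 0, so the sniffed "755224" is rejected while the user's next press is accepted. The same one-time property is what makes tokens suitable for "trips home" across the show network.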
Gwinn Informational