"Davis, Donald" <donald.davis AT firstcitizens DOT com> writes:
> Does anyone have any experience running NetView on a "Hardened" AIX
> (4.3) server. My Risk Management department wants to implement the
> guidelines documented by the University of Waterloo (Canada).
> [[http://ist.uwaterloo.ca/security/howto/2001-01-15]] ;
> The recommendations are simple; "If you don't need it, don't run
That's an excellent policy.
> However, there is a long list of services that they recommend not
> starting. Some give me great concerns with NetView. For example,
> they recommend stopping SNMP, ftp, inetd, named, portmap, nfsd,
> biod, exec, and telnet.
Well, SNMP you need to have. NetView is an SNMP manager, and not
surprisingly relies on SNMP rather extensively.
ftp and telnet are quite insecure as passwords fly over the wire
unencrypted. Replace both with openssh. Then you'd use ssh for
telnet-like access, and scp will give you the file transfer capability
you might need. If you need a free Windows telnet client, try putty.
If you need a Windows scp command line utility, use pscp. If you need
a best in class ssh client, try VanDyke SecureCRT.
inetd, portmap, I'm not sure. I'd be hesitant to remove those. named
you don't need on your local box, though running a caching DNS
instance gives you a performance boost. Not a big deal if you run the
latest patched named from bind9 or better. nfsd you only need if you
are relying on external nfs mounts somehow. nfs is a risky service.
biod I'm not familiar with. exec, I don't think you need with
> Changing the default shell to /bin/false for daemon, bin, sys, adm
> and nobody. Remove compilers and interpreters.
None of these should affect NetView. NetView runs as user root.
If you reference any external scripts, those scripts need their own
interpreters. There's no need for any compilers on your NetView
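Several of the services the quoted guideline lists (ftp, telnet, exec) are started by inetd rather than as standalone daemons, so the "if you don't need it, don't run it" step for them is a pass over /etc/inetd.conf. The script below is an added example and not from the thread or from NetView: it audits an inetd.conf for still-enabled entries on a deny list and emits a hardened copy with those entries commented out. The configuration text, the DENY_LIST contents and the /usr/sbin paths are constructed for the example; on a real AIX host you would read /etc/inetd.conf and then run refresh -s inetd after editing it.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Audits an inetd.conf for services the quoted guideline says not to run,
# then produces a hardened copy with those entries commented out.
# The configuration text below is constructed for the example; on a real
# AIX host you would read /etc/inetd.conf instead.

# Constructed sample in the classic inetd.conf layout:
#   service  socket  proto  wait/nowait  user  server  args
# A leading '#' marks an entry that is already disabled.
SAMPLE_INETD_CONF='ftp      stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
telnet   stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd -a
#shell   stream  tcp  nowait  root  /usr/sbin/rshd     rshd
exec     stream  tcp  nowait  root  /usr/sbin/rexecd   rexecd
ssh      stream  tcp  nowait  root  /usr/sbin/sshd     sshd -i'

# inetd-launched services named in the thread as candidates to stop
# (assumed deny list; adjust to your own review of the guideline).
DENY_LIST="ftp telnet exec"

# enabled_denied_services CONF_TEXT
#   Prints the DENY_LIST services that still have an active (uncommented)
#   entry, space-separated on one line. Exit status 1 if any were found,
#   0 if the configuration is clean.
enabled_denied_services() {
    _conf=$1
    _hits=""
    for _svc in $DENY_LIST; do
        # Field 1 must equal the service name exactly; a commented entry
        # has '#' glued to the name, so '#shell' never matches 'shell'.
        if printf '%s\n' "$_conf" | awk -v s="$_svc" '$1 == s { h = 1 } END { exit !h }'; then
            _hits="${_hits:+$_hits }$_svc"
        fi
    done
    printf '%s\n' "$_hits"
    [ -z "$_hits" ]
}

# disable_denied_services CONF_TEXT
#   Emits CONF_TEXT with every DENY_LIST entry commented out and every
#   other line untouched: the hardened form of the same file.
disable_denied_services() {
    printf '%s\n' "$1" | awk -v deny="$DENY_LIST" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) deny_set[d[i]] = 1 }
        ($1 in deny_set) { print "#" $0; next }
        { print }'
}

# Stand-alone run: report, harden, re-check.
echo "Enabled denied services: $(enabled_denied_services "$SAMPLE_INETD_CONF" || true)"
HARDENED=$(disable_denied_services "$SAMPLE_INETD_CONF")
echo "After hardening, still enabled: '$(enabled_denied_services "$HARDENED" || true)'"
printf '%s\n' "$HARDENED"
```

The audit keys on the first whitespace-delimited field only, so a disabled entry (which carries its `#` on the service name) is never reported as active, and the ssh entry passes through unchanged because it is not on the deny list. The services the reply says NetView itself needs (SNMP, and arguably portmap) are separate daemons rather than inetd entries, which is why they are not part of this pass.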