Enterprise IT Planet » Security » Security Features

Secure Desktops = Happy Networks

By Lyne Bourque
October 17, 2006


Last month I talked about some basic concepts that seem to be falling by the wayside, specifically performing backups and keeping a test environment so that updates, patches and other roll-outs are properly vetted. This month I'd like to discuss two other basics that have fallen by the wayside of late: password strength and account lockouts, and standardized desktops.

These aren't new concepts, and yet many shops still haven't implemented them well. Lockouts are straightforward: after a set number of failed attempts, usually 3 to 5, refuse further attempts on that account, either for a fixed period or until an administrator unlocks it.

People have forgotten about wardialing. It happens less often now that few systems have modems attached (although some still do, and those remain exposed). Its descendants, wardriving against wireless networks and online dictionary attacks against user accounts, are still routine on today's networks.

Tough Nut to Crack

For Windows systems, this kind of guessing is easily blunted by enabling account lockouts. In an Active Directory domain the three settings that matter (Account lockout threshold, Account lockout duration, and Reset account lockout counter after) sit in the domain-level policy under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, and Group Policy applies them to every account in the domain with little fuss. Choose the duration with care: a lockout that lasts until an administrator intervenes lets anyone with a list of usernames lock those users out on purpose, so a short automatic duration (15 to 30 minutes) is usually the better trade.

For Linux and many Unix systems, PAM (Pluggable Authentication Modules) can enforce a lockout after too many failures. On a Red Hat-style system, adding two lines like the following to /etc/pam.d/system-auth (the stack that login, sshd and the display manager include) will lock the account. pam_tally has since been superseded by pam_tally2 and, on current distributions, pam_faillock, which take similar arguments; the mechanism is the same.

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

This line counts each failed login (and failed su) per user. onerr=fail makes PAM refuse the login if the tally file cannot be updated rather than silently allowing it, and no_magic_root means root is counted like everyone else. The counts are kept in /var/log/faillog unless you point the module elsewhere with file=, and faillog -u <user> displays them.

account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

This second line is the one that actually refuses the login once the tally reaches 5 (deny=5). The reset option zeroes the counter on a successful login, so only consecutive failures count. The per_user option lets you exempt or loosen specific accounts: if a per-user maximum has been set in faillog (faillog -m <max> -u <user>), pam_tally uses that value instead of deny=5, so a service account can be given a higher ceiling without raising the limit for everyone. To clear a locked account, run faillog -r -u <user>.

Because PAM configuration is per service, the same lines apply to the graphical login, FTP, mail and other services as well as console logins: each has its own file under /etc/pam.d, such as /etc/pam.d/sshd or /etc/pam.d/login, unless it already includes system-auth. Check that every network-facing service that authenticates local users passes through the tally lines; a service that skips them is a free path for guessing.

As a side note, $ISA is not a shell variable but a token that Red Hat's PAM build expands when it parses the configuration, substituting the architecture-specific module directory so that the same file works on 32-bit and 64-bit installs. Current PAM builds locate modules by bare name, so pam_tally.so alone is sufficient.
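The /var/log/faillog file the two PAM lines above write to is binary: one fixed-size struct per UID. The following is an added example (not code from the article, from Linux-PAM, or from shadow-utils) that decodes such a file and reports which accounts pam_tally would refuse, applying the same per_user override described above. It assumes the struct faillog layout from shadow-utils faillog.h and, for record size, a 64-bit Linux platform where time_t and long are both 8 bytes; the sample file it reads is constructed in memory, so it runs without root or a real faillog.

```python
"""Audit pam_tally's failure counters from a faillog-format file.

Added example, not from the original article or from Linux-PAM. pam_tally
stores one fixed-size `struct faillog` per UID in /var/log/faillog, indexed
by UID (layout taken from shadow-utils faillog.h). Assumption: 64-bit Linux,
where time_t and long are both 8 bytes, giving a 32-byte record; RECORD_SIZE
is derived from the format string so another platform only needs the format
changed. The sample file is constructed in memory.
"""
from __future__ import annotations

import struct
import time
from dataclasses import dataclass

# struct faillog {
#     short  fail_cnt;        /* failures since last success */
#     short  fail_max;        /* per-user limit, 0 = use the module's deny= */
#     char   fail_line[12];   /* tty or host of the last failure */
#     time_t fail_time;       /* when the last failure happened */
#     long   fail_locktime;   /* per-user lock time, 0 = use lock_time= */
# };
FAILLOG_FMT = "@hh12sll"       # native alignment; assumed 64-bit Linux sizes
RECORD_SIZE = struct.calcsize(FAILLOG_FMT)


@dataclass
class FailRecord:
    uid: int
    fail_cnt: int
    fail_max: int
    fail_line: str
    fail_time: int
    fail_locktime: int


def parse_faillog(data: bytes) -> list[FailRecord]:
    """Decode every record that has ever been touched; the slot index is the UID."""
    records = []
    for uid in range(len(data) // RECORD_SIZE):
        chunk = data[uid * RECORD_SIZE:(uid + 1) * RECORD_SIZE]
        cnt, mx, line, when, lock = struct.unpack(FAILLOG_FMT, chunk)
        if cnt == 0 and when == 0:
            continue  # never-used slot; the file is sparse
        host = line.rstrip(b"\0").decode("ascii", "replace")
        records.append(FailRecord(uid, cnt, mx, host, when, lock))
    return records


def effective_limit(rec: FailRecord, deny: int) -> int:
    """Mirror pam_tally's per_user option: a non-zero fail_max (set with
    `faillog -m` on that user) overrides the module's deny=N argument."""
    return rec.fail_max if rec.fail_max else deny


def locked_accounts(records: list[FailRecord], deny: int = 5) -> list[int]:
    """UIDs pam_tally would refuse right now (tally has reached the limit)."""
    return [r.uid for r in records if r.fail_cnt >= effective_limit(r, deny)]


def near_limit(records: list[FailRecord], deny: int = 5, margin: int = 2) -> list[int]:
    """UIDs within `margin` failures of lockout: an early warning of guessing."""
    return [r.uid for r in records
            if 0 < effective_limit(r, deny) - r.fail_cnt <= margin]


def _record(cnt: int, mx: int, line: str, when: int, lock: int = 0) -> bytes:
    return struct.pack(FAILLOG_FMT, cnt, mx, line.encode(), when, lock)


def build_sample() -> bytes:
    """Constructed faillog with four touched UIDs; every other slot is zero."""
    t = 1_161_000_000  # arbitrary epoch seconds (October 2006)
    rows = {
        0:    _record(2, 0,  "tty1",      t - 3600),  # root: 2 console failures
        1000: _record(5, 0,  "10.0.0.23", t - 60),    # alice: at deny=5, locked
        1001: _record(3, 10, "10.0.0.45", t - 300),   # bob: per-user max raised to 10
        1002: _record(4, 0,  "10.0.0.99", t - 10),    # carol: one failure from lockout
    }
    buf = bytearray((max(rows) + 1) * RECORD_SIZE)
    for uid, rec in rows.items():
        buf[uid * RECORD_SIZE:(uid + 1) * RECORD_SIZE] = rec
    return bytes(buf)


if __name__ == "__main__":
    recs = parse_faillog(build_sample())  # for a live box: open("/var/log/faillog", "rb").read()
    for r in recs:
        print(f"uid {r.uid:5d}  failures {r.fail_cnt}/{effective_limit(r, 5)}  "
              f"last from {r.fail_line} at {time.ctime(r.fail_time)}")
    print("locked:", locked_accounts(recs), " near limit:", near_limit(recs))
```

Reading the real file needs only root access to /var/log/faillog; the point of the helper is that it shows bob's raised per-user ceiling and carol's climbing tally in one pass, which faillog -a also reports but without the "who is about to be locked" view that is useful when a dictionary attack is in progress.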

In addition, a minimum password length and some complexity requirement help protect an account from guessing. Some administrators are still under the delusion that 8 characters is sufficient.

It's not.

Let's start with the obvious: get rid of dictionary passwords. We still see plain words protecting our most important asset, the user accounts that grant access to the network. Surveys of password usage have historically shown “password,” “letmein” and an empty password among the top picks. Regular, management-approved cracking runs against the company's own password hashes are an effective way to find and eliminate them.

Now the question becomes: how long should good passwords be?

Today's standard should be at least 12 characters drawn from a mix of lower case, upper case, digits and special characters. The challenge remains getting users to remember them. One idea Microsoft put forward (yes, even they have good ideas now and again) is the passphrase: a whole sentence used as the password. “The answer to security is 42!” is both far stronger than “password” and easier to remember than a random 12-character string. Users need regular reminders about how to create good passwords, that they should change their password regularly, and that their passwords will be audited regularly for strength. (Later guidance, such as NIST SP 800-63B, puts more weight on length and on screening against known-breached passwords than on forced periodic changes, which tend to produce predictable variations of the old password.)
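To make the policy above concrete, here is an added example (not code from the article) that checks a candidate password against the 12-character rule and the character-class mix, rejects dictionary passwords including leet-speak disguises such as P@ssw0rd, and works out why 8 characters is not enough by computing the search space an exhaustive attack faces. The small COMMON_PASSWORDS set is a constructed stand-in for a real cracking wordlist, the "three of four classes" threshold is this example's reading of the mix the text asks for, and the guess rate of 1e10 per second is an assumed figure for an offline attack on a fast hash.

```python
"""Password policy check and guess-space arithmetic for the 12-character rule.

Added example, not from the original article. Encodes the policy described in
the text (at least 12 characters from at least three of the four classes:
lower, upper, digit, other) and rejects dictionary passwords, including
leet-speak disguises. COMMON_PASSWORDS is a constructed stand-in for a real
wordlist; the 1e10 guesses/s rate is an assumed offline-cracking figure.
"""
from __future__ import annotations

import re

MIN_LENGTH = 12
MIN_CLASSES = 3
PRINTABLE_ASCII = 95            # alphabet a brute-force attack must cover
SECONDS_PER_YEAR = 31_557_600

# Constructed stand-in for a wordlist; a real audit uses a rockyou-sized list.
COMMON_PASSWORDS = frozenset({
    "password", "letmein", "qwerty", "welcome", "admin",
    "monkey", "dragon", "football", "iloveyou",
})

# Undo the usual substitutions (@->a, 4->a, 0->o, 8->b, 3->e, $->s, 5->s, 1->i, 7->t).
LEET = str.maketrans("@4083$517", "aaobesiit")


def _letters(s: str) -> str:
    return re.sub(r"[^a-z]", "", s)


def dictionary_hit(password: str) -> bool:
    """True if a wordlist entry appears in the password, raw or de-leeted.
    Substring matching is deliberately strict: 'dragon2006!' is still 'dragon'."""
    low = password.lower()
    candidates = {_letters(low), _letters(low.translate(LEET))}
    return any(word in cand for cand in candidates for word in COMMON_PASSWORDS)


def char_classes(password: str) -> int:
    """Count how many of the four character classes are present."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if char_classes(password) < MIN_CLASSES:
        failures.append("few_classes")
    if dictionary_hit(password):
        failures.append("dictionary")
    return failures


def guess_space(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Candidates an exhaustive search must try for a random password."""
    return alphabet ** length


def years_to_exhaust(length: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at the assumed rate."""
    return guess_space(length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd", "letmein12345!", "The answer to security is 42!"]:
        print(f"{pw!r:35} -> {check_password(pw) or 'ok'}")
    for n in (8, 12):
        print(f"{n} random printable chars: {years_to_exhaust(n):,.1f} years to exhaust")
```

Two things the numbers show that the paragraph only asserts: every extra character multiplies the search space by 95, so going from 8 to 12 characters buys a factor of about 81 million, and a dictionary check has to run on the de-leeted form as well, because "P@ssw0rd" satisfies every class rule while being a single wordlist entry.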

Conformity Is a Good Thing

The last basic of system security is to ensure that each desktop is set up in accordance with company policy. In practice this means a user can neither install software nor disable the software (antivirus, patch agent, host firewall) the company installed.

Group Policy in Active Directory gets you part of the way (removing local administrator rights, software restriction policies), but a product such as Faronics Deep Freeze Enterprise or VMware ACE is far more effective. VMware ACE is the newer of the two, and it too offers a good way to lock down the platform that causes the most trouble, namely Windows.

Deep Freeze, however, grew out of protecting school computer labs and has evolved into a robust enterprise product. Having to keep curious young minds from defeating it bodes well for how resilient the product is. It now supports OS X as well, and Faronics appears to be looking toward Linux as its next platform.

Nonetheless, the importance of standardized desktops seems lost on many. When everyone has the same desktop image, troubleshooting is easier and tickets get resolved faster when a problem crops up.

This is one reason many companies standardize on a single vendor and buy desktops, laptops and servers in bulk: it's easier to find problems when you know what to look for and where. And with a tool like ACE or Deep Freeze in place, users are both less able and less likely to install malware or other nasties on your network. Note that a frozen image only discards changes at the next reboot; malware that runs in the current session can still do damage until then, so these tools complement, rather than replace, antivirus and non-administrator user accounts.

So save yourself some time and headaches by dealing with the basics. This will mean more opportunity to do the important things, like get in a game of Lego Star Wars II. May the force be with you.

Resources:

Get to know PAM
User Authentication HOW-TO
Linux Security and System Hardening
Securing Desktops
Faronics Deep Freeze
Faronics Linux sign-up
VMware ACE

