Apple 10.6 Server User Manual


 
Chapter 4 Enhancing Security
• Do not use administrator (UNIX “admin” group) accounts for daily use.
  Restrict the use of administration privileges by keeping the admin login and
  password separate from daily use.
• Back up critical data on the system regularly, with a copy stored at a secure
  off-site location.
  Backup media is of little use in recovery if it is destroyed with the computer
  during a fire. Test your backup and recovery contingency plans to ensure that
  recovery actually works.
• Review system audit logs regularly and investigate unusual traffic.
• Disable services that are not required on your system.
  A vulnerability that occurs in any service on your system can compromise the
  entire system. In some cases, the default configuration (out of the box) of a
  system leads to exploitable vulnerabilities in services that were enabled
  implicitly.
  Turning on a service opens up a port that users can access your system from.
  Although enabling Firewall service helps avoid unauthorized access, an inactive
  service port remains a vulnerability that an attacker might exploit.
• Enable Firewall service on servers, especially at the network frontier and DMZ.
  Your server’s firewall is the first line of defense against unauthorized access.
  For more information, see the onscreen help or Mac OS X Server Resources website
  at www.apple.com/server/macosx/resources/. Consider also a third-party hardware
  firewall as an additional line of defense if your server is highly prone to
  attack.
• If needed, install a local firewall on critical or sensitive servers.
  Implementing a local firewall protects the system from an attack that might
  originate within the organization’s network or from the Internet.
• For additional protection, implement a local Virtual Private Network (VPN) that
  provides a secure encrypted tunnel for communication between a client computer
  and your server application. Some network devices provide a combination of
  functions: firewall, intrusion detection, and VPN.
• Administer servers remotely.
  Manage your servers remotely using applications like Server Admin, Server
  Monitor, RAID Admin, and Apple Remote Desktop. Minimizing physical access to the
  systems reduces the possibility of mischief.
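
An added example for the guideline on disabling services that are not required (it is not part of the Apple manual): this shell function reads netstat output in the Mac OS X address.port format and lists listening TCP ports that are not on an approved list. The function names, the approved ports, and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an approved list.
# Input is `netstat -an -p tcp` output in the Mac OS X "address.port" layout.

# Constructed sample output, not captured from a real server.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51515         ESTABLISHED'

# audit_listeners "<approved ports>" reads netstat output on stdin and prints
# one line per unapproved listening port: "<port> <scope>". Scope is "loopback"
# when every listener on that port is bound to loopback, otherwise "network".
audit_listeners() {
    awk -v approved="$1" '
        BEGIN { n = split(approved, a, /[ ,]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/^.*\./, "", port)      # text after the last dot
            host = addr; sub(/\.[^.]*$/, "", host)   # text before the last dot
            if (port in ok) next                     # approved service, skip
            scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "network"
            # A network-reachable listener outranks a loopback-only one.
            if (!(port in seen) || scope == "network") seen[port] = scope
        }
        END { for (p in seen) print p, seen[p] }
    ' | sort -n
}

# Run the audit on the constructed sample with ports 22 and 548 approved.
# Live use on the server: netstat -an -p tcp | audit_listeners "22 548"
audit_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "22 548"; }

audit_sample
```

Each port reported with scope "network" is a service to either justify and add to the approved list or turn off; loopback-only listeners are not reachable from other hosts but still indicate a running service.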
Password Guidelines
Many applications and services require that you create passwords to authenticate.
Mac OS X includes applications that help create complex passwords (using Password
Assistant), and securely store your passwords (using Keychain Access).