Server lockdown locks out end users

By Mathias Thurman, Computerworld | Security, Network access control, Servers

Some standard Web server ports are reserved for special uses. This link is handy when you're trying to determine which service runs on which port. It divides port numbers into three groups: well-known ports (0 to 1023), registered ports (1024 to 49151) and dynamic or private ports (49152 to 65535).

RSA Security's registration and download page for the Ace/Agent for Linux.

Visit this link to download Idled, Mike Crider's free utility that tracks idle user accounts and automatically logs them out. You can also use it to restrict multiple log-ins under the same account or to block accounts.

Next I installed the Ace/Agent for SecurID token-based authentication from RSA Security Inc. in Bedford, Mass. SecurID tokens provide two-factor authentication. In other words, after users provide a valid user identification and password to a system, they must then input an additional level of authentication that consists of a personal identification number followed by the number displayed on the SecurID token. The displayed number changes every 60 seconds and is tied to a central server I've installed on a protected secure network, rightfully dubbed SecNet. In addition, I installed the latest commercially supported version of Secure Shell (SSH) for encrypted administration.

Then I installed a little freeware utility called Idled (pronounced idle-dee). Idled is really cool. One of my fears is that an administrator will get access to Gateway 1 and then leave for lunch or for the night without logging out of the system. If the user isn't using a password-protected screen saver, then it would be easy for someone, such as a cleaning person, contractor or disgruntled employee, to walk up to that person's desktop and access the production environment. Idled tracks idle sessions and times them out after a specified interval.
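To audit a gateway for the unattended sessions described above, the sketch below flags log-ins that have been idle past a limit. It is an added example, not Idled's code or part of the original column, and it only reports sessions rather than logging them out. It assumes GNU `who -u` output with an ISO-style date column; the sample lines, user names, addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of `who -u` output (assumed GNU coreutils layout);
# users, terminals, PIDs and addresses are made up for this example.
SAMPLE_WHO_U = """\
admin1   pts/0        2024-05-01 08:02   .          2211 (10.1.1.15)
admin2   pts/1        2024-05-01 08:40 00:07        2304 (10.1.1.22)
dba1     pts/2        2024-05-01 09:05 01:32        2410 (10.1.1.31)
ops1     pts/3        2024-04-29 17:20  old         1987 (10.1.1.40)
"""

# user, tty, login date, login time, idle field, PID of the login process
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+\S+\s+\S+\s+"
    r"(?P<idle>\.|old|\d{1,2}:\d{2})\s+(?P<pid>\d+)"
)


def idle_minutes(field):
    """Convert the idle column of `who -u` to minutes."""
    if field == ".":       # active within the last minute
        return 0
    if field == "old":     # idle for more than 24 hours
        return 24 * 60
    hours, minutes = field.split(":")
    return int(hours) * 60 + int(minutes)


def find_idle_sessions(who_output, limit_minutes):
    """Return (user, tty, pid, idle_minutes) for sessions at or over the limit."""
    flagged = []
    for line in who_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        idle = idle_minutes(match.group("idle"))
        if idle >= limit_minutes:
            flagged.append(
                (match.group("user"), match.group("tty"),
                 int(match.group("pid")), idle)
            )
    return flagged


if __name__ == "__main__":
    for user, tty, pid, idle in find_idle_sessions(SAMPLE_WHO_U, 30):
        print(f"{user} on {tty} (pid {pid}) idle for at least {idle} min")
```

On a live gateway, the output of `who -u` would be passed in place of the sample text.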

I then had one of the network engineers configure the firewall so the gateways would be the only servers that could access the production environment. Prior to the firewall configuration, I contacted each department to discuss their requirements for access to that network. For example, the operations center needs to monitor the production network. Engineers need to push code updates to certain production machines. Database administrators need to access certain ports for database administration. Our application has a special administrative tool for setting up and administering customer accounts. And the list goes on. I spent about 150 hours working on this, until all the necessary access to the production network was addressed. Or so I thought.
