Unix How-To: Give Me That Old-Time Security!


Consider setting your users' UMASK to 027 to ensure that new directories they create won't give the world read permission by default.

To the extent possible, keep people from logging in as root. It may not seem to matter until you're trying to trace back through something that happened on a hurting system and find that you simply can't tell who was logged in when or who ran which commands because eleven people log in as root. Ideally, all privileged commands will be logged; a good log of privileged commands can provide an invaluable record of a system's history.

Avoid shared accounts, if you can, and don't allow default passwords under any circumstances.

Make sure you have an easy and reliable way of shutting down accounts when someone moves on (leaving the organization or just switching roles). Creeping privilege remains a leading contributor to security breaches. Adopt the practice of double-checking now and then to be sure that all the accounts remaining on your systems really need to be there. Expiring passwords at least limits the chance that an old account will be abused.
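The periodic account review described above can be scripted. The following is an added example, not part of the original article: it reads shadow(5)-format data, and the function names, the 180-day threshold and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts that can still log in but whose passwords
# are empty, never expire, or have not been changed in a long time.
# Input is shadow(5) format: name:hash:lastchg:min:max:warn:inactive:expire:

# audit_shadow FILE [TODAY] [STALE]   (TODAY = days since 1970-01-01)
audit_shadow() {
    file=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    stale=${3:-180}    # assumed review threshold in days; set to local policy
    awk -F: -v today="$today" -v stale="$stale" '
        $0 ~ /^#/ || NF < 8 { next }       # skip comments and short lines
        {
            user = $1; hash = $2; lastchg = $3; max = $5; expire = $8
            if (hash ~ /^[!*]/) next        # locked or no-login entry
            if (expire != "" && expire + 0 <= today) next   # account expired
            if (hash == "") print "EMPTY_PASSWORD " user
            if (max == "" || max + 0 >= 99999) print "NO_EXPIRY " user
            if (lastchg != "" && today - lastchg > stale) print "STALE_PASSWORD " user
        }' "$file"
}

# Constructed sample entries; the hashes are placeholders, not real values.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:19700:0:90:7:::
alice:$6$placeholder$hash:19690:0:90:7:::
bob:$6$placeholder$hash:18000:0:99999:7:::
carol:!$6$placeholder$hash:18000:0:99999:7:::
dave::19000:0:::::
erin:$6$placeholder$hash:18500:0:90:7::19000:
daemon:*:18000:0:99999:7:::
EOF
}

# Audit the sample with a fixed "today" (day 19723 = 2024-01-01) so the
# result is reproducible.
run_sample() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    audit_shadow "$tmp" 19723 180
    rm -f "$tmp"
}

run_sample
```

On a live system, run `audit_shadow /etc/shadow` as root; carol (locked) and erin (account expiry date passed) are skipped because those accounts are already shut down.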

And, of course, disable all those insecure protocols that we should have disabled twenty years ago. I'm surprised at how many people still use telnet and ftp routinely. The warnings about these protocols have been around as long as many of the people using them today.

Much has changed in the security landscape in the past ten years or more, but the basics are still critically important. And many break-ins occur not because hackers are getting smarter every minute, but because sysadmins and the users they support are still making the same dumb mistakes.
