220.127.116.11 File/Print Servers
In most cases, the file and print server software youre running was supplied as part of the OS, so theres usually no need to update it separately from the OS. Generally, if theres a security (or other) issue with file and/or print services, the patch will appear as an OS update.
In the UNIX world, common network file server applications are NFS, the traditional UNIX Network File System originally from Sun, and Samba, a Windows File Sharing-compatible application. The BSD lpd subsystem is often used for printing. RPC (the underlying technology used by NFS) and lpd both appear in the SANS/FBI Top 20 list of UNIX vulnerabilities.
In the Microsoft world, the overwhelming choice for file and print services are the Windows File and Printer Sharing features supplied with the OS. You can also run NFS client and server software, and Novell-Netware-compatible software (plus numerous other less-well-known packages). The technologies underlying various Windows File Sharing features appear on the SANS/FBI Top 20 list of Windows vulnerabilities.
The most important point here, in addition to watching for vulnerabilities and patches, is to pay attention to configuration details. Make sure you havent made any directories or devices available to the world that you didnt want to be available to the world.
When determining what access a client has to files in a shared directory, the operating system starts with the permissions that client would have if accessing the file locally on that machine. It then overlays the permissions on the share, and the most restricted level of permission wins. For example, if the OS would allow the user to read and write the file, but the directory is shared read-only, the user could only write to it. If the OS allowed the user to only read the file, and the directory is shared read/write, the user could still only read the file.
Some file systems allow for the server to validate specific client user credentials, so that each user accessing a file could potentially have different permissions to access information on that remote system. Others map all remote accesses to a single user with minimal privileges, similar to the way that anonymous FTP works.
377. Toxen, Bob, Real World Linux Security, Prentice-Hall, November, 2000, http://www.nerdbooks.com/item.html?id=0130281875
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.