CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)


3.6  Summary
(Page 8 of 10)

Hardening FTP Servers

FTP servers are used to exchange data internally and between internal and external sources. FTP uses ports 20 and 21 for its data and control connections, so those ports must be open in your firewall to allow transmission of data between external and internal sites. As with other application servers, keep up to date with patches and consult vendor-specific and user community documents describing secure configuration of your particular software. When securing an FTP server, consider:

  • User authentication (limit access to only those users who really need it; avoid “Anonymous” access if you can, and use a secure FTP variant such as S/FTP to avoid transmitting passwords across the network in cleartext; when the original FTP protocol is used, you are susceptible to password and data sniffing and man-in-the-middle attacks).

  • File permissions (carefully set file permissions on your server to ensure that users have access to only those files you wish them to have access to).

  • Restricting uploads (restrict upload permission to only those users who need it; this reduces the number of accounts which, if compromised, could be used to upload unauthorized files to your server).

  • Disk quotas (setting a disk quota for users allowed to upload reduces the likelihood that they can DoS your FTP server by filling up its disk space).

  • If you run your FTP server and web server on the same machine (a bad idea), do not allow the FTP server access to web-server-related directories (scripts, HTML pages, etc.).

Hardening DNS Servers

DNS servers provide domain name service information to clients who need to map hostnames to IP addresses. DNS uses TCP and UDP port 53 for communication with clients and other nameservers on internal and external networks. The most widely used UNIX DNS software, BIND, has historically had many security issues (as have most other DNS servers), so keep up with software updates to your DNS server. Some actions to consider taking when hardening a DNS server, in addition to the obvious actions of securing the underlying OS, include:

  • Follow vendor and community-provided guidelines for secure configuration; this can help guard against spoofing and DNS cache poisoning (the insertion of invalid information in the DNS cache, which can be used to redirect traffic to non-legitimate sites).

  • Run the DNS server as an unprivileged user, so that if it is compromised via a buffer overflow, the attacker cannot run code with administrative privileges.

  • Restrict zone transfers (batched DNS info updates) from your primary name server to your secondary name servers, to minimize DoS vulnerability and risks of other exploits.

  • Configure redundant DNS servers, so that an outage on one machine doesn’t remove access to DNS information for your entire network.

  • Locate a secondary DNS server in a distant area (both in terms of wire topology, and in terms of geography) for fault tolerance.
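The zone-transfer, redundancy and unprivileged-user points above, expressed as a BIND 9 named.conf fragment. This is an added example, not text from the CertiGuide page; the zone name, file paths and the two secondary addresses (taken from the RFC 5737 documentation ranges) are placeholders.

```conf
// Start the daemon as an unprivileged user so that a compromise of named
// does not yield root, e.g.:  named -u named
//
// Weak setting: any host on the Internet may pull the entire zone, which
// hands an attacker a complete list of your hostnames and addresses.
//   zone "example.com" IN { type master; file "example.com.zone"; allow-transfer { any; }; };

// Hardened equivalent (placeholder zone, paths and addresses).
options {
    directory "/var/named";
    allow-transfer { none; };   // global default: no zone transfers unless a zone says otherwise
    recursion no;               // authoritative-only server; do not answer recursive queries
};

// The secondaries that are allowed to request AXFR/IXFR. One is on site, the
// other is in a different location so a single outage does not take DNS down.
acl "secondaries" {
    192.0.2.53;        // on-site secondary (placeholder address)
    198.51.100.53;     // off-site secondary (placeholder address)
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };              // only the listed secondaries may transfer the zone
    also-notify { 192.0.2.53; 198.51.100.53; };   // push change notifications to those secondaries
};
```

Each secondary carries a matching `type slave` zone whose `masters` list names this primary, so updates still flow only between the machines you control.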

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.