CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.3  Application Hardening

3.5.3.6  NNTP Servers 1 3.5.3.8  DHCP Servers

In most cases, the file and print server software you’re running was supplied as part of the OS, so there’s usually no need to update it separately from the OS. Generally, if there’s a security (or other) issue with file and/or print services, the patch will appear as an OS update.

In the UNIX world, common network file server applications are NFS, the traditional UNIX Network File System originally from Sun, and Samba, a Windows File Sharing-compatible application. The BSD “lpd” subsystem is often used for printing. RPC (the underlying technology used by NFS) and lpd both appear in the SANS/FBI Top 20 list of UNIX vulnerabilities.

In the Microsoft world, the overwhelming choice for file and print services are the Windows File and Printer Sharing features supplied with the OS. You can also run NFS client and server software, and Novell-Netware-compatible software (plus numerous other less-well-known packages). The technologies underlying various Windows File Sharing features appear on the SANS/FBI Top 20 list of Windows vulnerabilities.

The most important point here, in addition to watching for vulnerabilities and patches, is to pay attention to configuration details. Make sure you haven’t made any directories or devices available to the world that you didn’t want to be available to the world.

When determining what access a client has to files in a shared directory, the operating system starts with the permissions that client would have if accessing the file locally on that machine. It then overlays the permissions on the share, and the “most restricted” level of permission wins. For example, if the OS would allow the user to read and write the file, but the directory is shared read-only, the user could only write to it. If the OS allowed the user to only read the file, and the directory is shared read/write, the user could still only read the file.

Some file systems allow for the server to validate specific client user credentials, so that each user accessing a file could potentially have different permissions to access information on that remote system. Others map all remote accesses to a single user with minimal privileges, similar to the way that anonymous FTP works.

3.5.3.6  NNTP Servers 1 3.5.3.8  DHCP Servers