
Security Considerations

The security of the system that manages the data is essential when running a mission critical application such as the Calendar Server. This appendix describes a number of security safeguards that could be put in place if you want to further protect the sensitive data that the Calendar Server is managing.

Dedicated Server

We recommend that the Calendar Server, if financial resources permit, be placed on a dedicated computer, so that a compromise of some other application cannot reach the calendar data and vice versa. Additionally, turn off all TCP and UDP services on the Calendar Server host which are not critical to the application (e.g., ftp, the NFS server and client, the X server); every listening service is an additional way in. There should be only two accounts configured on the system: unison and root (UNIX) or administrator (NT).
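The two checks a dedicated host should pass, listening services and login accounts, can be scripted against captured output. The following Python is an added example, not code from the Calendar Server product or its documentation; it flags every listening TCP/UDP socket not on an allowlist and every account that still has a login shell beyond unison and root. The `netstat -an` and `/etc/passwd` samples are constructed, the account names other than unison and root are invented, and the allowlisted port 5730 is an assumption, since the page does not name the port the server listens on.

```python
"""Added hardening check for a dedicated Calendar Server host (example code,
not part of the product): flag listening sockets and login-capable accounts
that a dedicated host should not have."""

# Assumption: the port the Calendar Server itself listens on. The page does
# not name it, so 5730 here is a placeholder for illustration.
ALLOWED_LISTENERS = {("tcp", 5730)}
ALLOWED_ACCOUNTS = {"unison", "root"}
# Shells that make an account unusable for interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5730            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:2049            0.0.0.0:*
tcp        0      0 10.0.0.5:5730           10.0.0.9:40211          ESTABLISHED
"""

# Constructed sample of /etc/passwd (names other than unison/root are invented).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
unison:x:500:500:Calendar Server:/users/unison:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
bob:x:501:501:Bob:/home/bob:/bin/csh
"""


def unexpected_listeners(netstat_text, allowed=ALLOWED_LISTENERS):
    """Return [(proto, port)] for every listening socket not in `allowed`.

    A TCP socket counts when its state is LISTEN; netstat prints no state
    column for UDP, so a UDP socket counts when its foreign address is the
    wildcard. tcp6/udp6 rows are folded into tcp/udp.
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        proto = fields[0].rstrip("6") if fields else ""
        if len(fields) < 5 or proto not in ("tcp", "udp"):
            continue
        local, foreign = fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        listening = (state == "LISTEN") if proto == "tcp" else foreign.endswith(":*")
        if not listening:
            continue
        port = int(local.rsplit(":", 1)[1])
        if (proto, port) not in allowed:
            found.append((proto, port))
    return found


def unexpected_accounts(passwd_text, allowed=ALLOWED_ACCOUNTS):
    """Return the names of accounts that can log in but are not in `allowed`."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # blank or malformed line
        name, shell = parts[0], parts[6]
        if shell not in NOLOGIN_SHELLS and name not in allowed:
            found.append(name)
    return found


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto}/{port}")
    for name in unexpected_accounts(SAMPLE_PASSWD):
        print(f"unexpected login account: {name}")
```

Run it against real output by piping `netstat -an` and `/etc/passwd` into the two functions; anything it reports is either a service to disable, an account to remove or lock, or an entry to add to the allowlist deliberately.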

Password Management

The following are Policy/Procedure recommendations on the operations and maintenance of passwords:

Trust Management

Even if the server is dedicated to the Calendaring application, there are still additional security safeguards to consider:

If you have security servers within your organization, consider sending audit trail information from the Calendar Server to your central security server; a copy held off the host survives an intruder who edits the local logs. Turn on auditing on the server and conduct spot audits of the commands issued by unison. The Calendar Server protects a great deal of aggregate data, so make sure that your backups are protected from theft; a stolen backup exposes every user's agenda at once. Consider separate ownership of the root/administrator (auditing) account and the unison (Calendar Server management) account, so that the person who audits is not the person being audited. This allows root/administrator to detect potential abuses by the unison owner.

Networking

It is more secure to run mission critical applications within firewall-protected intranets. Make sure that the dial-up connections to your intranet are protected; one-time password technology (e.g., SecurID) removes the risk of a reusable password being captured or guessed. As with many TCP/IP protocols, promiscuous listening (where an attacker puts a network interface into promiscuous mode and records all traffic on the segment) is a threat on any broadcast network, because client-server traffic can be read by any host that shares the wire. A number of steps can be taken to reduce this risk:

Physically protect hubs and routers. Use switched hubs (switches) when possible, especially on the segment carrying the server itself, so that traffic is delivered only to the port it is addressed to rather than to every port; this narrows the exposure but does not remove it. Some hubs can block unauthorized or unregistered MAC (Ethernet) addresses on the LAN. Consider router filtering between untrusted internal networks. Commercial firewalls allow more complex TCP/IP filtering rules.

Auditing

The Calendar Server generates a number of useful audit trails. Become familiar with them and check them regularly. Some commands create log files on error conditions; check for the existence of new log files and review their contents. Monitor /users/unison/log/act.log for login attempt abuses, which can be detected from the originating IP addresses: many failures from one address, or many different user names tried from one address, is the pattern to look for. After the application is initially installed, note the file dates and sizes of all the binaries, and periodically check that none of them have been edited. Dates and sizes alone are weak evidence, since an intruder can restore both after patching a file, so also record a cryptographic checksum of each binary and keep that record off the server. Review <temp> directories, looking for any suspicious files; intruders have been known to cover their tracks by using <temp> directories as work areas.
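Both checks in this section can be automated. The following Python is an added example, not code from the Calendar Server product or its documentation: it counts failed logins per originating IP address in act.log-style lines and reports addresses that cycle through many user names, and it keeps a SHA-256 baseline of the installed binaries, going one step beyond the file dates and sizes the text describes. The log lines are constructed and their layout is an assumption (the real act.log format is not documented on this page); the binary names `calsrv` and `caladmin` are hypothetical and are created in a temporary directory so the demo runs anywhere.

```python
"""Added auditing helpers (example code, not part of the Calendar Server):
count failed logins per source address in act.log-style lines, and keep a
cryptographic baseline of installed binaries instead of trusting file dates
and sizes."""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample lines. The real act.log layout is not documented on this
# page, so the "date time LOGIN OK|FAIL user=... ip=..." layout is assumed.
SAMPLE_ACT_LOG = """\
1998-04-02 09:01:12 LOGIN OK user=alice ip=10.0.0.21
1998-04-02 09:01:40 LOGIN FAIL user=alice ip=10.0.0.21
1998-04-02 09:02:05 LOGIN FAIL user=root ip=192.168.7.7
1998-04-02 09:02:06 LOGIN FAIL user=unison ip=192.168.7.7
1998-04-02 09:02:07 LOGIN FAIL user=admin ip=192.168.7.7
1998-04-02 09:02:08 LOGIN FAIL user=guest ip=192.168.7.7
1998-04-02 09:02:09 LOGIN FAIL user=bob ip=192.168.7.7
1998-04-02 09:05:00 LOGIN OK user=bob ip=10.0.0.22
"""
LINE_RE = re.compile(r"^\S+ \S+ LOGIN (OK|FAIL) user=(\S+) ip=(\S+)$")


def login_abuse(log_text, threshold=5):
    """Return {ip: (failure_count, sorted user names tried)} for every source
    address with at least `threshold` failed logins. Many different names from
    one address is the signature of guessing rather than a forgotten password."""
    failures = Counter()
    users = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "FAIL":
            continue
        user, ip = m.group(2), m.group(3)
        failures[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= threshold}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record size, mtime (ns) and SHA-256 of each binary right after install.
    Keep the result off the host (or on read-only media) so an intruder with
    the unison or root account cannot rewrite it along with the binaries."""
    return {p: (os.path.getsize(p), os.stat(p).st_mtime_ns, _sha256(p)) for p in paths}


def verify(saved):
    """Return the paths whose content no longer matches the baseline hash.
    Size and date are kept for information only: both can be restored with
    touch(1) after a same-length patch, so the hash is what decides."""
    return [p for p, (_, _, digest) in saved.items()
            if not os.path.exists(p) or _sha256(p) != digest]


def demo_integrity():
    """Constructed demo: patch a fake binary in place with a same-length image,
    restore its mtime, and show that only the hash check notices.
    Returns (names flagged by hash, names flagged by size/mtime)."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("calsrv", "caladmin")}  # hypothetical names
    for p in paths.values():
        with open(p, "wb") as f:
            f.write(b"original binary image v1")
    saved = baseline(paths.values())
    target = paths["calsrv"]
    before = os.stat(target)
    with open(target, "wb") as f:
        f.write(b"original binary image v2")           # same length as v1
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))  # hide it from ls -l
    by_hash = [os.path.basename(p) for p in verify(saved)]
    by_meta = [os.path.basename(p) for p, (size, mtime, _) in saved.items()
               if os.path.getsize(p) != size or os.stat(p).st_mtime_ns != mtime]
    return by_hash, by_meta


if __name__ == "__main__":
    for ip, (n, names) in login_abuse(SAMPLE_ACT_LOG).items():
        print(f"{ip}: {n} failed logins, users tried: {', '.join(names)}")
    print("changed by hash:", demo_integrity()[0])
```

The threshold of 5 is a starting point; tune it against a week of normal act.log traffic so that a user mistyping a password twice is not reported while a sweep through several user names from one address is. Run `baseline` once after installation, store the dictionary somewhere the server cannot modify, and schedule `verify` against it.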

Backup and Recovery

The Calendaring data is very important data, and should be backed up regularly.

PC Security

Be sure to delete confidential or sensitive temporary attachment files saved in <temp> directories. Have a local contact in your organization for reporting and investigating suspicious or fraudulent calendar entries.

Avoid placing schedule files downloaded by the Calendar client on public or shared disk drives. Even though the data in such a file is not directly readable, anyone who copies the file can run a password guessing attack against the copy offline, at full speed and without the server being able to log or limit the attempts.

Application Security

The Calendar Server supports a very rich set of user controlled access privileges (or rights). It is important to train end-users on how these capabilities can be managed, so that the users' information is protected from unauthorized access.

Limit the number of people you give designate rights to, and give them only to trusted individuals.

Review the Options|Access Rights that an individual has established:

The default should grant no designate rights. Set the viewing rights to the least privilege the user actually needs, and add privileges only as a specific need arises.

There are a number of overall limits that can be set for all Calendar Server users, which are set by the Calendar Server administrator.

Disabling attachments prevents users from propagating proprietary information through the calendar. Setting a maximum attachment size helps prevent denial-of-service attacks in which an attacker sends very large files to exhaust the server's disk space.

Information Protection

The server allows a public directory search, which is useful for discovering user names (e.g., to determine the correct spelling of a meeting attendee), but it also means that whatever is in the directory is visible to anyone who can search it. Many companies consider their personnel directory to be a proprietary asset that should be carefully protected, so avoid putting confidential or proprietary information into the public directory.
