Chapter 5 Using Netra j Security Administration

This chapter describes the Security Administration modules:

• "Administration Web Server"

• "Network Service Access Administration"

• "Root Password Administration "

Administration Web Server

The Administration Web Server serves the administration pages through which the Netra administration modules are configured. To protect access to administration web server from unauthorized users, access to the web server is protected through a password (mandatory), and an access list (optional). If an access list is specified, connections from machines that are not on the list are refused. Connections from machines on the list are permitted access, provided the user knows the password.

To Change the Administration Password

1. From the Main Administration page, under "Security Administration," click Administration Web Server.

   The Administration Web Server Administration page is displayed.

2. Click Change Administration Password.

   The Administration Password page is displayed.

3. Complete the form using the information in Table 5-1.

   Table 5-1 Web Server Password Administration

   Option	Description
   Current Administration Password	Type existing administration password. The administration password for an unconfigured Netra system is setup. A password can be a combination of any characters.
   New Administration Password	Type a new password that will be used to access your Netra server. The password is not echoed as you type it.  If you change the existing password, you must re-authenticate the browser connection using the new password you provide.
   Re-enter New Administration Password	Type the new administration password. Because the password is not echoed as you type it the first time, you must verify it by typing it a second time.

To Modify Host Access Control

The Host Access Control enables you to set the hosts that may access the administration web server. There are two possible access modes. Administration access can be granted to all hosts; or access can be restricted to a specified list of hosts and networks (an access control list). The Netra system is always allowed administration access, even when not specified in the access control list. It is recommended that restrictions be set, particularly when the Netra system is connected to the Internet.

1. From the Main Administration page, under "Security Administration," click Administration Web Server.

   The Administration Web Server Administration page is displayed.

2. Click Modify Host Access Control.

   The Host Access Administration page is displayed.

3. Complete the form using Table 5-2 for reference.

   Table 5-2 Host Access Control Administration

   Option	Description
   All hosts	Access to the administration web server is permitted to all hosts. Any specified host or network addresses are ignored.
   Specified host and network addresses	The host and network addresses that are allowed access to the administration modules.

   ---

   Note -

   If you do not specify any hosts, all hosts will be allowed access.

   ---

UDP-based services which are not connection oriented may linger after the client has disconnected. Reboot the Netra j server after modifying the access control to these services.

Network Service Access Administration

The Netra server provides a number of generic network services that do not have administration modules associated with them. These services enable users to access information and facilities on the server. You can restrict access to any or all of these services using the Network Service Access module. Restricting access to all services helps ensure the security of your network.

For each network service there are three access modes. The service can be denied to all hosts; the service can be made available to a specified list of hosts and networks (using a control list); or the service can be made available to all hosts. All services using the control list access mode share one access control list.

The following network services are available on your Netra server:

• File Transfer Protocol (FTP). Enables an authorized user to transfer files between a remote machine and the Netra server.

• TELNET Protocol (telnet). Enables an authorized remote user to log in to the Netra server and interact as a normal user.

• Remote User Information (finger). Enables network users to display information about users logged in to the Netra server.

• Remote Shell (rsh). Enables an authorized remote user to open a command-line interpreter (shell) on the Netra server and run commands there.

• Remote Login (rlogin). Enables an authorized remote user to log in to the Netra server and interact as a normal user.

• Remote Execution (rexec). Enables a library routine to be run on a remote machine and return streams to the local machine.

• Remote System Statistics (rstat): Enables a remote user to get performance data from the Netra server.

• Mail Notification (comsat). Enables the Netra server to detect incoming mail and notify local users logged into the Netra server.

• Talk Program (talk). Enables users on remote systems to enter lines of text on one machine and display them on the terminal of someone logged into the Netra server. (Remote users can thus "chat" with users on the Netra server.)

• Distributed System Admin (sadmind). Enables remote users to perform distributed system administration operations on the Netra server.

• Network File System Quota (quotad). Enables for notification if users use more than an allocated amount of disk space on the Netra server.

• User Info (rusers). Enables a remote user to check which users are logged into the Netra server.

• Diagnostic Packet Tester (spray). Enables a remote user to send a one-way stream of packets to the Netra server to see how many are received and at what rate.

• Broadcast Messages (rwall). Enables a single message from a remote user to be sent to all users logged into the Netra server.

• UNIX-to-UNIX Copy (uucp). Enables remote copy exchanges between a remote machine and the Netra server.

• Trivial Name Server (tnamed). A server that supports the DARPA trivial name server protocol.

• Calendar Manager (cmsd). Enables remote users to check the Calendar Manager entries of a user with an account on the Netra server.

To Control Access to Network Services

1. From the Main Administration page, under "Security Administration," click Network Service Access.

   The Network Service Access Administration page is displayed with a list of the server's network services and corresponding access levels.

2. Choose the access mode for each network service using the information in Table 5-3.

   Table 5-3 Security Levels for Network Services

   Option	Description
   None	Denies access to all hosts for this service.
   Control List	Permits access by hosts and networks specified in the Control List Host and Network Addresses field.
   All	Allows access to all hosts.
   Control List Host and Network Addresses	The host or network addresses of the hosts and networks of hosts that are allowed access to the services. This field is required for services using the Control List access mode.

Root Password Administration

In addition to regular user accounts, which are created with the User Accounts module, there is a superuser account that has special privileges when it accesses the Netra server. This account is called root. When the Netra server is accessed by the root user, many of the restrictions that apply to regular user accounts are removed. For example, the root user can read, write, or delete any file, or change the system configuration. To protect these privileges, the root account also has a password.

To Set the Root Password

1. From the Main Administration page, under "Security Administration," click Root Password.

   The Root Password Administration page is displayed.

2. Complete the form using information in Table 5-4.

   Table 5-4 Root Password Administration

   Password option	Description
   Current Root Password	Type existing root password for your Netra server. When the Netra server is unconfigured, there is no root password, so leave this field empty. The password can be composed of any combination of characters.
   New Root Password	Type new password that will be used to access your Netra server.
   Reenter New Root Password	Type the new password again. Because the password is not echoed as you type it the first time, you must verify it by typing it a second time.