Checking OS Security

By Peter Galli  |  Posted 2006-01-11

But the security work does not stop there. Another ongoing lab research project is analyzing security across various operating systems, and Hilf and his team routinely do a security screen when they install any operating system in the lab. "Like many other Linux folks, we use a tool called nmap to scan the operating system as soon as we install it and put it on the network. So, after a fresh install, we port scanned Red Hat Enterprise Linux 4, Novell SUSE Linux Enterprise Server 9, IBM AIX5L, Sun Solaris 10 and Windows Server 2003 SP1," Hilf said.
What surprised the team most was how many services they found open after a fresh install on the commercial Unix systems. Both Red Hat Enterprise Linux 4 and Windows Server 2003 SP1 had four open services; Novell SUSE had nine open services; AIX5L had 18; and Solaris 10 had 20.
"So, for example, we found services like FTP, exec, login, telnet and finger enabled and open by default. Typically, these should be disabled by default for most environments due to both their security mechanisms and security track records. Most environments should use something much more secure than telnet for remote console access," he said.
But, Hilf stressed, it is important to note that IT administrators would rarely deploy a default server "out-of-the-box" into a production environment. Most IT professionals would do a similar audit and configure the security of their server for their environmental needs. "But, since we do this analysis, we found it interesting to note this default profile. From a Microsoft perspective, I think this is a good demonstration of our investments in trustworthy computing and improving our security development lifecycle," he said.
But Chris Ratcliffe, director of marketing for Sun's Solaris, countered that the standard Solaris 10 install profile leaves certain services switched on for compatibility reasons. "Having said that, there are two other things to bear in mind: Firstly, with Solaris 10, system administrators have a choice of installation profiles. For example, the Reduced Networking Metacluster install option [also known as Warm Brick Mode] creates a minimized Solaris image to which security administrators can then add the functionality and services they actually need," he said.
Solaris 10 also has a Service Manager Profile known as Generic Limited Networking, which turns off almost all unencrypted remote communications to the system, Ratcliffe said.
Secondly, not all services "are created equally. In Solaris 10, remote applications such as rsh, rcp, telnet, Solaris Secure Shell and others are Kerberos-enabled. They make use of a standards-based common API for high-performance, systemwide cryptographic routines. This framework provides a single point of administration and uniform access to hardware-accelerated cryptographic functions when available," he said.
In addition, most Solaris users perform system installs and configurations in an environment where this is not an issue. "In today's environment, any vendor not taking a systemwide approach to security is making a big mistake. Any vendor that hasn't really considered the implications of security in the networked environment in their operating system design has a lot of catching up to do," he said.
Trustworthy Computing is about far more than just what ports or services are open, Ratcliffe said, adding that while this is certainly a factor, more than 80 percent of security violations come from inside companies, so vendors have to take a much broader view.
Solaris 10 provides a host of security features previously only found in Sun's military-grade Trusted Solaris. Sun has also digitally signed the operating system, automatically checked file integrity and has made its services more secure, he said.
"In an upcoming update to Solaris, we'll add the ability to lock a system down so that only valid, signed executables from a list of sys admin configurable trusted authorities will be allowed to run. Rogue applications, Trojan horses and viruses simply will not execute," Ratcliffe said.

Peter Galli has been a financial/technology reporter for 12 years at leading publications in South Africa, the UK and the US. He has been Investment Editor of South Africa's Business Day Newspaper, the sister publication of the Financial Times of London.

He was also Group Financial Communications Manager for First National Bank, the second largest banking group in South Africa, before moving on to become Executive News Editor of Business Report, the largest daily financial newspaper in South Africa, owned by the global Independent Newspapers group.

He was responsible for a national reporting team of 20 based in four bureaus. He also edited and contributed to its weekly technology page, and launched a financial and technology radio service supplying daily news bulletins to the national broadcaster, the South African Broadcasting Corporation, which were then distributed to some 50 radio stations across the country.

He was then transferred to San Francisco as Business Report's U.S. Correspondent to cover Silicon Valley, trade and finance between the US, Europe and emerging markets like South Africa. After serving that role for more than two years, he joined eWeek as a Senior Editor, covering software platforms in August 2000.

He has comprehensively covered Microsoft and its Windows and .Net platforms, as well as the many legal challenges it has faced. He has also focused on Sun Microsystems and its Solaris operating environment, Java and Unix offerings. He covers developments in the open source community, particularly around the Linux kernel and the effects it will have on the enterprise.

He has written extensively about new products for the Linux and Unix platforms, the development of open standards and critically looked at the potential Linux has to offer an alternative operating system and platform to Windows, .Net and Unix-based solutions like Solaris.

His interviews with senior industry executives include Microsoft CEO Steve Ballmer, Linus Torvalds, the original developer of the Linux operating system, Sun CEO Scott McNealy, and Bill Zeitler, a senior vice president at IBM.
