Contents
|
Computer Security Changes: Recent and PlannedDenise Heagerty , IT/DI AbstractThe following security changes are being implemented: Off-site FTP closure, Off-site X11 protections, and AFS password expiry. Off-Site FTP Closure To reduce the number of regular break-ins on CERN machines due to passwords exposed on the network in clear text, OFF-SITE FTP ACCESS TO CERN WILL BE BLOCKED in the CERN firewall from Tuesday 20th January 2004 Users are recommended to install and use SSH (Secure SHell) as an alternative to ftp as soon as possible for off and on site access. Links to further details about SSH and other alternatives are at http://cern.ch/security/ftp. Off-site X11 Firewall Protections Following some serious incidents, X11 firewall protection, which already covered most CERN systems, was extended to the whole site from Tuesday 4th November 2003. All CERN systems running X displays (such as X terminals or Exceed) must start off-site X applications securely, as described at: http://cern.ch/security/X11. AFS Password Expiry Enforcement To ensure that passwords are regularly changed, annual password expiry will be enforced for AFS users. Warning messages will be sent by email and users will be required to change their passwords using the command "kpasswd". This mechanism is already in place for NICE passwords. Recommendations for choosing good passwords are at http://cern.ch/security/passwords |