System security requires that each account in the system is protected as well as possible against unauthorized use. Every user must feel responsible for the security of their own account: once a badly secured account has been broken into, not only can the system's resources be misused in that user's name, but all other users are also threatened by the intruder's new possibilities.

General rules

  • report security weaknesses you discover instead of exploiting them
  • do not let any "good friend" use your own account
  • log out at the end of every session
  • lock the computer or lock the room, even when you leave for only a short time

Tips for a secure password

  • at least 8 characters long
  • do not use a single word that can be found in a dictionary
  • do not use personal information to create the password
  • do not use common abbreviations
  • the password should contain:
    • capital letters
    • small letters
    • numbers
    • special characters (be careful with non-ASCII characters)
  • keep your password secret
  • use different passwords for different systems
  • do not save your password in a text file on your PC

A useful technique for good passwords:
Choose a phrase with a meaning that you can remember. Take the first letter of each word in order (keeping upper/lower case) together with the punctuation marks as your password.

Rules for Unix users

  • no world-write access to your home directory or to any of your own files

  • no world access to dot files such as .login, .cshrc, .profile, etc.

  • no world-exec access to your own programs (a risk for the caller)

  • world-read access to your own files only in exceptional cases

  • no set-UID programs with world-exec access

  • no set-UID or set-GID scripts

  • set umask to the value 077

  • check your own files for plausibility (name, owner, access permissions, date) from time to time using "ls -alc"

  • include only secure directories in the definition of the command search path (csh variable path, sh variable PATH, environment variable PATH)

  • do not put the current directory (".") into PATH or path at all, or only as the last directory

  • no "+" in the .rhosts file

  • no computer or user from another security cluster in the .rhosts file

  • no entry without a user specification in the .rhosts file

  • no "old" entries (Hosts, User) in the .rhosts file

  • in the .netrc file, only entries for anonymous FTP access, no passwords

  • caution when executing programs from other users' directories (unwanted side effects, Trojan horses)

  • do not enter the command "xhost +" or "xhost +computername"

  • enter passwords via xterm only in secure mode (option Secure Keyboard or secureonpwd)
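Most of the Unix rules above can be checked mechanically. The script below is an added example, not part of the original guideline; it assumes a POSIX shell with find (supporting -mindepth/-maxdepth), awk, grep and sed, and it builds its own throwaway sample home directory (constructed data) containing several of the weaknesses the list forbids:

```shell
#!/bin/sh
# Added example (not from the original page): audit a home directory and a search path
# against the rules above. Needs POSIX sh, find(1) with -mindepth/-maxdepth, awk, grep, sed.
audit_home() {                          # prints one line per finding, nothing when clean
    dir="$1"
    # Rule: no world-write access to the home directory or to any own file.
    find "$dir" -perm -002 2>/dev/null | sed 's/^/world-writable: /'
    # Rule: no world access at all to dot files (.login, .cshrc, .profile ...).
    find "$dir" -mindepth 1 -maxdepth 1 -name '.*' \( -perm -004 -o -perm -002 -o -perm -001 \) |
        sed 's/^/world-accessible dot file: /'
    # Rule: no set-UID or set-GID program that the world may execute.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -perm -001 |
        sed 's/^/set-UID or set-GID with world exec: /'
    # Rule: no "+" and no entry without a user name in .rhosts.
    [ -f "$dir/.rhosts" ] && awk '/^[ \t]*#/ || NF == 0 { next }
        $1 == "+" || $2 == "+" { print "rhosts wildcard (line " NR "): " $0; next }
        NF < 2 { print "rhosts entry without user (line " NR "): " $0 }' "$dir/.rhosts"
    # Rule: .netrc may hold anonymous FTP entries only, never a password.
    [ -f "$dir/.netrc" ] && grep -in 'password' "$dir/.netrc" | sed 's/^/netrc password: /'
    return 0
}

# Rule: only secure directories in PATH, and "." (or an empty entry, which also
# means the current directory) at most as the very last component.
check_path() {
    rest="$1:"; n=0                     # trailing ":" so the loop sees every component
    while [ -n "$rest" ]; do
        comp=${rest%%:*}; rest=${rest#*:}; n=$((n + 1))
        case "$comp" in
            .|"") [ -z "$rest" ] || echo "PATH entry $n is the current directory" ;;
            *)    [ -z "$(find "$comp" -maxdepth 0 -perm -002 2>/dev/null)" ] ||
                      echo "PATH entry $n is world-writable: $comp" ;;
        esac
    done
}

# Rule: umask 077, so that new files get no group or world permission bits.
umask_ok() { case "$1" in 77|077|0077) return 0 ;; *) return 1 ;; esac; }
# Constructed demo: a throwaway home directory with deliberately weak settings.
demo() {
    d=$(mktemp -d) || return 1
    chmod 777 "$d"; mkdir "$d/safe"; chmod 755 "$d/safe"
    printf 'setenv FOO bar\n' > "$d/.cshrc"; chmod 644 "$d/.cshrc"
    printf '+\nhost1.example\nhost2.example alice\n' > "$d/.rhosts"; chmod 600 "$d/.rhosts"
    printf 'machine ftp.example login alice password hunter2\n' > "$d/.netrc"; chmod 600 "$d/.netrc"
    printf '#!/bin/sh\necho hi\n' > "$d/tool"; chmod 4711 "$d/tool"
    audit_home "$d"; check_path ".:$d/safe:$d"
    rm -rf "$d"
}
demo                                    # reports 8 findings for the sample home
```

To check a real account, call audit_home "$HOME", check_path "$PATH" and umask_ok "$(umask)" instead of demo; the set-UID check cannot tell a script from a binary, so every set-UID or set-GID file it reports should be reviewed by hand.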

[Partly adapted from Saarland University]