[2084] in WWW Security List Archive
Re:Macintosh Web Server Issues
daemon@ATHENA.MIT.EDU (David Ray)
Tue May 14 04:27:44 1996
Date: Mon, 13 May 1996 23:31:31 -0700
To: www-security@ns2.rutgers.edu
From: daver@idiom.com (David Ray)
Cc: kgmlists@3rdmill.com (Karl Mitze)
Errors-To: owner-www-security@ns2.rutgers.edu
Macintosh is inherently more secure than Unix or DOS based systems because
there is no Unix shell or DOS prompt to execute commands from. The only
vulnerabilities that I can think of are:
(1) By far the most common Mactintosh security hole is NCSA Telnet's
built-in FTP server. A lot of people configure it to allow connections with
no passwords required. Your whole hard drive is at risk. Just make sure you
turn off the FTP server if you use this software.
(2) If your Web server is using MacPerl, and if your CGI's have been poorly
written, it might be possible (though unlikely) to invoke Perl commands
from URL's or POST data. Conceivably, you could use MacPerl to break into a
Unix machine elsewhere on your network. This is very far-fetched, but
technically possible.
Other than that, Macs are vurtually bulletproof.
-Dave
At 10:19 AM 5/13/96, you wrote:
> We are a small company running a primarily Macintosh network, and are
> preparing to host a Web site using WebStar on a Macintosh machine connected
> to our Internet provider via a router. I have poked around the Web and the
> local technical bookstore looking for security-related information, but 99%
> of what I have seen seems to relate very specifically to UNIX-based
> systems. Thus, despite my initial research, I am still pretty much in the
> dark as to what threats I need to concern myself with and how to
> deter/prevent these threats. Our biggest fear is loss or disclosure of data
> on our network.
>
> Does anyone know where I can find Macintosh-specific security information?
> (Or perhaps the information I have been reading applies to any platform,
> and I have just misunderstood it?) I need to be able to answer such
> questions as the following: What are the vulnerabilities of our current
> setup, and how can I minimize our exposure without unduly limiting public
> access to our web site or internal access to the Internet? Do we need a
> firewall? If so, what are the firewall alternatives available for the Mac?
> Does running our own mail server (AIMS) increase our vulnerability? What if
> we would like to add an FTP server, or other types of Internet servers?
>
> Basically, I want to get to the point where I have accomplished "due
> diligence" and can feel relatively comfortable with our security
> arrangements (although naturally security will be an on-going concern).
>
> Any help or pointers on this would be greatly appreciated!
>
> Karl
>
> --------------------
> Karl Mitze
> 3RD Millennium, Inc.
> kmitze@3rdmill.com
