[2093] in WWW Security List Archive
Re: Macintosh Web Server Issues
daemon@ATHENA.MIT.EDU (Dan Stromberg)
Tue May 14 19:39:56 1996
Date: Tue, 14 May 1996 14:22:12 -0700
From: Dan Stromberg <strombrg@hydra.acs.uci.edu>
To: David Ray <daver@idiom.com>
CC: www-security@ns2.rutgers.edu, Karl Mitze <kgmlists@3rdmill.com>
Errors-To: owner-www-security@ns2.rutgers.edu
The less your machine is configured to do (capable of doing), the safer
it is.
David Ray wrote:
>
> Macintosh is inherently more secure than Unix or DOS based systems because
> there is no Unix shell or DOS prompt to execute commands from. The only
> vulnerabilities that I can think of are:
>
> (1) By far the most common Mactintosh security hole is NCSA Telnet's
> built-in FTP server. A lot of people configure it to allow connections with
> no passwords required. Your whole hard drive is at risk. Just make sure you
> turn off the FTP server if you use this software.
>
> (2) If your Web server is using MacPerl, and if your CGI's have been poorly
> written, it might be possible (though unlikely) to invoke Perl commands
> from URL's or POST data. Conceivably, you could use MacPerl to break into a
> Unix machine elsewhere on your network. This is very far-fetched, but
> technically possible.
>
> Other than that, Macs are vurtually bulletproof.
>
> -Dave
>
> At 10:19 AM 5/13/96, you wrote:
>
> > We are a small company running a primarily Macintosh network, and are
> > preparing to host a Web site using WebStar on a Macintosh machine connected
> > to our Internet provider via a router. I have poked around the Web and the
> > local technical bookstore looking for security-related information, but 99%
> > of what I have seen seems to relate very specifically to UNIX-based
> > systems. Thus, despite my initial research, I am still pretty much in the
> > dark as to what threats I need to concern myself with and how to
> > deter/prevent these threats. Our biggest fear is loss or disclosure of data
> > on our network.
> >
> > Does anyone know where I can find Macintosh-specific security information?
> > (Or perhaps the information I have been reading applies to any platform,
> > and I have just misunderstood it?) I need to be able to answer such
> > questions as the following: What are the vulnerabilities of our current
> > setup, and how can I minimize our exposure without unduly limiting public
> > access to our web site or internal access to the Internet? Do we need a
> > firewall? If so, what are the firewall alternatives available for the Mac?
> > Does running our own mail server (AIMS) increase our vulnerability? What if
> > we would like to add an FTP server, or other types of Internet servers?
> >
> > Basically, I want to get to the point where I have accomplished "due
> > diligence" and can feel relatively comfortable with our security
> > arrangements (although naturally security will be an on-going concern).
> >
> > Any help or pointers on this would be greatly appreciated!
> >
> > Karl
> >
> > --------------------
> > Karl Mitze
> > 3RD Millennium, Inc.
> > kmitze@3rdmill.com
