Information Resources and Communications

    Unsafe Practices

    LAN administrators and other technical support staff should be aware that the practices listed below may make a computing environment vulnerable to compromise. UCOP departments are strongly discouraged from implementing or deploying any of these functions without prior consultation with IR&C. Individual users should not enable the functions under any circumstances.


      1. Unauthenticated and Unauthorized E-mail Relays
      2. Unauthenticated and Unauthorized Proxy Services
      3. Remote Access to Desktop Computers
      4. Remote Access to Microsoft Servers
      5. Remote Access to Networked Printers
      6. Installation of Public Domain Software
      7. Unsecured FTP or Telnet Access to UCOP systems
      8. Unauthorized Server Installation
      9. Unauthorized Wireless Access Points
      10. Indiscriminate Assignment of Administrator Rights and Privileges


      1. Unauthenticated and Unauthorized E-mail Relays
        Open relays are e-mail servers that are configured to accept and transfer e-mail on behalf of any user anywhere, including unrelated third parties. If a server acts as an open relay, it allows third parties to use it to redistribute a large volume of e-mail messages. An increasing number of spammers are exploiting open e-mail relays to send spam and disguise the true source of their messages.
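
        The accept/refuse decision that separates a closed relay from the open relay described above, as an added example (not part of the original page or of any UCOP configuration). The hosted domain, the trusted network and the sample transactions are constructed assumptions.

```python
import ipaddress

# Assumptions for this example (not taken from the page):
LOCAL_DOMAINS = {"example.edu"}                       # domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # internal client networks

# Constructed sample transactions: (client IP, authenticated?, sender, recipient)
SAMPLE_LOG = [
    ("10.1.2.3", False, "staff@example.edu", "partner@example.org"),
    ("203.0.113.9", False, "someone@example.net", "staff@example.edu"),
    ("203.0.113.9", True, "staff@example.edu", "partner@example.org"),
    ("198.51.100.7", False, "bulk@example.net", "user@example.org"),
]

def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def is_trusted(client_ip):
    """True if the connecting client is on one of the internal networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

def relay_decision(client_ip, authenticated, sender, recipient):
    """Return 'deliver', 'relay' or 'reject' for one message, as a closed relay would.

    The sender address is deliberately ignored: it is supplied by the client
    and can be forged, so it must not grant relay rights.
    """
    if domain_of(recipient) in LOCAL_DOMAINS:
        return "deliver"    # inbound mail for a hosted domain
    if authenticated or is_trusted(client_ip):
        return "relay"      # outbound mail from a known user or network
    return "reject"         # unrelated third party to an outside recipient

def third_party_relays(log):
    """Transactions an open relay would forward but a closed relay refuses."""
    return [entry for entry in log if relay_decision(*entry) == "reject"]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(relay_decision(*entry), entry)
```

        A server that answers "relay" for the last sample transaction is acting as an open relay in the sense described above.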

      2. Unauthenticated and Unauthorized Proxy Services
        A proxy server is a server that sits between a client application, such as a Web browser, and a destination server. It intercepts all requests to the destination server and passes them on to the destination server after applying any prespecified filtering rules. These rules limit what the client application can access, monitor various destinations a client application accesses, and/or allow a client application to access destinations limited to those reachable from the proxy server. In the latter case, a proxy server may be used to make a remote system appear as though it is on the same subnet as the server, opening the possibility for spoofing legitimate IP addresses.


      3. Remote Access to Desktop Computers
        Software such as pcAnywhere and GoToMyPC that allows remote access to a desktop PC requires the PC to be left on, thereby exposing the system to possible compromise.

      4. Remote Access to Microsoft Servers
        Remote access to UCOP Microsoft servers is not supported. Remote access to MS servers requires certain firewall ports to be open, making them vulnerable to unauthorized access. Of special concern is an MS-SQL server, which continues to be an attractive break-in target since many programs install the MS-SQL gateway code without user knowledge.


      5. Remote Access to Networked Printers
        Many printers incorporate open telnet/ftp/http servers for remote printer configuration or file use and therefore can be broken into and used to attack other systems.

      6. Installation of Public Domain Software
        Installation of public domain or other unauthorized software, such as some file sharing programs, runs the risk of exposing the system to unauthorized access. Further, this type of software may contain "malware," such as spyware or other programs that compromise security and privacy.


      7. Unsecured FTP or Telnet Access to UCOP systems
        The original FTP and telnet protocols for accessing files or terminal sessions pass information (including login userids and passwords) "in the clear" (unencrypted), allowing login information to be intercepted and used to gain unauthorized access to UCOP systems. FTP or telnet access should be established using client software that incorporates SSL (Secure Sockets Layer) protocols.

      8. Unauthorized Server Installation
        Departments may not connect any server to the network or configure their desktop or other computers to offer services to other users without prior consultation with IR&C. In order to maintain and protect the security of the UCOP network, servers must be configured to certain standards (specific ports shut down, latest patches and critical updates installed, unnecessary services and ports turned off, etc.) before being inserted into the UCOP network.


      9. Unauthorized Wireless Access Points
        At present, UCOP does not support secure wireless network access in any of its buildings. Departments are prohibited from installing wireless access routers and similar rogue access devices.

      10. Indiscriminate Assignment of Administrator Rights and Privileges
        Administrator rights and permissions to a computer should rarely, if ever, be assigned to a typical user's account. Assigning these rights and permissions where they are not required exposes an entire networked environment to potential risks should that user's account be compromised. Removing administrator rights and privileges from that user restricts the exposure to only the compromised computer.

