I have an associate who consults for a living. He would
like objective feedback from a variety of other IT folks
so he can present his customer with recommendations that
are considered to be industry best practices. He would
appreciate it if knowledgeable IT people could comment
on the following items using language that he can
present to his customer. You could send me the comments
directly if you wish if this is not an appropriate topic
for this list. Thanks in advance.

Ed

1. The customer wants users to be able to contribute content
    to their Web server, which runs Apache and MySQL on Linux.
    Most of the time, this means users saving PDF documents
    to the Web server so other users can access them via their
    browsers.

    He has Samba running and has configured the Web site's
    DocumentRoot to be a Samba share. Every user in the
    company can now access all the Web site data. The
    MySQL tables are not in DocumentRoot but there are PHP
    files in the DocumentRoot that access the tables. I'm
    guessing he thinks he'll control security by only mapping
    drive letters for certain users.

    I mentioned to the customer that this is a significant
    security issue and that there are more secure ways for
    users to contribute content but he is unconvinced (see
    item 2).

2. The customer ignores security issues because:

a) He claims they are on a "private network"; they are safe.
    The Web server serves only internal users; it cannot be
    accessed directly from the Internet. However, their
    "private network" is not private in the sense of NAT
    and RFC1918 private addressing. Everyone in the company
    has a public IP address. Every desktop computer runs
    Windows with the usual complement of Windows applications.

    Their border gateway/firewall provides insulation from the
    outside but I'm able to use a variety of protocols, such as
    SSH, to make connections to hosts on the Internet from
    their network. He seems to be unaware of threats that
    originate from the inside.

b) Their virus scanners are up to date.

_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
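The core problem in item 1 is a writable Samba share that coincides with the Apache DocumentRoot, so anyone with the share mapped can alter the PHP files that hold the database access. The following audit script is an added example, not part of the original post: it reads an smb.conf and an Apache config and flags every writable share whose path is, or sits under, the DocumentRoot. Both config texts are constructed samples that mirror the described setup plus a separate upload share outside the web root (the safer arrangement, served via an Alias).

```python
"""Flag Samba shares that expose an Apache DocumentRoot for writing."""
import configparser
import os
import re

# Constructed smb.conf: [www] reproduces the risky setup from the post,
# [uploads] is a share outside the web root for user-contributed PDFs.
SMB_CONF = """
[global]
   workgroup = OFFICE
[www]
   path = /var/www/html
   writable = yes
[uploads]
   path = /srv/uploads/pdf
   read only = no
"""

# Constructed Apache config: the DocumentRoot plus an Alias that publishes
# the upload area read-only without placing it under the web root.
HTTPD_CONF = """
DocumentRoot "/var/www/html"
Alias /docs "/srv/uploads/pdf"
"""

def writable_shares(smb_text):
    """Return {share_name: normalized path} for shares clients can write to.
    Samba treats 'writable = yes' / 'writeable = yes' / 'read only = no'
    as equivalent; the default ('read only = yes') is read-only."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_text)
    shares = {}
    for name in cp.sections():
        sec = cp[name]
        path = sec.get("path")
        if name == "global" or not path:
            continue
        writable = (sec.get("writable", sec.get("writeable", "no")).lower() == "yes"
                    or sec.get("read only", "yes").lower() == "no")
        if writable:
            shares[name] = os.path.normpath(path)
    return shares

def document_root(httpd_text):
    """Extract the (optionally quoted) DocumentRoot path, or None."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', httpd_text, re.M)
    return os.path.normpath(m.group(1)) if m else None

def find_overlaps(smb_text, httpd_text):
    """Names of writable shares equal to or nested inside the DocumentRoot."""
    root = document_root(httpd_text)
    if root is None:
        return []
    return sorted(name for name, path in writable_shares(smb_text).items()
                  if path == root or path.startswith(root + os.sep))

if __name__ == "__main__":
    for share in find_overlaps(SMB_CONF, HTTPD_CONF):
        print(f"writable share [{share}] overlaps the Apache DocumentRoot")
```

Run against the real /etc/samba/smb.conf and httpd.conf, a non-empty result means share users can modify served PHP code; moving contributions to a share like [uploads] and publishing it via Alias keeps the DocumentRoot read-only for everyone but the administrator.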