Secure Account Management Across Production and Development Environments

Secure Account Management Across Production and Development Environments

or example, a number of financial institutions seem predetermined to use NIS to manage large numbers of accounts across a multitude of systems. So what’s the problem with that? Anyone who issues the command ypcat passwd can gain access to the encrypted passwords for all users on the network, including administrators’ accounts and possibly the root account itself.

Generally, a quick review of that password file will turn up numerous development accounts. A number will have the username as the password, a large number will have the company’s acronym as the password, and—the intruder’s favorite—one or two will have no password at all. If the intruder isn’t lucky enough to find any accounts without passwords, he or she can always run them through a password cracker. Either John the Ripper, or the old favorite Crack, will crack bad passwords within 15 minutes to an hour, and the larger the user environment, the greater the chance of bad passwords.

Administrators should be using these tools on a regular basis, but none seem to be. Some systems I’ve come across have OS-level controls for password checking, but they aren’t being used, either. Given that the majority of machines use regular password authentication, password cracking is an easy means for an attacker to gain access to systems without using any fancy exploits—or even their infamous scripts.

Reduce Cross-Environment Access
What can be done? Initially, administrators should get rid of NIS. They might be able to use NIS+, but support across a heterogeneous Unix environment is spotty and will require some custom scripting. But in the end, it should prove no more painful.

For this scenario, I discuss how best to split the development and production areas. Administrators must carefully determine who in their environments need (and are given) access to both environments. They should ask themselves the following:

  • Do they have separate administrator groups for development and production systems?
  • If so, do any of them need access across environments?
  • Do any other users need access to either environment?

In a clear-cut case, no developers should have access to production systems, and very few administrators should be allowed to work between the two environments. Production systems should consist of only applications and software that have been tried and tested in the development or staging environment. (Administrators whose environments actually work this way are a rarity in my experience.) The challenge is to devise a way to work close to this ideal, while allowing for the exceptions that most environments require. Step one is having the administrator answer the questions above. In general, fewer users should require access to systems in the development environment than systems in the production environment. The number of people who require administrator access should be smaller too. If your administrative group is large enough, responsibilities can be divided among smaller groups that administer each machine type.

Developer Pushback
As security conscious as it may be, developers generally aren’t thrilled with a policy that denies them access to production boxes. They often will push back, claiming tight security will make their jobs near impossible or will increase development time. It may make development difficult at first, but developers eventually will get used to it; with any new aspect to a system, a learning curve can be expected. The most important thing is that systems ultimately will be much less susceptible to exploitation.

Setting the security expectation early is the smoothest way to get developers on board, particularly at a startup. Bringing up the security concept late in the development process generally means delays. Since no one really has been thinking about security ramifications, the processes in place will need to be retrofitted. Trying to retrofit a solution becomes very costly in terms of both time and money. Also, most solutions should be able to grow as the environment grows. For both startups and established entities, the introduction of security concepts prior to the first (or yearly) security audit will make the audit much less painful.

Next, administrators will need to download a couple of tools: SSH Secure Shell and Sudo (superuser do). Administrators who aren’t familiar with SSH had better become familiar with it very quickly. I’ve yet to find it in an environment I’ve reviewed, but SSH should eventually replace Telnet for communication between all Unix boxes, as well as routers. The closest I have seen to such an environment is one where SSH was installed and used by the administrators but Telnet also was enabled and used (often by non-administrators).An SSH implementation should eliminate all unencrypted network logins, which will help protect the network from the various password-sniffing vulnerabilities, as well as protect the data going back and forth across the connection. SSH also can replace all of the r* services on Unix servers (not that unauthenticated rlogins should be allowed anyway), as well as FTP.

The real benefit of SSH, however, is its ability to either replace services such as rdist (a utility for distributing files across systems) or allow them to tunnel through itself. For the sake of demonstration, I describe how I take a very secure system and make it the central password server. Then, from this server, I will generate custom password (and shadow) files for the other systems and distribute user accounts as required to the systems to which the users need access.

A general security rule is to have unique passwords across every system. But following this rule generally isn’t practical when you’re talking about the administration of 15 or more servers. Good password selection is difficult enough, but when a user has to create more than one and may have to change it every 30 to 90 days, the quality and the uniqueness generally drop—dramatically.

Rather than get into a holy war over it, the administrator should assume that if he or she can’t find a way to use a one-time, token-based authentication system, users are going to need to reuse passwords across systems. It’s the only way for users to come up with decent passwords that they aren’t going to write on yellow Post-It notes and place next to their monitors. Thus, one solution is having them use different passwords across different types of systems (front-door web servers, back-end servers, database servers, mail servers, DNS servers, SSL servers, etc.). Given that often times these systems will be maintained by different groups of users, this often will follow existing segmentation. Next, rdist (as well as many other services) connections can be tunneled through SSH to distribute the password files to each of the servers. That way, administration can be done from a central server, user accounts are placed only on systems for which access is required (to a point, this can almost be a web-based application), and system security features such as shadowed password files are still in use. In addition, even if the administration server dies, user access to the machines should not be interrupted because the local password files are accurate.

However, these applications—as with all applications—have drawbacks. Constructing the proper password or authentication files for a heterogeneous environment has its difficulties. While BSDs, Linux, and Solaris variations are generally simple and very similar, HPUX and AIX variations will require a review of a number of main pages to refresh oneself with all of the fields. (Hopefully, the applications allow for the use of the Trusted Computing Base (TCB) on the HPUX servers.) This isn’t the easiest way for managing user-password changes either, since changes made locally on a server will not be propagated through the rest of the environment.

Sudo: The Best Available Option
Now that the accounts are distributed across systems, let’s look at Sudo. For a given environment, if someone gets enough pieces of the “root” puzzle (i.e., access to the users who can create accounts or change passwords, along with access to the users who can adjust the configuration files of the “root” distribution program), that person can acquire the equivalent of root access. So I refuse to give any credence to programs that claim to remove the “root” account. Thus, I am left with the best available option, and Sudo is a great tool in a number of ways. It is free, it has been ported to most systems, and it can be configured with a great deal of granularity.

Now, assume that I don’t allow direct logins to the root account from anyplace other than the console. I’m also in an environment that has more than one administrator. (Every environment should be this way, just in case of the “hit-by-bus” scenario.) How can the functions of the root user be shared among multiple administrators while logging the actions that each user performs on the system? How do I limit who has the ability to run programs as root? How do I limit who can switch users to root?

These tasks can’t all be done through system configurations on every operating system I have. However, I can add in functionality for the operations group so they can perform some of the more mundane tasks or error-checking routines on the production servers, and the administrators don’t need to be called or paged with the dreaded 4 a.m. wakeup call.

With Sudo, the administrator can grant users the ability to run commands (typically as root) from an extremely granular single command or to a range as broad as any command on the system. One of its most important benefits is the increased logging. The standard practice is SU-ing to root and then executing a command or commands, where only the action of the SU may be logged. Sudo, on the other hand, logs each command and the user who ran it. It also helps prevent the occasional mistake that a user who is always logged in as root makes, like accidentally running commands or deleting files because they forget they are logged in as root.

By using the granular ability of Sudo, I can grant user-level access to users of other machine groups so that they can test connectivity between servers on the network, and I can grant users who administer those machines access to administrative commands. Access to these other accounts should be used only as a troubleshooting tool, not as a replacement for a realistic development environment. Proper testing should be taking place prior to rollouts to production.

As I alluded to earlier, Sudo is simply a tool, not an end-all, be-all security tool. If administrators get used to using it, a number of stupid mistakes will be prevented. But this won’t prevent access to root or keep the server from buffer overflows. It will help administrators limit and log general system activity as well as determine who did what when they troubleshoot a system failure. And they can distribute the Sudo configuration files the same way that I distributed the password files.

devx-admin

devx-admin

Share the Post:
Web App Security

Web Application Supply Chain Security

Grace Phillips October 2, 2023

Today’s web applications depend on a wide array of third-party components and open-source tools to function effectively. This reliance on external resources poses significant security

Thrilling Battle

Thrilling Battle: Germany Versus Huawei

Lila Anderson October 2, 2023

The German interior ministry has put forward suggestions that would oblige telecommunications operators to decrease their reliance on equipment manufactured by Chinese firms Huawei and

iPhone 15 Unveiling

The iPhone 15’s Secrets and Surprises

Jordan Williams October 2, 2023

As we dive into the most frequently asked questions and intriguing features, let us reiterate that the iPhone 15 brings substantial advancements in technology and

Performance Camera

iPhone 15: Performance, Camera, Battery

Johannah Lopez October 2, 2023

Apple’s highly anticipated iPhone 15 has finally hit the market, sending ripples of excitement across the tech industry. For those considering upgrading to this new

Battery Breakthrough

Electric Vehicle Battery Breakthrough

Grace Phillips October 2, 2023

The prices of lithium-ion batteries have seen a considerable reduction, with the cost per kilowatt-hour dipping under $100 for the first occasion in two years,

Web App Security

Web Application Supply Chain Security

Grace Phillips October 2, 2023

Today’s web applications depend on a wide array of third-party components and open-source tools to function effectively. This reliance on external resources poses significant security risks, as malicious actors can

Thrilling Battle

Thrilling Battle: Germany Versus Huawei

Lila Anderson October 2, 2023

The German interior ministry has put forward suggestions that would oblige telecommunications operators to decrease their reliance on equipment manufactured by Chinese firms Huawei and ZTE. This development comes after

iPhone 15 Unveiling

The iPhone 15’s Secrets and Surprises

Jordan Williams October 2, 2023

As we dive into the most frequently asked questions and intriguing features, let us reiterate that the iPhone 15 brings substantial advancements in technology and design compared to its predecessors.

Chip Overcoming

iPhone 15 Pro Max: Overcoming Chip Setbacks

Noah Nguyen October 2, 2023

Apple recently faced a significant challenge in the development of a key component for its latest iPhone series, the iPhone 15 Pro Max, which was unveiled just a week ago.

Performance Camera

iPhone 15: Performance, Camera, Battery

Johannah Lopez October 2, 2023

Apple’s highly anticipated iPhone 15 has finally hit the market, sending ripples of excitement across the tech industry. For those considering upgrading to this new model, three essential features come

Battery Breakthrough

Electric Vehicle Battery Breakthrough

Grace Phillips October 2, 2023

The prices of lithium-ion batteries have seen a considerable reduction, with the cost per kilowatt-hour dipping under $100 for the first occasion in two years, as reported by energy analytics

Economy Act Soars

Virginia’s Clean Economy Act Soars Ahead

Lila Anderson October 2, 2023

Virginia has made significant strides towards achieving its short-term carbon-free objectives as outlined in the Clean Economy Act of 2020. Currently, about 44,000 megawatts (MW) of wind, solar, and energy

Renewable Storage Innovation

Innovative Energy Storage Solutions

Jordan Williams October 2, 2023

The Department of Energy recently revealed a significant investment of $325 million in advanced battery technologies to store excess renewable energy produced by solar and wind sources. This funding will

Renesas Tech Revolution

Revolutionizing India’s Tech Sector with Renesas

Noah Nguyen October 2, 2023

Tushar Sharma, a semiconductor engineer at Renesas Electronics, met with Indian Prime Minister Narendra Modi to discuss the company’s support for India’s “Make in India” initiative. This initiative focuses on

Development Project

Thrilling East Windsor Mixed-Use Development

Johannah Lopez October 2, 2023

Real estate developer James Cormier, in collaboration with a partnership, has purchased 137 acres of land in Connecticut for $1.15 million with the intention of constructing residential and commercial buildings.

USA Companies

Top Software Development Companies in USA

Johannah Lopez October 1, 2023

Navigating the tech landscape to find the right partner is crucial yet challenging. This article offers a comparative glimpse into the top software development companies in the USA. Through a

Software Development

Top Software Development Companies

Noah Nguyen September 30, 2023

Looking for the best in software development? Our list of Top Software Development Companies is your gateway to finding the right tech partner. Dive in and explore the leaders in

India Web Development

Top Web Development Companies in India

Jordan Williams September 30, 2023

In the digital race, the right web development partner is your winning edge. Dive into our curated list of top web development companies in India, and kickstart your journey to

USA Web Development

Top Web Development Companies in USA

Johannah Lopez September 30, 2023

Looking for the best web development companies in the USA? We’ve got you covered! Check out our top 10 picks to find the right partner for your online project. Your

Clean Energy Adoption

Inside Michigan’s Clean Energy Revolution

Grace Phillips September 29, 2023

Democratic state legislators in Michigan continue to discuss and debate clean energy legislation in the hopes of establishing a comprehensive clean energy strategy for the state. A Senate committee meeting

Chips Act Revolution

European Chips Act: What is it?

Lila Anderson September 29, 2023

In response to the intensifying worldwide technology competition, Europe has unveiled the long-awaited European Chips Act. This daring legislative proposal aims to fortify Europe’s semiconductor supply chain and enhance its

Revolutionized Low-Code

You Should Use Low-Code Platforms for Apps

Jordan Williams September 29, 2023

As the demand for rapid software development increases, low-code platforms have emerged as a popular choice among developers for their ability to build applications with minimal coding. These platforms not

Cybersecurity Strategy

Five Powerful Strategies to Bolster Your Cybersecurity

Noah Nguyen September 29, 2023

In today’s increasingly digital landscape, businesses of all sizes must prioritize cyber security measures to defend against potential dangers. Cyber security professionals suggest five simple technological strategies to help companies

Global Layoffs

Tech Layoffs Are Getting Worse Globally

Jordan Williams September 29, 2023

Since the start of 2023, the global technology sector has experienced a significant rise in layoffs, with over 236,000 workers being let go by 1,019 tech firms, as per data

Huawei Electric Dazzle

Huawei Dazzles with Electric Vehicles and Wireless Earbuds

Johannah Lopez September 29, 2023

During a prominent unveiling event, Huawei, the Chinese telecommunications powerhouse, kept quiet about its enigmatic new 5G phone and alleged cutting-edge chip development. Instead, Huawei astounded the audience by presenting

Cybersecurity Banking Revolution

Digital Banking Needs Cybersecurity

Johannah Lopez September 29, 2023

The banking, financial, and insurance (BFSI) sectors are pioneers in digital transformation, using web applications and application programming interfaces (APIs) to provide seamless services to customers around the world. Rising

FinTech Leadership

Terry Clune’s Fintech Empire

Grace Phillips September 29, 2023

Over the past 30 years, Terry Clune has built a remarkable business empire, with CluneTech at the helm. The CEO and Founder has successfully created eight fintech firms, attracting renowned

The Role Of AI Within A Web Design Agency?

DevX Editor September 29, 2023

In the digital age, the role of Artificial Intelligence (AI) in web design is rapidly evolving, transitioning from a futuristic concept to practical tools used in design, coding, content writing

Generative AI Revolution

Is Generative AI the Next Internet?

Lila Anderson September 29, 2023

The increasing demand for Generative AI models has led to a surge in its adoption across diverse sectors, with healthcare, automotive, and financial services being among the top beneficiaries. These

Show More