67 lines
4.2 KiB
HTML
67 lines
4.2 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
|
<!DOCTYPE html
|
|||
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
|
<head>
|
|||
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
|
<meta name="security" content="public" />
|
|||
|
|
<meta name="Robots" content="index,follow" />
|
|||
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
|
<meta name="DC.Type" content="concept" />
|
|||
|
|
<meta name="DC.Title" content="Secure the TFTP server" />
|
|||
|
|
<meta name="abstract" content="This article provides recommendations for securing the TFTP server." />
|
|||
|
|
<meta name="description" content="This article provides recommendations for securing the TFTP server." />
|
|||
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvtcptftp.htm" />
|
|||
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
|
<meta name="DC.Identifier" content="tcpsectftp" />
|
|||
|
|
<meta name="DC.Language" content="en-us" />
|
|||
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
|
<!-- US Government Users Restricted Rights -->
|
|||
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
|
<title>Secure the TFTP server</title>
|
|||
|
|
</head>
|
|||
|
|
<body id="tcpsectftp"><a name="tcpsectftp"><!-- --></a>
|
|||
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
|
<h1 class="topictitle1">Secure the TFTP server</h1>
|
|||
|
|
<div><p>This article provides recommendations for securing the TFTP server.</p>
|
|||
|
|
<p>By default, the TFTP server provides very limited access to your system. It is specifically configured to provide the initial code for thin
|
|||
|
|
clients. As a security administrator, you should be aware of the following
|
|||
|
|
characteristics of the TFTP server:</p>
|
|||
|
|
<ul><li>The TFTP server does not require authentication (a user ID and password).
|
|||
|
|
All TFTP jobs run under the QTFTP user profile. The QTFTP user profile does
|
|||
|
|
not have a password. Therefore, it is not available for interactive sign-on.
|
|||
|
|
The QTFTP user profile does not have any special authorities, nor is it explicitly
|
|||
|
|
authorized to system resources. It uses public authority to access the resources
|
|||
|
|
that it needs for the thin clients. </li>
|
|||
|
|
<li>When the TFTP server arrives, it is configured to access the directory
|
|||
|
|
that contains thin client information. You must have *PUBLIC or QTFTP authorized
|
|||
|
|
to read or write to that directory. To write to the directory you must have
|
|||
|
|
*CREATE specified on the <span class="parmname">Allow file writes</span> parameter
|
|||
|
|
of the <span class="cmdname">CHGTFTPA</span> command. To write to an existing file you
|
|||
|
|
must have the *REPLACE specified on the <span class="parmname">Allow file writes</span> parameter
|
|||
|
|
of <span class="cmdname">CHGTFTPA</span>. *CREATE allows you to replace existing files
|
|||
|
|
or create new files. *REPLACE only allows you to replace existing files. <p>A
|
|||
|
|
TFTP client cannot access any other directory unless you explicitly define
|
|||
|
|
the directory with the Change TFTP Attributes (<span class="cmdname">CHGTFTPA</span>)
|
|||
|
|
command. Therefore, if a local or remote user does attempt to start a TFTP
|
|||
|
|
session to your system, the user’s ability to access information or cause
|
|||
|
|
damage is extremely limited.</p>
|
|||
|
|
</li>
|
|||
|
|
<li>If you choose to configure your TFTP server to provide other services
|
|||
|
|
in addition to handling thin clients, you can define an exit program to evaluate
|
|||
|
|
and authorize every TFTP request. The TFTP server provides a request validation
|
|||
|
|
exit similar to the exit that is available for the FTP server.</li>
|
|||
|
|
</ul>
|
|||
|
|
</div>
|
|||
|
|
<div>
|
|||
|
|
<div class="familylinks">
|
|||
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcptftp.htm" title="These articles discuss methods for securing the TFTP server for authorized users and preventing access to the TFTP server.">Security considerations for using TFTP server</a></div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</body>
|
|||
|
|
</html>
|