<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Administration considerations" />
<meta name="abstract" content="This article provides recommendations for securing the Internet server." />
<meta name="description" content="This article provides recommendations for securing the Internet server." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpcontrolhttp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpadminhttp" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Administration considerations</title>
</head>
<body id="tcpadminhttp"><a name="tcpadminhttp"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Administration considerations</h1>
<div><p>This article provides recommendations for securing the Internet
server.</p>
<p>Following are some security considerations for administering your Internet
server.</p>
<ul><li>You perform setup and configuration functions by using a Web browser and
the *ADMIN instance of the HTTP server. Some functions, such as creating additional
instances on the server, can only be done through the *ADMIN server.</li>
<li>The default URL for the administration home page (the home page for the
*ADMIN server) is published in the documentation for products that provide
browser administration functions. Assume, therefore, that attackers know the
default URL and trade it in their forums, just as the default passwords for
IBM-supplied user profiles are known and published. You can reduce this
exposure in several ways:<ul><li>Run the *ADMIN instance of the HTTP server only while you are performing
administrative functions, and end it afterward; do not leave it running all the
time. The instance is started and ended with
<span class="cmdname">STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)</span> and
<span class="cmdname">ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)</span>.</li>
<li>Activate SSL support for the *ADMIN instance (by using Digital Certificate
Manager). The *ADMIN instance uses HTTP protection directives to require a
user ID and password, which the browser sends with every request. With SSL, the
user ID and password are encrypted in transit, along with all the other
information about your configuration that appears on the administration forms.
Without SSL, they cross the network in a form that any sniffer can read (see
the notes below).</li>
<li>Use a firewall both to prevent access to the *ADMIN server from the Internet
and to hide your system and domain names, which are part of the URL. Blocking
the *ADMIN port from the Internet is the control that matters; hiding the names
only raises the cost of finding the server.</li>
</ul>
</li>
<li>When you perform administration functions, you must sign on with a user
profile that has *IOSYSCFG special authority. You might also need authority
to specific objects on the system, such as the following:<ul><li>The libraries or directories that contain your HTML documents and CGI
programs.</li>
<li>Any user profiles that you plan to swap to within the directives for the
server.</li>
<li>The access control lists (ACLs) for any directories that your directives
use.</li>
<li>A validation list object for creating and maintaining user IDs and passwords.</li>
</ul>
</li>
<li>With both the *ADMIN server and TELNET, you can perform
administration functions remotely, perhaps over an Internet connection. Be
aware that if you perform administration over a public link (the Internet)
without encryption, you expose a powerful user ID and password to sniffing.
Whoever captures them can then use this user ID and password to attempt to
access your system through, for example, TELNET or FTP, not only through the
*ADMIN server.</li>
<li>The HTTP directives provide the foundation for all activity on your server.
The shipped configuration provides the capability to serve a default Welcome
page. A client cannot view any documents except the Welcome page until the
server administrator defines directives for the server. To define directives,
use a Web browser and the *ADMIN server or the Work with HTTP Configuration
(<span class="cmdname">WRKHTTPCFG</span>) command. Both methods require *IOSYSCFG special
authority. Anyone who holds *IOSYSCFG can therefore change what the server
publishes and which user profiles it runs under, so when you connect your
system to the Internet, it becomes even more critical to evaluate and control
the number of users in your organization who have *IOSYSCFG special authority.</li>
</ul>
<div class="note"><span class="notetitle">Notes:</span> <ol><li>With TELNET, the Sign On display is treated like any other display. Although
the password does not display when you type it, the system transmits it without
any encryption or encoding: the characters of the password field cross the
network exactly as typed, in EBCDIC like the rest of the 5250 data stream.</li>
<li>With the *ADMIN server, the password is encoded, not encrypted. The encoding
is HTTP basic authentication, in which the browser Base64-encodes the string
userid:password and sends the result in an Authorization header on every
request. Base64 is an industry standard and is reversed with a single library
call, so it gives no protection against anyone who can capture the traffic; it
only keeps the password from being readable at a glance.</li>
</ol>
</div>
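<p>The sniffing exposure described in the list above and in the notes, as an added example that is not part of the IBM page: a short Python script that plays the role of the sniffer on the path of an administration session that is not protected by SSL. It works on two constructed captures embedded in the script. The host name, port, user ID and password are invented; port 2001 is assumed to be the *ADMIN instance's non-SSL port, and the TELNET capture is reduced to the EBCDIC bytes of the password field with the 5250 framing left out.</p>

```python
"""Added example, not part of the IBM page: what a sniffer recovers from an
administration session that is not protected by SSL/TLS.

Two constructed captures are used. Host name, port, user ID and password are
invented; port 2001 is assumed to be the *ADMIN instance's non-SSL port.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed capture: one browser request to the *ADMIN instance over plain
# HTTP. The Authorization header is what HTTP basic authentication produces
# for the invented credential "WEBADMIN:Summer2006" (Base64, not encryption).
CAPTURED_HTTP_REQUEST = (
    b"GET /HTTPAdmin HTTP/1.1\r\n"
    b"Host: myas400.example.com:2001\r\n"
    b"Authorization: Basic V0VCQURNSU46U3VtbWVyMjAwNg==\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n"
    b"\r\n"
)

# Constructed capture: the bytes of the password field as a TELNET (TN5250)
# session carries them when the Sign On display is submitted. The 5250
# framing around the field is omitted; the field data is EBCDIC (code page
# 037) for the invented password "Summer2006", with no encryption applied.
CAPTURED_TELNET_PASSWORD_FIELD = bytes.fromhex("E2A494948599F2F0F0F6")


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into its request line and a dict of headers
    (header names lower-cased). The body, if any, is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_credentials(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP basic Authorization header, or
    None when the request carries no valid basic credential."""
    _, headers = parse_http_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def telnet_field_text(field: bytes) -> str:
    """Decode the EBCDIC bytes of a 5250 input field to text: a character
    set conversion, which is all that stands between a sniffer and the
    password typed on the Sign On display."""
    return field.decode("cp037")


def exposure_report(http_raw: bytes, telnet_field: bytes) -> Dict[str, str]:
    """Summarise what an unencrypted administration session hands to a sniffer."""
    report: Dict[str, str] = {}
    creds = basic_credentials(http_raw)
    if creds is not None:
        report["admin_user"], report["admin_password"] = creds
    report["telnet_password"] = telnet_field_text(telnet_field)
    return report


if __name__ == "__main__":
    for key, value in exposure_report(
        CAPTURED_HTTP_REQUEST, CAPTURED_TELNET_PASSWORD_FIELD
    ).items():
        print(f"{key}: {value}")
```

<p>Run as a script, it prints the *ADMIN user ID and password recovered from the Authorization header and the TELNET password recovered from the EBCDIC field, which is the point of the notes above: neither Base64 nor EBCDIC is a secret, so only SSL on the *ADMIN instance (and not using TELNET across untrusted links) keeps the credential out of a capture.</p>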
<div class="note"><span class="notetitle">Security tip:</span> If you plan to perform remote
administration over the Internet, use the *ADMIN instance with
SSL, so that your transmissions are encrypted, and do not use TELNET or any
other application that sends the user ID and password in the clear.
If you use the *ADMIN server across an intranet of trusted users, the exposure
is smaller, but anyone who can capture traffic on that network still sees the
user ID and password; enabling SSL on the *ADMIN instance costs little and
removes that risk there as well.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpcontrolhttp.htm" title="This article discusses considerations for protecting the contents of your Web site.">Control access to the HTTP server</a></div>
</div>
</div>
</body>
</html>