Re: question.....[VERY LONG AND INVOLVED]
- Subject: Re: question.....[VERY LONG AND INVOLVED]
- From: "John C. Welch" <email@hidden>
- Date: Thu, 20 May 2004 11:23:42 -0500
On 5/20/04 9:00 AM, "Martha Espinosa" <email@hidden> wrote:

> I work for the government and we are trying to secure/tighten down the system.
>
> We do the same for the Wintel Platform according to CIS standards.
>
> Hope this clears up some of the questions I am asking....
>
> -ME
>
> At 7:11 PM -0500 5/19/04, John C. Welch wrote:
>
>> On 5/19/04 5:27 PM, "Martha Espinosa" <email@hidden> wrote:
>>
>>> 1) Is there a way to add a password to the root account then disable it?
>>
>> yes
>
> HOW?
Don't yell, it gives me a headache.
You enable the root account in NetInfo Manager, give it a password and
disable it.
Of course, if you disable it, you won't be able to log in as root either at
the console or via su, but it will let you set a root password so that any
random administrator can't. You can also do this via the OS CD.
>>> 2) Is there a way to turn off Rendezvous?
>>
>> It's complicated and not guaranteed to work, and if you totally shut it off,
>> you cripple DHCP functionality as well.
>>
>> *why* do you want to do this
>
> TIGHTEN DOWN THE SYSTEM.... WE ARE NOT ALLOWED TO USE RENDEZVOUS...
Well, for one, Rendezvous is no more or less secure than DHCP or DNS.
Whoever thinks it isn't doesn't understand how it works.
Anyway, as far as COMPLETELY disabling Rendezvous...that's impossible...let
me explain why:
Rendezvous is a marketing name for Zeroconf.
Zeroconf consists of three things:
Link-Local IPv4 addressing, aka LLv4.
Multicast DNS
DNS Service Discovery, aka DNS-SD
Now, by the numbers:
1) To disable LLv4, you have to disable DHCP. That's because LLv4 is also a
part of DHCP. (Ever wonder where that address you get when you can't find a
DHCP server comes from? LLv4. It's a part of the DHCP spec.) So, to disable
this, you have to disable all DHCP services. I'm going to guess that's not
an option.
2) MDNS has been around for a while, and is only now being used. However,
when people talk about "disabling Rendezvous", this is what they mean most
often. If you look at the Web Setup for any newer HP printer, you'll see an
mDNS entry. That's their zeroconf support. All this does is allow machines
on the local link to see available services without needing a central
unicast/"regular" DNS server. To disable this you have to do two things:
1) disable the "Rendezvous" plugin in the Directory Access Application
2) move the "mDNSResponder" folder out of /System/Library/StartupItems/
Note...after doing this, you will essentially kill the ability to do things
like easy printer discovery, etc. If you do this on a laptop, warn people
that this service is disabled for all logins and all locations. Period. If
they were using it, they aren't anymore. This kills a LOT of stuff.
Note: this is no more or less secure than any form of DNS. It just doesn't
need a central server, and isn't routable.
3) DNS-SD: To kill this would require the complete banning of
unauthenticated DNS at your location. Why? Because it's a part of standard
DNS. No, really.
So, if they want complete disabling of Rendezvous, that means:
No DHCP
No mDNS
No DNS at all
Which I'm guessing isn't what they mean.
Maybe if you got the specific problems they see with it, we could answer it
better?
>>> 3) Can I check if the person logged on is an admin, user or root?
>>
>> Logged in how?
>
> THAT'S WHAT I WANT TO CHECK. IF I'M LOGGED IN AS AN ADMIN THEN I CAN
> DO CERTAIN THINGS THEN IF I WAS LOGGED ON AS AN ADMIN...
Martha...there are two methods for logging in. At the physical console, or
remotely.
Do you need to check JUST the local console, JUST remote or BOTH?
john
--
"If the enemy is in range, so are you."
Infantry Journal.
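As an added example (not part of this thread, not from Apple or from John's reply), the following POSIX shell script does two of the checks discussed above: it classifies the account running it as root, admin or ordinary user, and it reports whether the mDNSResponder startup item that John says to move out of /System/Library/StartupItems/ is still in place. It assumes the Mac OS X 10.3-era layout, namely that administrators are members of the `admin` group and that the startup item is the directory /System/Library/StartupItems/mDNSResponder; the group name, the path and the function names are all assumptions. It answers "logged in how?" by simply reporting on whichever session runs it: the console user when launched from a login session, the remote user when run over ssh.

```shell
#!/bin/sh
# Added example: classify the current login and audit the mDNSResponder
# startup item. Not from the original thread. Assumptions (10.3-era layout):
# admins are members of group "admin"; the Rendezvous responder is the
# startup item /System/Library/StartupItems/mDNSResponder.

# classify_account UID GROUPS
#   GROUPS is a space-separated list of group names, as printed by `id -Gn`.
#   Prints one of: root, admin, user.
classify_account() {
  uid=$1
  groups=$2
  # uid 0 is root regardless of group membership
  if [ "$uid" -eq 0 ]; then
    echo root
    return 0
  fi
  # any member of the admin group can sudo/authorize as an administrator
  for g in $groups; do
    if [ "$g" = "admin" ]; then
      echo admin
      return 0
    fi
  done
  echo user
}

# classify_current_login: classify the account executing this script
# (console user in a login session, remote user under ssh).
classify_current_login() {
  classify_account "$(id -u)" "$(id -Gn)"
}

# mdns_startupitem_state ROOT
#   ROOT is the filesystem root to inspect ("/" on a live system; a scratch
#   directory is used in tests). Prints "enabled" if the mDNSResponder
#   startup item is still present, "disabled" if it has been moved away.
mdns_startupitem_state() {
  root=${1:-/}
  if [ -d "$root/System/Library/StartupItems/mDNSResponder" ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Report for the running system.
printf 'login class: %s\n' "$(classify_current_login)"
printf 'mDNSResponder startup item: %s\n' "$(mdns_startupitem_state /)"
```

Run it as the user whose privilege level you want to know; the `admin` result is what distinguishes an administrator from a standard user on the local machine, while the startup-item check only tells you whether the responder would start at boot, not whether the Directory Access plugin is also turned off.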
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.