Security FAQs


Why can't I reference documents outside the document directory?

For security reasons, only documents within the document directory can be referenced by users of the Sambar Server, unless document aliases are used. A document alias maps a request path to a location outside the document directory, so only the directories you explicitly alias become reachable.

What security holes should be plugged prior to putting up the demo server?

The Sambar Server ships with the following default settings that should be changed before the server is exposed:
  • security.ini: Make sure the proxy accept/deny rules and directory security are tailored to your needs.
  • users: Delete the sample users (anonymous and guest).
  • admin user: Put a password on the admin user account.

What are the basic steps to securing my NT Server?

There are some obvious openings in Windows NT that should be closed before putting your server on the internet.
  • Disable the Guest account.
  • Rename the Administrator account (username).
  • Set strong passwords on all accounts, mixing letters, numbers and punctuation.
  • Allow administrative access by local log-on only.
  • Remove the Everyone group from directories.

How can I secure the Sambar Server against external hacking?

Most compromises of WWW sites begin with an unauthorized user gaining access to the machine via telnet, ftp, sendmail or some other service that lets them upload data. The Sambar Server has two features of this kind that are susceptible: HTTP PUT and the built-in FTP server. You can eliminate the possibility of either feature being exploited by:

    1) Removing all users from the config.ini line: Allow HTTP PUT =
    2) Turning off the FTP Server (if it is running): Act as FTP Server = false

After these two steps, you will have to manually copy any new files you need up to your server.
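The following audit script is an added example, not part of the original FAQ or of the Sambar Server itself. It parses a config.ini fragment and reports whether either upload path named above is still open. The two sample fragments are constructed for the example, and the assumption that config.ini is a plain list of "Key = value" lines (with any [section] headers ignored) is the author's, not something this page states; the product default for a missing "Act as FTP Server" key is also not stated here, so the script reports a missing key rather than guessing it.

```python
# Constructed sample fragments of config.ini (assumption: the file is a plain
# list of "Key = value" lines; [section] headers, if any, are skipped).
WEAK_CONFIG = """\
Allow HTTP PUT = admin, webmaster
Act as FTP Server = true
"""

HARDENED_CONFIG = """\
Allow HTTP PUT =
Act as FTP Server = false
"""


def parse_config(text):
    """Parse 'Key = value' lines into a dict keyed by lower-cased name.
    Blank lines, comments (# or ;) and [section] headers are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def put_users(settings):
    """Users granted HTTP PUT; an empty value (the FAQ's fix) yields none."""
    raw = settings.get("allow http put", "")
    return [u.strip() for u in raw.split(",") if u.strip()]


def ftp_enabled(settings):
    """True when the built-in FTP server is switched on. A missing key is
    returned as None so the caller checks the product default instead of
    assuming it (the default is not stated on this page)."""
    value = settings.get("act as ftp server")
    if value is None:
        return None
    return value.lower() in ("true", "yes", "1")


def audit_upload_paths(text):
    """Return the findings for the two upload paths the FAQ names."""
    settings = parse_config(text)
    findings = []
    users = put_users(settings)
    if users:
        findings.append("HTTP PUT is allowed for: " + ", ".join(users))
    ftp = ftp_enabled(settings)
    if ftp is None:
        findings.append("Act as FTP Server is not set; confirm the default")
    elif ftp:
        findings.append("FTP server is enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_upload_paths(cfg) or ["no findings"])
```

Run it against the real config/config.ini after making the two changes above; an empty findings list is the expected result.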

The last security step to consider is securing the admin account so that nobody can re-open one of the holes above and restart the server. You can get "modest" security by setting a good password and having no other users configured; definitely remove the "anonymous" user. The second, more secure mechanism is to remove users from the system altogether (simply remove or rename the passwd file); you will then need to edit the config.ini file by hand for every change to the server, or put the passwd file back in place before logging in as admin.

Important! These steps reduce the threat of system attacks but do not eliminate all vulnerabilities. Additional recommendations are welcome.

Is the Sambar Server secure from mis-behaved CGIs?

There are no security mechanisms in place to prevent a mis-behaved CGI from performing unwanted activities. You should exercise caution before deploying any CGI script on the server.

How do I require a username/password to access a directory?

You can restrict access to a file or directory to authenticated clients by adding a restrict rule via the Security configuration. When you use authentication, no access is permitted unless a valid username and password are supplied.

Note: The Sambar Server only supports Basic authentication. Basic authentication does not encrypt the exchange between client and server: the username and password travel in every request as a base64-encoded header, and base64 is an encoding, not encryption, so an intruder with a protocol analyzer on the path can read them directly.
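To make the note concrete, here is an added example (not code from this FAQ or from the Sambar Server) showing both sides of the exchange: what a browser puts on the wire after the 401 challenge, and how anyone who captures that request recovers the credentials. The request text is constructed for the example, as are the user name and password in it.

```python
import base64

# Constructed request, as a protocol analyzer on the same network segment
# would capture it; the token is base64("webmaster:s3cr3t").
CAPTURED_REQUEST = (
    "GET /private/report.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic d2VibWFzdGVyOnMzY3IzdA==\r\n"
    "\r\n"
)


def basic_header(user, password):
    """The header a browser sends after a 401 challenge. Base64 is reversible,
    so the credentials are effectively in the clear."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Authorization: Basic {token}"


def credentials_from_request(raw):
    """Recover (user, password) from a captured request, or None when the
    request carries no Basic credentials."""
    for line in raw.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token).decode("latin-1")
        user, _, password = decoded.partition(":")
        return user, password
    return None


if __name__ == "__main__":
    print(credentials_from_request(CAPTURED_REQUEST))  # ('webmaster', 's3cr3t')
```

The decode step needs no key and no guessing, which is why Basic authentication on an unencrypted link should be treated as no stronger than the network between the client and the server.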

Why can't I put the tilde (~) character in URL names?

The set of characters allowed in URL names is restricted by the Valid Characters configuration parameter in the config/config.ini file. By default, the tilde (~) character is excluded from that list because of CERT Advisory CA-98.04 (summarized below). Many thanks to Boyd Johnson for bringing this to my attention.
When Win32 stores a file with a short name (i.e., 8.3-compliant), it
associates only that short file name with the file. However, when Win32
stores a file with a long name (i.e., greater than 8 characters), it
associates two versions of the file name with the file--the original, long
file name and an 8.3-compliant short file name that is derived from
the long name in a predictable manner.

Example:

   The 8.3-compliant short file name "Abcdefgh.xyz" is represented
                  (1) as is: "Abcdefgh.xyz".

   However, the long file name "Abcdefghijk.xyz" is represented:
                  (1) as is: "Abcdefghijk.xyz" and
                  (2) as 8.3-compliant: "Abcdef~1.xyz".

Some Win32-based web servers have not compensated for the two file name    
versions when restricting access to files that have long names. The web
servers attempt to restrict access by building an internal list of
restricted file names. However, for files with long names, only the
long, and not the short, file name is added to this internal list. This
leaves the file unprotected by the web server because the file is still
accessible via the short file name.
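The following is an added example, not part of the advisory, of this FAQ or of the Sambar Server code. It reproduces the flaw the advisory describes and two ways of closing it: a simplified model of the predictable Win32 8.3 derivation, the vulnerable restricted-name check that only knows the long names, a hardened check that first resolves the request to the long name it actually denotes, and a Sambar-style Valid Characters filter that refuses the tilde outright. The sample directory listing and restricted list are constructed; the character set used for the filter is an assumption (the page does not print Sambar's default list), chosen only so that it excludes "~" as Sambar's does.

```python
import re

# Constructed sample document directory (assumption for this example): the
# long file names as Win32 stores them.
FILES = ["Abcdefgh.xyz", "Abcdefghijk.xyz", "secret report.html", "index.html"]

# Names the administrator wants to restrict. As in the advisory, only the long
# form is listed.
PROTECTED = ["Abcdefghijk.xyz", "secret report.html"]

# Characters Win32 drops when deriving a short name (spaces and a few
# punctuation marks); simplified.
_DROP = re.compile(r"[ +,;=\[\]]")


def _split(name):
    """Split 'base.ext' at the last dot; a name without a dot has an empty ext."""
    base, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (base, ext)


def is_83_compliant(name):
    """True when the name already fits 8.3 and needs no alias."""
    base, ext = _split(name)
    return (len(base) <= 8 and len(ext) <= 3 and name.count(".") <= 1
            and not _DROP.search(name))


def short_names(long_names):
    """Simplified, predictable 8.3 derivation: first six kept characters of the
    base name, '~N' to resolve collisions, first three of the extension, all
    upper-case. Returns {long_name: short_name}. Real NTFS switches to a hashed
    form after a few collisions; that refinement is omitted here."""
    mapping = {n: n.upper() for n in long_names if is_83_compliant(n)}
    taken = set(mapping.values())
    for name in long_names:
        if name in mapping:
            continue
        base, ext = _split(name)
        base6 = _DROP.sub("", base)[:6].upper()
        ext3 = _DROP.sub("", ext)[:3].upper()
        n = 1
        while True:
            alias = f"{base6}~{n}" + (f".{ext3}" if ext3 else "")
            if alias not in taken:
                break
            n += 1
        taken.add(alias)
        mapping[name] = alias
    return mapping


def naive_is_restricted(requested):
    """The vulnerable check from the advisory: the request is compared only
    against the long names on the restricted list."""
    return requested.lower() in {p.lower() for p in PROTECTED}


def canonical_name(requested, files=FILES):
    """Resolve a request to the long name it denotes, whether the client used
    the long form or the 8.3 alias (Win32 names are case-insensitive)."""
    lookup = {n.lower(): n for n in files}
    lookup.update({alias.lower(): n for n, alias in short_names(files).items()})
    return lookup.get(requested.lower(), requested)


def hardened_is_restricted(requested):
    """Canonicalise first, then check: alias and long name are one file."""
    return naive_is_restricted(canonical_name(requested))


# Sambar's own mitigation: refuse any request containing a character outside
# the configured Valid Characters list. The default list is not on this page;
# the set below is an assumption that, like Sambar's, excludes '~'.
VALID_URL_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_./")


def sambar_valid_url(requested, valid=VALID_URL_CHARS):
    return all(c in valid for c in requested)


if __name__ == "__main__":
    for req in ["Abcdefghijk.xyz", "ABCDEF~1.XYZ", "Abcdefgh.xyz"]:
        print(f"{req:18} naive={naive_is_restricted(req)!s:5} "
              f"hardened={hardened_is_restricted(req)!s:5} "
              f"sambar_accepts={sambar_valid_url(req)}")
```

Rejecting "~" is the cheap fix and is what the Valid Characters default does; the canonicalising check is the general one, because it protects against any second name for the same file, not only the one Win32 derives from the tilde convention.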

© 1998 Sambar Technologies. All rights reserved. Terms of Use.