Checklist for a secure ftp anonymous site – HP Integrity NonStop H-Series User Manual


Make note of the following:

Access to /E (Expand), or to any directory on a remote system, is not supported for the
anonymous user.

The /G (Guardian initial directory) is considered invalid for the anonymous user.

The FTP command, quote Guardian/OSS, is disabled for the anonymous user.

The anonymous user can log on to the Guardian environment using the NULL.FTP user ID. For this
to occur, the user ID must be thawed through Safeguard. This logon is also checked against the
contents of the FTPUSERS file. System administrators allowing this capability should be well versed
in configuring Safeguard ACLs. HP recommends that the NULL.FTP user ID remain frozen at all
times. This capability (the NULL.FTP user ID) should be used only if all the proper steps have been
taken to secure the system.

Checklist For A Secure FTP Anonymous Site

Note that the following checklist does not preclude the usage of additional information found in
the Safeguard Administration Manual and Safeguard Reference Manual.

The anonymous user NULL.FTP should be configured in the Safeguard database as shown:

SAFECOM
=add user NULL.FTP, 0,15, owner 255,255, PASSWORD guest, &
Guardian security "OOOO", Guardian volume <$vol.subvol>
=info user NULL.FTP, detail

The password “guest” is entered in lowercase. The password attribute is not required if this
account is to be frozen and not used (recommended by HP).

The user ID of NULL.FTP must designate a <group-num> of zero and the <user-num>
must be a number from 1 to 255. Zero should not be used for the <user-num>.

The Guardian default disk file security is restricted to owner access only.

The Guardian volume is the name of the default volume and subvolume (that is, $guest.ftp)
specifically set up by the system administrator for the NULL.FTP anonymous user.

The info command is used to display the attributes stored in the user’s authentication record.

After the Guardian anonymous user NULL.FTP is added, the OSS anonymous user can be
configured using the ALIAS command, as shown:

SAFECOM
=add alias anonymous, NULL.FTP, PASSWORD guest, &
INITIAL-DIRECTORY <dir-path>
=info alias anonymous, detail
=add alias ftp, NULL.FTP, PASSWORD guest, &
INITIAL-DIRECTORY <dir-path>
=info alias ftp, detail

Note that the “anonymous” and “ftp” aliases need to be entered only in lowercase.
The FTP server is case insensitive when checking for the OSS anonymous user logon.

The password “guest” is entered in lowercase.

The INITIAL-DIRECTORY is the directory pathname (that is, /guest/ftp) specifically set up by
the system administrator for the anonymous FTP user.

The INFO command is used to display the attributes stored in the alias authentication record.

To disable the anonymous user support (recommended by HP) in the Guardian environment,
the system administrator should freeze the Guardian NULL.FTP user as shown:

SAFECOM
=freeze user NULL.FTP
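
As an added example (not part of the HP manual), the Python below lints a SAFECOM command script against the checklist above before it is run: group-num of zero, user-num from 1 to 255, owner-only default security, a correctly spelled INITIAL-DIRECTORY on each alias, and a final freeze. The function names are hypothetical, the SAMPLE script is constructed, and only the command forms shown on this page are recognized.

```python
import re

# Constructed sample: a SAFECOM script with deliberate checklist deviations.
SAMPLE = '''SAFECOM
=add user NULL.FTP, 0,0, owner 255,255, PASSWORD guest, &
Guardian security "NNNN", Guardian volume $guest.ftp
=add alias Anonymous, NULL.FTP, PASSWORD guest, &
INTIAL-DIRECTORY /guest/ftp
'''

def join_commands(script):
    """Drop the '=' prompt and join lines continued with a trailing '&'."""
    cmds, buf = [], ""
    for raw in script.splitlines():
        line = raw.strip().lstrip("=").strip()
        if not line or line.upper() == "SAFECOM":
            continue
        if line.endswith("&"):
            buf += line[:-1].strip() + " "
        else:
            cmds.append(buf + line)
            buf = ""
    return cmds

def lint(script):
    """Return the checklist deviations found in a SAFECOM command script."""
    findings, frozen = [], False
    for cmd in join_commands(script):
        user = re.match(r"add\s+user\s+NULL\.FTP\s*,\s*(\d+)\s*,\s*(\d+)", cmd, re.I)
        alias = re.match(r"add\s+alias\s+(\S+?)\s*,\s*NULL\.FTP\b", cmd, re.I)
        if user:
            group_num, user_num = int(user.group(1)), int(user.group(2))
            if group_num != 0:
                findings.append(f"group-num {group_num}: must be 0")
            if not 1 <= user_num <= 255:
                findings.append(f"user-num {user_num}: must be 1 to 255")
            if not re.search(r'Guardian\s+security\s+["“]OOOO["”]', cmd, re.I):
                findings.append("default security is not OOOO (owner only)")
        elif alias:
            name = alias.group(1)
            if name not in ("anonymous", "ftp"):
                findings.append(f"alias {name}: checklist uses lowercase anonymous/ftp")
            if not re.search(r"\bINITIAL-DIRECTORY\s+\S+", cmd, re.I):
                findings.append(f"alias {name}: no INITIAL-DIRECTORY attribute")
        elif re.match(r"freeze\s+user\s+NULL\.FTP\b", cmd, re.I):
            frozen = True
    if not frozen:
        findings.append("NULL.FTP is not frozen (HP recommends it stay frozen)")
    return findings
```

Calling lint(SAMPLE) returns five findings; a script that follows the checklist and ends with the freeze command returns an empty list.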
