Minimising Damage

As well as preventing exploit it's worth ensuring that if your machine is exploited the cracker can do as little damage as possible: avoid running processes with unnecessary privilege and try to split things into compartments - for example don't run all services as `nobody' because that way cracking one service can lead to control over the other services that are running. Instead try to run different services each as their own user.

As I've already said, the best way to minimize the risk is not to run the service at all!

The same principle applies not only to the services you run but also software you run. When you run Netscape each page you download comes from an untrusted third party and could contain code to try and exploit bugs Netscape - and there have been many examples of such bugs. Of course you may feel you can't get on without Netscape, so you have to try to minimize the risks:

• Don't enable facilities you don't really need .. can you disable JAVA, JAVAScript, other plugins, etc. In IE you might want to disable other forms of Scripting.

• Don't run the program with more privileges than it needs - don't run Netscape as root, or IE as administrator!

Some good Not doing things as root/administrator:

• Win2K telnet problem.
• Netscape 4.74 JAVA Bug (Brown Orifice)
• Netscape 4.75 JPEG Handling Bug.
• Microsoft .DLL problems
• /tmp races, or symlink handling bugs