There are many approaches you can take to securing an operating system and database and an equal number of views on what really fulfills the definition of a “secure operating system.” In a systems administration class we attended many years ago, the instructor drew a picture on the board. The picture was of a large room in which a very large computer and operator’s console had been placed. There was only one door leading into the room and in front of that door, he drew a picture of a guard with a gun. He explained that he had just drawn a system that was quite secure: the only truly secure system is the system that allows no one to ever interact with the computer inside. A friend of ours describes his vision of the truly secure computer as “a computer in a lead-lined vault (no EMF emissions to be sniffed) with no network connections and a Marine guard with `shoot on sight’ orders.”

Okay, these are not real-world solutions. However, both descriptions do bring home the point that as long as there are people interacting with a system, there is always the potential for a security breach. One of the most formidable threats to any system’s security is the user who does not log off the system at night and does not have password protection on his terminal or personal computer. In this section, we’ll look at ways of protecting logins to the system.