If you want to set up a NIS server, you should know a few things:
    1) NIS transmits account data unencrypted over the network
    2) It is easily spoofed
    3) portmap can reveal your open ports to people you would rather not tell

So, what can we do? We can:
    1) Use TCP wrappers and packet filtering for portmap
    2) Restrict the hosts that have access to NIS
    3) Not give any RPC data out of the network
    4) Use Kerberos with NIS

For now we will set up a NIS server, which will be used to provide centralized information about user accounts.

At this point, install ypserv and open the ports you need in the firewall. Query portmap to see which ports you should open.

[root@security1 ~]# yum -y install ypserv
[root@security1 ~]# /etc/init.d/portmap restart
[root@security1 ~]# rpcinfo -p localhost
    program vers proto   port
     100000     2    tcp     111   portmapper
     100000     2    udp    111   portmapper
     100024     1    udp    711   status
     100024     1    tcp     714   status

At this point, configure ypserv so that it always uses the same port. Add these lines to /etc/sysconfig/network, as I do here:

YPSERV_ARGS="-p 808"
NISDOMAIN="SETENFORCE.COM"

After this, set up your server to be a client as well. I will use my own hostname as the server. Add this to /etc/yp.conf:

domain SETENFORCE.COM server security1.setenforce.com

The NIS server is now set up. Don't forget to open the ports in the firewall. Initialize the NIS maps, as I do now:

[root@security1 /]# /usr/lib/yp/ypinit -m

You can check that this works. Try:

[root@intruder1 ~]# ypcat -d SETENFORCE.COM -h security1 passwd

OK, the NIS server is now set up, but we don't want it to be accessible from external (untrusted) networks. We can change a few things here:
    1) Reduce the clients that can access the service
    2) Set up firewall rules

For the first point, create the file /var/yp/securenets with the following content:

255.0.0.0 127.0.0.0
255.255.255.0 192.168.100.0

The first field is the netmask, and the second is the network address of the allowed range. Check the firewall setup as well (especially for port 111); allow access from the trusted network only. Restart the service, and run the command from intruder1 again. It will fail.
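
To check a securenets file before restarting ypserv, here is an added example (not part of the original setup or of ypserv itself) that parses the netmask/network pairs described above, tests whether a client address would be admitted, and flags over-broad entries. It assumes a client matches when (client address AND netmask) equals the network; the sample file, the INTERNAL list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two entries from this page plus one deliberately
# over-broad entry, to show what the audit flags.
SAMPLE = """\
# netmask       network
255.0.0.0       127.0.0.0
255.255.255.0   192.168.100.0
0.0.0.0         0.0.0.0
"""

# Ranges treated as internal for this audit (loopback and RFC 1918); an assumption.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_securenets(text):
    """Return [(line_no, mask_int, net_int)] for every 'netmask network' line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {no}: expected 'netmask network': {raw!r}")
        mask, net = (int(ipaddress.IPv4Address(f)) for f in fields)
        entries.append((no, mask, net))
    return entries

def is_allowed(client_ip, entries):
    """Assumed matching rule: (client AND netmask) == network."""
    addr = int(ipaddress.IPv4Address(client_ip))
    return any((addr & mask) == net for _, mask, net in entries)

def audit(entries):
    """Return [(line_no, finding)] for entries that widen access or cannot match."""
    findings = []
    for no, mask, net in entries:
        if net & ~mask & 0xFFFFFFFF:
            findings.append((no, "network has bits outside the netmask; never matches"))
        elif mask == 0:
            findings.append((no, "matches every IPv4 address"))
        else:
            lo = ipaddress.IPv4Address(net)
            hi = ipaddress.IPv4Address(net | (~mask & 0xFFFFFFFF))
            if not any(lo in r and hi in r for r in INTERNAL):
                findings.append((no, "range is outside loopback/RFC 1918 space"))
    return findings
```

With only the two entries from this page, a host in 192.168.100.0/24 is admitted and any other address is refused; the extra 0.0.0.0 line in the sample is the kind of entry that silently reopens the service to everyone.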

Permissions are set up now, but we still need to set up NIS for proper use. On security2, start:

[root@security2 ~]# system-config-authentication

In the NIS Domain field enter SETENFORCE.COM, and in the NIS host field enter security1.example.com. Save your work. Now we need to add a user on the NIS server; in this case it will be testing. After this, rebuild your NIS maps.

[root@security1 /]# useradd -u 6000 testing
[root@security1 /]# passwd testing
[root@security1 /]# make -C /var/yp    # rebuild NIS maps

Also, do the setup on the client side.

[root@security2 home]# mkdir testing
[root@security2 /]# cp -a /etc/skel/.[!.]* /home/testing/
[root@security2 home]# chown -R testing:testing testing/

Test your configuration. As we can see, you can ssh to security2 as testing, but the user testing doesn't exist in the passwd file on security2.

[root@security2 home]# ssh testing@security2
[testing@security2 ~]$ getent passwd testing
testing:$1$8DIb9Uax$TM7cexH0G5ZHyqsq2pGRx0:6000:6000::/home/testing:/bin/bash
[testing@security2 ~]$ cat /etc/passwd | grep testing

Now you see that this is working, but it is easy to spoof. So you should lock the user testing on security1 and, of course, rebuild your NIS maps.

[root@security1 /]# usermod -p '!!' testing
[root@security1 /]# cd /var/yp
[root@security1 yp]# make