Best Practices for NetWare Security

Securing the OS

  • Ditch NetWare 3.x

    UF's Novell Site license provides the right to use the latest versions of NetWare. NetWare 4.2 or 5 are appropriate for everyone. See http://www.health.ufl.edu/novell/ for more info on the contract.

  • Patch the OS

    Whatever OS version you run, it should be patched to the current patch level from Novell. Either iwspX.exe or nw5spX.exe will patch all Novell products installed on the server. See http://support.novell.com/

  • Secure the Console
    • Physical

      Put your servers behind a door with a lock, then close and lock the door.

    • Logical

      Console locks and screen locks offer some protection if physical security is not possible. They are an additional layer of protection if you do have physical security.

    • Remote

      Limit use of remote console. Remote console authentication is encrypted but the session is not. Use remote encrypt for limited protection of the rconsole password.

      An admin password entered into install, dsrepair, nwconfig, unicon, etc. is transmitted as clear text.

    • Secure remote access

      Use SSH to a terminal server with something like Compaq's Integrated Remote Console.

    • Secure all NDS consoles

      With NDS, any server that carries a replica of a DS partition can be exploited to gain access to accounts in that partition.

  • Secure the File System
    • Protect SYS: by relocating or quota-limiting these directories:
      • print queues
      • mail spool
      • mail stores
      • backup software DBs and catalogs
      • log files

      This will limit the risk of denial-of-service (DoS) attacks from inside and out.

    • Rights to SYS dirs
      Directory   Rights
      system      none
      public      RF
      login       RF
      etc         none
      mail        Delete it!
    • Auditing Rights

      Use NetWare's rights or JRB Utilities' trstlist. See www.software.ufl.edu.

      Check rights granted by apps. E.g. BackupExec, ArcServe, ftpd, web server.

Securing NDS

  • Don't put replicas on an insecure server.
  • Check rights granted by apps. E.g. BackupExec, ArcServe, ftpd, web server.
  • Audit DS rights with NWAdmin.

Securing the Clients

  • Use modern clients. See http://www.novell.com/download/
  • Use packet signatures
  • Patch the client OS
  • Blank out WIN95 passwords
  • Novell's WinNT password synching tools can place the NDS password at risk.

    Workstation Manager will write your NDS password on the local machine in an NT password hash exposing it to the vulnerabilities of NT.

  • Use Dynamic Local User in Workstation Manager

    Workstation Manager can generate an NT account on the fly after NDS authentication. Turning on the Dynamic Local User option will delete the account after logout. If the account is not deleted, it remains forever on the NT workstation as a potential point of compromise for the corresponding NetWare account.

  • Avoid administrator rights on user accounts
  • Use passwords longer than 16 characters for admin accounts when using Workstation Manager.
  • Use ZEN Works for workstation management.

    Workstation management tools allow security patches to be applied to all PCs in a quick, efficient, uniform way. Without management tools, some machines will likely be missed if patches are applied at all.

    Do you have problems keeping your anti-viral software up-to-date? How do you plan to close the many security holes found in Win NT? What will crackers and spammers do with your NT workstations if you do not close the security holes?

Addressing IP

  • Assume every account can be attacked from the Internet

    Even if you are running NetWare 3.x, a NetWare 4.2, NetWare 5 or Linux box on the same network can allow this. Popular ftpds for NetWare can also act as a gateway to your server.

  • Beware clear text passwords.

    ftpd, pop servers, imap servers and xconsole send clear text passwords.

Securing Default Accounts and Groups

  • guest - delete it!
  • unix service handler
  • unused print server accounts

    NetWare print server objects are created passwordless. A properly written client can authenticate to one of these objects as easily as to a user object and acquire the same kind of rights as a user object.

    JetDirects authenticating to a print server object will change the password on first authentication.

  • everyone

    JetAdmin will automatically populate this group for you, so you can't trust it. Don't use it for anything!

  • passwordless accounts - station restrict them or delete them.

Auditing Accounts

  • Check account properties with JRB's getrest.

    Check last login date, minimum password length, password expiration frequency, and grace logins allowed.

  • Adjust properties or disable accounts with JRB's setrest
  • Strong password tools

Closing Mail Relays

Displaying Banners

  • login scripts
  • send messages
  • ftpd welcome screens

Using NetWare Auditing to Monitor Activity

  • Login/logout events
  • File rights changes
  • Modifications to critical files

    Files can be monitored for changes by running checksums of those files at regular intervals and comparing those values to historical values. Ken Sallot has written a modification of Tripplite (a version of TripWire) that does this work on NetWare volumes NCP-mounted on a Linux box.
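    The checksum-and-compare loop described above, as an added Python example (not Ken Sallot's tool, Tripplite or TripWire): build a baseline of SHA-256 digests for every file under a directory such as an NCP-mounted volume, store it elsewhere, and on the next run report files that appeared, vanished or changed. The directory tree and file contents in the demo are constructed inline.

```python
import hashlib
import json
import os
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (e.g. an NCP-mounted SYS:SYSTEM) to its digest,
    keyed by forward-slash relative path so baselines compare across hosts."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Return (added, removed, changed) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

def save_baseline(baseline, dest):
    # Keep the baseline off the monitored volume: anyone who can alter the
    # files must not be able to alter the record of them too.
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))

def load_baseline(src):
    return json.loads(Path(src).read_text())

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a mounted volume
        vol = Path(d) / "sys" / "system"
        vol.mkdir(parents=True)
        (vol / "autoexec.ncf").write_text("load monitor\n")
        (vol / "server.cfg").write_bytes(b"\x00" * 1024)
        save_baseline(build_baseline(vol), Path(d) / "baseline.json")
        # Simulate the next interval: one file edited, one new file appeared.
        (vol / "autoexec.ncf").write_text("load monitor\nload nwconfig\n")
        (vol / "extra.nlm").write_bytes(b"MZ")
        added, removed, changed = compare(load_baseline(Path(d) / "baseline.json"), build_baseline(vol))
        print("added:", added, "removed:", removed, "changed:", changed)
```

    Run it from cron on the Linux box against the mount point and mail the three lists whenever any of them is non-empty.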

  • Auditlog.nlm from Condrey Consulting