Best Practices for NetWare Security - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

Best Practices for NetWare Security

Description:

Put your servers behind a door with a lock, close the door and lock it. Logical ... With NDS any server that carries a replica of a DS partition can be exploited to ... – PowerPoint PPT presentation

Number of Views:65
Avg rating:3.0/5.0
Slides: 22
Provided by: philip136
Category:

less

Transcript and Presenter's Notes

Title: Best Practices for NetWare Security


1
Best Practices for NetWare Security
Iain Moffat, NERDC Philip Chase, VPHA Ken Sallot,
CLAS ITSA Day October 20th, 1999
2
Agenda
  • Iain
  • Securing the OS
  • Securing NDS
  • Addressing IP
  • Displaying Banners
  • Closing Mail Relays

3
More Agenda
  • Philip
  • Securing the Clients
  • Securing Default Accounts and Groups
  • Auditing Accounts
  • Monitoring Activity

4
Even More Agenda
  • Iain Philip
  • Q A

5
Securing the OS
  • Ditch NetWare 3.x
  • UF's Novell Site license provides the right to
    use the latest versions of NetWare. NetWare 4.2
    or 5 are appropriate for everyone. See
    www.health.ufl.edu/novell/ for more info on the
    contract.
  • Patch the OS
  • Whatever OS you run it should be patched to the
    current patches from Novell. Either iwspX.exe or
    nw5spX.exe will patch all Novell products
    installed on the server. See support.novell.com

6
Securing the OS
  • Secure the Console
  • Physical
  • Put your servers behind a door with a lock, close
    the door and lock it.
  • Logical
  • Console locks and screen locks offer some
    protection if physical security is not possible.
    This is an additional layer of protection if you
    have physical security.
  • Remote
  • Limit use of remote console. Remote console
    authentication is encrypted but the session is
    not. Use remote encrypt for limited protection of
    the rconsole password.
  • An admin password entered into install, dsrepair,
    nwconfig, unicon, etc. are transmitted as clear
    text.

7
Securing the OS
  • Secure the Console (more)
  • Secure remote access
  • Use SSH to a terminal server with something like
    Compaq's Integrated Remote Console.
  • Secure all NDS consoles
  • With NDS any server that carries a replica of a
    DS partition can be exploited to gain access to
    accounts in that partition.

8
Securing the OS
  • Secure the File System
  • Protect SYS by relocating or quota limiting
    directories
  • print queues
  • mail spool
  • mail stores
  • backup software DBs and cataloges
  • log files
  • This will limit the risk of DOS attacks from
    inside and out.

9
Securing the OS
  • Secure the File System (more)
  • Rights to SYS dirs

10
Secure OS
  • Secure the File System (more)
  • Auditing Rights
  • Use NetWare's rights or JRB Utilities' trstlist.
    See www.software.ufl.edu.
  • Check rights granted by apps.
  • E.g. BackupExec, ArcServe, ftpd, web server.

11
Securing NDS
  • Don't put replicas on an insecure server.
  • Check rights granted by apps.
  • E.g. BackupExec, ArcServe, ftpd, web server.
  • Audit DS rights with NWAdmin.

12
Addressing IP
  • Assume every account can be attacked from the
    Internet
  • NetWare 4.2, NetWare 5, and Linux can allow this
    even if you are running NetWare 3.x. Popular
    ftpds for NetWare can also gateway to your
    server.
  • Beware of clear text passwords.
  • ftpd, pop servers, imap servers and xconsole send
    clear text passwords.

13
Displaying Banners
  • login scripts
  • send messages
  • ftp deamon welcome screens

14
Closing Mail Relays
  • Mercury
  • See mguide.exe in the Mercury distribution. The
    latest Mercury is always available at
    http//risc.ua.edu/pegasus/mercurynlm/. Older
    Mercurys do not have this feature.
  • GroupWise
  • See Novell TID 2946887 Blocking Mail Relay or
    Spamming (security)
  • Internet Messaging System (IMS)
  • Stay tuned.

15
Securing the Clients
  • Use modern clients
  • See www.novell.com/download/
  • Use packet signaturing
  • Patch the client OS
  • Blank out WIN95 passwords

16
Securing the Clients
  • Novell's WinNT password synching tools can place
    NDS password at risk.
  • Use Dynamic Local User in Workstation Manager

17
Securing the Clients
  • Avoid administrator rights on user accounts
  • Use passwords longer that 16 characters for admin
    accounts when using Workstation Manager.
  • Use ZEN Works for workstation management.

18
Securing Default Accounts Groups
  • guest - delete it!
  • unix service handler
  • unused print server accounts
  • everyone
  • passwordless accounts - station restrict them or
    delete them.

19
Auditing Accounts
  • Check account properties with JRB's getrest.
  • Check last login date, minimum password length,
    password expiration frequency, grace logins
    allowed
  • Adjust properties or disable accounts with JRB's
    setrest
  • Strong password tools
  • SmartPass, www.egsoftware.com
  • BindView NDS, www.bindview.com

20
Monitoring Activity
  • NetWare Auditing can monitor
  • Login/logout events
  • File rights changes
  • Much more
  • Monitor modifications to critical files
  • Audit tree-wide logins with Auditlog.nlm from
    Condrey Consulting, www.condreyconsulting.com

21
QA
  • ?
Write a Comment
User Comments (0)
About PowerShow.com