Querying, Documenting, and Tracking the NDS - PowerPoint PPT Presentation

1 / 57

About This Presentation

Title:

Querying, Documenting, and Tracking the NDS

Description:

... Can Visual Click Help With My NDS ... It helps you monitor NDS security ... MyReset for NDS will help you reduce your help desk calls by 15% to 35% when ... – PowerPoint PPT presentation

Number of Views:86

Avg rating:3.0/5.0

Slides: 58

Provided by: nove4

Category:

more less

Transcript and Presenter's Notes

Title: Querying, Documenting, and Tracking the NDS

1
Querying, Documenting, and Tracking the NDS
Security Framework

Nina Moorehouse
Service Line Manager, Novell Consulting
nmoorehouse_at_novell.com
John McCann
President, Visual Click Software
jmccann_at_visualclick.com
Rich Roberts
Novell Consultant
rroberts_at_novell.com

2
How Is This a One Net Service?
Downtime related to security breaches is on the
rise! An increase in breach-inflicted downtime
suggests an increase in either the frequency or
severity of threats to your company's e-business
systems. Minimize Risky e-Business With
Novell's Net Security Solution, Novell Connection
Magazine, February 2001. http//www.ncmag.com/
3
How Is This a One Net Service?

Two years ago, half (50) of the respondents to
the Global Security Survey survived the year
without experiencing downtime related to security
breaches
Last year, only 26 of the 4,900 executives,
security professionals, and technology managers
who responded tolast year's survey managed to
avoidbreach-inflicted downtime
The Global Security Survey is conducted annually
by InformationWeek Research and
PricewaterhouseCoopers. "It's Time To Clamp
Down, July 10, 2000
www.informationweek.com/794/security.htm

4
What is Security?

Novell used information from industry analysts
and security experts, including IDC, Gartner,
PricewaterhouseCoopers, and Giga Information
Group, to determine that a complete security
solution is comprised of nine elements, each of
which serves a specific purpose

5
Nine Elements of Security
6
Nine Elements of Security

Firewall
Authentication and authorization
Single sign-on
Virtual private network
Virus protection
Certificate management
Secure businesscommunications
Intruder detection
Net control

Authentication and authorization
Net control
Authentication and authorization
Net control
7
Nine Elements of Security

Firewall
Authentication and authorization
Single sign-on
Virtual private network
Virus protection
Certificate management
Secure businesscommunications
Intruder detection
Net control

Authentication and authorization
NDS security framework
Net control
8
NDS Security

NDS object settings
Auditing
Server parameter settings
Client 32 settings

9
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can I clean up my NDS security?
How do I maintain my NDS security framework?
What are some of the best practices to secure NDS?

10
Who Is Visual Click Software, Inc?

Visual Click is focused on providing software
solutions that enable customers to reduce the
complexity and costs of managing computer network
security

Factoids Founded in the 1998 by John T.
McCann Incorporated in 1999 First product,
DSRAZOR, released in Fall of 1999 under the
name clickVISION Manager Second product,
MyReset for NDS, released Spring 2000 Third
product, DSMETER, released in Fall of 2000
11
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can I clean up my NDS security?
How do I maintain my NDS security framework?
What are some of the best practices to secure NDS?

12
How Can Visual Click Help With My NDS Security
Issues?

Visual Clicks mission is to be the leading
provider of reasonably-priced, visually-customizab
le computer network security management and
reporting applications

Visual Click creates technology to helpyou
interact with your NDS and NetWare environment
via
DSRAZOR
DSMETER
MyReset for NDS

13
How Can Visual Click Help With My NDS Security
Issues?

Overview
Have you ever wanted to design your ownNDS and
NetWare management, reporting or query applets?
DSRAZOR allows you to create andcustomize your
own NDS and NetWare applets
Whether you need a management applet for
yourself, your help desk personnel or evenyour
end-users
Over 100 ready-to-run applets included

14
How Can Visual Click Help With My NDS Security
Issues?

Overview
As an NDS administrator, your job is to
continuously protect and defend your company's
NDSand NetWare assets
DSMeter is your automated NDS and NetWare
attendant
It helps you monitor NDS security
With it you can lock down NDS, create and delete
privileges to just those object classes you
desire, and disable and lock all hidden user
accounts
DSMeter is an NLM-based platform that
fullyintegrates with NDS
For more information, visit http//www.visualclic
k.com/

NetWare Loadable Module
15
How Can Visual Click Help With My NDS Security
Issues?

Overview
MyReset for NDS will help you reduce your help
desk calls by 15 to 35 when your users reset
their OWN password
When users forget their passwords and want to
reset them, they simply enter responses to
prompts you designate
If the responses they enter are verified,
theirpassword is reset
For more information, visit http//www.visualclic
k.com/

16
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can I clean up my NDS security?
How do I maintain my NDS security framework?
What are some of the best practices to secure NDS?

17
The Visual Click/NovellConsulting Relationship

First contact, BrainShare 2000
All Novell consultants have access to DSRAZORvia
internal Novell Consulting website
Consultants use DSRAZOR to analyzecustomer
environments
Consultants developed a toolkit for tuning
andproactive analysis for eDirectory that
includestools created with DSRAZOR
Other special-purpose tools have been createdby
Novell consultants

18
The Visual Click/NovellConsulting Relationship

Tuning and proactive analysis for NDS eDirectory
overview
A tuning and proactive analysis for eDirectory by
Novell consulting includes non-invasive
information collection, a detailed analysis, and
customized recommendations of a customer specific
NDS eDirectory implementation

DSRAZOR by Visual Click Tuning and proactive
analysis by Novell Consulting THE PERFECT FIT
19
The Visual Click/NovellConsulting Relationship

Tuning and proactive analysis for NDS eDirectory
overview
Novell consultants help customers evaluate their
eDirectory implementation based on the
organizations specific environment, needs, and
anticipated growth
It includes an eDirectory analysis and detailed
report including
Business needs
Mechanics
Architecture
Maintenance
For more information http//www.novell.com/consult
ing/bso/

20
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can i clean up my NDS security?
How do i maintain my NDS security framework?
What are some of the best practices to secure NDS?

21
Building Your NDS Security Baseline

baseline n 1the back line at each end of a
tennis court 2the lines a baseball player must
follow while running the bases 3an imaginary
line or standard by which things are measured or
compared. They established a baseline for the
budget"

22
Building Your NDS Security Baseline
Query NDS security settings

Query NDS security settings
Document security settings for your servers
Assess supervisor privilegeswho, where, and why
Audit effective file system access

23
Query NDS Security SettingsUsing

DSRAZOR allows you to create and customizeyour
own NDS and NetWare applets
DSRAZOR works equally well to query anyversion
on any platform of NDS
DSRAZOR works equally well with eDirectory as
long as Windows-based client is available running
Client 32
Every DSRAZOR applet includes built-inltright
clickgt reporting
DSRAZOR NLMs are NOT required unless any of the
following functionality is desired
NLM interdependencies
NLM memory usage
NCP packet captures
Zero-privilege help desk

24
Query NDS Security SettingsUsing

Installation
Console
Predefined queries

25
Query NDS Security SettingsUsing

Custom DSRAZOR console
Every DSRAZOR console query can be customized and
new ones can be created
Any query can be redirected via DSRAZOR's Output
to File option, which is very useful for large
NDS trees
Drag-and-drop designer
Infractions found by DSRAZOR queries
can be corrected on the spot
More step-by-step instructions in the
product manual (free copy available on website)

26
Building Your NDS Security Baseline

Query NDS security settings
Document server security settings
Assess supervisor privilegeswho, where, and why
Audit effective file system access

27
Document Server Security SettingsUsing

Optional CVMONE.NLM gives the ability to show
NLM interdependencies and memory in use by each
NLM
DSRAZOR server security settings query
DSRAZOR NLMs loaded report
Customizing the query
Compiling as .EXE
Using rules

28
Building Your NDS Security Baseline

Query NDS security settings
Document security settings for your servers
Assess supervisor privilegeswho, where, and why
Audit effective file system access

29
Assess Supervisor PrivilegesUsing

Console query demonstration
Supervisor access to NDS objects
Supervisor access to NetWare (NCP) file servers'
NDS object
Supervisor access to Rootof NDS tree
Supervisor access to Root of file server
volumes

30
Building Your NDS Security Baseline

Query NDS security settings
Document security settings for your servers
Assess supervisor privilegeswho, where, and why
Audit effective file system access

31
Audit Effective File System AccessUsing
Directly audit sensitive filesystem
directories Collect comprehensive listingof all
with file system access Calculating file system
rightsfor a single account
32
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can I clean up my NDS security?
How do I maintain my NDS security framework?
What are some of the best practices to secure NDS?

33
Cleaning Up NDS SecurityUsing

Set policies for password settings
Set policies for account settings
Set server security settings
Removing hidden NDS objects

34
Cleaning Up NDS SecurityUsing

Set policies for password settings (
)
Set policies for account settings
Set server security settings
Removing hidden NDS objects

35
Cleaning Up NDS SecurityUsing

Set policies for password settings
Set policies for account settings (
)
Set server security settings
Removing hidden NDS objects

36
Cleaning Up NDS SecurityUsing

Set policies for password settings
Set policies for account settings
Set server security settings ( )
Removing hidden NDS objects

37
Cleaning Up NDS SecurityUsing

Set policies for password settings
Set policies for account settings
Set server security settings
Removing hidden NDS objects

38
Cleaning Up NDS SecurityUsing

Notes on removing hidden NDS objects
Hidden NDS objects are those that have their IRF
completely removed
This is allowed as long as at least one other
object is a direct NDS supervisory trustee
Unfortunately, this can be a self-reference,
making it possible for any supervisory NDS
account to "hide" itself
Hidden Objects can only be "found" by an NLM
(DSMETER.NLM)
NLM can only scan replicas stored on the local
server
NLM access to NDS is unblockable therefore, it
can"see hidden NDS objects
NLM has complete access to any replica of any
partition stored upon the server where the NLM is
loaded

39
NDS Security Framework Topics

What are the elements of security and NDS
security?
Who is Visual Click?
How can Visual Click help with my NDS security
issues?
What is their relationship with Novell
Consulting?
How can I build an NDS security baseline?
How can I clean up my NDS security?
How do I maintain my NDS security framework?
What are some of the best practices to secure NDS?

40
Maintaining NDS Security Framework

Using Visual Click tools
DSMETER tracking and controls
Zero-privilege help desk tools
DSRAZOR and DSMETER futures

41
Maintaining NDS Security Framework

DSMETER tracking and controls
NDS and file system security change tracking
NDS login tracking (including suspicious login
tracking)
Object creation/deletion granularity
File server tracking
Custom reporting

42
Maintaining NDS Security Framework

Tracking changes to NDS and file system security
Track by container branch
Track NDS security changes thatresult in
supervisor privileges
Track file system security changesthat result in
supervisor privileges
Track NDS object creation
Track NDS object deletion
Track NDS change password activity

43
Maintaining NDS Security Framework

DSMETER NDS login tracking
Track by container and/or container branch
Track normal NDS user logins and logouts (those
that use a Novell connection licensedoes not
track ZEN workstation logins or other non-user
NDS objects unless they use a Novell connection
license)
Track bindery logins
Track failed NDS logins bad password
Track failed NDS logins bad account name

44
Maintaining NDS Security Framework

DSMETER object creation/deletion granularity
Lock down object-create privileges to specific
object classes in specific containers
Lock down object-delete privileges to specific
object classes in specific containers
Block any user without specific privileges
definedeven those with supervisory privileges to
NDS
Define custom message to be sent to initiating
user noting denial of create or delete activity
Block activity regardless of tool used (NWADMIN,
ConsoleOne, custom tool, etc.)

45
Maintaining NDS Security Framework

DSMETER file server tracking (per NetWare server)
Version and revision of NetWare
Version of DS.NLM
Installed RAM
CPU speed in MHz
CPU speed" rating
CPU name
Free space on C\ (DOS partition)
Size of NDS (space used in SYS_NETWARE)
Free space on each mounted volume

46
Maintaining NDS Security Framework

DSMETER custom reporting
Customize reports with rules
Report by date range
Filter on any data within the report
Report definition stored in NDS for easy access

47
Maintaining NDS Security Framework

Zero-privilege help desk tools
Eliminate non-admin help desk staff from having
direct NDS write privileges
Restrict access to only those areas of the NDS
tree that non-admin help desk staff requires
Manage volume space restrictions
Manage GroupWise passwords and distribution
lists
Create users with required NDS attributes

48
Maintaining NDS Security Framework

Benefits
Reduce NDS and file system security exposures
Minimize/eliminate training time and costs
Lessen time to correct "mistakes"
Enable change control by enabling a security log
of network administration activity

49
Maintaining NDS Security Framework