IT Baseline Protection Manual S 2.99 Secure set-up of Novell Netware servers

S 2.99 Secure set-up of Novell Netware servers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

The security features of Novell Netware 3.x are not activated automatically after SERVER.EXE is first started. Each of them must be enabled and configured individually by the system administrator.

Immediately after the first login, the supervisor should assign a password to the SUPERVISOR account using the program SYS:PUBLIC\SETPASS.EXE. A password should also be assigned to the GUEST account that exists by default. If the guest account is not needed later on, it should be deleted.

During the set-up phase, login attempts should be blocked with the console command DISABLE LOGIN; once set-up is complete, logins are re-enabled with ENABLE LOGIN.

Most of the Novell security mechanisms can be enabled and configured with the Novell utility SYS:PUBLIC\SYSCON.EXE under the menu Supervisor Options. Note that the settings made under Default Time Restrictions (and likewise under Default Account Balance/Restrictions) apply to all Novell Netware accounts on the server only if they are made before the users and groups are created; accounts that already exist keep the settings they were created with.

Relevant security menu points are listed below:

Default Account Balance/Restrictions

This menu item sets the default account restrictions that are applied to every account created afterwards, among them: whether a password is required and its minimum length, whether periodic password changes and unique passwords are enforced, how many grace logins are allowed, and whether the number of concurrent connections per user is limited. These defaults should be set before the first user is created.

(Illustration: menu SYS:PUBLIC\SYSCON.EXE "Default Account Balance/Restrictions")

Default time restrictions

With the help of Time Restrictions, the permitted login times on a Novell Netware server can be defined. Outside these times, which generally correspond to normal working hours, no user can log in to the Novell Netware server.

Note: The GUEST and SUPERVISOR accounts that exist by default keep the Netware default setting (no time limit). It is therefore recommended that at least the guest account be restricted in its access times using SYS:PUBLIC\SYSCON.EXE (User Information - Time Restrictions).

Later changes to "Default Time Restrictions", made while setting up or maintaining user accounts, have no effect on the access times of users already defined. Differing access times for individual users must be set with SYS:PUBLIC\SYSCON.EXE (User Information - Time Restrictions).

Edit System AUTOEXEC File

The parameters of a Novell Netware server are configured in the start file AUTOEXEC.NCF (e.g. volumes, NLMs, additional protocols etc.).

Furthermore, additional security settings can be carried out in the AUTOEXEC.NCF file.

The Novell Netware console command SECURE CONSOLE, which should be included in AUTOEXEC.NCF, ensures that NLMs can only be loaded from the server directory SYS:SYSTEM. It also disables keyboard entry into the Novell Netware debugger, removes DOS from the main memory of the Novell Netware server, and deactivates the defined search paths so that they cannot be redefined; changing the date and time is then possible only for console operators. SECURE CONSOLE cannot be undone while the server is running, so it should be the last command in AUTOEXEC.NCF, after every LOAD that has to come from a path other than SYS:SYSTEM. Because DOS has been removed, EXIT after DOWN restarts the machine instead of returning to DOS.
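As an added example (not taken from the manual), an AUTOEXEC.NCF for a Netware 3.x server with SECURE CONSOLE as the final command. The server name, the IPX network numbers, and the LAN driver parameters are constructed placeholders and must be replaced with the values of the server in question.

```text
FILE SERVER NAME FS1
IPX INTERNAL NET 1A2B3C4D
LOAD NE2000 PORT=300 INT=3 FRAME=ETHERNET_802.2 NAME=NE2000_1
BIND IPX TO NE2000_1 NET=000000A1
MOUNT ALL
LOAD MONITOR
SECURE CONSOLE
```

Every LOAD that is needed for operation precedes SECURE CONSOLE; anything placed after it can only come from SYS:SYSTEM, and an NLM that still lives on the DOS partition will no longer load. Whether the command took effect can be checked at the console: the debugger can no longer be entered from the keyboard, and LOAD with a path outside SYS:SYSTEM is refused.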

File Server Console Operators

With the menu utility SYS:PUBLIC\FCONSOLE.EXE, a Novell Netware server can be controlled to a limited extent from a workstation.

A File Server Console Operator, who needs no privileges other than being explicitly listed as a console operator in order to use SYS:PUBLIC\FCONSOLE.EXE, can broadcast messages to users, change the current file server, or shut the server down. The status of the Novell Netware server can also be viewed and changed (date, time, etc.), and information on current connections can be viewed. By default, SYS:PUBLIC\FCONSOLE.EXE can be run by a supervisor or supervisor-equivalent account. Other users should have no access to this program, and the list of console operators should be kept as short as possible, since each of them can down the server.

(Illustration: menu SYS:PUBLIC\FCONSOLE.EXE)

Intruder Detection/Lockout

By activating "Detect Intruders", repeated unsuccessful login attempts to the Novell Netware server are recognised and, if so configured, the accounts concerned are locked.

"Detect Intruders", together with the further parameters of this menu item, limits the rate at which passwords can be guessed online; a "brute force attack" on a Novell Netware account then becomes impractical, although it is not ruled out entirely.

Incorrect Login Attempts indicates the number of permitted failed login attempts. As a rule, the value "three" should be selected here.

Bad Login Count Retention Time determines how long the server remembers failed login attempts against an account. If the number of failed login attempts exceeds the number set under Incorrect Login Attempts within this time, the user account is locked on the Novell Netware server.

The menu item Lock Account After Detection should be set to "Yes", so that an account that exceeds the number of permitted invalid login attempts is actually locked.

The time set for Length of Account Lockout should not be too short (at least one hour), so that the cause of an intruder lockout can be clarified between the system administrator and the user concerned. Note that intruder lockout can be misused to lock out arbitrary users, including SUPERVISOR, by deliberately entering wrong passwords; a locked SUPERVISOR account can be released with ENABLE LOGIN at the server console, other accounts via SYS:PUBLIC\SYSCON.EXE (User Information - Intruder Lockout Status).

(Illustration: menu SYS:PUBLIC\SYSCON.EXE "Supervisor Options - Intruder Detection/Lockout")
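As an added example, not code from the manual or from Novell, the following Python model of the four intruder-detection settings lets the interaction of the retention window and the lockout length be tested before values are chosen. It assumes that the retention time runs from the most recent failed attempt and that the lockout fires when the count exceeds (rather than reaches) "Incorrect Login Attempts", as the text above describes; account names and station addresses are constructed.

```python
"""Model of the SYSCON "Intruder Detection/Lockout" parameters (added example).

Time is an integer number of minutes. Assumptions, not documented behaviour:
the retention window is measured from the most recent incorrect attempt, and
the lockout triggers when the count EXCEEDS "Incorrect Login Attempts".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IntruderPolicy:
    incorrect_login_attempts: int = 3      # Incorrect Login Attempts
    retention_minutes: int = 30            # Bad Login Count Retention Time
    lock_after_detection: bool = True      # Lock Account After Detection
    lockout_minutes: int = 60              # Length of Account Lockout (>= 1 hour advised)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[int] = None      # minute of the last incorrect attempt
    locked_until: Optional[int] = None     # minute at which the lockout expires
    lockout_station: Optional[str] = None  # address recorded at lockout (cf. USERLIST /A)


class IntruderDetector:
    """Tracks incorrect logins per account and applies the lockout policy."""

    def __init__(self, policy: IntruderPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.console_log: List[str] = []   # messages a supervisor would review

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def login(self, user: str, password_ok: bool, now: int, station: str) -> str:
        """Process one login attempt at minute `now` from `station`.

        Returns "ok", "bad", "locked" (refused because the account is frozen)
        or "detected" (threshold exceeded but locking is switched off).
        """
        st = self._state(user)
        pol = self.policy

        # 1. A frozen account refuses every attempt until the lockout expires,
        #    even with the correct password.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None           # lockout elapsed: start clean
            st.bad_count = 0

        # 2. Forget stale failures once the retention time has passed.
        if st.last_bad_at is not None and now - st.last_bad_at > pol.retention_minutes:
            st.bad_count = 0

        if password_ok:
            st.bad_count = 0                 # a successful login clears the counter
            st.last_bad_at = None
            return "ok"

        st.bad_count += 1
        st.last_bad_at = now
        if st.bad_count <= pol.incorrect_login_attempts:
            return "bad"

        # 3. Threshold exceeded within the retention window: intruder detected.
        self.console_log.append(
            f"{now:05d}: Intruder detected on account {user} from station {station}")
        if not pol.lock_after_detection:
            return "detected"
        st.locked_until = now + pol.lockout_minutes
        st.lockout_station = station
        return "locked"

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def unlock(self, user: str) -> None:
        """Supervisor clears the lockout (SYSCON: Intruder Lockout Status)."""
        self.accounts[user] = AccountState()


def demo() -> List[str]:
    """Constructed sequence: four guesses inside the window, then the real user."""
    det = IntruderDetector(IntruderPolicy())
    station = "000000A1:00001B2C3D4E"      # constructed network:node address
    results = [det.login("JSMITH", False, t, station) for t in (0, 5, 10, 12)]
    results.append(det.login("JSMITH", True, 20, station))   # real user, still frozen
    results.append(det.login("JSMITH", True, 80, station))   # after the lockout expires
    return results
```

With the recommended values (three attempts, lockout of one hour) the fourth wrong password within the retention window freezes the account, the legitimate user is refused for the rest of the hour, and failures spaced further apart than the retention time never accumulate. The same model shows why the lockout length must not be too short: with a lockout of a few minutes an attacker simply waits it out and continues guessing.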

System Login Script

The System Login Script contains the settings that should apply to every user after logging in to the Novell Netware server. Unlike a User Login Script, the System Login Script is executed for every user. Settings that apply to all users of the Novell Netware server, e.g. drive mappings or the start of external programs, should therefore be made in the System Login Script.

To prevent a user from changing these standard settings through a User Login Script of their own, the command EXIT must be given at the end of the System Login Script; it ends login script processing, so the User Login Script is never executed.

Note: In addition, a User Login Script must be created for every user. This is necessary because every user has the access right "Create" in the SYS:MAIL directory, and the User Login Script is stored as the file LOGIN in the user's mail subdirectory SYS:MAIL\<object ID>. A user who has no User Login Script therefore has no LOGIN file there, and another user could create one containing harmful commands; an existing LOGIN file cannot be overwritten with the Create right alone.
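As an added example (not from the manual), a System Login Script entered under SYSCON "Supervisor Options - System Login Script" that performs the standard mappings for all users and ends with EXIT. The volume VOL1, the group FINANCE and the home directory location SYS:USERS are constructed assumptions.

```text
REM System login script - EXIT at the end skips every user login script
MAP DISPLAY OFF
MAP ERRORS OFF
MAP INS S1:=SYS:PUBLIC
MAP INS S2:=SYS:PUBLIC\%MACHINE\%OS\%OS_VERSION
MAP F:=SYS:USERS\%LOGIN_NAME
IF MEMBER OF "FINANCE" THEN BEGIN
   MAP G:=VOL1:FINANCE
END
IF LOGIN_NAME="SUPERVISOR" THEN BEGIN
   MAP INS S3:=SYS:SYSTEM
END
MAP DISPLAY ON
MAP
EXIT
```

Because EXIT ends processing, anything that differs between users has to be expressed inside the System Login Script (group membership via IF MEMBER OF, or a branch on LOGIN_NAME) rather than in User Login Scripts. A quick check after the change: log in as an ordinary user who has a User Login Script with a visible WRITE line; that line must no longer appear.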

View File Server Error Log

The File Server Error Log is the error log of a Novell Netware server. All error and warning messages are saved here and should be reviewed regularly by the supervisor.

(Illustration: menu SYS:PUBLIC\SYSCON.EXE "Supervisor Options - File Server Error Log")

Workgroup Managers

A workgroup manager is a restricted supervisor account. Like the supervisor, it has the right to create and delete bindery objects (users, user groups, print queues). A workgroup manager can pass on to the users and user groups it manages only those rights that it has itself been granted by the supervisor.

Workgroup managers may not set up new workgroup managers or users with a supervisor-equivalent security level, unless the workgroup manager already possesses rights equivalent to a supervisor.

Station Restrictions

With the menu item Station Restrictions, the network addresses (network number and node address) from which a user may log in to the Novell Netware server can be specified. The address of a workstation in the network can be found, for example, with SYS:PUBLIC\USERLIST.EXE /A. Specifying permitted network addresses is particularly recommended for supervisor and supervisor-equivalent accounts. Which addresses are to be permitted must be decided locally according to the circumstances. Note that the node address is the network card's hardware address, which can be changed on many cards; station restrictions are therefore an additional hurdle, not a substitute for a strong password.

Standardised Set-up of Users and User Groups

Besides the menu utility SYS:PUBLIC\SYSCON.EXE, users can also be set up with SYS:PUBLIC\MAKEUSER.EXE and SYS:PUBLIC\USERDEF.EXE.

These programs are particularly suited to setting up large numbers of users at once.

With SYS:PUBLIC\MAKEUSER.EXE, a kind of batch file (a .USR file) is created, which can be used to set up many users with differing privileges.

SYS:PUBLIC\USERDEF.EXE serves to set up many users with the same privileges. For this purpose, a template is drawn up that specifies the settings for these users.

These menu-utilities should be used particularly for larger networks to make administration easier and more consistent.
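As an added example (not from the manual), a MAKEUSER .USR file that creates two users with the restrictions recommended in this measure. The user names, initial passwords and the group FINANCE are constructed. The keyword names follow the Netware 3.x MAKEUSER reference as I recall it; the argument format of #RESTRICTED_TIME in particular should be checked against the .USR keyword reference of your version before the file is run.

```text
#REM FINANCE.USR - constructed example; delete this file after MAKEUSER has run
#HOME_DIRECTORY SYS:USERS
#GROUPS FINANCE
#PASSWORD_REQUIRED
#PASSWORD_LENGTH 8
#PASSWORD_PERIOD 90
#UNIQUE_PASSWORD
#CONNECTIONS 1
#RESTRICTED_TIME everyday, 7:00 pm, 7:00 am
#CREATE JSMITH;John Smith;Xq7pLm2w ^
#CREATE AMUELLER;Anna Mueller;Rt4kNz9c ^
```

The keywords preceding #CREATE apply to every user created after them, so the file documents the restrictions in one place. The initial passwords stand in the file in cleartext: the file must be readable only by the supervisor and should be deleted once the accounts exist, and the users should be required to change their password at first login. After running MAKEUSER, the result should be checked in SYSCON (User Information) for each created account.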


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999