S 2.100 Secure operation of Novell Netware servers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Secure operation of a Novell Netware network requires various actions which are listed below:

Allocation of access rights to directories and files

The allocation of access rights (Trustee Assignments) to files and directories on Novell Netware servers plays a central role in the security of Novell Netware servers.

In contrast to the assignment of attributes, Trustee Assignments are assigned to individual users or user groups.

Directories and files can be assigned to specific tasks via the access rights. This ensures that user groups and users are only granted access to the directories and files which they require for performing their respective tasks.

For a clearer overview, easier administration and improved auditing capability, access rights should be assigned primarily to user groups.

To prevent accidental release of directories by users, system administration should ensure that the directories allocated to users and user groups do not contain "Supervisory" (S) and "Access Control" (A) privileges.

If certain properties (e.g. write-protected files) are allocated to files or directories with the help of Netware Attributes, attention should be paid to the fact that users possessing the "Modify" (M) privilege for the corresponding files and directories are able to change these attributes. The number of users with this access right should thus be restricted (see below Allocation of Netware Attributes to files and directories).

Allocation of access rights to directories and files

Besides granting access rights to users and groups for files and directories, the allocation of Netware-Attributes to files and directories can increase data security. Attributes always concern files or directories, i.e. they are independent of the allocated access rights and are valid for all users including the supervisor.

Users, who have been granted the "Modify (M)" privilege for the files and directories concerned, can change the Netware-Attributes and thereby carry out every action permitted by their effective privileges.

By installing Netware-Attributes, security will take the form of a subsystem in file and directory security.

When allocating Netware-Attributes to files and directories, the following properties of Netware-Attributes should be taken into account.

• Directory Attributes:

Hidden (H): The directory will be labelled as hidden; it will not show up in a contents list under DOS, neither can it be copied or deleted.

System (Sy): The directory (e.g. SYS:SYSTEM\DELETED.SAV) is used by the system; it will not show up in a contents list under DOS, it can neither be copied nor deleted.

Rename Inhibit (R): The directory cannot be renamed.

Delete Inhibit (D): The directory cannot be deleted.

Purge (P): When deleting, the directory and the files contained therein will immediately be physically deleted. Restoring the directory with the help of SYS:\PUBLIC\SALVAGE.EXE is not possible.

• File Attributes:

Read write (Rw): Read and write access to the file is possible.

Read only (Ro): The file may only be read. Write access is not possible. To avoid data loss during simultaneous use, these files should also possess the "Shareable" (S) Attribute.

Executable program files (*.exe, *.com) should be given the "Read only" Attribute to prevent a possible computer-virus attack.

Shareable (S): These files can simultaneously be used by many users. Files that have been given the "Shareable" Attribute should also possess the "Read Only" Attribute. The "Shareable" Attribute is only relevant for programs that open files in a non-networkable mode.

Purge (P): Files with the "Purge" Attribute will, when deleted, not only be immediately logically deleted, but also physically. The consequence being that the file cannot be restored. (SYS:PUBLIC\SALVAGE.EXE).

In this context, it must be noted that the physical deletion of a file can be brought about not only by the "Purge" Attribute. If secure deletion of directories and files is required, the Netware program SYS:PUBLIC\PURGE.EXE can be installed for this purpose.

Transactional (T): Files with this attribute are subject to transaction control from Novell Netware. Transaction, in this context, means a series of changes in one or more files. Installing this attribute causes only completely executed transactions to be taken over by the data contained in the file. Transactions that have been improperly interrupted will be undone by Novell Netware.

Archive needed (A): The contents of files labelled thus by Novell Netware have been changed or reinstalled since the last backup. With a sequential backup, data backup software can recognise that the file must be backed up again.

Copy Inhibit (C): Files of this type cannot be copied. However, this Netware Attribute is only designed for APPLE Macintosh workstations.

Delete Inhibit (D): The file cannot be deleted.

Rename Inhibit (R): The file cannot be renamed.

Execute Only (X): Executable program files (*.EXE, *.COM) which have been allocated with this attribute may only be executed or deleted. Copying of the file is not possible.

Hidden (H): The file will be labelled as hidden; it will not show up in a contents list under DOS, neither can it be copied or deleted. I

System (S): This file (e.g. bindery Files -NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS) is used by the network operating system; it will not show up in a contents list under DOS, it can neither be copied nor deleted.

Backup of important system files

The server start files AUTOEXEC.NCF and STARTUP.NCF should be saved by the system administrator in their respective present versions on secured and stored in a safe place secured against unauthorised access. It is wise to supplement these files with comments so that the respective set parameters can be understood when problems arise.

Furthermore, the bindery (NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS) of a Novell Netware server should be regularly backed up with the help of the SYS:SYSTEM\BINDFIX.EXE program. The backed up bindery (SYS:SYSTEM\*.OLD) should then be saved on a data medium and stored in a safe place secured against unauthorised access.

In any case, after executing SYS:SYSTEM\BINDFIX.EXE the integrity of the new bindery should be tested. If in doubt, the old bindery can be restored with the help of SYS:SYSTEM\BINDREST.EXE.

User access to the present bindery is withdrawn during execution of SYS:SYSTEM\BINDFIX.EXE. For reasons of operational security, no user, apart from a supervisor or an equivalent-to-a-supervisor user, should be logged on to the Novell Netware server when backing up the server bindery.

Restricted use of a supervisor or an-equivalent-to-a-supervisor account

The supervisor account should not be used for daily administrative tasks. Rather, it should only be used in case of emergency. Nonetheless, to ensure system administration, an equivalent-to-a -supervisor account should be set up for every user with the "supervisor" network security level, with which the system administration is normally be carried out. If administrative tasks are not performed on a full-time basis, additional accounts need to be created specifically for each non-administrative activity.

Furthermore, a supervisor or an equivalent-to-a-supervisor account should only be used on the workstations defined for that purpose, since under some circumstances the integrity of other workstations can be manipulated by users.

Delegation of system administration

In larger networks (many Novell Netware servers or various locations) or with a large number of users, delegation of certain system administration tasks is recommended. For this purpose Novell Netware  3.x offers the possibility of assigning users with user-account-manager or workgroup-manager accounts.

User-account-managers can administrate users and groups which have been allocated to them by the system administrator. Thus, besides being able to alter user-data (password, operating time, etc.) they can pass on all the privileges which they themselves possess. Furthermore, user-account managers may allocate individual users to a group. In this case, the groups as well as the users must be administrated by the respective user-account-manager. The user-account manager cannot set up new users or groups. He may, however, delete users or groups which have been allocated to him.

A workgroup-manager has all the privileges of a user-account-manager. Moreover, he can set up new users and groups. An additional task of the workgroup manager is the setting-up of printing queues.

Use of the NCP-Packet-Signature

Communication between Novell Netware clients and a Novell Netware-server is controlled by the Netware Core Protocol (NCP). Client and Server exchange individual packets which contain data. A potential attacker can monitor these packets by using special programs (see T 5.58 "Hacking Novell Netware") and can manipulate packets belonging to highly privileged users.

The Packet-Signature has been developed to counteract this threat. When a user logs on to the server, a secret key will be established. If a workstation then sends an inquiry to the server via NCP, it will be provided with a signature formed from the secret key and the signature of the previous packet. This signature will be attached to the relevant packet and sent to the server. The server will verify the packet signature before dealing with the actual inquiry.

With the option Set NCP Packet Signature -value-, the packet signature can be activated on the server.

The possible levels of NCP-Packet signature are as follows:

Value "0": There are no NCP-Packet-signatures.

Value "1": The Novell Netware Server is using NCP-Packet-signatures at the request of the client.

Value "2": The Novell Netware server requires an NCP-Packet-signature from the client. If the client cannot supply one, communication between client and server will nonetheless be granted.

Value "3": The NCP-Packet-signature is mandatory.

To ensure IT-security, the value "3" should be selected for NCP-Packet-signature. Since installation of the NCP-Packet-signature increases network demands by 30%, it should be clarified beforehand whether the performance will be unreasonably reduced.

Restriction of available hard disk memory

With the help of the program SYS:PUBLIC\DSPACE.EXE the available hard disk memory of a volume or directory should be limited, as experience shows that use of available hard disk memory increases with the capacity of the hard disk memory.

Alternatively, once set up, the capacity of each user's personal directory can be restricted if single directories have been set up for work data.

Blocking programs that are not required

Most of the Novell Netware programs available under SYS:PUBLIC will generally not be required by Netware users, since many of the functions (printer configuration, password change, allocation of disks) can be carried out with the client software. For this reason, and due to the unfamiliar handling of Novell Netware service programs, it is recommended that programs not required be moved into the SYS:SYSTEM directory. In particular the program SYS:PUBLIC\RENDIR.EXE, should not be available to users due to the recognised threat (T 5.54 Deliberately Causing an Abnormal End).

Under no circumstances should the programs stored in the SYS:SYSTEM directory be moved into the SYS:PUBLIC directory, as has often been the case.

Information on Novell Netware patches

In the course of developing the network operating system Novell Netware  3.x, various weaknesses and shortcomings have come to light, most of which have been eliminated by the producer with the help of so-called patches. These patches can also be obtained from the manufacturer via the Internet (www.novell.com, ftp.novell.com and www.novell.de, ftp.novell.de). Shortcomings identified during operation of the network can thus be fixed by obtaining information on the network's functionality and, if necessary, loading the patches which have been made available. In particular, additionally installed software products, e.g. for the purpose of performing data backups, often require a certain patch level of the network operating system. Here though, it must be noted that the offered patches should by no means be loaded "blindly", but only after a thorough research if a concrete requirement for them has arisen ("never change a running system").

As not all patches are error-free, they should first be checked in a test configuration.

Apart from the international discussion forums in the Internet (Usenet) regarding Novell Netware (at present, comp.os.netware.announce, comp.os.netware.misc, comp.os.netware.security, bit.listserv.novell), there exists a german-speaking Novell forum for german users (at present, de.comp.sys.novell). A number of experienced Novell administrators are present, who can help solve even the most complicated problems. In addition, files are available over the Internet to answer the most frequently asked questions (FAQs). The most frequent problems are dealt with and solutions are offered.

Furthermore, patches and information regarding Novell Netware are made available by other service providers such as Compuserve, Fidonet and Mailboxes.

However, no guarantee can be given as to the correctness and comprehensiveness of the respective information in the usenet discussion forums or in the FAQs. It should be noted that a complete description of the problems arising, as well as a description of the respective network configuration (Client, Server), is highly advantageous when searching in the Internet (Usenet).

Furthermore, difficulties in network operation can often be remedied by making enquiries with the network operating system salesperson or by exchanging information with colleagues. As before, solving problems will be made considerably easier with a complete description of the configuration.

Testing for Computer-Viruses

Computer-Viruses located in the saved files and programs of a Novell Netware server can cause considerable damage to the network, due to their central position.

For this reason, the programs and files on a Novell Netware server should regularly be checked for the presence of computer viruses using a recent virus scanning program.

For this purpose, it is recommended to set up a special user-account on the Novell Netware server which contains "Read" (R) and "File Scan" (F) privileges for all server files. Under no circumstances should the anti-virus test be carried out with supervisor or equivalent-to-a-supervisor privileges, since an anti-virus program which is itself infected will then transfer this virus to all programs and files on the Novell Netware server.

For files and directories with an executable program code, users and user groups should only receive the effective "Read" (R) and "File scan" (F) privileges. Furthermore, executable programs should be provided with the "Read only" (RO) Netware Attribute.