Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
In practice, a complete revision of a Novell Netware 3.x server within the framework of IT baseline protection will hardly be possible. Nonetheless, the following approaches to revision should be observed.
The program SYS:SYSTEM\SECURITY.EXE examines the bindery files of a Novell Netware server for the following security weaknesses and lists the weaknesses it recognises.
No password assigned
Users not requiring a password to login to the Novell Netware server will be listed.
Insecure passwords
Here, many aspects of the bindery of a Novell Netware server will be examined.
Firstly, all users whose login name is the same as their password are listed, as are users whose password may be shorter than five characters. Furthermore, for every user it is checked whether the duration of password validity amounts to less than 60 days and whether an unlimited number of Grace Logins is permitted.
Supervisor equivalence
SYS:SYSTEM\SECURITY.EXE checks the bindery of a Novell Netware server in order to list those users who have the "supervisor" security level (Supervisor equivalence).
Root directory privileges
Because access rights are passed "down", all users of the Novell Netware server are examined to see whether they have access to the main directory (at volume level).
Login scripts
All users who do not have their own login script (User Login Script) are identified.
In order to exchange electronic messages, all users have the "Create" privilege in the SYS:MAIL directory as standard. An "attacker" could copy a LOGIN file (User-Login-Script) into the SYS:MAIL directory of a user not possessing a User Login Script, thus changing the user's Novell Netware environment.
Excessive rights
Within the installation framework, Novell Netware 3.x makes many directories available as standard (SYS:SYSTEM, SYS:PUBLIC, SYS:LOGIN). SYS:SYSTEM\SECURITY.EXE examines the bindery of a Novell Netware server to check if users have more privileges than provided as standard in these directories. Furthermore, the right of every user to possess a SYS:MAIL directory will be examined (exception "Create" for the group "Everyone").
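The account checks listed above can be applied to an exported account list as shown in the following added example, which is not part of the original safeguard text and is not Novell code. The record layout, field names and sample accounts are constructed assumptions; the example also assumes that a validity period above 60 days, or no expiry at all, is the condition to be listed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MIN_PASSWORD_LENGTH = 5   # page: passwords of fewer than five characters are listed
MAX_VALIDITY_DAYS = 60    # assumption: validity above 60 days (or none) is listed


@dataclass
class Account:
    """One exported account record (hypothetical layout, not a bindery format)."""
    name: str
    password_required: bool
    min_password_length: int
    validity_days: Optional[int]   # None = password never expires
    grace_logins: Optional[int]    # None = unlimited Grace Logins
    security_equals: List[str] = field(default_factory=list)
    has_login_script: bool = True


def audit(account: Account) -> List[str]:
    """Return the weaknesses from the list above that apply to one account."""
    findings = []
    if not account.password_required:
        findings.append("no password assigned")
    else:
        if account.min_password_length < MIN_PASSWORD_LENGTH:
            findings.append("password may be shorter than five characters")
        if account.validity_days is None or account.validity_days > MAX_VALIDITY_DAYS:
            findings.append("password validity not limited to 60 days")
        if account.grace_logins is None:
            findings.append("unlimited Grace Logins")
    if any(e.upper() == "SUPERVISOR" for e in account.security_equals):
        findings.append("supervisor equivalence")
    if not account.has_login_script:
        findings.append("no User Login Script")
    return findings


def audit_all(accounts: List[Account]) -> dict:
    """Map each account name to its findings, omitting clean accounts."""
    report = {}
    for account in accounts:
        findings = audit(account)
        if findings:
            report[account.name] = findings
    return report


# Constructed sample accounts for illustration only.
SAMPLE_ACCOUNTS = [
    Account("ALICE", True, 8, 40, 3),
    Account("GUEST", False, 0, None, None, has_login_script=False),
    Account("BOB", True, 4, 90, None, security_equals=["SUPERVISOR"]),
]
```

Accounts reported without a User Login Script are the ones exposed to the SYS:MAIL scenario described under "Login scripts".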
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999