IT Baseline Protection Manual S 2.101 Revision of Novell Netware servers

S 2.101 Revision of Novell Netware servers

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

In practice, a complete revision of a Novell Netware 3.x server within the framework of IT baseline protection will hardly be possible. Nonetheless, the following approaches to revision should be observed.

The program SYS:SYSTEM\SECURITY.EXE examines the bindery files of a Novell Netware server for the following security weaknesses and lists those it recognises.

No password assigned

Users who do not require a password to log in to the Novell Netware server are listed.

Insecure passwords

Here, many aspects of the bindery of a Novell Netware server are examined.

Firstly, all users whose login name is equivalent to their password are listed, as are users whose password may be less than five characters long. Furthermore, it is checked for every user whether the duration of password validity amounts to less than 60 days and whether an unlimited number of Grace Logins is permitted.

Supervisor equivalence

SYS:SYSTEM\SECURITY.EXE checks the bindery of a Novell Netware server in order to list those users who have the "supervisor" security level (Supervisor equivalence).

Root directory privileges

Because access rights are passed "down" the directory tree, all users of the Novell Netware server are examined to see whether they have access to the main directory (at volume level).

Login scripts

All users who do not have their own login script (User Login Script) are determined.

In order to exchange electronic messages, all users have the "Create" privilege in the SYS:MAIL directory as standard. An "attacker" could copy a LOGIN file (User Login Script) into the SYS:MAIL directory of a user who does not possess a User Login Script, thus changing that user's Novell Netware environment.
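The login-script check described above can also be run against a copy of the volume, as in the following added example (not part of the manual and not SECURITY.EXE itself). It assumes that a copy of SYS:MAIL is reachable as a local directory and that each user subdirectory holds that user's script in a file named LOGIN; the directory names in the sample tree are constructed.

```python
import os


def users_without_login_script(mail_root):
    """Return the sorted names of user mail directories that hold no LOGIN file.

    mail_root is assumed to be a local copy of SYS:MAIL (for example a
    restored backup). File names are compared case-insensitively because
    the case can change when the volume is copied to another file system.
    """
    missing = []
    with os.scandir(mail_root) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        # Only per-user subdirectories are of interest; skip stray files.
        if not entry.is_dir(follow_symlinks=False):
            continue
        files = {
            name.upper()
            for name in os.listdir(entry.path)
            if os.path.isfile(os.path.join(entry.path, name))
        }
        if "LOGIN" not in files:
            missing.append(entry.name)
    return missing


def build_sample_tree(root):
    """Create a constructed SYS:MAIL layout for demonstration purposes."""
    layout = {
        "1": ["LOGIN"],        # user with a login script
        "A000012": ["login"],  # script present, lower-case after copying
        "B000034": [],         # no login script: must be reported
        "C000056": [],         # only a directory named LOGIN: must be reported
    }
    for user_dir, files in layout.items():
        os.makedirs(os.path.join(root, user_dir))
        for name in files:
            with open(os.path.join(root, user_dir, name), "w") as fh:
                fh.write("MAP F:=SYS:PUBLIC\n")
    os.makedirs(os.path.join(root, "C000056", "LOGIN"))
    with open(os.path.join(root, "STRAY.TXT"), "w") as fh:
        fh.write("not a user directory\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(users_without_login_script(tmp))
```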

Excessive rights

During installation, Novell Netware 3.x makes many directories available as standard (SYS:SYSTEM, SYS:PUBLIC, SYS:LOGIN). SYS:SYSTEM\SECURITY.EXE examines the bindery of a Novell Netware server to check whether users have more privileges in these directories than are provided as standard. Furthermore, the right of every user to possess a SYS:MAIL directory is examined (exception: "Create" for the group "Everyone").

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999