IT Baseline Protection Manual S 2.148 Secure configuration of Novell Netware 4.x networks
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
A secure configuration of a Novell Netware 4.x network involves the following two steps:
Installation of the related software
Configuration of the network environment
Installation of the related software
To install the Novell Netware 4.x software securely, the installation manual for Novell Netware 4.x must be consulted beforehand. The following points must be observed in all cases:
Hardware requirements: Before installation, a check is needed as to whether the selected hardware fulfils all applicable requirements (e.g. mass storage and main memory requirements)
The functionality of all hardware components must be tested under MS-DOS before they are used in a more complex environment (for example one that includes a multi-protocol router)
Documentation of the hardware configuration (refer to S 2.153 Documentation of Novell Netware 4.x networks)
Planning of the NDS (refer to S 2.151 Design of a NDS concept)
All other essential steps for installing Novell Netware 4.x software are described in the handbooks entitled Installation and Manual on Netware 4 Networks.
Availability requirements
To increase the availability of Novell servers and the stored data, the operating system offers a hierarchical set of fault tolerance levels which are described below. Each level contains the functionalities of the previous levels.
Hot Fix I and Hot Fix II
Novell Netware 4.x supports so-called Hot Fixes as standard. This mechanism prevents data loss due to physical hard disk errors. A distinction is made between Hot Fix I and Hot Fix II. With Hot Fix I, after every write to a file the data now on the hard disk is read back and compared with the original data, which is still held in the main memory of the Netware server. If the two do not agree, the hard disk sector is marked as faulty and locked against future access; the data from memory is then written to a reserved sector in what is known as the "Hot Fix Area" of the hard disk.
In Netware 4.11 or higher, however, this function is deactivated by default. The server SET parameter responsible for it, Enable Disk Read After Write Verify, is set to OFF in Netware 4.11. To activate Hot Fix I, this parameter must be set to ON, at the server console or in the server's startup NCF file so that the setting survives a restart.
Hot Fix II, by contrast, also works with the default settings of Netware 4.11. It provides a similar fault tolerance to Hot Fix I, but only for mirrored or duplexed disks. Unlike Hot Fix I, it can also correct errors when data is read, because the information is held redundantly. If a read error is detected, the sector is marked as faulty and a sector from the Hot Fix area is used as its replacement; the intact data is read from the mirrored or duplexed disk and written automatically to the replacement sector.
Modern hard disks have comparable remapping mechanisms built into their own firmware, so Hot Fix I and II are of little practical importance today. If the Hot Fix area of such a disk nevertheless shows occupied sectors, the disk is failing and must be replaced immediately.
The Hot Fix area can be configured when a Netware partition is created. Novell Netware suggests a size for the Hot Fix area which is adequate for the size of the Netware partition. The relative size decreases as the size of the partitions increase.
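The following simulation, added here as an illustration and not Novell's code, shows the two redirection mechanisms described above on a toy disk: Hot Fix I catches a faulty sector at write time by comparing the read-back with the copy still in memory, whereas with the 4.11 default (verify OFF) the same fault goes unnoticed until the sector is read; Hot Fix II repairs a read error on a mirrored pair from the mirror's copy. The sector geometry, the fault model (a faulty sector silently loses writes) and the redirection table are constructed for the example and are not NetWare's on-disk layout.

```python
"""Simulation of NetWare Hot Fix sector redirection (added example, not Novell code)."""

SECTOR = 512


class Disk:
    """A disk with a data area, a Hot Fix area and a constructed set of faulty sectors."""

    def __init__(self, data_sectors, hotfix_sectors, bad_sectors=()):
        self.data = [b"\x00" * SECTOR] * data_sectors
        self.hotfix = [b"\x00" * SECTOR] * hotfix_sectors
        self.bad = set(bad_sectors)   # constructed fault model: these sectors lose writes
        self.redirect = {}            # logical sector -> Hot Fix slot
        self.used_slots = 0

    def _raw_write(self, sector, payload):
        # A faulty sector does not retain the payload; later reads of it fail.
        self.data[sector] = None if sector in self.bad else payload

    def read(self, sector):
        """Return the sector's contents, or None when the drive reports a read error."""
        if sector in self.redirect:
            return self.hotfix[self.redirect[sector]]
        return self.data[sector]

    def _remap(self, sector, payload):
        """Mark `sector` faulty, allocate a Hot Fix slot for it and store `payload` there."""
        if self.used_slots >= len(self.hotfix):
            raise RuntimeError("Hot Fix area exhausted: replace the disk")
        slot = self.used_slots
        self.used_slots += 1
        self.redirect[sector] = slot
        self.hotfix[slot] = payload
        return slot

    def write(self, sector, payload, read_after_write_verify=True):
        """Write `payload`. With verify on (Hot Fix I) the read-back is compared with
        the copy still in memory and the sector is redirected on mismatch. Returns
        True if the sector was redirected. verify off models the NetWare 4.11
        default 'Enable Disk Read After Write Verify = OFF'."""
        if sector in self.redirect:
            self.hotfix[self.redirect[sector]] = payload
            return False
        self._raw_write(sector, payload)
        if read_after_write_verify and self.read(sector) != payload:
            self._remap(sector, payload)
            return True
        return False

    def needs_replacement(self):
        """Operational check from the text: any occupied Hot Fix slot on a modern
        disk means the disk is failing and should be replaced."""
        return self.used_slots > 0


def mirrored_read(primary, mirror, sector):
    """Hot Fix II on a mirrored pair. Returns (payload, repaired)."""
    payload = primary.read(sector)
    if payload is not None:
        return payload, False
    good = mirror.read(sector)
    if good is None:
        raise RuntimeError("both copies unreadable: data lost")
    primary._remap(sector, good)   # redirect the faulty sector, fill it from the mirror
    return good, True


def demo():
    """Run the three scenarios and return their outcomes."""
    # Hot Fix I with verify ON: the faulty sector is caught at write time.
    verified = Disk(8, 2, bad_sectors={3})
    redirected = verified.write(3, b"A" * SECTOR)
    # Verify OFF (4.11 default): the same fault goes unnoticed until the sector is read.
    unverified = Disk(8, 2, bad_sectors={3})
    unverified.write(3, b"B" * SECTOR, read_after_write_verify=False)
    # Hot Fix II: the mirror repairs the primary's faulty sector on read.
    primary, mirror = Disk(8, 2, bad_sectors={5}), Disk(8, 2)
    for d in (primary, mirror):
        d.write(5, b"C" * SECTOR, read_after_write_verify=False)
    data, repaired = mirrored_read(primary, mirror, 5)
    return {
        "hotfix1_redirected": redirected,
        "hotfix1_readback": verified.read(3),
        "unverified_readback": unverified.read(3),
        "hotfix2_repaired": repaired,
        "hotfix2_data": data,
        "primary_needs_replacement": primary.needs_replacement(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value[:4] if isinstance(value, bytes) else value)
```

The unverified case is the one to note: with the 4.11 default the write to the faulty sector returns without error and the loss only surfaces on the next read, which on an unmirrored disk is unrecoverable.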
Disk Mirroring (System Fault Tolerance II)
For disk mirroring, two identical hard disks should be connected to the same controller of a server. However, it is also possible to mirror hard disks that are not identical; the only requirement is that the data areas of the two Netware partitions to be mirrored are the same size. Data is written simultaneously to both hard disks. If one disk fails, the second is used without any loss of availability. Mirroring protects only against the hardware failure of one disk: deletions and corrupted writes are replicated to both disks, so it does not replace backups.
Disk Duplexing (System Fault Tolerance II)
Disk duplexing means installing two hard disks, each with its own controller. This mechanism remedies not only the failure of a hard disk but also the failure of a disk controller. With duplexing, the power supply of the hard disks should also be redundant, which is usually only possible with external disk subsystems.
Server Mirroring (System Fault Tolerance III)
Server mirroring is the highest level of fault tolerance against hardware failure. Two identical Novell Netware 4.x servers run simultaneously and "in parallel" in the network, connected by a dedicated high-speed link. The secondary server is on standby only: it does not take over any work in the network unless the primary server fails, in which case it carries out the primary server's tasks.
Whether measures beyond Hot Fixes are needed depends on the availability required of the network.
Uninterruptible Power Supply (UPS)
Using an uninterruptible power supply (UPS) averts the consequences of a power failure. Netware supports devices with UPS monitoring. In the event of a power failure, the server is shut down normally before the UPS's bridging time expires: all data held in caches is written to the hard disks, connections to the server are terminated, and server processes are stopped. The bridging time must be long enough for this shutdown to complete, which should be verified by testing the shutdown under a real loss of mains power.
Configuration of the network environment
Novell Netware 4.x provides its own security system for protecting the network and its resources. The corresponding functions are not all active by default, however, and must be enabled by the administrator when configuring the Netware 4.x network, so the administrator bears a considerable share of the responsibility for the security of the network.
The Novell Netware Administrator is an essential aid in administrating and securing a Netware 4.x network. This program comes in the following versions:
SYS:PUBLIC\NWADMIN.EXE for Windows 3.11,
SYS:PUBLIC\WIN95\NWADMN95.EXE for Windows 95,
SYS:PUBLIC\WINNT\NWADMNNT.EXE for Windows NT, and the more recent
SYS:PUBLIC\WIN32\NWADMN32.EXE for Windows NT and Windows 95.
The program Netware Administrator allows a wide range of settings, such as setting a minimum password length or the maximum number of simultaneous connections for a user. In the following section, the security-relevant functions of the Netware administrator are listed and explained. The descriptions include specifications of the related parameter settings required for the secure operation of a Netware 4.x network.
One essential step in configuring a secure Netware 4.x network is the creation of user accounts. Templates for the standard users of each context should be created for this purpose. When individual user accounts are created, the values set in the template are copied into the new account, which greatly reduces the time and effort involved and ensures that no account is created with weaker settings than the template. The USE TEMPLATE option is provided for this purpose. The following functions should be set in a template:
Login restrictions
Menu diagram: Netware Administrator Menu "Template: User template / Login restrictions"
Limit concurrent connections
This function limits the number of simultaneous connections (logins) that a user account may hold to Netware servers. A value of "1" should generally be selected: it avoids unnecessary consumption of connection licences, and a second session opened with the same credentials elsewhere is refused rather than going unnoticed.
Password restrictions
Menu diagram: Netware Administrator Menu "Template: User template / Password restrictions"
Allow user to change password
This option must be activated so that users can change their own password. If it is not selected, the password options described below cannot be configured.
Require password
This option activates the password prompt for every user and makes the following password rules available. "Require password" should always be activated.
Minimum password length
This specifies the minimum password length. The minimum password length should be no less than six characters (refer to S 2.11 Provisions governing the use of passwords).
Force periodic password changes
When this option is active, users are prompted to change their password on a regular basis. As a rule, this option should be left active.
Days between password changes
This menu item specifies how long a password remains valid. The period must be fixed individually for each system (refer to S 2.11 Provisions governing the use of passwords).
Require unique passwords
When the password history is active (require unique passwords), a newly entered password is compared with the last nine passwords of the user account and rejected by the Netware server if it matches one of them. This forces users to choose a genuinely new password when the old one expires. This option should always remain active.
Limit grace logins
Grace logins are logins that are still permitted after a password has expired. Their number should always be limited with this option.
Grace logins allowed
The number of permissible grace logins should be set to 1, so that when a password expires the user has to change it immediately, at the very next login.
Set password after create
This option should always remain active. It prompts the administrator to enter a password when a new user account is created, which prevents accounts that are temporarily accessible to anyone because they have no password.
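The password restrictions listed above, taken together, form a small state machine per account. The following script, added here as an illustration and not Novell's code or NetWare's internal representation, applies the recommended template values (minimum length 6, forced periodic change, history of the last nine passwords, one grace login, a password required at creation) to one account through creation, expiry and a reuse attempt. The 90-day validity period is an assumed value, since the text leaves it to be fixed per system; the SHA-256 history is illustrative only, as NetWare uses its own password hashing.

```python
"""Evaluation of a user template's password restrictions (added example, not Novell code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordTemplate:
    require_password: bool = True
    allow_user_change: bool = True
    min_length: int = 6
    force_periodic_changes: bool = True
    days_between_changes: int = 90        # assumed value; the text says: set per system
    require_unique: bool = True
    history_depth: int = 9                # the last nine passwords are compared
    limit_grace_logins: bool = True
    grace_logins_allowed: int = 1


@dataclass
class Account:
    template: PasswordTemplate
    password_hash: Optional[str] = None   # None: account created without a password
    changed_at: Optional[datetime] = None
    history: List[str] = field(default_factory=list)   # hashes of previous passwords
    grace_left: int = 0


def _h(password: str) -> str:
    # Illustrative only; NetWare uses its own hashing and a real history would be salted.
    return hashlib.sha256(password.encode()).hexdigest()


def set_password(acct: Account, new: str, now: datetime, by_admin: bool = False) -> str:
    """Apply the template's rules to a password change; returns 'ok' or the reason."""
    t = acct.template
    if not by_admin and not t.allow_user_change:
        return "rejected: users may not change their password"
    if t.require_password and len(new) < t.min_length:
        return f"rejected: shorter than {t.min_length} characters"
    if t.require_unique and _h(new) in acct.history[-t.history_depth:]:
        return f"rejected: one of the last {t.history_depth} passwords"
    acct.history = (acct.history + [_h(new)])[-t.history_depth:]
    acct.password_hash = _h(new)
    acct.changed_at = now
    acct.grace_left = t.grace_logins_allowed   # grace logins are replenished on change
    return "ok"


def login(acct: Account, password: str, now: datetime) -> str:
    """Decide a login under the template's expiry and grace-login rules."""
    t = acct.template
    if t.require_password and acct.password_hash is None:
        return "denied: no password set (see 'Set password after create')"
    if _h(password) != acct.password_hash:
        return "denied: wrong password"
    expired = (t.force_periodic_changes and acct.changed_at is not None
               and now - acct.changed_at > timedelta(days=t.days_between_changes))
    if not expired:
        return "ok"
    if not t.limit_grace_logins:
        return "ok: password expired, change requested"
    if acct.grace_left > 0:
        acct.grace_left -= 1
        return "ok: grace login used, password must be changed now"
    return "denied: password expired and grace logins exhausted"


def demo() -> List[str]:
    """Walk one account through creation, expiry, grace login and a reuse attempt."""
    t0 = datetime(2024, 1, 1, 9, 0)                        # constructed timestamps
    acct = Account(PasswordTemplate())                    # created without a password
    out = [login(acct, "", t0)]
    out.append(set_password(acct, "abc12", t0, by_admin=True))          # too short
    out.append(set_password(acct, "s3cret!", t0, by_admin=True))
    out.append(login(acct, "s3cret!", t0 + timedelta(days=1)))
    out.append(login(acct, "s3cret!", t0 + timedelta(days=91)))         # expired: one grace login
    out.append(login(acct, "s3cret!", t0 + timedelta(days=91)))         # grace exhausted
    out.append(set_password(acct, "s3cret!", t0 + timedelta(days=91)))  # reuse of old password
    out.append(set_password(acct, "n3wpass!", t0 + timedelta(days=91)))
    out.append(login(acct, "n3wpass!", t0 + timedelta(days=91)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sequence shows why "Grace logins allowed" = 1 matters: the single grace login is the user's only chance to log in after expiry, and the next attempt is refused until an administrator intervenes, so the change cannot be postponed indefinitely.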
Login time restrictions
Menu diagram: Netware Administrator Menu "Template: User template / Login time restrictions"
Default time restrictions
The "Login time restrictions" page of the template defines the periods during which user accounts created from it may be used in the Netware 4.x network. Outside the periods specified here, such users cannot log in.
Subsequent changes to the default time restrictions in the template, whether made while creating new user accounts or while maintaining existing ones, have no effect on the permitted access periods of users who have already been created, since the template values are copied only at account creation. Different access periods for individual users can be specified with SYS:PUBLIC\NWADMIN.EXE (Objects / Details on multiple users).
The following security mechanisms can additionally be set for individual container objects of the NDS:
Intruder detection
Menu diagram: Netware Administrator Menu "Organizational Unit: Lab / Intruder Detection"
Detect Intruders
When this option is active, unauthorised login attempts are recognised and, if so configured, the affected user accounts are disabled. This thwarts brute-force attacks on passwords under Novell Netware 4.x. The option must be activated with the Netware Administrator program for every container, because the setting applies only to the user objects in that container.
Incorrect login attempts
This option specifies the maximum permissible number of incorrect login attempts before detection is triggered; a value of 3 should generally be set here.
Intruder attempt reset interval
This interval defines how far back incorrect attempts to log into a user account are counted. If the number of incorrect attempts within the defined period exceeds the value set under "Incorrect login attempts", the user account is disabled (provided that the option titled "Lock account after detection" is active). Failed attempts older than the interval no longer count, so a very short interval lets an attacker pace the attempts to stay below the limit.
Lock account after detection
This menu item should always remain active, in order to disable user accounts for which the maximum permissible number of incorrect login attempts has been exceeded.
Intruder lockout reset interval
The interval specified here should always be sufficiently long (> 1 hour), so that the system administrator and the affected user can establish the reason for the intruder lockout (i.e. the disabling of the user account) before the account is automatically re-enabled.
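The five intruder detection settings above interact (failures are counted only within the attempt reset interval, the lock lasts for the lockout reset interval), and the following script, added here as an illustration and not Novell's code, runs them against a constructed stream of login attempts. It assumes that with "Incorrect login attempts" = 3 the third failure inside the window locks the account, and uses an assumed attempt reset interval of 30 minutes; the lockout reset interval of 2 hours follows the recommendation above. A `warnings()` check flags the settings the text advises against.

```python
"""Intruder detection per NDS container (added example, not Novell code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class IntruderPolicy:
    detect_intruders: bool = True
    incorrect_login_attempts: int = 3
    attempt_reset_interval: timedelta = timedelta(minutes=30)   # assumed value
    lock_account_after_detection: bool = True
    lockout_reset_interval: timedelta = timedelta(hours=2)      # text: > 1 hour

    def warnings(self) -> List[str]:
        """Checks a practitioner would run before rolling the container settings out."""
        w = []
        if not self.detect_intruders:
            w.append("intruder detection is off: brute-force attempts are not noticed")
        if not self.lock_account_after_detection:
            w.append("detection without lockout only logs; the attack continues")
        if self.incorrect_login_attempts > 3:
            w.append("more than 3 incorrect attempts permitted")
        if self.lockout_reset_interval <= timedelta(hours=1):
            w.append("lockout reset interval should exceed 1 hour")
        return w


@dataclass
class AccountState:
    bad_count: int = 0
    window_start: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class Container:
    """One NDS container with its policy and the login state of its user objects."""

    def __init__(self, policy: IntruderPolicy):
        self.policy = policy
        self.state: Dict[str, AccountState] = {}
        self.log: List[str] = []

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        p, s = self.policy, self.state.setdefault(user, AccountState())
        if s.locked_until is not None:
            if now < s.locked_until:
                return "denied: account locked"
            s = self.unlock(user)            # lockout reset interval has elapsed
        if password_ok:
            s.bad_count, s.window_start = 0, None
            return "ok"
        if not p.detect_intruders:
            return "denied: wrong password"
        # Failures older than the attempt reset interval no longer count.
        if s.window_start is None or now - s.window_start > p.attempt_reset_interval:
            s.bad_count, s.window_start = 0, now
        s.bad_count += 1
        if s.bad_count < p.incorrect_login_attempts:
            return "denied: wrong password"
        self.log.append(f"{now.isoformat()} intruder detected on {user}")
        if not p.lock_account_after_detection:
            return "denied: intruder detected, account not locked"
        s.locked_until = now + p.lockout_reset_interval
        return "denied: intruder detected, account locked"

    def unlock(self, user: str) -> AccountState:
        """Clear the lock, e.g. by the administrator once the cause is known."""
        self.state[user] = AccountState()
        return self.state[user]


def demo() -> List[str]:
    """Constructed login events: a burst on 'alice', spaced failures on 'bob'."""
    t0 = datetime(2024, 1, 1, 8, 0)
    c = Container(IntruderPolicy())
    out = [c.attempt("alice", False, t0 + timedelta(minutes=m)) for m in (0, 1, 2)]
    out.append(c.attempt("alice", True, t0 + timedelta(minutes=3)))            # still locked
    out.append(c.attempt("alice", True, t0 + timedelta(hours=2, minutes=5)))   # lock expired
    # Failures spread wider than the attempt reset interval do not accumulate.
    for m in (0, 40, 41):
        out.append(c.attempt("bob", False, t0 + timedelta(minutes=m)))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the correct password at minute 3 is still refused: once an account is locked, knowing the password no longer helps until the lockout reset interval has elapsed or an administrator unlocks the account, which is what makes the lockout effective against guessing.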
Additional controls:
Have users been informed on how to handle passwords correctly?
Is the password quality controlled?
Are password changes mandatory?
Has every user been provided with a password?
Has a user template been generated? Have security aspects been taken into account here?