S 4.102 C2 security under Novell 4.11

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Certain standardised evaluation criteria have become established for the assessment of IT products and IT systems: the US criteria known as TCSEC (Trusted Computer System Evaluation Criteria) and the European version, ITSEC (Information Technology Security Evaluation Criteria), which in the meantime have been further developed to become the CC (The Common Criteria for Information Technology Security Evaluation). In the autumn of 1997 Novell Netware 4.11 received a certification in accordance with functionality class C2 of the TCSEC from the National Computer Security Center (NCSC); this corresponds to ITSEC class F-C2/E2.

The use of a certified product provides a guarantee that the security functionality of the product has been independently tested and does not fall below the standard specified in the evaluation level (see also S 2.66 Consideration of the contribution of certification to procurement).

Frequently encountered standard cases are grouped together as functionality classes in these security criteria. The requirements of functionality classes F-C2 are essentially intended for operating systems. They include definitions of the following features, for example:

• Adoption of the C1 specifications

• Existence of mechanisms for restricting access by users to certain documents

• Identification of users

• Refinement of access rights

• Auditing of all security-related events with time stamp, user name, object and message indicating whether successful or unsuccessful

• Administration of audit files (access protection, control of size, etc.)

• Delimitation of resources (access protection)

• Delimitation of data from different processes with respect to other processes even after sharing

The observance of these specifications is checked with special test procedures.

However, acquiring a C2-certified product is not sufficient in itself to achieve C2 security. The key factor for actually putting a C2 system into practice is the precise implementation of the specifications of the certification report.

The security options necessary for achieving C2 security with Netware 4.11 were summarised in the file named SECURE.NCF. The following sections look more closely at the SECURE.NCF file and explain the individual options.

The SECURE.NCF file and its options

To enable a Novell Netware 4.11 server to utilise the extended security mechanisms, attention should be paid to the following points:

• The SECURE.NCF file must be stored on the server in SYS:SYSTEM.

• The SECURE.NCF file is an executable file similar to a batch file under DOS, and should therefore only be edited with an ASCII editor (e.g. EDIT.NLM).

• The line "SET ENABLE SECURE.NCF=ON" must be inserted into AUTOEXEC.NCF to call the SECURE.NCF file. Alternatively, the command "SECURE" can also be inserted into AUTOEXEC.NCF or this command can be issued on the server console.

The extract from the SECURE.NCF file given below shows only the commands contained in the file. The original file contains a brief explanation of each command.

SET ALLOW UNENCRYPTED PASSWORDS = OFF

SET ALLOW AUDIT PASSWORDS = OFF

SET AUTOMATICALLY REPAIR BAD VOLUMES = ON

SET REJECT NCP PACKETS WITH BAD LENGTHS = ON

SET REJECT NCP PACKETS WITH BAD COMPONENTS = ON

SET IPX NETBIOS REPLICATION OPTION = 0

SET ADDITIONAL SECURITY CHECKS = ON

# SET CHECK EQUIVALENT TO ME = ON

# SET NCP PACKET SIGNATURE = 3

# SECURE CONSOLE

## DISPLAY NCP BAD COMPONENT WARNINGS

## DISPLAY NCP BAD LENGTH WARNINGS

All command lines that are commented out with "#" are additional security parameters and are not necessary for observance of the C2 or F-C2/E2 provisions. Command lines that are identified by "##" do not form part of the standard scope of the SECURE.NCF file, but they represent a meaningful benefit in everyday use.

The commands in detail

All commands and SET statements can also be issued at the console or be set using the SERVMAN.NLM or MONITOR.NLM program.

All SET parameters in the SECURE.NCF file are described below, and the default values are also specified.

SET ALLOW UNENCRYPTED PASSWORDS = OFF (Default=OFF)

The purpose of this parameter is to ensure the compatibility of Netware 2.x clients and print servers. The consequence of setting the parameter to ON is that a password that is necessary for authentication can be transmitted to the server without being encrypted. This favours unauthorised infiltration into the system concerned. The default value of OFF ensures that each password has to be encrypted during the login procedure. Unencrypted passwords are not accepted.

SET ALLOW AUDIT PASSWORDS = OFF (Default=OFF)

This parameter is connected to the auditing mechanisms of the Netware operating system. During auditing, changes to (or manipulations of) objects are recorded in accordance with the specifications of the configurations by means of the AUDITCON.NLM program. Given the appropriate authorisations, which can be set individually for each auditor in the general assignment of rights for the operating system, an auditor can be put in a position to read the auditing file. The authorisation in each case restricts the scope of what can be read. The effect of the default value OFF is that the auditor does not have to identify himself with an additional password.

SET AUTOMATICALLY REPAIR BAD VOLUMES = ON (Default=ON)

This parameter instructs the operating system to repair a volume that cannot be mounted on system startup by invoking the VREPAIR.NLM program. This ensures that after an uncontrolled system crash and the subsequent restart, possible errors on volumes (data areas in the disk packs) will be rectified without additional intervention by the system administrator.

SET REJECT NCP PACKETS WITH BAD LENGTHS = ON (Default=OFF)

The effect of this parameter when set to ON is that NCP packets with the incorrect length will be rejected. This may lead to errors with older applications (utilities).

SET REJECT NCP PACKETS WITH BAD COMPONENTS = ON (Default=OFF)

The effect of this parameter when set to ON is that NCP packets with incorrect components will be rejected. In this case, too, there may be errors with older applications (utilities).

SET IPX NETBIOS REPLICATION OPTION = 0 (Default=2)

This parameter specifies the procedures that the IPX router is to use for dealing with NetBIOS broadcast messages. The following values are available for selection:

SET ADDITIONAL SECURITY CHECKS = ON

This parameter activates additional security checks which are incompatible with earlier NDS versions.

The parameters listed above are absolutely mandatory for observance of the security certification in accordance with class C2 and class F-C2/E2. The parameters in the following can be used for extending the security functions.

SET CHECK EQUIVALENT TO ME = ON (Default=OFF)

This parameter forces checking of the NDS attribute "Equivalent To Me" on the server. If the value for extended security is set to ON, the attributes "Equivalence" and "Equivalent To Me" must be synchronised with the DSREPAIR application. Activating this option may possibly have detrimental effects on the system's authentication speed.

SET NCP PACKET SIGNATURE = 3 (Default=1)

Communication between a Novell Netware client and a Novell Netware server is controlled by the Netware Core Protocol (NCP). The client and server exchange individual packets which contain data. A potential attacker can monitor these packets by using special programs (see T 5.58 "Hacking Novell Netware") and can manipulate packets belonging to users with higher privileges.

The packet signature was developed to counteract this threat. When a user logs on to the network, a secret key is determined. Whenever a workstation then sends an inquiry to the network using NCP, it is provided with a signature formed from the secret key and the signature of the previous packet. This signature will be attached to the relevant packet and sent to the server. The server will verify the packet signature before dealing with the actual inquiry.

The packet signature can be activated on the server with this parameter. The following NCP packet signature levels are possible:

To guarantee security, the value for the NCP packet signature should be set to 3. The Novell Netware server and the client sotware on the workstations must be configured accordingly. However, as use of the NCP packet signature increases network load, it should be clarified beforehand whether performance will be reduced unacceptably as a result.

SECURE CONSOLE

This command triggers several functions. It should therefore only be executed on security-sensitive systems. The functions are:

1. All search path extensions are reversed. Only the search path to the SYS:SYSTEM drive is then available for invoking NLMs.

2. A search path extension with the SEARCH ADD command is no longer possible.

3. Changing various server parameters with the SET command is no longer possible.

4. Changing the system time and system date is no longer possible.

5. The system debugger can no longer by called using the special key combination.

Note: because SECURE CONSOLE reduces the search paths to the system minimum, considerable problems may arise with server applications which require a special search path extension.

DISPLAY NCP BAD COMPONENT WARNINGS

This parameter instructs the server to display a warning message on the console when NCP packets are received with invalid content or parts of the content. This could indicate that attacks have taken place.

DISPLAY NCP BAD LENGTH WARNINGS

This parameter instructs the server to display a warning message on the console when NCP packets are received with an invalid length. This could indicate that attacks have taken place.