"WE ALL LIKE WARM FUZZIES" or Information Systems Security for Netware I was on vacation last week when a good friend of mine called about 6 p.m. "How are you doing?", I casually asked. "I've been at a new customer site since 8 a.m., my technician's wife went into labor half an hour ago, and I have a security muff on my hands", John casually replied. I took down the address, got in the car, and met my old friend at the job site. What a mess. Later, over a beer, we complained at length about LAN managers who make all their users 'Supervisor Equivalent', and a host of other ills. Granted, most small to medium sized businesses do not come out of the jello-books, or military/industrial security environment, however, some form of security is usually necessary. [The jello books, are the red and the orange books which define a Trusted Computing Base.] Closing the barn door after the bulls are loose makes life very difficult. Information Systems Security (ISS), is a design philosophy, not an aberration of environmental factors. No one likes the idea of a security problem, especially in the age of mutation engine viruses, trojan horse programs, and the increasing numbers of power users. It leaves you with what my grandfather called "a cold prickly feeling." He always preferred "warm fuzzies", and so would any network manager, when it comes to issues of security. So I came up with a simple design philosophy for networks. "WE ALL LIKE WARM FUZZIES" W - WHOAMI? This handy command line utility will tell you information about a user's attachments to file servers. I want you to consider it, and the security implications, from a different viewpoint. Before you add your first user, ask yourself, several questions: 1) Who are they? 2) Where do they work (i.e., accounting, sales)? 3) What do they need to know? 4) What software do they need to get the job done? 
E - Establish Security Policies

You should have a written document which states clearly, and simply, the reasons for the policies, what the policies are, and what penalties will be enforced for failing to follow the security policy manual. Make certain that every user has a copy, and understands the policy. [Legal type documents signed by the users are nice but can be difficult to enforce.]

A - Account Balances & Audit Trails

Every user account should have an account balance associated with it. It is a very simple, but effective, means for tracking the usage of the accounts on your server. Yes - the truly inspired will of course find ways around such spartan methods, but it is a good first line of defense.

Having an audit trail is very desirable. LT Auditor by Blue Lance is an excellent product. Version 4 is a server based NLM product that will also perform software metering. Audit trails allow the LAN manager to determine who accessed what files when, and, if the data collection is set up to do it, find out who uploaded and/or downloaded software to/from the LAN.

L - Login Security

Plain and simple. Establish passwords for every account, and force frequent, random, unique changes. Ensure that a minimum of six characters are used in the password. Do not allow passwords to go down the wire unencrypted.

L - Limit User Logins & Storage Space

Restrict the number of concurrent logins a user may have to one! Whenever possible, restrict station access to their own workstation only. Eliminate user accounts immediately if someone is discharged or leaves the firm. Limit user storage space. It is another simplistic audit function, but if a user is quickly gobbling up disk space when they should not be, something funny is probably going on.

L - Lock Out

Enable Intruder Detection features to reduce the risk of unauthorized access. Whenever possible, have a cross reference of user/mailstop/floor/node address, listed by network address.
I - Identify Access Hours

By restricting the time and days that a user can log in to the server, you are eliminating one more hole in your security. It makes no sense for someone who only needs to access the server Monday to Friday between 8 a.m. and 6 p.m. to have access 24 hours a day, seven days a week. Too tempting. [See Limit User Logins, i.e., disgruntled employees.]

K - Keyboard Lockout @ Console

Effective keyboard protection is available only in Netware 3.11 and 4.0. This can be achieved with the Secure Console console command. This procedure restricts NLM loading to those found in SYS:SYSTEM. Time and date on passwords, logins, and the SET TIME and SET TIMEZONE features are restricted to those with Supervisor rights, using the FCONSOLE utility. This feature will also remove DOS from a file server, preventing user access to power-on passwords.

E - Eliminate Viruses

Today the threat is uncountable: trojan horse programs, mutation engine viruses, and the number of users who bring in their favorite shareware or game from a bulletin board and upload it to a workstation hard drive where, if it is carrying a virus, it can infect other files and spread across the network like wildfire. Security must be proactive to be effective, particularly in this area. In order to minimize this threat, use diskless workstations wherever and whenever possible. Keep to a minimum, preferably one, the number of workstations attached to the LAN that can load software. Use server based virus scanning software. Don't think that it won't happen to you. It is not a question of if, but rather when. If you do not employ diskless workstations, be certain that you use workstation based scanning software as well. There are a host of products available on the market today. Penny wise here can be pound foolish later. [See the January/February issue of Netware Connection for an interesting article on viruses and network security.
Don't miss the interview with Jan Newman on the security enhancement for Netware 3.11.]

W - Workstation Security

We have already discussed enabling Intruder Detection features and encrypted passwords. You do need to be aware of several other potential threats. Two involve the LOGIN command; the other involves logging out of the network. LOGIN poses two security threats. One involves bypassing the login scripts, and the other is automated password entry.
1) Novell's LOGIN command will allow an alternate file that contains a login script to be passed as a DOS command line argument. By doing this, you bypass the system and the user login scripts. Now the user has control of the audit process.
2) LOGIN also allows DOS to redirect the keyboard, taking input from a file. A user can create a password file locally and call it from the autoexec.bat file. This is a security nightmare because the password is stored as ASCII text in a file that can be read by anyone who walks up to the workstation.
The final problem comes when a user gets up and walks away from their workstation, leaving it logged in to the network. This allows anyone who walks up to the station access to the file server and any files on it, depending on how security equivalences are implemented. There are several good products on the market today to assist with this problem.

A - Attributes

Attributes represent the most important form of internal security feature of Netware. These are the properties which you assign to files and directories. The most important of these are Hidden, Delete Inhibit, and Rename Inhibit. By assigning file attributes, you override your effective rights. This prevents you from doing things that your rights would normally allow. Example: if a directory is flagged Hidden, you cannot see the contents of the directory even if you possess the File Scan right.

R - Rights

Users access information on the network based on their rights.
Rights are used to determine what your users can and cannot do in a network directory, and with the files in those directories. Rights can be applied to groups and individuals. It is generally wise to set up your rights for groups first, then manage them individually where necessary. In this way you can add or delete rights on a personal basis for user Jones in the group Sales.

M - Make Regular Backups

You may wonder what this has to do with network security, because it is not always obvious to the casual observer. If you have a policy that includes frequent, regular backups, and you maintain audit trail files on your server, these can always be extracted from your backup tapes provided you back up file by file. Backups are also important in the event that you have a virus attack that can be traced to a specific date. You may be able to restore files that were damaged or destroyed with non-infected files.

F - File Server Security

Securing your file server can be anything from putting it in a very visible public place, to constructing a controlled access, secure facility complete with state of the art electronics and video surveillance gear. For many LAN managers, a public place that is well monitored by continuous traffic flow and people who know that "Gee, I haven't seen that person here before. I wonder what they are doing at the file server?" will suffice. This, combined with 'K - Keyboard Lockout @ Console', should provide a cost effective level of deterrent for most small LANs. Another very useful form of protection is booting only from a floppy. Using this means you can bring a file server on-line, remove the boot disk, place it in a secure location, and use it only when the server needs to be rebooted. [See U - UPS.]

U - UPS

UPS as a security component? Certainly! Consider the following: You have a brownout at your network site. Your file server does not have a UPS, so the file server power supply trips, causing a file server reboot.
When the system comes back on-line the system is vulnerable to power-on passwords. While this is true even with a UPS, you must have a power outage before the file server is finally shut down, or a VERY long brownout which drains the battery. The key here is that the file server is shut down by the UPS and will only come back on when power returns. If you have taken the further protection of booting only from a floppy, the file server cannot be brought back on-line until the floppy is produced from its secure location.

Z - Zero Tolerance

Have a security policy that is realistic, explain it to your users, make certain that they understand it, and then implement it. Part of that policy should be a list of actions to be taken against employees if they violate the security policy. Be serious about implementing it. Don't make an example of anyone because they made the first infraction, etc. Stick to the rules that have been set up and you will find that users will follow these policies. This is particularly true if the employee feels that if security is a problem, everyone has a problem. Communication is very important here.

Z - Zero Penetration

Zero Penetration is the ideal. We have to realize that this may not be practically achievable, certainly not in an environment that does not employ the methodologies of Trusted Computing. We can, however, with thought and careful implementation, bring our LAN from no security to reasonably secure status. When in doubt, implement a procedure. You can always change a procedure or policy to relax security, but tightening it is very difficult. [It is not recommended that you relax security. Always search for a secure compromise to the problem you are faced with.]

I - Inherited Rights

Inherited Rights are the rights that apply to a file or directory upon creation. These are Access Control, Create, Erase, File Scan, Modify, Read, Supervisory, and Write.
These rights apply automatically unless they are revoked by a user with Supervisory rights. LAN Managers can use the IRM to further security, by understanding the following principle of the IRM: the difference between giving a user a trustee assignment of no rights and not giving a trustee assignment at all is extreme. When giving an assignment of no rights, you prevent the user from inheriting any rights from the parent directory; by not giving an assignment at all, you allow the user to inherit rights from the parent directory.

E - Effective Rights

These are the security rights for an individual user pertaining to a particular file or directory. Effective rights are determined by the previous directory level's effective rights and the current level's IRM. The intersection of the rights active in both of these levels will be the user's new effective rights unless any new trustee rights have been granted. If new trustee rights have been granted, only those rights will be the effective rights. An administrator must always take into account the effective rights for each user in every directory.

S - SECURITY

The SECURITY utility reports on nine separate security issues. Some are bona fide security problems, i.e., excessive rights in certain directories, while others, i.e., Workgroup Manager, are informational in nature.
1) Excessive rights in certain directories
2) Insecure passwords
3) No login scripts
4) No password assigned
5) Password too short
6) Root directory privileges
7) Supervisor equivalence
8) User has not logged in for xxxx time
9) Workgroup Manager

Excessive rights in a directory - Comes up when a user has greater rights than those normally assigned, i.e., if a user had the Erase right for SYS:SYSTEM.

Insecure passwords - The password is the same as the user account name. Although current versions of SYSCON and SETPASS do not allow the user to set the password to the account name, older versions did.
No login script - When a user login script is not present, another user could create a hostile login script for the user who does not have one.

No password assigned - Obvious. Assign one.

Root directory privileges - Serious security flaw! This means that the user has one or more rights in the root of the volume indicated. Because rights flow to all subdirectories of the root unless revoked, this is extremely dangerous.

Supervisor Equivalence - While not always a security flaw, it can be, if all users are supervisor equivalent or users who do not need to be are. If more than one or two of these turn up on your server, re-examine your assignments.

While this paper is not meant to be an end-all, be-all on Netware security issues (it focuses mostly on Netware 3.11), these guidelines can be applied to any Netware environment from Netware Lite to the new enterprise solution, Netware 4.0. I hope that I have given anyone who reads this food for thought.

Unpublished work Copyright 1993 Paul Osterwald, President, Networks Unlimited. All rights reserved. The author can be reached at CServe 70642,317 or Internet address 70642.317.compuserve.com. Any comments or criticisms will be welcome.
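As an added example (not part of the article and not a Novell tool), the Python below models the effective-rights rule from 'I - Inherited Rights' and 'E - Effective Rights' exactly as the text states it, and runs the SECURITY utility's checks over a constructed set of accounts, trustee assignments and IRMs. The single SYS: volume, the sample accounts, and the 90-day inactivity threshold are assumptions.

```python
# Added example (not from the article): the rights rule above plus a SECURITY-style audit over constructed accounts.
from datetime import date

RIGHTS = "SRWCEMFA"  # Supervisory Read Write Create Erase Modify File-scan Access-control
STALE_DAYS = 90      # assumed threshold for "has not logged in for xxxx time"
TODAY = date(1993, 3, 15)  # constructed audit date
def levels(path):
    """'SYS:USERS/JONES' -> ['SYS:', 'SYS:USERS', 'SYS:USERS/JONES']."""
    vol, _, rest = path.partition(":")
    out = [vol + ":"]
    for part in filter(None, rest.split("/")):
        out.append(out[-1] + part if out[-1].endswith(":") else out[-1] + "/" + part)
    return out
def effective_rights(user, path, trustees, irms):
    """Per level: parent effective & IRM, unless a trustee assignment exists there, in
    which case it alone applies ('' is an assignment of no rights and blocks inheritance)."""
    eff = set()
    for d in levels(path):
        eff = set(trustees[(user, d)]) if (user, d) in trustees else eff & set(irms.get(d, RIGHTS))
    return eff
def security_audit(users, trustees, irms, today):
    """Return {user: [findings]} for the checks the SECURITY utility reports."""
    report = {}
    for name, u in users.items():
        pw, last = u.get("password"), u.get("last_login")
        checks = [
            (not pw, "No password assigned"),
            (pw and pw.upper() == name, "Insecure password"),  # same as the account name
            (pw and len(pw) < 6, "Password too short"),
            (not u.get("login_script"), "No login script"),    # another user could plant one
            (u.get("supervisor_equivalent"), "Supervisor equivalence"),
            (effective_rights(name, "SYS:", trustees, irms), "Root directory privileges"),
            ("E" in effective_rights(name, "SYS:SYSTEM", trustees, irms), "Excessive rights in SYS:SYSTEM"),
            (last is None or (today - last).days > STALE_DAYS, "Not logged in for over %d days" % STALE_DAYS),
        ]
        findings = [msg for hit, msg in checks if hit]
        if findings:
            report[name] = findings
    return report

TRUSTEES = {  # constructed: (user, directory) -> rights; '' is an assignment of no rights
    ("JONES", "SYS:"): "RWF", ("SMITH", "SYS:"): "RF", ("SMITH", "SYS:USERS"): "",
    ("SMITH", "SYS:USERS/SMITH"): "RWF", ("TEMP", "SYS:SYSTEM"): "RWE",
}
IRMS = {"SYS:SYSTEM": "RF"}  # constructed: only Read and File Scan may be inherited here
USERS = {  # constructed sample accounts
    "JONES": dict(password="jones", login_script=False, last_login=date(1993, 2, 28)),
    "SMITH": dict(password="ab12", login_script=True, supervisor_equivalent=True, last_login=date(1992, 10, 1)),
    "TEMP": dict(password=None, login_script=True, last_login=None),
}
```

Real NetWare 3.x additionally lets the Supervisory right pass through the IRM; that special case is not modelled here.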