RoseWare - Network Support Library.iso / security / warmfz.txt (1993-07-10)
"WE ALL LIKE WARM FUZZIES"
or
Information Systems Security for Netware
I was on vacation last week when a good friend of mine called about 6 p.m. "How are you
doing?", I casually asked. "I've been at a new customer site since 8 a.m., my technician's
wife went into labor half an hour ago, and I have a security muff on my hands", John
casually replied. I took down the address, got in the car, and met my old friend at the job
site. What a mess.
Later, over a beer, we complained at length about LAN managers who make all their users
'Supervisor Equivalent', and a host of other ills. Granted, most small to medium-sized
businesses do not come out of the jello-book or military/industrial security environment;
however, some form of security is usually necessary. [The jello books are the Red and the
Orange Books, which define a Trusted Computing Base.] Closing the barn door after the bulls
are loose makes life very difficult.
Information Systems Security (ISS) is a design philosophy, not an aberration of
environmental factors. No one likes the idea of a security problem, especially in the age of
mutation engine viruses, trojan horse programs, and the increasing numbers of power users.
It leaves you with what my grandfather called "a cold prickly feeling." He always preferred
"warm fuzzies", and so would any network manager, when it comes to issues of security. So
I came up with a simple design philosophy for networks.
"WE ALL LIKE WARM FUZZIES"
W - WHOAMI?
This handy command line utility will tell you information about a user's attachments
to file servers. I want you to consider it, and the security implications, from a
different viewpoint. Before you add your first user, ask yourself several questions:
1) Who are they?
2) Where do they work (i.e., accounting, sales)?
3) What do they need to know?
4) What software do they need to get the job done?
E - Establish Security Policies
You should have a written document which states clearly and simply the reasons for
the policies, what the policies are, and what penalties will be enforced for failing to
follow the security policy manual. Make certain that every user has a copy, and
understands the policy. [Legal type documents signed by the users are nice but can be
difficult to enforce.]
A - Account Balances & Audit Trails
Every user account should have an account balance associated with it. It is a very
simple, but effective means for tracking the usage for the accounts on your server.
Yes - the truly inspired will of course find ways around such spartan methods, but it
is a good first line of defense.
Having an audit trail is very desirable. LT Auditor by Blue Lance is an excellent
product. Version 4 is a server-based NLM product that will also perform software
metering. Audit trails allow the LAN manager to determine who accessed what files
when, and if the data collection is set up to do it, find out who uploaded, and/or
downloaded software to/from the LAN.
L - Login Security
Plain and simple. Establish passwords for every account, and force frequent, random,
unique changes. Ensure that a minimum of six characters are used in the password.
Do not allow passwords to go down the wire unencrypted.
L - Limit User Logins & Storage Space
Restrict the number of concurrent logins a user may have to one! Whenever possible,
restrict each user's logins to their own workstation only (station restrictions). Eliminate
user accounts immediately if someone is discharged or leaves the firm.
Limit user storage space. It is another simplistic audit function, but if a user is
quickly gobbling up disk space when they should not be, something funny is probably
going on.
L - Lock Out
Enable intruder detection features to reduce the risk of unauthorized access.
Whenever possible have a cross reference of user/mailstop/floor/node address, listed
by network address.
I - Identify Access Hours
By restricting the time and days that a user can login to the server, you are
eliminating one more hole in your security. It makes no sense for someone who only
needs to access the server Monday to Friday between 8 a.m. and 6 p.m. to have access
24 hours a day, seven days a week. Too tempting. [See Limit User Logins, i.e.,
disgruntled employees.]
K - Keyboard Lockout @ Console
Effective keyboard protection is available only in Netware 3.11 and 4.0, through the
SECURE CONSOLE console command.
This command restricts NLM loading to modules found in SYS:SYSTEM. Changing the server
time and date (on which password expiry, login time restrictions, and the SET TIME and
SET TIMEZONE commands depend) is restricted to those with Supervisor rights, using the
FCONSOLE utility. SECURE CONSOLE also removes DOS from the file server, preventing user
access to power-on passwords.
E - Eliminate Viruses
Today the number of trojan horse programs, mutation engine viruses, and users who bring in
their favorite shareware or game from a bulletin board is uncountable. Uploaded to a
workstation hard drive, such programs, if they are carrying a virus, can infect other files
and spread across the network like wildfire.
Security must be proactive to be effective, particularly in this area. In order to
minimize this threat, use diskless workstations wherever and whenever possible.
Keep to a minimum, preferably one, the number of workstations attached to the LAN
that can load software.
Use server based virus scanning software. Don't think that it won't happen to you. It
is not a question of if, but rather when. If you do not employ diskless workstations,
be certain that you use workstation based scanning software as well. There are a host
of products available on the market today. Penny wise here can be pound foolish later.
[See the January/February issue of Netware Connection for an interesting article on
viruses and network security. Don't miss the interview with Jan Newman on the
security enhancement for Netware 3.11.]
W - Workstation Security
We have already discussed enabling Intruder detection features and encrypted
passwords. You do need to be aware of several other potential threats. Two involve
the LOGIN command, the other involves logging out of the network.
LOGIN poses two security threats. One involves bypassing the login scripts, and the
other is automated password entry.
1) Novell's LOGIN command will allow an alternate file that contains a
login script to be passed by a DOS command line argument. By doing
this, you bypass the system and the user login scripts. Now the user
has control of the audit process.
2) LOGIN also allows DOS to redirect the keyboard, taking input from a
file. A user can create a password file locally, and call it locally from
the autoexec.bat file. This is a security nightmare because the password
is stored as ASCII text in a file that can be read by anyone who walks up
to the workstation.
The final problem comes when a user gets up and walks away from their workstation,
leaving it logged in to the network. This allows anyone who walks up to the station
access to the file server and any files on it depending on how security equivalences
are implemented. There are several good products on the market today to assist with
this problem.
A - Attributes
Attributes are the most important internal security feature of Netware. These are the
properties which you assign to files and directories. The most important of these are
Hidden, Delete Inhibit, and Rename Inhibit.
By assigning file attributes, you override your effective rights. This prevents you
from doing things that your rights would normally allow. Example: if a directory is
flagged Hidden, you cannot see the contents of the directory even if you possess the
File Scan right.
R - Rights
Users access information on the network based on their rights. Rights are used to
determine what your users can and cannot do in a network directory, and with the
files in those directories.
Rights can be applied to groups and individuals. It is generally wise to set up your
rights for groups first then manage them individually where necessary. In this way
you can add or delete rights on a personal basis for user Jones in the group Sales.
M - Make Regular Backups
You may wonder what this has to do with network security, because it is not always
obvious to the casual observer. If you have a policy that includes frequent, regular
backups, and you maintain audit trail files on your server, these can always be
extracted from your backup tapes, provided you back up file by file.
Backups are also important in the event that you have a virus attack that can be traced
to a specific date. You may be able to restore files that were damaged or destroyed,
with non-infected files.
F - File Server Security
Securing your file server can be anything from putting it in a very visible public
place, to constructing a controlled access, secure facility complete with state of the art
electronics and video surveillance gear.
For many LAN managers, a public place that is well monitored by continuous traffic
flow and people who know that "Gee, I haven't seen that person here before. I
wonder what they are doing at the file server?" will suffice. This combined with 'K -
Keyboard Lockout @ Console' should provide a cost effective level of deterrent for
most small LANs.
Another very useful form of protection is booting only from a floppy. Using this
means you can bring a file server on-line, remove the boot disk, place it in a secure
location, and use it only when the server needs to be rebooted. [See U - UPS.]
U - UPS
UPS as a security component? Certainly! Consider the following: You have a
brownout at your network site. Your file server does not have a UPS so the file
server power supply trips, causing a file server reboot. When the system comes back
on-line the system is vulnerable to power on passwords.
While this is true even with a UPS, you must have a power outage before the file
server is finally shut down, or a VERY long brownout which drains the battery. The
key here is that the file server is shut down by the UPS and will only come back on
when power returns. If you have taken the further protection of booting only from a
floppy, the file server cannot be brought back on-line until the floppy is produced
from a secure location.
Z - Zero Tolerance
Have a security policy that is realistic, explain it to your users, make certain that they
understand it, and then implement it. Part of that policy should be a list of actions to
be taken against employees if they violate the security policy. Be serious about
implementing it.
Don't make an example of anyone because they made the first infraction, etc. Stick to
the rules that have been set up and you will find that users will follow these policies.
This is particularly true if the employee feels that if security is a problem, everyone
has a problem. Communication is very important here.
Z - Zero Penetration
Zero Penetration is the ideal. We have to realize that this may not be practically
achievable, certainly not in an environment that does not employ the methodologies of
Trusted Computing.
We can, however, with thought and careful implementation, bring our LAN from no
security to reasonably secure status. When in doubt, implement a procedure. You can
always change a procedure or policy to relax security, but tightening it is very
difficult. [It is not recommended that you relax security. Always search for a secure
compromise to the problem you are faced with.]
I - Inherited Rights
Inherited Rights are the rights that apply to a file or directory upon creation. These
are Access Control, Create, Erase, File Scan, Modify, Read, Supervisory, and Write.
These rights apply automatically unless they are revoked by a user with Supervisory
rights.
LAN Managers can use the IRM to further security, by understanding the following
principle of the IRM:
The difference between giving a user a trustee assignment of no rights and not
giving a trustee assignment at all is extreme. When giving an assignment of
no rights, you prevent the user from inheriting any rights from the parent
directory, by not giving an assignment at all you allow the user to inherit
rights from the parent directory.
E - Effective Rights
These are the security rights for an individual user pertaining to a particular file or
directory. Effective rights are determined by the previous directory level's effective
rights and the current level's IRM. The intersection of the rights active in both of
these levels will be the user's new effective rights unless any new trustee rights have
been granted. If new trustee rights have been granted, only those rights will be the
effective rights.
An administrator must always take into account the effective rights for each user in
every directory.
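As an added illustration (not part of the original paper, and not NetWare's own code), the Python model below walks a constructed directory tree applying the rules of the last two sections: an explicit trustee assignment, even one of no rights, replaces inheritance, while a missing assignment inherits the parent's effective rights through the directory's IRM, and a user's total rights are the union of their own and their groups' rights. It also applies the NetWare 3.x rule, not stated above, that the Supervisory right passes through every IRM. The volumes, directories, users and groups are made up for the example.

```python
"""Model of the NetWare 3.x directory rights rules: trustee assignments,
the Inherited Rights Mask (IRM) and effective rights.
Added example, not Novell code; the directories, users and groups below
are constructed for illustration."""
from typing import Dict, FrozenSet, List

# S=Supervisory R=Read W=Write C=Create E=Erase M=Modify F=File Scan A=Access Control
ALL_RIGHTS: FrozenSet[str] = frozenset("SRWCEMFA")
Rights = FrozenSet[str]
Assignments = Dict[str, str]          # directory -> rights letters granted there


def _levels(path: str) -> List[str]:
    """'SYS:ACCT/GL' -> ['SYS:', 'SYS:ACCT', 'SYS:ACCT/GL'] (volume root first)."""
    volume, _, rest = path.partition(":")
    levels = [volume + ":"]
    for part in filter(None, rest.replace("\\", "/").split("/")):
        prev = levels[-1]
        levels.append(prev + part if prev.endswith(":") else prev + "/" + part)
    return levels


def trustee_effective_rights(path: str, assignments: Assignments,
                             irms: Dict[str, Rights]) -> Rights:
    """Effective rights of ONE trustee (a user or a group) on `path`.

    An entry in `assignments` with an empty string is a 'no rights' trustee
    assignment: it blocks inheritance, unlike having no entry at all.
    A directory absent from `irms` has the default IRM of all rights."""
    eff: Rights = frozenset()
    for level in _levels(path):
        if level in assignments:
            eff = frozenset(assignments[level])       # explicit grant replaces inheritance
        elif "S" not in eff:
            eff = eff & irms.get(level, ALL_RIGHTS)   # inherit through this level's IRM
        # else: Supervisory flows through every IRM (NetWare 3.x rule)
        if "S" in eff:
            eff = ALL_RIGHTS                          # Supervisory implies all rights
    return eff


def user_effective_rights(path: str, user: str,
                          user_assignments: Dict[str, Assignments],
                          groups: Dict[str, List[str]],
                          group_assignments: Dict[str, Assignments],
                          irms: Dict[str, Rights]) -> Rights:
    """Union of the rights a user holds directly and those of each group they
    belong to, each trustee walked down the tree separately."""
    eff = trustee_effective_rights(path, user_assignments.get(user, {}), irms)
    for group in groups.get(user, []):
        eff |= trustee_effective_rights(path, group_assignments.get(group, {}), irms)
    return eff


def rights_string(rights: Rights) -> str:
    """Render like NetWare's RIGHTS display, e.g. '[ R    F ]'."""
    return "[" + "".join(c if c in rights else " " for c in "SRWCEMFA") + "]"


# --- constructed server layout (hypothetical) --------------------------------
IRMS = {"SYS:ACCT/PAYROLL": frozenset("RF")}    # only Read and File Scan flow in
GROUP_ASSIGNMENTS = {"SALES": {"SYS:PUBLIC": "RF"}}
USER_ASSIGNMENTS = {
    "JONES": {"SYS:ACCT": "RWCEMF", "SYS:ACCT/GL": ""},   # '' = explicit no-rights grant
    "SMITH": {"SYS:ACCT": "RWCEMF"},                      # nothing granted at GL: inherits
    "ADMIN": {"SYS:": "S"},
}
GROUPS = {"JONES": ["SALES"], "SMITH": [], "ADMIN": []}


def effective(user: str, path: str) -> Rights:
    """Effective rights of `user` on `path` in the constructed layout."""
    return user_effective_rights(path, user, USER_ASSIGNMENTS, GROUPS,
                                 GROUP_ASSIGNMENTS, IRMS)


if __name__ == "__main__":
    for user, path in [("JONES", "SYS:ACCT/GL"), ("SMITH", "SYS:ACCT/GL"),
                       ("SMITH", "SYS:ACCT/PAYROLL"), ("JONES", "SYS:PUBLIC/APPS"),
                       ("ADMIN", "SYS:ACCT/PAYROLL")]:
        print(f"{user:6} {path:18} {rights_string(effective(user, path))}")
```

JONES and SMITH hold identical rights at SYS:ACCT; the only difference is JONES's empty trustee assignment at SYS:ACCT/GL, which leaves JONES with no rights there while SMITH inherits the full set. The PAYROLL IRM cuts SMITH down to Read and File Scan, but not ADMIN, whose Supervisory right is not subject to the mask.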
S - SECURITY
The SECURITY utility reports on nine separate security issues. Some are bona fide
security problems, i.e., Excessive rights in certain directories, while others, i.e.,
Workgroup Manager, are informational in nature.
1) Excessive rights in certain directories
2) Insecure passwords
3) No login scripts
4) No password assigned
5) Password too short
6) Root directory privileges
7) Supervisor equivalence
8) User has not logged in for xxxx time
9) Workgroup Manager
Excessive rights in a directory - Comes up when a user has greater rights than those
normally assigned, i.e., if a user had the Erase right for SYS:SYSTEM.
Insecure passwords - The password is the same as the user account name. Although
current versions of SYSCON and SETPASS do not allow the user to set the password
to the account name, older versions did.
No login script - When a user login script is not present, another user could create a
hostile login script for the user who does not have one.
No password assigned - Obvious. Assign one.
Root directory privileges - Serious security flaw! This means that the user has one or
more rights in the root of the volume indicated. Because rights flow to all
subdirectories of the root unless revoked this is extremely dangerous.
Supervisor Equivalence - While not always a security flaw, it can be, if all users are
supervisor equivalent or users who do not need to be are. If more than one or two of
these turn up on your server, re-examine your assignments.
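The nine reports above can be reproduced from an account listing. The Python below is an added example, not Novell's SECURITY utility: it runs the same categories of check over constructed account records and returns the findings per account. The Account fields, the stale-login threshold and the stand-in hash function are assumptions (the real bindery hash is different); the point of the hash is that the "password equals account name" test needs no plaintext password, and the six-character minimum is the policy stated under 'L - Login Security'.

```python
"""Audit checks of the kind the NetWare SECURITY utility reports, run over
constructed account records. Added example, not Novell's code; the Account
fields and the stand-in hash are assumptions, the nine finding categories
are the ones the SECURITY utility lists."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

SYSTEM_DIR = "SYS:SYSTEM"
MIN_PASSWORD_LENGTH = 6          # policy from the 'L - Login Security' section


def bindery_hash(account: str, password: str) -> str:
    """Stand-in for the bindery's one-way password hash (not Novell's algorithm).
    Keyed on the account name, so 'password equals account name' can be tested
    without the audit ever handling a plaintext password."""
    return hashlib.sha256(f"{account.upper()}:{password}".encode()).hexdigest()


@dataclass
class Account:
    name: str
    password_hash: Optional[str]           # None = no password assigned
    min_password_length: int               # the account's own minimum-length restriction
    has_login_script: bool
    supervisor_equivalent: bool
    workgroup_manager: bool
    last_login: Optional[date]
    trustee_rights: Dict[str, str] = field(default_factory=dict)  # directory -> rights letters


def audit_account(acct: Account, today: date, stale_after: timedelta) -> List[str]:
    """Return the SECURITY-style findings for one account."""
    findings: List[str] = []
    if acct.password_hash is None:
        findings.append("No password assigned")
    else:
        if acct.password_hash == bindery_hash(acct.name, acct.name):
            findings.append("Insecure password (same as account name)")
        if acct.min_password_length < MIN_PASSWORD_LENGTH:
            findings.append(f"Password too short (minimum {acct.min_password_length} "
                            f"< {MIN_PASSWORD_LENGTH})")
    if not acct.has_login_script:
        findings.append("No login script")
    if acct.supervisor_equivalent:
        findings.append("Supervisor equivalence")
    if acct.workgroup_manager:
        findings.append("Workgroup Manager (informational)")
    if acct.last_login is None or today - acct.last_login > stale_after:
        findings.append(f"Has not logged in for {stale_after.days}+ days")
    for directory, rights in acct.trustee_rights.items():
        if directory.endswith(":"):                       # volume root, e.g. 'SYS:'
            findings.append(f"Root directory privileges on {directory} [{rights}]")
        if directory == SYSTEM_DIR and set(rights) - set("RF"):
            findings.append(f"Excessive rights in {directory} [{rights}]")
    return findings


def audit(accounts: List[Account], today: date = date(1993, 7, 10),
          stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Findings keyed by account name; `today` defaults to this file's date."""
    return {a.name: audit_account(a, today, stale_after) for a in accounts}


# --- constructed bindery extract (hypothetical accounts) ---------------------
ACCOUNTS = [
    Account("JONES", bindery_hash("JONES", "JONES"), 5, True, False, False,
            date(1993, 7, 1), {"SYS:ACCT": "RWCEMF"}),
    Account("GUEST", None, 6, False, False, False, None),
    Account("SMITH", bindery_hash("SMITH", "c0rrect-h0rse"), 8, True, True, True,
            date(1993, 7, 9), {"SYS:": "RF", "SYS:SYSTEM": "RWE"}),
]

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(name, "->", "; ".join(findings) or "OK")
```

Run as a script it prints one line per account; JONES trips the two password checks, GUEST the no-password, no-login-script and stale-login checks, and SMITH the supervisor equivalence, workgroup manager, root privilege and SYS:SYSTEM excessive-rights reports.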
While this paper is not meant to be the end-all and be-all on Netware security issues (it focuses
mostly on Netware 3.11), these guidelines can be applied to any Netware environment from
Netware Lite to the new enterprise solution, Netware 4.0. I hope that I have given anyone
who reads this food for thought.
Unpublished work Copyright 1993 Paul Osterwald, President, Networks Unlimited. All rights
reserved. The author can be reached at CServe 70642,317 or Internet address
70642.317.compuserve.com. Any comments or criticisms will be welcome.