- Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!panix!news.mathworks.com!tank.news.pipex.net!pipex!lyra.csx.cam.ac.uk!warwick!news.shef.ac.uk!not-for-mail
- From: seca40%teach@dcs.shef.ac.uk (Fauzan Mirza)
- Newsgroups: comp.os.netware.security,comp.answers,news.answers
- Subject: comp.os.netware.security FAQ
- Followup-To: poster
- Date: 27 Aug 1995 04:54:16 GMT
- Organization: Computer Science, Sheffield University
- Lines: 440
- Approved: news-answers-request@MIT.EDU
- Message-ID: <41otpo$lq9@hippo.shef.ac.uk>
- Reply-To: F.U.Mirza@sheffield.ac.uk (Fauzan Mirza)
- NNTP-Posting-Host: suna8.dcs.shef.ac.uk
- Summary: The FAQ list for comp.os.netware.security newsgroup
- Keywords: netware,security,faq
- X-Newsreader: TIN [version 1.2 PL2]
- Xref: senator-bedfellow.mit.edu comp.os.netware.security:1446 comp.answers:13903 news.answers:51524
-
- Archive-name: netware/security
- Posting-Frequency: monthly
- Last-modified: Sat Jul 22 1995
- Version: 0.3 DRAFT
-
- ------------------------------
-
- Subject: Introduction
-
- comp.os.netware.security
- Frequently Asked Questions
-
- Fauzan Mirza
- F.U.Mirza@sheffield.ac.uk
-
- This is a draft FAQ list for the comp.os.netware.security newsgroup.
- Its intent is to provide answers to questions asked by those who are
- merely interested in Novell NetWare, and also to provide help for
- those who are concerned about security of their network.
-
- I am not affiliated with Novell in any way, and I have taken it upon
- myself to produce this FAQ. My experience with Novell NetWare is that
- of a programmer and administrator, with a keen interest in computer
- security. I don't hold any Novell qualifications.
-
- At the moment, this FAQ is oriented towards Novell NetWare 2/3.
-
- Please send any comments, contributions, or notification of errors to
- the author.
-
- Thanks to the following people for improvements or additions:
- Fons Botman <botman@rabo.nl>
- Bob Janacek <safety@gti.net>
- Brian Flynn <BFLYNN.UNCSON@mhs.unc.edu>
-
- ------------------------------
-
- Subject: TABLE OF CONTENTS
-
- Section 1: Basic Information
- 1.01 - Where are passwords stored?
- 1.02 - Is the execute-only flag secure?
- 1.03 - Can a packet-sniffer capture passwords?
- 1.04 - Can the server be infected with a computer virus?
- 1.05 - What auditing functions does Accounting provide?
- 1.06 - What are trustees and trustee rights?
- 1.07 - What are groups?
- Section 2: Software
- 2.01 - What is HACK.EXE?
- 2.02 - What is NOVELBFH.EXE?
- 2.03 - How do I use SECURITY?
- 2.04 - Vendor security addons
- Section 3: Help
- 3.01 - How do I secure the server?
- 3.02 - I've lost the Supervisor password.
- 3.03 - I've deleted the user Admin.
- 3.04 - I've revoked my own rights from this subdirectory.
- 3.05 - Supervisor has been locked out.
-
- ------------------------------
-
- Subject: Section 1: Basic Information
-
- This section gives information on how Novell NetWare operates,
- and explains some basic security concepts.
-
- ------------------------------
-
- Subject: 1.01 - Where are passwords stored?
- NetWare: 2,3
-
- Passwords are stored in encrypted form in the NET$VAL.SYS bindery
- file. It is not possible to decrypt passwords although brute force
- crackers have been written which operate on the bindery.
-
- The bindery files are stored in the SYS:SYSTEM directory, and
- should not be accessible by any non-Supervisor user. The SECURITY
- utility will detect excessive rights in SYS:SYSTEM.
-
- ------------------------------
-
- Subject: 1.02 - Is the execute-only flag secure?
- NetWare: 3
-
- No. It is sufficient to prevent casual copying of executables, but
- software exists which will allow any user to copy X flagged files.
-
- The X flag cannot be removed from files, so it is a good measure
- against computer viruses. However, virus scanners cannot read X
- flagged files, so infected X flagged files will be difficult to
- detect.
-
- Wolfgang Schreiber wrote a utility called X-AWAY, available from
- ftp.novell.de, which enables a Supervisor equivalent user to copy
- X flagged files. X-AWAY is deliberately crippled to prevent
- non-Supervisor users from copying programs.
-
- ------------------------------
-
- Subject: 1.03 - Can a packet-sniffer capture passwords?
- NetWare: 2,3
-
- Since Novell NetWare 3, passwords are sent to the server encrypted
- using a hashing function. The three password functions (Login,
- Change password, Verify password) have a pretty secure protocol,
- such that the information gathered by packet sniffers cannot be
- used to reconstruct the event or determine the password.
-
- Some very old software uses the NetWare 2 unencrypted password calls.
- These can be captured and used, since these passwords are sent in
- plaintext.
-
- Packet sniffers can capture just about all other information that
- is transmitted on the LAN. This includes telnet/ftp passwords, etc.
-
- ------------------------------
-
- Subject: 1.04 - Can the server be infected with a computer virus?
-
- Since the server does not run DOS, it is immune from file viruses.
- It is vulnerable to boot viruses, however, and these can be
- avoided by not booting the server from floppy disks.
-
- The server can be used to spread viruses, since workstations may
- execute infected software from the server and thus infect local
- hard disks, floppy disks, and so on.
-
- If possible, do not allow users to have write access to the
- executables on the server.
-
- A number of anti-virus utilities exist for Novell NetWare, including
- Dr Solomon's Anti Virus Toolkit, McAfee Associates's NETSCAN, and
- Data Fellows Ltd's F-PROT Professional.
-
- ------------------------------
-
- Subject: 1.05 - What auditing functions does Accounting provide?
- NetWare: 3
-
- Accounting is used to track logins and can be used to track (and
- put limits on) use of server resources.
-
- By default, accounting is not active. The supervisor must switch
- it on using the SYSCON utility.
-
- ------------------------------
-
- Subject: 1.06 - What are trustees and trustee rights?
- NetWare: 2,3
-
- A trustee is any user or group that has been granted access rights
- in a directory.
-
- The access rights in Novell NetWare 2 are slightly different from
- the ones in NetWare 3.
-
- The following is a summary of access rights for NetWare 3.
-
- S - Supervisory. Any user with supervisory rights in a directory
- will automatically inherit all other rights, regardless of
- whether they have been explicitly granted or not. Supervisor
- equivalent accounts will hold this access right in every
- directory.
-
- R - Read. Enables users to read files.
-
- C - Create. Enables users to create files and directories. Unless
- they also have write access, they will not be able to edit
- files which have been created.
-
- W - Write. Enables users to make changes to files. Unless they also
- have create access, they may not be able to edit files, since
- the write operation can only be used to extend files (not
- truncate them, which file editors need to do).
-
- E - Erase. Enables users to erase files and remove directories.
-
- M - Modify. Enables users to modify file attributes.
-
- F - File scan. Enables users to see file and directory information.
- If a user does not have file scan rights, they will not see any
- evidence of such files existing.
-
- A - Access control. Enables users to change trustee rights. They
- will be able to add other users as trustees, remove trustees,
- and grant/revoke specific rights from users. The only caveat
- of access control is that it is possible for users to remove
- themselves (as trustees) from directories, thus losing all
- access control.
-
- In addition to trustees and access rights, there is a concept of
- inherited rights which means that users inherit rights from parent
- directories. For example, if user ALICE has rights [CWEM] in a
- directory, and she has [RF] rights in the parent directory then
- she will have [RCWEMF] rights as a result of the inherited rights.
- This will only work if one of the rights that ALICE has in the two
- directories is granted to a group; if both are granted to her, she
- will lose the rights of the parent.
-
- ------------------------------
-
- Subject: 1.07 - What are groups?
- NetWare: 2,3
-
- Groups are an object type which allows users to be grouped together
- for various purposes. The main interest in this is to maintain
- security, by granting access rights to groups instead of individual
- users.
-
- By default, all users are in a group called EVERYONE. If you grant
- [RF] to group EVERYONE in a directory, then every user in that group
- will hold those rights in that directory.
-
- Some software also makes use of groups (for example, Pegasus Mail
- does not run if the user is in group NOMAIL).
-
- ------------------------------
-
- Subject: Section 2: Software
-
- This section describes the purpose and use of some software.
-
- ------------------------------
-
- Subject: 2.01 - What is HACK.EXE?
- NetWare: 3
-
- HACK is a program, written at Leiden University in the Netherlands,
- which exploits the lack of packet authentication in early versions
- of NetWare 3. It enabled a user to pose as a more privileged client
- by sending requests to the server with fake source addresses.
-
- If SUPERVISOR is logged on, it attempts to send a single packet to
- the server requesting it to add Supervisor-equivalency to the
- account it is being run from.
-
- Novell released updated versions of the server and client software
- which would add packet authentication (using a feature called NCP
- packet signatures). The software is available from ftp.novell.com.
-
- NetWare 3.12 includes the updated software, but the administrator
- still has to set the correct packet signature level on both server
- and workstations.
-
- With NCP packet signatures active, any attempt to forge packets
- to the server will result in a message on the server console, in
- the error log, and sent to the affected client.
-
- ------------------------------
-
- Subject: 2.02 - What is NOVELBFH.EXE?
- NetWare: 2,3
-
- NOVELBFH, Novell Brute Force Hacker, is a program written by
- DGE Alofs in Holland. It is a menu driven program that attempts
- to crack accounts by using the verify password function and
- trying various guesses for password.
-
- The password checking is done using the unencrypted password call,
- so this program can be rendered useless on NetWare 3 by disabling
- the unencrypted password call at the server (this is the default).
-
- ------------------------------
-
- Subject: 2.03 - How do I use SECURITY?
- NetWare: 3
-
- SECURITY is the standard security auditing utility, supplied with
- NetWare. It is found in the SYS:SYSTEM directory, and needs to be
- run by a Supervisor-equivalent user.
-
- ------------------------------
-
- Subject: 2.04 - Vendor security addons
-
- Administrators may be interested in products which are available
- to improve network security. This section will eventually be a
- list of such products. Please submit your product descriptions to
- the FAQ maintainer.
-
- STOPLIGHT LAN - StopLight LAN integrates with Netware to provide
- network and workstation security enhancements. It provides
- workstation access control, keyboard lock, trustee assignments
- for local and network drives, file encryption, local drive
- disable during network use, floppy drive disable, software
- piracy prevention, central installation and management from
- the network, Windows administration. 13K memory overhead
- required. Download from http://www.safe.net/safety or
- ftp://ftp.safe.net/pub/safetynet/sllan.exe
-
- ------------------------------
-
- Subject: Section 3: Help
-
- This section gives solutions to common problems.
-
- ------------------------------
-
- Subject: 3.01 - How do I secure the server?
- NetWare: 3
-
- The most important rule is to lock the server console.
- At least one method has been posted a couple of times which
- explains how to switch off password verification using the
- server internal debugger.
-
- Anyone with console access can obtain supervisor access.
-
- Place any useful NLMs in SYS:SYSTEM and then add the following
- line to AUTOEXEC.NCF:
- SECURE CONSOLE
-
- Disable use of unencrypted passwords. Either type the following,
- or add it to the AUTOEXEC.NCF:
- SET ALLOW UNENCRYPTED PASSWORDS OFF
-
- If you have NCP packet signatures installed, add the following
- line to AUTOEXEC.NCF:
- SET NCP PACKET SIGNATURE OPTION = 3
-
- Use a password different from the Supervisor password for RCONSOLE.
-
- Load the MONITOR NLM and lock the console.
-
- Remember that access to the backups is just as bad as access
- to the server. Keep the backups secure too.
-
- Some other suggestions:
- Limit number of Supervisor accounts (not too many, but keep at
- least one, unless using the SUPER utility described below).
- Enable intruder detection and lockout.
- Require unique passwords on all accounts.
- Login as Supervisor as little as possible.
-
- Use the SUPER.EXE program, written by Wolfgang Schreiber, which
- will toggle instant supervisor-equivalency to a user. This isn't
- a loophole, since some preparation has to be done on the accounts
- which should be able to gain supervisor-equivalency, and those
- accounts will be reported by the SECURITY utility.
- SUPER is available from netwire (Look on ftp.novell.de or
- ftp.novell.com).
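
The three AUTOEXEC.NCF settings recommended in this section can be checked mechanically. The Python sketch below is an added example, not part of the original FAQ or of any Novell tool; the function name, the sample files and the comment-line rule (REM, # and ;) are assumptions of the example.

```python
# Constructed sample files for the example; not taken from a real server.
WEAK = """\
REM constructed sample
LOAD MONITOR
set allow unencrypted passwords = on
SET NCP PACKET SIGNATURE OPTION=1
"""
HARDENED = """\
; constructed sample
SECURE CONSOLE
SET ALLOW UNENCRYPTED PASSWORDS OFF
SET NCP PACKET SIGNATURE OPTION = 3
"""

def audit_autoexec_ncf(text):
    """Return findings for an AUTOEXEC.NCF passed in as a string."""
    secure_console = False
    settings = {}  # SET name -> last value seen; a later SET overrides an earlier one
    for raw in text.splitlines():
        line = " ".join(raw.split()).upper()  # collapse spacing, ignore case
        # Assumption: REM, '#' and ';' start comment lines in .NCF files.
        if not line or line == "REM" or line.startswith(("REM ", "#", ";")):
            continue
        if line == "SECURE CONSOLE":
            secure_console = True
        elif line.startswith("SET "):
            # Accept "NAME = VALUE", "NAME=VALUE" and the FAQ's "NAME VALUE".
            tokens = line[4:].replace("=", " ").split()
            if len(tokens) >= 2:
                settings[" ".join(tokens[:-1])] = tokens[-1]
    findings = []
    if not secure_console:
        findings.append("SECURE CONSOLE is missing")
    if settings.get("ALLOW UNENCRYPTED PASSWORDS") == "ON":
        findings.append("ALLOW UNENCRYPTED PASSWORDS is ON")
    level = settings.get("NCP PACKET SIGNATURE OPTION")
    if level != "3":
        findings.append(f"NCP PACKET SIGNATURE OPTION is {level or 'not set'}, expected 3")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_autoexec_ncf(text) or "no findings")
```

Because the last SET line wins, the check also catches a file that sets the password option correctly and then re-enables it further down.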
-
- ------------------------------
-
- Subject: 3.02 - I've lost the supervisor password.
- NetWare: 2,3
-
- The following method is used to obtain the supervisor account on
- NetWare 2. It will work on NetWare 3, but there is an easier way
- which follows.
-
- The following is fairly complicated, and is not recommended for
- beginners.
-
- 1. Reboot the server and load DOS.
- 2. Use a disk editor to examine the Novell partition and locate
- the directory entries for the bindery files (NET$BIND.SYS and
- NET$BVAL.SYS).
- 3. Check for backup copies of the bindery with extension OLD (i.e.,
- NET$BIND.OLD and NET$BVAL.OLD). If you find them, change their
- extension to XXZ.
- 4. Change the SYS extension to OLD.
- 5. Restart the server. It will create a new bindery with SUPERVISOR
- and GUEST accounts; both without passwords.
- 6. Login as SUPERVISOR and run BINDREST to restore the old bindery.
- 7. Change the SUPERVISOR password.
-
- On NetWare 3, there are a number of NLMs which will reset the
- supervisor password (SETPWD and SETSPASS) or create supervisor
- equivalent accounts (BURGLAR). SETPWD is available by anonymous
- ftp from netlab2.usu.edu.
-
- In general, you should have at least one supervisor equivalent
- account (see section 3.01).
-
- ------------------------------
-
- Subject: 3.03 - I've deleted the user Admin.
- NetWare: 4
-
- This answer was provided by Mattman (mdrobel@novell.com) in an
- article posted on comp.os.netware.security.
-
- If you don't have a backup, you can do two things:
-
- 1. Reinstall Directory Services. I would recommend this option only
- if you don't have a lot of NDS objects and rights set up.
-
- 2. If you have another user with Admin or equivalent rights, it's
- easy to recreate the Admin user object and give him the rights
- he had before. Those rights would be:
- Make him a trustee of [Root] and give him supervisory object and
- property rights.
-
- ------------------------------
-
- Subject: 3.04 - I've revoked my own rights from this subdirectory.
- NetWare: 3
-
- A common mistake is to revoke your own access control rights in a
- directory. If you have access control rights in a parent directory,
- you can regain the access rights that you lost.
-
- Example: If user ALICE has [RCWEMFA] in USR:ALICE/ but accidentally
- revoked access control in the subdirectory PROJECTS (let's just
- say she now has [RF] in USR:ALICE/PROJECTS/), she would not be
- able to simply use grant to get the rights back because she has
- insufficient rights.
-
- To recover access control:
-
- 1. Check which groups you are in (or equivalent to).
- WHOAMI /S
- 2. Pick a group and grant access rights to that group in the parent.
- GRANT A TO EVERYONE FOR USR:ALICE
- 3. You should now have access control in the subdirectory.
- CD PROJECTS
- 4. Remove the trustee which caused the problem.
- TLIST
- REMOVE ALICE FROM USR:ALICE/PROJECTS
- 5. Remove the rights of the group from the parent directory.
- REMOVE EVERYONE FROM USR:ALICE
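
The inheritance rule from section 1.06 and the recovery steps above, replayed as an added Python example that is not part of the original FAQ. It models only the rule as the FAQ states it (a trustee's explicit assignment replaces what that same trustee inherits, and user and group rights add up) and ignores the Supervisory right and the Inherited Rights Mask; the function names are hypothetical.

```python
# Added example: simplified model of NetWare 3 trustee inheritance as the FAQ
# describes it. Directory names and rights strings are the FAQ's own samples.
ORDER = "SRCWEMFA"  # rights letters in the FAQ's order, used for display

def ancestors(path):
    """'USR:ALICE/PROJECTS' -> ['USR:', 'USR:ALICE', 'USR:ALICE/PROJECTS']"""
    volume, _, rest = path.partition(":")
    chain, current = [volume + ":"], volume + ":"
    for part in filter(None, rest.split("/")):
        current += part if current.endswith(":") else "/" + part
        chain.append(current)
    return chain

def trustee_rights(assignments, trustee, path):
    """Rights one trustee holds at path: the nearest explicit assignment wins,
    replacing whatever that same trustee would have inherited from above."""
    rights = set()
    for directory in ancestors(path):
        explicit = assignments.get(directory, {}).get(trustee)
        if explicit is not None:
            rights = set(explicit)
    return rights

def effective_rights(assignments, user, groups, path):
    """Union of the user's own rights and those of every group they are in."""
    total = set()
    for trustee in [user, *groups]:
        total |= trustee_rights(assignments, trustee, path)
    return "".join(r for r in ORDER if r in total)

def recover_access_control():
    """Replay the 3.04 recovery and record ALICE's rights in PROJECTS."""
    acl = {"USR:ALICE": {"ALICE": "RCWEMFA"},
           "USR:ALICE/PROJECTS": {"ALICE": "RF"}}  # the accidental revoke
    sub, groups, seen = "USR:ALICE/PROJECTS", ["EVERYONE"], []
    seen.append(effective_rights(acl, "ALICE", groups, sub))
    acl["USR:ALICE"]["EVERYONE"] = "A"       # GRANT A TO EVERYONE FOR USR:ALICE
    seen.append(effective_rights(acl, "ALICE", groups, sub))
    del acl["USR:ALICE/PROJECTS"]["ALICE"]   # REMOVE ALICE FROM USR:ALICE/PROJECTS
    del acl["USR:ALICE"]["EVERYONE"]         # REMOVE EVERYONE FROM USR:ALICE
    seen.append(effective_rights(acl, "ALICE", groups, sub))
    return seen

if __name__ == "__main__":
    print(recover_access_control())
```

Between steps 2 and 5 every member of the chosen group holds access control in the parent directory, so the steps should be run back to back and step 5 never skipped.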
-
- ------------------------------
-
- Subject: 3.05 - Supervisor has been locked out.
- NetWare: 3
-
- If the Supervisor account cannot login due to intruder detection,
- you can restore login status by entering ENABLE LOGIN at the server
- console. This will only work for the SUPERVISOR account.
-
- ------------------------------
-
- (end of FAQ)
-
- ========================================================================
- Fauzan Mirza Dept of Computer Science DOS/NetWare/Linux
- F.U.Mirza@shef.ac.uk University of Sheffield Programming/Security
- ========================================================================
-