NOVELL TECHNICAL INFORMATION DOCUMENT
TITLE: Security Enhancement LOGIN.EXE 4.02
DOCUMENT ID: TID013339
DOCUMENT REVISION: A
DATE: 02SEP93
ALERT STATUS: Yellow
INFORMATION TYPE: Symptom Solution
README FOR: SECLOG.EXE
NOVELL PRODUCT and VERSION:
NetWare 4.01
ABSTRACT:
LOGIN.EXE v4.02 eliminates a small window of exposure under NetWare 4.x where
a user's name and password may be temporarily swapped to disk when running in
a DOS environment with less than 640KB of EMS or XMS memory, or if the login
script uses a SWAP command to swap to disk instead of to memory. (If you are
not using the external command (#), you don't need to install this update.)
──────────────────────────────────────────────────────────────────────────────
DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL. NOVELL
MAKES EVERY EFFORT WITHIN ITS MEANS TO VERIFY THIS INFORMATION. HOWEVER, THE
INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY. NOVELL
MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS INFORMATION.
──────────────────────────────────────────────────────────────────────────────
SYMPTOM
A small window of exposure exists where a user's name and password may be
temporarily swapped to disk when running in a DOS environment with a
small memory configuration. The NetWare 2.x and NetWare 3.x LOGIN
utilities are not affected and require no enhancement.
CAUSE
In NetWare 2.x and 3.x, LOGIN.EXE keeps a version of the user ID and
password in protected domain memory so that attachment to other servers
does not require the user to reenter the same information. After the
login process is complete, the memory is cleared. This process poses no
security threat in NetWare 2.x or 3.x.
In NetWare 4.x, the login process contains more steps. The LOGIN.EXE is
larger because the added security features, such as NDS and
authentication, have expanded the file size. During the current NetWare
4.x login and authentication process, portions of LOGIN.EXE may be
temporarily swapped to extended or expanded memory or to disk in DOS
environments with less than 640KB EMS or 640KB XMS memory configurations.
If login is temporarily swapped to disk, it is placed in the current
directory of the default disk, whether local or on the network.
A security threat occurs if a portion of the login executable containing
the user ID and password information is temporarily swapped to disk.
After login completes, a user may be able to salvage or undelete the
temporary swap file, gaining access to read the user ID and password
information of the logged-in network user.
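
The exposure described above is the general problem of credentials held in memory that can be written out to disk. The following is an added example, not Novell's code and not a description of how LOGIN.EXE 4.02 works: it goes beyond the DOS case to a modern POSIX C analogue that pins a password buffer in RAM with mlock() and wipes it before release. The secret_* names and the sample password are constructed for illustration.

```c
/* Added example, not Novell code; secret_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#define SECRET_MAX 128
typedef struct {
    char *data;   /* SECRET_MAX bytes holding the password */
    int   locked; /* 1 if mlock() pinned the memory in RAM */
} secret_buf;

/* Allocate the buffer and ask the kernel never to page it out. */
int secret_init(secret_buf *s) {
    s->data = calloc(1, SECRET_MAX);
    if (!s->data) return -1;
    /* mlock() can fail (RLIMIT_MEMLOCK); the caller must check locked. */
    s->locked = (mlock(s->data, SECRET_MAX) == 0);
    return 0;
}

/* Zero through a volatile pointer so the stores are not optimized away. */
void secret_wipe(secret_buf *s) {
    volatile unsigned char *p = (volatile unsigned char *)s->data;
    for (size_t i = 0; i < SECRET_MAX; i++) p[i] = 0;
}

/* Returns 1 when every byte of the buffer is zero. */
int secret_is_clear(const secret_buf *s) {
    for (size_t i = 0; i < SECRET_MAX; i++)
        if (s->data[i] != 0) return 0;
    return 1;
}

/* Wipe first, then unlock and free, so no copy outlives the login step. */
void secret_free(secret_buf *s) {
    secret_wipe(s);
    if (s->locked) munlock(s->data, SECRET_MAX);
    free(s->data);
    s->data = NULL;
}

int main(void) {
    secret_buf s;
    if (secret_init(&s) != 0) return 1;
    strncpy(s.data, "constructed-sample-password", SECRET_MAX - 1);
    printf("locked in RAM: %s\n", s.locked ? "yes" : "no (mlock failed)");
    secret_free(&s);
    return 0;
}
```

A program that handles real credentials should treat `locked == 0` as an error instead of continuing, since an unlocked buffer can still be paged out.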
SOLUTION
Novell recommends that security-conscious users implement the new
LOGIN.EXE v4.02 for NetWare 4.0 or 4.01 environments.
Solution Specifics:
Note: The new version of LOGIN.EXE will be incorporated in future
versions of NetWare 4.x.
Self-Extracting File Name:  SECLOG.EXE     Revision:  A

Files Included     Size      Date        Time
SECLOG.TXT         (This file)
LOGIN.EXE          354859    08-25-93    11:43a
Installation Instructions:
1. Flag LOGIN.EXE in your PUBLIC and LOGIN directories to Shareable and
   Read/write. For example, at the LOGIN directory, type:

      FLAG LOGIN.EXE SRw <Enter>

2. Copy LOGIN.EXE from your PUBLIC and LOGIN directories to a diskette
   for backup purposes.
3. Copy this version (4.02) of LOGIN.EXE to your PUBLIC and LOGIN
   directories.
4. Flag the newly installed LOGIN.EXE in your PUBLIC and LOGIN
   directories to Shareable and Read only. For example, at the PUBLIC
   directory, type:

      FLAG LOGIN.EXE SRo <Enter>

After installing LOGIN.EXE 4.02, you should require all users to change
their passwords.
If this security enhancement is installed on a NetWare 4.0 server after
completing the upgrade to NetWare 4.01, verify that the LOGIN.EXE is
v4.02. If the LOGIN.EXE is not v4.02, reinstall this enhancement. Use
the NDIR.EXE utility with the /ver option to verify the version
information. For example, at the PUBLIC directory, type:

      NDIR LOGIN /ver