PC Direct 1995 May

home *** CD-ROM | disk | FTP | other *** search

/ PC Direct 1995 May / PC Direct CD-ROM (May 1995).ISO / ipe / protec / manual / chap2.txt < prev next >

Wrap

Text File | 1994-08-09 | 30.7 KB | 706 lines

Chapter 2 Network Security Installation This section provides step by step instructions on installing PROTEC NET onto a server and its associated workstations. It explains changes made to each and provides information on maintaining a secure system. ==================== Server Installation ==================== PROTEC NET is installed onto a server using NETINST.EXE. Once installed, the server is referred to as the Security Server. This installation program creates two directories: SYS:PUBLIC\PROTEC and SYS:SYSTEM\PROTEC. These directories are known as the PROPUBLIC and PROSYSTEM directories. PROTEC initializes PROPUBLIC and PROSYSTEM as DOS environment variables. PROTEC NET installation copies its security setup programs to the PROSYSTEM directory and its workstation security programs and data files to the PROPUBLIC directory. NETINST.EXE is configured by default to replace Novell NetWare's network login programs and modify the System Login Script to provide workstation security. ============================== Novell NetWare Bindery Changes ============================== During server installation, PROTEC NET modifies the Novell Bindery to classify the file server as a PROTEC NET Security Server. The installation process appends the PROTEC signature to the bindery specifying the following information: · Serial number · Version number · Revision number · Installation date and time · Site Licence · Person who installed PROTEC NET This information is encrypted but can be viewed from the Help About window within the Security program PSECURE.EXE. The server installation also creates two objects to assist in maintaining user security: PROTEC_USER and PROTEC_GROUP. During installation, it creates the PROTEC_USER which is used by PROTEC's Login program to synchronize passwords if specified within NetWare's System or user login script. PROTEC NET also creates the PROTEC_GROUP to allow workstation security to be configured properly and local workstation audits to be transferred to the workstation's associated Security Server. Further, a property is added to each user record to indicate the Security Server is the user's Primary Server. A property may not be added to a user's record if the installer verifies the user is already assigned a Primary Server. Refer to PRIMSRVR.EXE for information on creating the PROTEC_USER, PROTEC_GROUP and changing or assigning a Primary Server. If PROTEC NET is removed from a file server, all PROTEC NET records and properties are removed from the bindery. To Install the PROTEC NET System onto the Network Server 1 Log in to the destination server as either the Supervisor or a user with supervisor security equivalence. 2 Run NETINST.EXE from PROTEC NET Disk 1. 3 Scripts. PROTEC NET deploys workstation security centrally from the server by inserting its NET Script programs into the selected script. These utilities install and update workstation security. The selected login script is modified as follows: SET PROPUBLIC="servername/vol:PUBLIC\\PROTEC\\" #servername/vol:PUBLIC\PROTEC\NAMER.EXE #servername/vol:PUBLIC\PROTEC\BLDTREE.EXE #servername/vol:PUBLIC\PROTEC\AUTONVLL.EXE #servername/vol:PUBLIC\PROTEC\RBP.EXE #servername/vol:PUBLIC\PROTEC\UPP.EXE Figure 2.2. NetWare Login Script Changes PROPUBLIC is set to the [servername/vol:]\PUBLIC\PROTEC directory on the server. PROPUBLIC specifies the directory where PROTEC data files are located. Either the System Login Script or user login scripts may be modified to include the changes found in Figure 2.2. The System Login Script ensures workstation security is downloaded independent of user thus maintaining maximum security. If you are evaluating the product and would like to limit workstation installation to specific users, select the appropriate user login scripts from the combo box labeled `User Script.' Multiple users may be selected by pressing ENTER after each user name is highlighted. Each PROTEC NET Script program is listed in the chart below with a brief description of its responsibilities. NET Script Description Program NAMER.EXE Automatically records a workstation's network address, known within PROTEC NET as a Workstation ID. It also prompts a user for an identifiable name and location of his workstation. Once the workstation is named, the user is no longer prompted for this information. BLDTREE.EXE Records a workstation's drives, directories and files. The Workstation ID must be recorded prior to building a workstation directory tree. BLDTREE.EXE only runs if scheduled through PSECURE.EXE or if the workstation has just been named through NAMER.EXE. AUTONVLL.EXE Installs and removes workstation security. The Workstation ID must be recorded prior to installing PROTEC. AUTONVLL.EXE only installs or removes PROTEC if scheduled through PSECURE.EXE RBP.EXE Installs and removes Boot Protection. The Workstation ID must be recorded and PROTEC must be installed before installing Boot Protection. RBP.EXE only installs or removes Boot Protection if scheduled through PSECURE.EXE. UPP.EXE Updates workstation's security configurations. The Workstation ID must be recorded before configuring security. UPP.EXE only updates security if scheduled through PSECURE.EXE and PROTEC is installed. Figure 2.3. PROTEC NET Script Program Chart 4 Backup Script File. If checked, a backup of the original login script is saved to the PROPUBLIC directory. 5 Insert MAP S16:=SYSTEM\PROTEC into Supervisor's login script. This command places the PROSYSTEM directory in the path so that users can access the Security program, PSECURE.EXE, without having to go to the PROSYSTEM directory. 6 Use PROTEC Login Programs. PROTEC's Login programs should be used to ensure Novell's environment is properly updated and to access PROTEC NET Script enhancements. If this option is made active, PROTEC NET server installation sets up security so that users run its Login programs: LOGIN.EXE, LOGOUT.EXE and MAP.EXE. PROTEC NET copies these programs to the server's \LOGIN directory and stores backup copies of the original programs to the PROSYSTEM directory. These files are renamed as follows: NVLOGIN.EXE, NVLOGOUT.EXE and NVMAP.EXE. Use PROTEC's Login programs if one of the following reasons is TRUE: · Users run applications from a menu program or shell. This ensures that the menu's environment reflects changes made to Novell's environment. · NetWare's System or user scripts contain any PROTEC "aware" script commands such as single signon commands: SYNC and SSO. 7 Copy PROTEC programs to the server. This option copies files that are needed to install workstation security. PROTEC NET copies all files that configure security to the PROSYSTEM directory and all files that update or install workstation security to the PROPUBLIC directory. Files are copied to each directory and are listed within the PSETUP.INF file located on PROTEC NET disk 1. Files copied to the PROSYSTEM directory are preceded by the label '[system files]' whilst files copied to the PROPUBLIC directory are preceded by the label '[public files]' 8 Make PROTEC data files. These files are created within the PROPUBLIC directory. Refer to PINIT.EXE for a list of these data files. 9 Create PROTEC_GROUP: Add all users to group. This group is created to define directory trustee rights - [ RWC MF ] - for PROPUBLIC directory. Users must be granted these rights so a workstation's audit records are copied up to the appropriate Security Server and workstation security is copied down to the workstation. Once PROTEC is installed onto the server, PROTEC NET can be scheduled to install security onto workstations automatically using its Security program PSECURE.EXE. =============================== Accessing the Security Program =============================== The Security program, PSECURE.EXE, is the core management program that enables supervisors to control, monitor and configure workstation and user security. PERM.EXE is a subset of the Security program that allows supervisors to set Group Access Permissions. NETSEC.EXE may be used to configure and schedule workstation security. To Access the Security Program from the DOS Prompt 1 Log onto the system as a supervisor. 2 Go to DOS and change to the drive where PROTEC NET resides (e.g. F:) 3 Change directories to the PROSYSTEM directory as follows: cd \system\protec 4 Access the Security Program by typing the following: psecure ============================= Workstation Auto Installation ============================= Once PROTEC NET server installation is complete, workstation security may be deployed. To maintain a secure system, all workstations which attach to a Security Server should be protected by PROTEC NET. These instructions assume the NetWare System Login Script has been modified to include the PROTEC NET Script programs. NAMER.EXE runs only once to name a workstation address. The remaining PROTEC NET Script programs only execute tasks if they are scheduled to do so. Refer to Server Installation for information on PROTEC NET Script programs. To Set up Workstation Security to Install Automatically 1 Name Workstation ID and Build Directory Trees. (This is initiated automatically at login by NAMER.EXE.) Each workstation's network address must be recorded before workstation security can be installed. For more information, refer to Add or Delete Workstation ID. 2 Add users to Novell's PROTEC_GROUP. (This is done automatically during server installation using NETINST.EXE.) If users have been installed after server installation, add them to the PROTEC_GROUP using Novell NetWare's Syscon Utility. 3 Access the Security program, PSECURE.EXE. Refer to Accessing the Security Program for step by step instructions. 3aChange Master Password. Refer to Master Password for information on this facility. 3bAutoInstall PROTEC onto each workstation. From the Workstation menu, select Install/Remove PROTEC. Once configured, PROTEC is installed when the next user logs onto the Security Server. To view results of installation, refer to View AutoInstall Results. For more information, refer to Install or Remove PROTEC. 3cAutoInstall Boot Protection. From the Workstation menu, select Install/Remove Boot Protection. Installation occurs automatically when a user logs onto the workstation. To view results of installation, refer to View AutoInstall Results For information on Boot Protection features, refer to Install or Remove Boot Protection. 3dConfigure Workstation and User Security. It is important that each user has been assigned a Primary Server. PROTEC NET's server installation does this automatically. Refer to Workstation Security and User Security for further details. If you are working in an environment with multiple servers, refer to Maintaining a Secure System. ============================== View Auto Installation Results ============================== PROTEC NET automatically displays results from installation operations as they occur. If there are problems with installation, you can view them directly from the Security program. To View Results 1 Access the Security program. Refer to Accessing the Security Program for instructions. 2 From the Workstation menu, select Install/Remove PROTEC or Install/Remove Boot Protection. ========================== Workstation System Changes ========================== PROTEC NET needs to modify each workstation to implement security properly. During installation, it makes a copy of the original CONFIG.SYS and AUTOEXEC.BAT and places them in the PROTEC directory. It modifies the CONFIG.SYS to ensure it has enough files and buffers and loads the PROTEC3.SYS driver if Boot Protection is installed. The AUTOEXEC.BAT file is modified so that PROTEC's environment variables - PROTEC, PROPUBLIC and PROFLAGS - are initialized. PROTEC's security kernel, LOADER.COM is loaded as the last statement in the AUTOEXEC.BAT which ensures all programs and TSRs are loaded and all environment variables are set prior to the user logging onto the workstation. The following section explains changes in detail. CONFIG.SYS and AUTOEXEC.BAT PROTEC NET originally modifies the CONFIG.SYS so that files and buffers are set to at least 30 and 40, respectively. If Boot Protection is installed, PROTEC3.SYS is inserted as the first driver in the CONFIG.SYS. Refer to the Drivers Directory for information on loading other drivers prior to PROTEC3.SYS. The workstation's AUTOEXEC.BAT is modified so that its security kernel LOADER.COM is loaded after its network drivers. The network drivers that must be present are listed under the heading `[network drivers]' in the PSETUP.INF file located in the PROPUBLIC directory. If the workstation uses different network drivers, modify this list and then schedule to install PROTEC. LOADER.COM is loaded as the last statement in the AUTOEXEC.BAT and is configured so that its environment parameter is set to "/e:auto." During workstation installation, PROTEC NET inserts three environment variables into the AUTOEXEC.BAT file: PROTEC, PROPUBLIC and PROFLAGS. PROTEC informs the security kernel where its security modules exist while PROPUBLIC indicates where its data files reside. PROPUBLIC is configured as follows: SET PROPUBLIC=drive:\PUBLIC\PROTEC where the drive represents the logical drive pertaining to the Security Server. For information on the PROFLAGS environment variable refer to PROFLAGS Environment Variable. If a supervisor schedules PROTEC to AutoInstall to the destination path, C:\PROTEC.NET, then the AUTOEXEC.BAT may be modified as follows: SET PROFLAGS=headings messages errors box double SET PROPUBLIC=f:\public\protec SET PROTEC=c:\protec.net REM REM The following lines are for illustration REM only c:\dos\keyb uk,,c:\dos\keyboard.sys c:\dos\smartdrv REM a preferred server may be configured to REM correspond to a user's REM Primary Server so when a user signs onto REM a PROTEC NET REM workstation, the Server specified in the REM Login screen is the REM users Primary Server. network drivers (e.g. ipx.com and netx /ps=administration) ... c:\protec.net\loader.com /e:auto NOTE LOADER.COM must be inserted after the network drivers so that protection works properly. If the system uses DOS utilities, KEYB.COM and SMARTDRV.EXE, make sure KEYB.COM is loaded before SMARTDRV.EXE. If not, SMARTDRV.EXE does not flush its buffers properly. PROFLAGS Environment Variable The environment variable PROFLAGS is placed into the AUTOEXEC.BAT file when workstation security is installed and is used by PROTEC NET Script programs. PROFLAGS settings supply information which may assist PROTEC NET workstation installation. This variable can be set to a subset of the following: · HEADINGS: specifies program to print copyright notice so that you can identify which PROTEC NET Script program is running · MESSAGES: specifies program to print general messages · ERRORS: specifies program to print errors to screen · FILE: specifies program to print messages to a file. The next string after the word "FILE" must be the file name · PAUSE: pauses after each line is output · BOX : shows messages within a box · DOUBLE: uses double lines to create box · PAUSEBOX: pauses after a box has been "closed" The default setting is HEADINGS MESSAGES ERRORS BOX DOUBLE. To modify the default setting used during workstation installation, edit the PSETUP.INF file within the PROPUBLIC directory on the Security Server. The settings are found under the `[proflags]' heading. Examples ;Have errors displayed within double boxes pausing after each line of ;output [proflags] errors box double pause [end] ;Or have errors go to a file while and include all headings and messages [proflags] file c:\errors.txt headings messages errors box double [end] ;Or use the default [proflags] headings messages errors box double [end] Directories Created during Workstation Installation PROTEC workstation installation creates the following directories: the PROTEC directory (default C:\PROTEC.NET); C:\DRIVERS; C:\PUBLIC. The PROTEC Directory The PROTEC directory stores PROTEC workstation security modules and programs and can only be accessed by supervisors. The DRIVERS Directory The DRIVERS directory contains PROTEC's Boot Protection driver, PROTEC3.SYS. This directory remains decrypted if Boot Protection has been installed, specifically Level II. If you wish to load other drivers like HIMEM.SYS before PROTEC3.SYS in the CONFIG.SYS, place them in this directory and modify their paths to load from the DRIVERS directory. After installing Boot Protection, you may want to load PROTEC3.SYS into upper memory using HIMEM.SYS and EMM386.EXE. By copying HIMEM.SYS and EMM386.EXE to the DRIVERS directory, PROTEC3.SYS can load into memory while still maintaining maximum security. The CONFIG.SYS may look like the following: FILES=30 BUFFERS=40 DEVICE=c:\drivers\himem.sys DEVICE=c:\drivers\emm386.exe ram DOS=high,umb DEVICEHIGH=c:\drivers\protec3.sys SWITCHES /N In the above example, HIMEM.SYS AND EMM386.EXE are being loaded from the DRIVERS directory so they are available to the system prior to the root directory being decrypted. This enables PROTEC NET to be loaded high. `SWITCHES /N' supported by DOS 6.x and above prevents users from bypassing the CONFIG.SYS and AUTOEXEC.BAT using function keys, F5 and F8. NOTE It is recommended that you protect this directory from normal users. The PUBLIC Directory The PUBLIC directory can always be accessed by all users. PROTEC automatically grants the VIEW permission to the PUBLIC directory when a user signs onto the system. However, supervisors may modify permissions to limit user security. ============================ PROTEC NET Workstation Login ============================ Every user must sign onto the system through PROTEC NET's Login screen. PROTEC NET requires users to select their Primary Server and enter their NetWare user name and a password before accessing the system. Refer to Primary Server for details on assigning or changing a user's Primary Server. To Log onto the PROTEC System 1 At the Login screen, if necessary select your Primary Server (ALT+S). 2 Enter your user name (ALT+U). 3 Enter your password (ALT+P). 4 Choose the OK button to log onto the system. NOTE Supervisors must inform users of their Primary Servers. Supervisor Login Function A network supervisor or network user with supervisor security equivalence can log onto the system bypassing PROTEC. If a supervisor presses F10 at the Login screen and enters his user name and password, PROTEC NET unloads from memory. This means there is no security until the security system is reloaded. To load PROTEC into memory run C:\LOADER.COM or reboot the computer. CAUTION If a supervisor uses the F10 key at login and removes PROTEC, the system is not protected if it is left unattended. =========================== Maintaining a Secure System =========================== The Security Server is automatically protected by PROTEC NET only if PROTEC has been installed on all workstations connected to the server. If not, the Security Server must be protected by the network operating system. The following precautions should be taken to ensure the Security Server is secured: · The PROPUBLIC directory must be accessible by all Netware users. To do so add all users to the PROTEC_GROUP. This group is created automatically during PROTEC NET server installation. This group is allowed the following directory trustee rights for \PUBLIC\PROTEC: [ RWC MF ]. Check trustee rights to ensure all users are granted these rights for the PROPUBLIC directory. If this group does not exist run ` PRIMSRVR /g'. · All network users who do not have PROTEC NET on their workstation but can access a Security Server must be denied the ERASE and MODIFY trustee rights to the PROPUBLIC directory. · If a user can access two workstations where PROTEC NET is on only one, deny the user access to the non protected workstation through Novell NetWare Syscon Station Restrictions feature. This prevents users from modifying PROTEC NET data files. · Every user should be assigned to only one Primary Server when working with multiple Security Servers. Run `PRIMSRVR.EXE /L' to generate a report of all users and their Primary Servers on all available Security Servers. · To ensure the workstation is protected at all times even if a user's Primary Server is down or unavailable, install a local copy of PROTEC. Refer to When Server is down / Laptops. · Make sure NetWare's System Login Script is modified to include NET Script programs to update and maintain workstation security. · If a workstation is shared and each user has a different Primary Server, each user must sign onto his Primary Server at least once before a supervisor can assign Group Access Permissions. If maximum security is needed during security installation, secure each station using NetWare's Syscon utility. · Backup system configurations using the feature `Save PROTEC Configuration' found within PSECURE.EXE once workstation security is installed or updated so that data files can be restored if corrupted. · Set and review Audits to track user activity and to identify potential security breaches. ============================ Increasing Your Site Licence ============================ The Site Licence utility PLICENSE.EXE allows you to increase your server site licence instantly. Contact your PROTEC NET representative for assistance.