Security Threats for NetWare and eDirectory
Novell Cool Solutions: Feature
Posted: 13 Dec 2001
Here are some common security issues that you might have encountered in your work with NetWare and eDirectory. Have you got any stories to share about any of these? If you've had a close encounter with one of them, and lived to tell about it, we'd love to hear from you. Let us know how you dealt with it, and if we publish your experience, we'll send you a Novell t-shirt for your trouble. Nothing fancy needed -- just the facts. (Spelling doesn't count. We'll clean it all up and make you look good.) Send your stories to firstname.lastname@example.org (Bet you've got some doozies about #1...) Hope to hear from you soon!
1. POOR USER MANAGEMENT - OLD/UNUSED/TEST ACCOUNTS, NO/WEAK PASSWORDS
2. NDS TREE OBJECT ENUMERATION
3. SUPERVISOR ACCOUNT
4. NO INTRUDER DETECTION
5. HIDDEN NDS OBJECTS
6. EXCESSIVE NDS RIGHTS
7. EXCESSIVE FILE SYSTEM RIGHTS
8. IPX SPOOFING AND DENIAL OF SERVICE
9. LATEST SUPPORT PACKS NOT APPLIED
10. DEFAULT CONFIGURATION OF NETWARE AND NDS
One of the most common entry points into any system is accounts with either no password at all, or a very weak password. Often these accounts are older accounts or accounts built for temporary testing, and then are never removed. It is important to have a policy that states that all accounts will be expired after a certain amount of time, all accounts have strong passwords that are regularly changed, and that old or test accounts are removed from the system as soon as possible.
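An added example (not from the original article) of the kind of audit that policy implies: it checks a constructed set of account records against three rules drawn from the paragraph, no password set, password older than a maximum age, and old or test accounts left in place. The thresholds and the account data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds: constructed values, to be replaced by the organisation's own.
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 60
TEST_NAME_MARKERS = ("test", "temp", "tmp")
TODAY = date(2001, 12, 13)   # reference date for the sample data below

@dataclass
class Account:
    name: str
    has_password: bool
    password_set: Optional[date]   # None when no password was ever set
    last_login: Optional[date]     # None when the account has never logged in
    created: date

def audit_account(acct: Account, today: date) -> list:
    """Return the policy violations for one account (empty list means compliant)."""
    findings = []
    if not acct.has_password:
        findings.append("no password")
    elif acct.password_set and (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    # An account that never logged in counts as idle since it was created.
    last_activity = acct.last_login or acct.created
    if (today - last_activity).days > MAX_INACTIVE_DAYS:
        findings.append("unused for more than %d days" % MAX_INACTIVE_DAYS)
    if any(marker in acct.name.lower() for marker in TEST_NAME_MARKERS):
        findings.append("looks like a test/temporary account")
    return findings

def audit(accounts, today):
    """Map each non-compliant account name to its list of findings."""
    result = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            result[acct.name] = findings
    return result

# Constructed sample records; only jsmith is compliant.
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, date(2001, 11, 1), date(2001, 12, 10), date(1999, 3, 2)),
    Account("testuser1", False, None, date(2001, 6, 1), date(2001, 5, 20)),
    Account("oldvendor", True, date(2000, 1, 15), date(2001, 12, 1), date(1999, 9, 9)),
    Account("tmp_migrate", True, date(2001, 12, 1), None, date(2001, 8, 1)),
]

def audit_sample():
    return audit(SAMPLE_ACCOUNTS, TODAY)
```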
By default, non-authenticated users can view every object in the NDS tree (unless a leaf is restricted by an Inherited Rights Filter). For example, using the Novell tool cx.exe or ndir.exe with the right parameters and switches will allow the entire tree structure to be enumerated.
On NetWare 3.x, each NetWare server had the Supervisor account that had full access to the server, and was used to perform various administrative and maintenance functions. It is little known, but this account still exists on every NetWare 4.x and 5.x server as a hidden bindery user. While this hidden account can do little direct damage to NDS, it does have supervisor access to the entire file server. Typically, it has the same password as was assigned to the Admin account during server installation.
The best defense against this account becoming the target of an attack is to create an NDS account named Supervisor that is disabled with no rights. Intruders trying to access the bindery account first will access the NDS Supervisor account instead.
Intruder Detection can detect when someone is trying to guess passwords by locking out an account after a set number of bad passwords has been entered. By default, Intruder Detection is turned off and must be enabled on a per-container basis.
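An added example (not Novell's code) that models the lockout behaviour described above and replays it over a constructed login log. The three settings, attempt limit, reset interval and lockout length, mirror the knobs the feature exposes per container; the values, names and log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy values (not NDS defaults).
ATTEMPT_LIMIT = 3                      # bad passwords tolerated within the reset interval
RESET_INTERVAL = timedelta(minutes=30) # bad attempts older than this no longer count
LOCKOUT_LENGTH = timedelta(minutes=15) # how long a detected account stays locked

class IntruderDetector:
    def __init__(self):
        self.attempts = defaultdict(list)  # account -> timestamps of recent bad logins
        self.locked_until = {}             # account -> time the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def login(self, account, password_ok, now):
        """Process one login result; returns locked, accepted, rejected or lockout."""
        if self.is_locked(account, now):
            return "locked"          # refused even if the password is correct
        if password_ok:
            self.attempts[account].clear()
            return "accepted"
        recent = [t for t in self.attempts[account] if now - t < RESET_INTERVAL]
        recent.append(now)
        self.attempts[account] = recent
        if len(recent) >= ATTEMPT_LIMIT:
            self.locked_until[account] = now + LOCKOUT_LENGTH
            self.attempts[account].clear()
            return "lockout"
        return "rejected"

def replay(events):
    """Run a chronological list of (time, account, password_ok) through one detector."""
    det = IntruderDetector()
    return [det.login(acct, ok, ts) for ts, acct, ok in events]

# Constructed login log.
T0 = datetime(2001, 12, 13, 9, 0)
EVENTS = [
    (T0, "admin", False),
    (T0 + timedelta(minutes=1), "admin", False),
    (T0 + timedelta(minutes=2), "admin", False),   # third bad password: lockout
    (T0 + timedelta(minutes=3), "admin", True),    # right password, still locked
    (T0 + timedelta(minutes=5), "jsmith", False),
    (T0 + timedelta(minutes=20), "admin", True),   # lock expired at 9:17: accepted
    (T0 + timedelta(minutes=40), "jsmith", False), # 9:05 attempt aged out, count restarts
    (T0 + timedelta(minutes=41), "jsmith", False),
]
```

Because a locked account refuses even the correct password, the lockout length is a separate setting from the attempt limit; too long a lock turns the feature into a way to deny service to legitimate users.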
A common trick for hackers who have gained access to a system is to create a hidden backdoor in the form of an object that is invisible to the normal native tools used for maintaining and administering the system, thus preventing administrators from even knowing that they have been breached.
With the level of control and detail available to administrators within NDS, coupled with the scope and complexity of NDS, managing all of the NDS rights can be very difficult. Often, when trying to ensure that certain users have enough rights to reach a resource, a system administrator will simply start opening up access until the users can reach the resource they need, and inadvertently open up access to others. Would-be intruders know this, and will search out these weaknesses to gain access to sensitive data.
Just like Excessive NDS rights, access to the data located on the file system itself poses serious risk to data if not managed properly.
The standard configuration of any computer system often contains bugs and holes that can lead to system compromise, and Novell NetWare is no different. There are a number of problems in older versions of NetWare's IPX protocols and NLMs that can lead to server crashes and to requests being spoofed as coming from the Admin account. While it is advised that you run TCP/IP instead of the legacy IPX, if you must run IPX there are a number of critical settings needed to help ensure that servers cannot be spoofed and crashed.
Many large software vendors roll security fixes into their latest patches, sometimes with little to no notice that a fix is security related. These patches also frequently include ordinary bug fixes that inadvertently close security holes.
Out of the box, there are dozens of individual parameters that need to be adjusted and tweaked to ensure the system is secure. These individual tweaks are often missed in the rush to get new servers online, and as a company's security policy changes, the corresponding changes need to be applied to previously installed systems as well.
For more about security threats and issues, check out the links in the Security Threat Info section of the Manager's Resource Library.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com