Why You Need a GroupWise Password
Novell Cool Solutions: Trench
By Rick Hellewell
Posted: 11 Oct 2001
Version: GroupWise 5.5
There's a big security hole if you don't have a GroupWise password set, which you can easily see by doing the following:
- Log on to the network as UserA and open GW (Notify also opens during login, since it is usually in the startup group).
- Close GW (but not Notify). Shut down the computer.
- Restart the computer, bypassing the Novell login to get to your desktop.
- Start GW. Notice that you are reading UserA's mail, even though you didn't log on to the network.
This can happen if the Novell client is not set for "Cancel desktop login=Yes" (in Novell Client properties), and if UserA has not set up a GW password (or has the "remember password" checkbox [the first checkbox] enabled in Tools > Options > Security, and the "No password with NDS" checkbox [the second checkbox] empty).
Around here, we force "Cancel Desktop login=Yes" via ZEN, so that the user is required to pass the Novell login to see the desktop. (This assumes the network cable is connected; if the network is down or disconnected, the user can get to the desktop.) And we strongly encourage GW passwords.
This happens with the Win9x Novell client, and possibly with the WinNT/Win2K Novell client, with GW 5.5.4. We haven't tried it with GW 6.
It can also happen by using the "Novell login" via the "Big Red N" on the taskbar if you don't exit GW *and* Notify. It is also related to GW running via TCP/IP.
This is a potential security problem that can be fixed by using GW passwords.