Security Features User Guide

Introduction

This Security Features User Guide describes how users can make effective use of NetWare^® Enhanced Security. This guide is designed to

Help you use the server in a secure manner
Enable you to use the server's protection mechanisms effectively
Warn you about possible misuse of mechanisms

For this manual, a user is an authorized individual with a network account who interacts directly with the server via a network connection. A user should not have any special privileges to affect the configuration of the system.

By reading this manual, you will learn

How to log in and log out without compromising security
Why you may be denied access to certain Novell^® Directory Services^TM (NDS^TM) objects
What server features can maximize the protections offered by the product, and how to take advantage of those features
How to avoid pitfalls that might compromise the security of the server

If you are a network supervisor, you should also read NetWare Enhanced Security Administration.

NOTE: In Novell documentation, an asterisk denotes a trademarked name belonging to a third-party company. Novell trademarks are denoted with specific trademark symbols, such as ^TM.

System Overview

The NetWare operating system is a distributed network operating system made up of three components:

Servers
Workstations
Network media

The evaluated server component described in this manual can serve any number of workstations using the network media, limited only by software license restrictions.

The server component contains a Network Trusted Computing Base (NTCB) partition, which is used to enforce the security policies and to protect data stored on the server.

The evaluated server component cannot be used to run untrusted software.

Server Security Mechanisms

This section summarizes the protection mechanisms that are provided by the NetWare Enhanced Security server. Some of these mechanisms occur transparently, while others must be invoked by the user or the network supervisor.

Trusted systems are trusted to protect information---that is, to allow access to data objects only in accordance with the system's access control policies.
The server implements separate access control policies for NDS objects, NDS object properties, and file system objects (FSOs). These policies permit access based on a user's need to know as defined by authorized administrative or nonadministrative users.
The access control mechanisms provided by the server component depend upon the principle of individual accountability; that is, the server is able to identity and authenticate each user before allowing access to the server's protected resources and to trace the user's subsequent security-relevant actions.
Identification and authentication (I&A) requires the user to enter a security token (This is who I am...) and authentication token (...and here is some secret information to prove it).

The server provides traceability by allowing an auditor to audit security-relevant events within the system.
Finally, the server provides assurances that the security policies are implemented correctly and that the system is self-protecting.

The following sections summarize the protection mechanisms provided by the NetWare Enhanced Security server component.

Identification and Authentication

A NetWare server allows you to log in from workstations throughout the network. However, the server does authenticate your identity before before allowing you to use server resources.

Authentication is based on your user identifier and your private password. Each user's identifier is unique.

The password is a text string, known only to you. It is associated with your user identifier and recognized by the server NTCB (Network Trusted Computing Base).

NetWare 4.x authentication consists of two parts: network login and background authentication.

In a network login, your workstation participates in a protocol with the server to obtain a credential and signature, based on the Rivest, Shamir, Adelman (RSA) private key associated with your user account.

Once the server obtains the credential and signature, the background authentication protocol allows the workstation to present the credential and signature to any server on the network, gaining services from that server.

Thus, it is not necessary to log in separately to each server in the network.

Each user may have as many as three types of associated login restrictions:

The days of the week and times of day when logins are permitted
An account balance
The list of IPX^TM (Internetwork Packet Exchange^TM) addresses that can be used to originate connections

The server provides a flexible intruder detection mechanism to detect and prevent brute-force password-guessing attacks. If the number of incorrect login attempts exceeds the specified parameter, the server locks that station for a configurable period of time (or until the station is enabled by a network supervisor).

The server also provides a NetWare 3.x login method that uses the same authentication materials, but uses different protocol messages to transfer the authentication materials to the server. In a NetWare 3.x login, the user logs in to a bindery context on a single server.

Discretionary Access Control

The server NTCB (Network Trusted Computing Base) partition enforces DAC (discretionary access control) policies for all named objects under its control. These policies are based on user identity, where each user has the same identity on all servers.

The primary named objects controlled by the server's NTCB partition are NDS objects, NDS object properties, and file system objects (FSOs). Each of these objects has a separate access control policy.

An overview of these policies is not presented here. For a description of the access controls on NDS objects and NDS object properties, see:

Guide to NetWare 4 Networks
Chapter 1, Supervising the Network, of Supervising the Network
Concepts
Chapter 3, Security Supplement to Installation, and Chapter 5, Security Supplement to Managing Directories, Files, and Applications, of NetWare Enhanced Security Administration

For information on file system access controls, see:

Chapter 2, Managing Directories, Files, and Applications, of Supervising the Network
Chapter 6, Security Supplement to Creating Login Scripts, of NetWare Enhanced Security Administration

In addition to the primary named objects, other types of named objects include messages, semaphores, logical record locks, queues, queue entries, currently printing jobs, and audit trails.

Audit Trails

Three types of audit trails are provided in the server component:

NDS audit trails are associated with NDS containers (and therefore are known as container auditing), and are replicated along with the containers. The auditor may preselect NDS auditing on a per-event basis.
File system audit trails are associated with volumes within the server. The auditor may preselect file system audits on a per-event, per-user, or per-file basis.
Workstation audit trails are stored and protected on the server.

Object Reuse

The server enforces an object reuse policy to prevent scavenging of information for storage objects. In general, objects are cleared prior to their release to a subject.

As a network system composed of three components---servers, workstations, and network media---NetWare is designed to meet the Controlled Access implementation (Class C2) requirements of the Trusted Network Interpretation (TNI) [NCSC-TG-005] of the Trusted Computer System Evaluation Criteria (TCSEC) [DoD5200.28-STD].

The evaluated server is an IAD component as defined in Appendix A of the Trusted Network Interpretation.

Manual Overview

The NetWare operating system has been carefully designed, implemented, and administered to operate securely. You must read and follow the instructions in this manual in order to effectively use the NetWare operating system's protection mechanisms.

This manual is organized as follows:

How to Use This Manual, which you are currently reading, explains the purpose of this guide and points you to other relevant manuals.
User Security Responsibilities discusses what a NetWare Enhanced Security user is, and hence what security responsibilities such a user would have.
Logging In explains the procedures for logging in to the network from your workstation.
Accessing Files and Directories describes how to manage files and directories on the server. This chapter also describes how access to file system objects can be controlled and how access control information can be manipulated based on the appropriate access rights.
Accessing NDS Objects describes how to control access to NDS objects in order to safeguard information.
Messaging describes how you can send messages to other users via the server.
Printing and Queuing describes operations for print services and queue management.
Logging Out explains the procedures for securely logging out from the network.

Use of This Manual

This manual describes the security features available to you as a user of NetWare Enhanced Security servers. In order to meet the requirements of the NetWare Enhanced Security environment, you must use only trusted workstations to access NetWare servers. Your network supervisor can tell you how to identify trusted workstations.

This manual describes security aspects of NetWare servers. In addition to this manual, the vendor of your trusted worsktation will provide a companion manual that describes how to use your trusted workstation securely. This manual refers to the companion manual as a workstation security features user guide; your network supervisor can tell you the exact title of the workstation manual.

In order to use a NetWare network securely, you must read and understand both this manual and the workstation manual.

Related Manuals

This following related manuals may be useful in conjunction with this manual:

Concepts
NetWare Client for DOS and Windows User Guide
Guide to NetWare 4 Networks
Print Services
Supervising the Network
Utilities Reference