A.3 Security Recommendations

The following subsections provide a summary of security-related recommendations for NetStorage:

A.3.1 Registry Access Control

Access control to the registry is enforced by the operating system.

On Windows (any version), each branch of the registry can have its own ACL (access control list). Windows checks to see if the calling thread has permissions to read/write/modify the registry entry being accessed, and returns status appropriately.

On NetWare, local access to the registry is a trusted operation, and any NLM™ running on the server is allowed access.

On Linux, XTier has implemented its own registry based on XFLAIM, and access to this database is via UNIX domain sockets. Only XTier's registry user (novlxregd) and group (novlxtier) have access to these domain sockets, and access control is enforced via file system permissions. For any process to access the registry, the user associated with the process must be a member of the novlxtier group. Adding a user to a group is a privileged operation, and can be done only by an administrator.
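The Linux access-control model just described (socket owned by the registry user and group, access granted only through group membership) can be audited from a shell. The following is an added example, not part of the NetStorage documentation; it assumes the socket path and expected owner/group are supplied by the caller, since the page names the user novlxregd and group novlxtier but not the socket's file system location, and it relies on GNU stat.

```shell
#!/bin/sh
# Audit helpers for the XTier registry socket on Linux (added example).
# The socket path is an assumption passed by the caller; the page states the
# owner should be novlxregd and the group novlxtier.

# check_socket_perms PATH OWNER GROUP
# Returns 0 when PATH exists, is owned by OWNER:GROUP and grants no access to
# the "other" class; returns 1 (with a reason on stderr) otherwise.
check_socket_perms() {
    path=$1; want_owner=$2; want_group=$3
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    # owner, group and octal mode in one stat call (GNU stat format)
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1; group=$2; mode=$3
    # the last octal digit is the "other" class; anything non-zero is world access
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, expected $want_owner" >&2; return 1; }
    [ "$group" = "$want_group" ] || { echo "group $group, expected $want_group" >&2; return 1; }
    [ "$other" = "0" ] || { echo "world-accessible mode $mode on $path" >&2; return 1; }
    return 0
}

# user_in_group USER GROUP
# Returns 0 when USER's group list includes GROUP, 1 otherwise (including when
# USER does not exist). Only members of the registry group may reach the socket.
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Example invocation with placeholder path (assumption, not from the page):
# check_socket_perms /path/to/xtier/registry.sock novlxregd novlxtier \
#     && user_in_group "$USER" novlxtier && echo "registry access looks correctly restricted"
```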

WARNING: Do not store security-sensitive information in the registry. Sensitive information such as passwords should not be stored in the registry unless it is protected by strong encryption.

A.3.2 Use NMAS

NMAS™ login is designed to be more secure than NDS4. You should enable NMAS login for eDirectory users and enable the corresponding setting in NetStorage.

A.3.3 Use SSL With Your Web Server

Without SSL, all traffic between the client (browser or WebDAV client) and the Web server is in the clear. This allows anyone to snoop the traffic and read all the data, including the authentication data. This applies when the Basic authentication scheme is used. Using SSL provides privacy for all data traffic between the workstation/client and the Web server.

A.3.4 Persistent and Session Cookies

Session cookies are valid only for the duration of the browser/client session. After all browser windows are closed, these cookies are discarded by the browser, and a new instance of the browser has no knowledge of previously set session cookies.

Persistent cookies have an expiration date/time, and are valid until then. Persistent cookies are stored in persistent storage (usually the file system), so that newer instances of the browser can pick them up.

For more information about cookies, see Persistent Client State HTTP Cookies.

A.3.5 Use Web Server Logs

You should check Web server logs frequently for security-related information.

A.3.6 Use XTLog

See Enable Debug Logging in IDM 6.5 and 7 for information on how and when to use XTLog.

Although the information refers to the ZENworks® Middle Tier Server, it also applies to other XTier applications such as NetStorage.

A.3.7 Denial of Service Attacks

Application developers should be aware of the possibility of denial of service attacks. This is true for any Web-based application. For example, if a DoS attack can be mounted on Apache or IIS, any XTier-web application is affected, because XTier-web runs as a module (or extension) of Apache and IIS.

A.3.8 Trusted Roots in CAPI

For instructions on setting up trusted roots in CAPI, see Trusted Root Certification Authority Policy.

A.3.9 Certificate Validation Registry Setting

If you are using NetIdentity, do not use the registry setting that allows a connection without certificate validation. The NetIdentity client places a registry setting on the client workstation. For more information see Setting Up NetIdentity Authentication in the Novell ZENworks 7 Desktop Management Installation Guide.