Using NCP Packet Signature

NetWare includes a security feature called NCP Packet Signature that protects servers and clients using the NetWare Core Protocol^TM (NCP) services. For general information about NCP Packet Signature, see NCP Packet Signature.

Instructions for using NCP Packet Signature follow:

Server Signature Levels

Client Signature Levels

Packet Signature and Job Servers

Server Signature Levels

To determine the server's current signature level, enter

SET NCP Packet Signature Option

To set a server's packet signature level, enter
SET NCP Packet Signature Option = number

Replace number with 0, 1, 2, or 3. The default is 1

Number	Explanation
0	Server does not sign packets (regardless of the client level).
1	Server signs packets only if the client requests it (client level is 2 or higher).
2	Server signs packets if the client is capable of signing (client level is 1 or higher).
3	Server signs packets and requires all clients to sign packets or logging in will fail.

You can use the SET console command to change the signature level from a lower to a higher level.

You cannot change from a higher to a lower level unless you first reboot the server. For example, if the current signature level is 2, you can't set the signature level to 1 by using the SET command at the console. To change the signature level from 2 to 1, you must add the SET command to the startup.ncf file and then restart the server:

SET NCP Packet Signature Option = 1

You can add this SET command to your startup.ncf file to set the signature level each time the server is brought up.

Client Signature Levels

Set client signature levels to 0, 1, 2, or 3. The default is 1. Increasing the value increases security, but decreases performance.

Number	Explanation
0	Disabled. Client does not sign packets.
1	Enabled, but not preferred. Client signs packets only if the server requests it (server level is 2 or higher).
2	Preferred. Client signs packets if the server is capable of signing (server level is 1 or higher).
3	Required. Client signs packets and requires the server to sign packets or logging in will fail.

To set DOS or MS Windows client signature levels, add the parameter to the workstation net.cfg file, as follows:

signature level = number

To set the Windows 95 or Windows NT client signature level for an individual workstation, change the parameter setting with the Advanced Settings tab of Novell NetWare Client Properties, as follows:

From the system tray, right-click N

Click Novell Client Properties

Click Advanced Settings, then select Signature Level from the scrollable list

You can set the signature level for multiple clients at once by adding the signature level to the configuration file when you install the clients.

For information about configuring Windows 95 clients, see Clients > Novell Client for Windows 95 > Planning > Configuring Before Installing.

For information about configuring Windows NT clients, see Clients > Novell Client for Windows NT > Setting Up > Preparing to Install; then click on the link to Unattended Install of Novell Client.

You can also refer to the Novell Client Install Manager (NCIMAN) online help for more information. You will find NCIMAN for Windows 95 on the NetWare client CD at Products \ibm_enu\admin. You will find NCIMAN for Windows NT on the NetWare client CD at Products \winnt\i386\nls\english\admin.

Changing the Signature Level for an NLM

NLM programs that use the Novell Runtime Libraries are assigned a default NCP Packet Signature level that corresponds to the current signature level of the server.

To change the packet signature level for a single NLM, use the following command syntax when you load the NLM:

[LOAD] NLM [CLIB_OPT]/L number

Replace number with 0, 1, 2, or 3.

Packet Signature and Job Servers

A job server is a server that performs a task and then returns the completed task. Most job servers are third-party products.

You should be aware that some job servers do not support NCP Packet Signature. A job server might produce unsigned sessions if

It does not operate on top of DOS

It does not use standard Novell clients

It is not an NLM

It uses its own implementation of the NCP engine (such as embedded print servers in printers)

Minimizing Risks

To minimize security risks associated with job servers:

Install queues only on servers with signature level 3.

Do not allow privileged users to put jobs in queues on servers with signature levels below 3.

Make sure the job server's account is unprivileged.

Disable the job server's ability to change to client rights.

Disabling Change to Client Rights

To prevent a job server from assuming the rights of a client, add the following SET command to the server's startup.ncf file:

SET Allow Change to Client Rights = OFF

The default is ON, because certain job servers and third-party applications cannot function without changing to client rights. Refer to the documentation that comes with the job server to determine whether the job server can function without client rights.