
Remote Access Security

Setting up basic remote access security consists of the following tasks:

For information on how to optimize user-specific and service-specific remote access security options, refer to the security-related topics under Optimizing.


Authorizing Users for Specific Services

To authorize users for specific services, complete the following steps:

  1. Select Configure Security from the Remote Access Options window.

    The Configure Security window is displayed.

  2. Select Restrict Service by User.

    A list of services is displayed.

  3. Select a service.

    A list of users authorized to use that service is displayed.

    Initially, this list shows (Any User) to indicate that all users can access this service. If you have already authorized users for a specific service and you want to configure other services with an identical port configuration, use the following function keys:

    • F4 ---Copies a configuration from another service.
    • F6 ---Copies the selected port configuration to one or more services.

  4. Press Ins to display additional users.

    A list of additional NetWare users is displayed.

  5. Select a user or press F5 to select multiple users.

    If users are distributed over multiple contexts, select the double period (..) to move up the Directory tree to a common branch. Select any other container object to move down the tree.

    If the CONNECT object does not have Browse rights to move up the Directory tree, press Ins and enter the new Directory context. This allows you to jump to another branch of the tree where the CONNECT object does have rights.

  6. Press Enter to add the users to the list of authorized users.

  7. Press Esc to save the changes.

  8. Repeat Step 2 through Step 7 to authorize user access to other services.


Authorizing Ports for Specific Services

To authorize ports for specific remote access services, complete the following steps:

  1. Select Configure Security from the Remote Access Options window.

    The Configure Security window is displayed.

  2. Select Restrict Service by Port.

    A list of installed services is displayed.

  3. Select a service.

    A list of ports authorized to use that service is displayed.

    Initially, this list shows (Any Port) to indicate that all ports can access this service. If you have already authorized ports for a specific service and you want to configure other services with an identical port configuration, use the following function keys:

    • F4 ---Copies a configuration from another service.
    • F6 ---Copies the selected port configuration to one or more services.

  4. Press Ins to display additional ports.

    A list of additional remote access ports is displayed.

  5. Select a port or press F5 to select multiple ports.

  6. Press Enter to add the ports to the list of authorized ports.

  7. Press Esc to save the changes.

  8. Repeat Step 2 through Step 7 to authorize port access for other services.


Setting Global Security

Use the procedure in this section to set or specify the following global security options:

To set the global security parameters for remote access, complete the following steps:

  1. Select Configure Security from the Remote Access Options window.

    The Configuration Options window is displayed.

  2. Select Set Global Parameters from the Configure Security window.

    The Global Parameters window is displayed.

  3. Select Default Maximum Connection Time and enter a value between -1 and 100,000 minutes.

    Enter a value of -1 to allow all users to remain connected for an indefinite amount of time. You can set this parameter to 0 and customize the value for each user with the Set User Parameters window to prevent unauthorized users from accessing the network. Refer to User-Specific Remote Access Security.

    NOTE:  If the remote client is configured and has negotiated short-hold with the server, both the Idle Time Before Temporary Disconnect and Maximum Call Suspension timers are used (refer to Specifying ISDN Short-Hold Parameters). The other timers associated with the connection, Default Maximum Connection Time and Idle Time Before Disconnection (each configured on a global or individual user basis), are ignored.

    If the remote client does not negotiate short-hold with the server, both the Idle Time Before Temporary Disconnect and Maximum Call Suspension timers are ignored. The other timers associated with the connection, Default Maximum Connection Time and Idle Time Before Disconnection, are used.

  4. Select Idle Time Before Disconnection and enter a value between -1 and 100,000 minutes.

    The default value of -1 indicates that the idle timer is not set and connections can remain idle for any amount of time. The timer is reset whenever data is sent or received through the port. This includes any broadcast or watchdog traffic that might be sent or received.

  5. Select Default Dialback Mode and press Enter.

    a. Select one of the following modes:

      • No Dialback Allowed---Dialback is globally disabled for all users. You can configure specific users for dialback. Skip to Step 7.
      • Allow User to Request Dialback to Any Number---The user can request remote access to dial back to any number specified at connection time. Continue with Step 5.b.
      • Force Dialback to a Caller-Specified Number---Users are required to use the dialback feature. The dialback number is not preconfigured on remote access; the user specifies the dialback number at connection time. Continue with Step 5.b.

    b. Specify a port for dialing back.

      To have remote access dial back on the same port that the caller used to dial in, select Use Dial-In Port for Dialback and specify Yes. Specify No to have remote access dial back on a different port. Dialing back on a different port is useful if, for example, users dial in on a 1-800 line, and you want to keep that line free for other users. If you specify No, you must specify a dialback port group.

      To have remote access dial back to a port group, select Dialback Port Group, press Enter, and specify a port group. Select a dialback port group if you specified to have remote access dial back on a different port.

  6. Specify the following dialback parameters:

    • Dialback Wait Time---Specifies the amount of time, in seconds, that remote access waits before attempting to dial back. Enter a value between 0 and 3,600. The default is 30 seconds.
    • Dialback Busy Retry Count---Specifies the number of times remote access retries a failed dialback operation. Enter a value between 0 and 100. The default is 3.
    • Dialback Busy Retry Interval---Specifies the amount of time, in seconds, that remote access waits between redials. Enter a value between 0 and 3,600. The default is 30 seconds.

  7. Select Dial-out Restrictions and press Enter.

    A list of authorized dial-out numbers is displayed. Initially, the list shows the default, Any Number, indicating that users can dial out to any number.

  8. Press Ins and enter a dial-out number.

    If you only want certain users to dial out, enter an invalid phone number here, then enter valid numbers for individual users to enable them to dial out. Refer to "User-Specific Remote Access Security".

    Press Ins again to enter another number. You can add or delete telephone numbers. Use the F5 key to delete multiple entries. Deleting the last number on the list redisplays the Any Number option.

  9. Press Esc to exit and save your global security settings.


Setting Remote Client Passwords

The Remote Client password is required to establish a connection, and the NetWare password is required for logging in to the NetWare network. Both passwords are specified for the same username.

You can set Remote Client passwords for the following types of callers:

You assign Remote Client passwords initially and can later allow callers to choose and change their own passwords. Remote access has Windows and Macintosh tools to enable users to change their passwords. Refer to the Novell Internet Access Server 4.1 remote access online help for more information about these tools. Refer to Setting Remote Access User Parameters for more information on using the NetWare Administrator utility to assign and change Remote Client passwords.

NOTE:  After the connection is established, ARA 2.0 clients can use the ARA 2.0 client software to modify the passwords set by the administrator. ARA 1.0 clients, however, must run the Macintosh Set Remote Client Passwords utility to modify the administrator-specified password.

Enhance security for Remote Client passwords by requiring the following:

To set Remote Client passwords, complete the following steps:

  1. Select Configure Security from the Remote Access Options window.

    The Configure Security window is displayed.

  2. Select Set User Remote Client Password.

    A list of authorized users is displayed.

    If users are distributed over multiple contexts, select the double period (..) to move up the Directory tree to a common branch. Select any other container object to move down the tree.

    If the CONNECT object does not have Browse rights to move up the Directory tree, press Ins and enter the new Directory context. This allows you to jump to another branch of the tree where the CONNECT object does have rights.

  3. Select a username.

    The current status of the user's password is displayed, for example, never set or expired.

  4. Enter a password.

    The password must be alphanumeric and can contain up to 16 characters. The password is case-sensitive.

    NOTE:  You must enable password restrictions in order to specify passwords longer than 8 characters. Refer to Setting Password Restrictions for more information.

    You can configure user passwords if the CONNECT object, in addition to having Browse and Read attribute rights, has Write attribute rights to the container.

    NOTE:  The Remote Client password is less secure than the NetWare password. Make sure it is not the same as the NetWare password.

  5. Reenter the password.

  6. Press Esc to save your changes.

  7. Distribute the passwords to the corresponding users.

A user must enter this password to establish an initial connection with remote access.

An NCS dial-in user is prompted for a Remote Client password when dialing into remote access. If no Remote Client password is defined for this user, access will be denied.

NOTE:  An undefined password is not the same as a NULL password. If the password is set to NULL, the user must press Enter when prompted for a password.

The Service Selector indicates when a Remote Client password has expired and enables the NCS dial-in user to change the password at login time.


Setting Password Restrictions

To set password restrictions on Remote Client passwords, complete the following steps:

  1. Select Configure Security from the Remote Access Options window.

    The Configure Security window is displayed.

  2. Select Set Remote Client Password Restrictions.

  3. Select Enable Long Passwords, then specify Yes or No to enable or disable this option.

    NOTE:  You cannot disable the long passwords feature once you have enabled it. If you enable long passwords, you must upgrade all your servers to Novell Internet Access Server 4.1. Users will no longer be able to use NetWare Connect 2.0. You must also set the Enable Long Passwords parameter on each server.

  4. Enter a value between -1 and 20 for the Maximum Invalid Login Attempts parameter.

    This sets the number of times the user can enter the wrong password before being disconnected. The Remote Client password is disabled and cannot be used after the specified number of failed tries. The default of -1 allows the user to reenter an incorrect password indefinitely.

  5. Enter a value between -1 and 16 for the Set Minimum Password Length parameter.

    This sets the minimum number of characters for a password. The change takes effect the next time the password is set. To increase security, have users specify passwords of five or more characters. The default of -1 means no limit is set.

  6. Press Esc to save your changes.
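
The following added example (not part of the Novell documentation) checks a set of values from Setting Global Security and Setting Password Restrictions against the ranges and -1 meanings given on this page. The dictionary keys and both sample configurations are hypothetical, since the utility has no such export format.

```python
# Added example: keys are hypothetical labels for the menu parameters on this page.
# name -> (min, max, meaning of -1, or None where -1 is not a valid value)
LIMITS = {
    "default_max_connection_time_min": (-1, 100_000, "connections may last indefinitely"),
    "idle_time_before_disconnection_min": (-1, 100_000, "idle timer is not set"),
    "max_invalid_login_attempts": (-1, 20, "wrong passwords can be retried indefinitely"),
    "min_password_length": (-1, 16, "no minimum password length"),
    "dialback_wait_time_s": (0, 3600, None),
    "dialback_busy_retry_count": (0, 100, None),
    "dialback_busy_retry_interval_s": (0, 3600, None),
}

def audit(settings):
    """Return (severity, parameter, message) findings for one server's settings."""
    findings = []
    for name, (low, high, unlimited) in LIMITS.items():
        value = settings[name]
        if not low <= value <= high:
            findings.append(("ERROR", name, f"{value} is outside {low}..{high}"))
        elif value == -1 and unlimited:
            findings.append(("WARN", name, unlimited))
    min_len = settings["min_password_length"]
    if 0 <= min_len < 5:
        findings.append(("WARN", "min_password_length",
                         "page suggests five or more characters"))
    # Inferred from the note that passwords over 8 characters need long passwords.
    if min_len > 8 and not settings["enable_long_passwords"]:
        findings.append(("ERROR", "min_password_length",
                         "lengths above 8 need Enable Long Passwords"))
    if not settings["dial_out_numbers"]:  # empty list models "Any Number"
        findings.append(("WARN", "dial_out_numbers", "users can dial out to any number"))
    return findings

# Constructed samples: every -1 sentinel left in place, then a restricted setup.
SAMPLE_WEAK = {
    "default_max_connection_time_min": -1, "idle_time_before_disconnection_min": -1,
    "max_invalid_login_attempts": -1, "min_password_length": -1,
    "dialback_wait_time_s": 30, "dialback_busy_retry_count": 3,
    "dialback_busy_retry_interval_s": 30,
    "enable_long_passwords": False, "dial_out_numbers": [],
}
SAMPLE_RESTRICTED = dict(
    SAMPLE_WEAK, default_max_connection_time_min=0,
    idle_time_before_disconnection_min=15, max_invalid_login_attempts=3,
    min_password_length=8, dial_out_numbers=["5550100"])

if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_WEAK):
        print(f"{severity:5} {name}: {message}")
```
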


Allowing Users to Change Passwords

You can allow or disallow users to change their passwords. If you allow users to change passwords, you can increase password security by requiring them to change passwords periodically. Refer to User-Specific Remote Access Security for information on how to do this.

NOTE:  The user has a grace login limit of three logins after a password has expired. During this grace period, the password must be reset or changed by either the user or the administrator. NCS dial-in users can see the number of grace logins remaining if their passwords have expired during authentication with the Service Selector.

Remote access has Windows tools that enable users to change their Remote Client passwords and Windows and Macintosh tools that enable users to check for the remaining number of grace logins. Refer to the Novell Internet Access Server 4.1 remote access online help for more information. Refer to Remote Access Parameters in NetWare Administrator for more information on using the NetWare Administrator utility to assign and change Remote Client passwords.

The Service Selector also has a menu option for changing the Remote Client password. This option is available to NCS dial-in users or PPP dialers using the Terminal Window After Dial-in option.


Configuring for Third-Party Security

To configure for third-party security, complete the following steps:

  1. Install the third-party security product. Follow the installation steps in the product documentation.

  2. Select Set Third-Party Security Parameters from the Configure Security window.

    NOTE:  The Set Third-Party Security Parameters option is displayed only if a third-party security product is installed.

    The Third-Party Security Parameters window is displayed.

  3. Select Enable Third-Party Security and specify Yes.

  4. Select Security Product Name, press Ins, then select a name from the list.

    NOTE:  When you install a third-party security product for remote access, the name of the third-party security product will remain in the Security Product Name list even after you have removed it.

  5. Select Apply Third-Party Security to Direct-Connect Ports and specify Yes or No, depending on your configuration.

    If you select No, third-party security will be enforced only for dial-in ports with modems attached. If you select Yes, third-party security will be enforced for all dial-in ports.

  6. Press Esc to save your changes.

Third-party security is now enabled.


