------------------------------------------------------------
NOVCONSF.DOC -- 19960318 -- The Comp.Os.Netware.Security Faq
------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

comp.os.netware.security Frequently Asked Questions

Fauzan Mirza
F.U.Mirza@sheffield.ac.uk

This is a draft FAQ list for the comp.os.netware.security newsgroup.
Its intent is to provide answers to questions asked by those who are
merely interested in Novell NetWare, and also to provide help for those
who are concerned about the security of their network.

I am not affiliated with Novell in any way, and I have taken it upon
myself to produce this FAQ. My experience with Novell NetWare is that of
a programmer and administrator, with a keen interest in computer
security. I don't hold any Novell qualifications.

At the moment, this FAQ is oriented towards Novell NetWare 2/3.

Please send any comments, contributions, or notification of errors to
the author.

Thanks to the following people for improvements or additions:

    Fons Botman
    Bob Janacek
    Brian Flynn

------------------------------

Subject: TABLE OF CONTENTS

Section 1: Basic Information
  1.01 - Where are passwords stored?
  1.02 - Is the execute-only flag secure?
  1.03 - Can a packet-sniffer capture passwords?
  1.04 - Can the server be infected with a computer virus?
  1.05 - What auditing functions does Accounting provide?
  1.06 - What are trustees and trustee rights?
  1.07 - What are groups?

Section 2: Software
  2.01 - What is HACK.EXE?
  2.02 - What is NOVELBFH.EXE?
  2.03 - How do I use SECURITY?
  2.04 - Vendor security addons

Section 3: Help
  3.01 - How do I secure the server?
  3.02 - I've lost the Supervisor password.
  3.03 - I've deleted the user Admin.
  3.04 - I've revoked my own rights from this subdirectory.
  3.05 - Supervisor has been locked out.
------------------------------

Subject: Section 1: Basic Information

This section gives information on how Novell NetWare operates, and
explains some basic security concepts.

------------------------------

Subject: 1.01 - Where are passwords stored?

NetWare: 2,3

Passwords are stored in encrypted form in the NET$BVAL.SYS bindery file.
It is not possible to decrypt passwords, although brute force crackers
have been written which operate on the bindery.

The bindery files are stored in the SYS:SYSTEM directory, and should not
be accessible by any non-Supervisor user. The SECURITY utility will
detect excessive rights in SYS:SYSTEM.

------------------------------

Subject: 1.02 - Is the execute-only flag secure?

NetWare: 3

No. It is sufficient to prevent casual copying of executables, but
software exists which will allow any user to copy X flagged files.

The X flag cannot be removed from files, so it is a good measure against
computer viruses. However, virus scanners cannot read X flagged files, so
infected X flagged files will be difficult to detect.

Wolfgang Schreiber wrote a utility called X-AWAY, available from
ftp.novell.de, which enables a Supervisor-equivalent user to copy X
flagged files. X-AWAY is deliberately crippled to prevent non-Supervisor
users from copying programs.

------------------------------

Subject: 1.03 - Can a packet-sniffer capture passwords?

NetWare: 2,3

Since Novell NetWare 3, passwords are sent to the server encrypted using
a hashing function. The three password functions (Login, Change
password, Verify password) have a pretty secure protocol, such that the
information gathered by packet sniffers cannot be used to reconstruct
the event or determine the password.

Some very old software uses the NetWare 2 unencrypted password calls.
These can be captured and used, since these passwords are sent in
plaintext.

Packet sniffers can capture just about all other information that is
transmitted on the LAN. This includes telnet/ftp passwords, etc.
------------------------------

Subject: 1.04 - Can the server be infected with a computer virus?

Since the server does not run DOS, it is immune from file viruses.
Servers are vulnerable to boot viruses, however, and these can be avoided
by not booting the server from floppy disks.

The server can be used to spread viruses, since workstations may execute
infected software from the server and thus infect local hard disks,
floppy disks, and so on. If possible, do not allow users to have write
access to the executables on the server.

A number of anti-virus utilities exist for Novell NetWare, including
Dr Solomon's Anti Virus Toolkit, McAfee Associates' NETSCAN, and Data
Fellows Ltd's F-PROT Professional.

------------------------------

Subject: 1.05 - What auditing functions does Accounting provide?

NetWare: 3

Accounting is used to track logins and can be used to track (and put
limits on) use of server resources.

By default, accounting is not active. The supervisor must switch it on
using the SYSCON utility.

------------------------------

Subject: 1.06 - What are trustees and trustee rights?

NetWare: 2,3

A trustee is any user or group that has been granted access rights in a
directory. The access rights in Novell NetWare 2 are slightly different
from the ones in NetWare 3. The following is a summary of access rights
for NetWare 3.

  S - Supervisory. Any user with supervisory rights in a directory will
      automatically inherit all other rights, regardless of whether they
      have been explicitly granted or not. Supervisor-equivalent accounts
      will hold this access right in every directory.

  R - Read. Enables users to read files.

  C - Create. Enables users to create files and directories. Unless they
      also have write access, they will not be able to edit files which
      have been created.

  W - Write. Enables users to make changes to files. Unless they also
      have create access, they may not be able to edit files, since the
      write operation can only be used to extend files (not truncate
      them, which file editors need to do).

  E - Erase. Enables users to erase files and remove directories.

  M - Modify. Enables users to modify file attributes.

  F - File scan. Enables users to see file and directory information. If
      a user does not have file scan rights, they will not see any
      evidence of such files existing.

  A - Access control. Enables users to change trustee rights. They will
      be able to add other users as trustees, remove trustees, and
      grant/revoke specific rights from users. The only caveat of access
      control is that it is possible for users to remove themselves (as
      trustees) from directories, thus losing all access control.

In addition to trustees and access rights, there is a concept of
inherited rights, which means that users inherit rights from parent
directories. For example, if user ALICE has rights [CWEM] in a
directory, and she has [RF] rights in the parent directory, then she
will have [RCWEMF] rights as a result of the inherited rights. This will
only work if one of the rights that ALICE has in the two directories is
granted to a group; if both are granted to her directly, she will lose
the rights of the parent.

------------------------------

Subject: 1.07 - What are groups?

NetWare: 2,3

Groups are an object type which allows users to be grouped together for
various purposes. The main interest in this is to maintain security, by
granting access rights to groups instead of individual users.

By default, all users are in a group called EVERYONE. If you grant [RF]
to group EVERYONE in a directory, then every user in that group will
hold those rights in that directory.

Some software also makes use of groups (for example, Pegasus Mail does
not run if the user is in group NOMAIL).

------------------------------

Subject: Section 2: Software

This section describes the purpose and use of some software.
------------------------------

Subject: 2.01 - What is HACK.EXE?

NetWare: 3

HACK is a program, written at Leiden University in the Netherlands,
which exploits the lack of packet authentication in early versions of
NetWare 3. It enabled a user to pose as a more privileged client by
sending requests to the server with fake source addresses. If SUPERVISOR
is logged on, it attempts to send a single packet to the server
requesting it to add Supervisor-equivalency to the account it is being
run from.

Novell released updated versions of the server and client software which
add packet authentication (using a feature called NCP packet signatures).
The software is available from ftp.novell.com. NetWare 3.12 includes the
updated software, but the administrator still has to set the correct
packet signature level on both server and workstations.

With NCP packet signatures active, any attempt to forge packets to the
server will result in a message on the server console, in the error log,
and sent to the affected client.

------------------------------

Subject: 2.02 - What is NOVELBFH.EXE?

NetWare: 2,3

NOVELBFH, Novell Brute Force Hacker, is a program written by DGE Alofs
in Holland. It is a menu driven program that attempts to crack accounts
by using the verify password function and trying various guesses for
the password.

The password checking is done using the unencrypted password call, so
this program can be rendered useless on NetWare 3 by disabling the
unencrypted password call at the server (this is the default).

------------------------------

Subject: 2.03 - How do I use SECURITY?

NetWare: 3

SECURITY is the standard security auditing utility, supplied with
NetWare. It is found in the SYS:SYSTEM directory, and needs to be run by
a Supervisor-equivalent user.

------------------------------

Subject: 2.04 - Vendor security addons

Administrators may be interested in products which are available to
improve network security.
This section will eventually be a list of such products. Please submit
your product descriptions to the FAQ maintainer.

STOPLIGHT LAN - StopLight LAN integrates with NetWare to provide network
and workstation security enhancements. It provides workstation access
control, keyboard lock, trustee assignments for local and network
drives, file encryption, local drive disable during network use, floppy
drive disable, software piracy prevention, central installation and
management from the network, and Windows administration. 13K memory
overhead required. Download from http://www.safe.net/safety or
ftp://ftp.safe.net/pub/safetynet/sllan.exe

------------------------------

Subject: Section 3: Help

This section gives solutions to common problems.

------------------------------

Subject: 3.01 - How do I secure the server?

NetWare: 3

The most important rule is to lock the server console. At least one
method has been posted a couple of times which explains how to switch
off password verification using the server's internal debugger. Anyone
with console access can obtain supervisor access.

Place any useful NLMs in SYS:SYSTEM and then add the following line to
AUTOEXEC.NCF:

    SECURE CONSOLE

Disable use of unencrypted passwords. Either type the following at the
console, or add it to AUTOEXEC.NCF:

    SET ALLOW UNENCRYPTED PASSWORDS = OFF

If you have NCP packet signatures installed, add the following line to
AUTOEXEC.NCF:

    SET NCP PACKET SIGNATURE OPTION = 3

Use a password different from the Supervisor password for RCONSOLE.

Load the MONITOR NLM and lock the console.

Remember that access to the backups is just as bad as access to the
server. Keep the backups secure too.

Some other suggestions:

  - Limit the number of Supervisor accounts (not too many, but keep at
    least one, unless using the SUPER utility described below).
  - Enable intruder detection and lockout.
  - Require unique passwords on all accounts.
  - Login as Supervisor as little as possible.
Use the SUPER.EXE program, written by Wolfgang Schreiber, which will
toggle instant supervisor-equivalency for a user. This isn't a loophole,
since some preparation has to be done on the accounts which should be
able to gain supervisor-equivalency, and those accounts will be reported
by the SECURITY utility. SUPER is available from NetWire (look on
ftp.novell.de or ftp.novell.com).

------------------------------

Subject: 3.02 - I've lost the Supervisor password.

NetWare: 2,3

The following method is used to obtain the supervisor account on NetWare
2. It will work on NetWare 3, but there is an easier way, which follows.
The following is fairly complicated, and is not recommended for
beginners.

  1. Reboot the server and load DOS.
  2. Use a disk editor to examine the Novell partition and locate the
     directory entries for the bindery files (NET$BIND.SYS and
     NET$BVAL.SYS).
  3. Check for backup copies of the bindery with extension OLD (i.e.
     NET$BIND.OLD and NET$BVAL.OLD). If you find them, change their
     extension to XXZ.
  4. Change the SYS extension to OLD.
  5. Restart the server. It will create a new bindery with SUPERVISOR
     and GUEST accounts, both without passwords.
  6. Login as SUPERVISOR and run BINDREST to restore the old bindery.
  7. Change the SUPERVISOR password.

On NetWare 3, there are a number of NLMs which will reset the supervisor
password (SETPWD and SETSPASS) or create supervisor-equivalent accounts
(BURGLAR). SETPWD is available by anonymous ftp from netlab2.usu.edu.

In general, you should have at least one supervisor-equivalent account
(see section 3.01).

------------------------------

Subject: 3.03 - I've deleted the user Admin.

NetWare: 4

This answer was provided by Mattman (mdrobel@novell.com) in an article
posted on comp.os.netware.security.

If you don't have a backup, you can do two things:

  1. Reinstall Directory Services. I would recommend this option only if
     you don't have a lot of NDS objects and rights set up.
  2. If you have another user with Admin or equivalent rights, it's easy
     to recreate the Admin user object and give him the rights he had
     before. Those rights would be: make him a trustee of [Root] and
     give him supervisory object and property rights.

------------------------------

Subject: 3.04 - I've revoked my own rights from this subdirectory.

NetWare: 3

A common mistake is to revoke your own access control rights in a
directory. If you have access control rights in a parent directory, you
can regain the access rights that you lost.

Example: if user ALICE has [RCWEMFA] in USR:ALICE/ but accidentally
revoked access control in the subdirectory PROJECTS (let's just say she
now has [RF] in USR:ALICE/PROJECTS/), she would not be able to simply
use GRANT to get the rights back, because she has insufficient rights.

To recover access control:

  1. Check which groups you are in (or equivalent to).

         WHOAMI /S

  2. Pick a group and grant access rights to that group in the parent.

         GRANT A TO EVERYONE FOR USR:ALICE

  3. You should now have access control in the subdirectory.

         CD PROJECTS

  4. List the trustees and remove the one which caused the problem.

         TLIST
         REMOVE ALICE FROM USR:ALICE/PROJECTS

  5. Remove the rights of the group from the parent directory.

         REMOVE EVERYONE FROM USR:ALICE

------------------------------

Subject: 3.05 - Supervisor has been locked out.

NetWare: 3

If the Supervisor account cannot login due to intruder detection, you
can restore login status by entering ENABLE LOGIN at the server console.
This will only work for the SUPERVISOR account.

------------------------------
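The inheritance rule from 1.06 and the recovery procedure from 3.04, worked through in an added example that is not part of the original FAQ and is not NetWare or Novell code. The Volume class, parent_of and the path strings are a constructed, simplified model of the behaviour the FAQ describes (explicit assignment wins, otherwise a trustee inherits from the parent; a user's effective rights are the union over the user and the groups, with S implying everything).

```python
# Model of NetWare 3 trustee rights as the FAQ describes them (1.06 and 3.04).
# Constructed illustration for this FAQ, not NetWare or Novell code.
RIGHTS = "SRCWEMFA"  # Supervisory Read Create Write Erase Modify Filescan Access

def parent_of(path):  # 'USR:ALICE/PROJECTS' -> 'USR:ALICE' -> 'USR:' -> None
    vol, _, dirs = path.partition(":")
    return None if not dirs else vol + ":" + dirs.rpartition("/")[0]

class Volume:
    def __init__(self):
        self.trustees = {}  # path -> {trustee (user or group): set of rights}
    def grant(self, rights, trustee, path):  # like GRANT ... TO ... FOR ...
        self.trustees.setdefault(path, {})[trustee] = set(rights)
    def remove(self, trustee, path):  # like REMOVE ... FROM ...
        self.trustees.get(path, {}).pop(trustee, None)
    def _chain(self, trustee, path):
        # Explicit assignment here, else whatever the trustee holds in the parent.
        while path is not None:
            explicit = self.trustees.get(path, {}).get(trustee)
            if explicit is not None:
                return explicit
            path = parent_of(path)
        return set()
    def effective(self, user, path, groups=("EVERYONE",)):
        # Union of the user's own chain and each group's chain; S implies all.
        held = set().union(*(self._chain(n, path) for n in {user, *groups}))
        return RIGHTS if "S" in held else "".join(r for r in RIGHTS if r in held)

def inheritance_cases():
    # 1.06: [RF] in the parent plus [CWEM] in the subdirectory, two ways.
    via_group, direct = Volume(), Volume()
    via_group.grant("RF", "EVERYONE", "USR:ALICE")
    via_group.grant("CWEM", "ALICE", "USR:ALICE/PROJECTS")
    direct.grant("RF", "ALICE", "USR:ALICE")  # both rights granted to ALICE herself
    direct.grant("CWEM", "ALICE", "USR:ALICE/PROJECTS")
    return (via_group.effective("ALICE", "USR:ALICE/PROJECTS"),
            direct.effective("ALICE", "USR:ALICE/PROJECTS"))

def recovery_steps():
    # 3.04: ALICE holds [RCWEMFA] in USR:ALICE but only [RF] in PROJECTS.
    v, sub = Volume(), "USR:ALICE/PROJECTS"
    v.grant("RCWEMFA", "ALICE", "USR:ALICE")
    v.grant("RF", "ALICE", sub)
    seen = [v.effective("ALICE", sub)]
    v.grant("A", "EVERYONE", "USR:ALICE")  # GRANT A TO EVERYONE FOR USR:ALICE
    seen.append(v.effective("ALICE", sub))
    v.remove("ALICE", sub)                 # REMOVE ALICE FROM USR:ALICE/PROJECTS
    seen.append(v.effective("ALICE", sub))
    v.remove("EVERYONE", "USR:ALICE")      # REMOVE EVERYONE FROM USR:ALICE
    seen.append(v.effective("ALICE", sub))
    return seen
```

inheritance_cases() returns ("RCWEMF", "CWEM"), the two outcomes 1.06 describes, and recovery_steps() shows ALICE's effective rights in PROJECTS going from "RF" to "RFA" once EVERYONE holds A in the parent, and to "RCWEMFA" once her own blocking assignment is removed.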