-------------------------------------------------------------------
SECURTY3.DOC -- 19980329 -- Email thread on NetWare Security Issues
-------------------------------------------------------------------

Feel free to add or edit this document and then email it back to
faq@jelyon.com

Date: Tue, 20 Jan 1998 20:48:56 +0200
From: Jirka Hanika
Subject: Re: Office97 on Server...Again

>or not (default is not save) to accommodate rebooting after a crash.
>Volume User: has 800MB capacity and thus each user has much elasticity
>but all share the capacity. Sharing makes far better use of common
>resources, with the known danger of a hog consuming all.
> Takeaway/permanent storage is via floppy disks.
> Joe D.

OK. What about the following scheme.

The users are requested to go within at most 2 MB, unlimited space
during login time. No quotas are used (alternatively, quotas like
100 MB to block a single runaway program from filling up all the
space).

Thrice a year, at random moments, or whenever the space fills up, the
supervisor asks for a sorted list of trespassers and the 10 "winners"
(per 1000 users, they will surely range from ten to fifty MB, but most
people will stay deep under the 2 MB allowed) will be punished with a
REAL 2 MB limit for one year. They're forced to tidy up within one
month, lest their account is disabled and/or data brutally deleted.

Users who think they really need more than 2 MB may politely ask and
explain the reasons and they will be allowed to use legally, say,
10 MB for the period of time specified. This is easy to handle as
there're very few people who have sound reasons for more space, among
a few thousand users here. USU is bigger, so this last rule will not
be feasible there, unless handled automatically.

This works OK for us. I believe the server space is more reliable than
personal diskettes, even when the users choose to save everything to
four different pieces.
------------------------------

Date: Wed, 28 Jan 1998 12:06:29 -0400
From: Michael Prosise
Subject: Re: Win95 Netware Security Issue

>>A couple of my colleagues have reported the following incidents
>>while installing new Win95 pc on our 4.1 netware lan.
>>
>>The Client 32 Novell software is installed on a netware server, the
>>procedure is to connect to the server using Microsoft's Client for
>>netware and run the client 32 setup software from the server, it
>>deletes the microsoft client and installs Novell's client 32
>>software. On some occasions when they have just the microsoft
>>client installed they have double clicked on the server icon in
>>network neighbourhood and rather than the software asking them to
>>log in it just attaches to the server with full supervisory
>>rights....I didn't believe it when I heard it first but I now have 2
>>independent reports on this happening... any ideas.

The Micro$oft client allows you to save passwords in a .pwl file. By
default this is on. If an administrator goes to a workstation that is
already logged in by the user and attaches to another server using a
supervisory account, the password will be saved unless he/she
unselects the option. From that point on that user will be able to
access that server with admin priv's.

A quick way to remedy this is to find the .pwl file and delete it.
They're located under c:\windows and start with the user id, ie
jsmith.pwl.

------------------------------

Date: Wed, 18 Feb 1998 01:25:51 -0800
From: Randy Richardson
Subject: Re: security - merge admin and edu trees into one network??

>not asking for details on how to , but rather experience on this matter and
>advice as far as security considerations, and, if you were in my position,
>would you put your job on the line with your response

With my experience, I would jump at this opportunity. I don't know how
much experience you have, but consultants and books can be very helpful.
Being familiar with the FAQ (from this list) and the Novell
KnowledgeBase are highly recommended. A proper tape backup system,
with tapes being cycled off site, is usually a requirement, and also
highly recommended.

>i have been requested to merge or move our entire campus (at least the main
>site) into one NDS tree

This will reduce administrative costs in the long-run. It's a good
idea.

>our ADMIN and EDU networks are totally separated by routers (ADMIN is
>netware 3.x, EDU is INW4 NDS) and one network does not see the other using
>routers
>
>my approach in the past has been to keep EDU computer labs and ADMIN
>networks separate, as that reduces security problems ( maybe i am behind
>the times here in this thinking)

Enabling SECURE.NCF is one of the steps to enabling C2 security mode.
See the following URLs for more details on C2 security:

    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2932708
    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2921494
    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2915939
    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2915938
    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2915935

"Creating a Secure Network Management Environment While Utilizing
Novell's ManageWise Product:"

    http://support.novell.com/cgi-bin/search/tidfinder.cgi?2915082

Some documents pertaining to NetWare 4.0, which may also be useful:

    http://support.novell.com/cgi-bin/search/tidfinder.cgi?13466
    http://support.novell.com/cgi-bin/search/tidfinder.cgi?13817

>we will soon implement groupwise 5.x for the entire campus ( about 1000
>email users)
>
>of course, having separate networks is a problem

Upgrading the NetWare 3.x system to IntranetWare 4.11 as well will
definitely be helpful.

>the consultant i met with today advises we open up the routers ( put all
>onto one campus network) and move to an NDS model for security

The consultant is right about using NDS for security, just be sure
there is lots of planning and testing involved.
You can also search the internet for hacker-related sites that
specifically go after NetWare (you can bet your students will be doing
this), and make sure those tricks are all defeated as well. Most of
them are out-dated by new versions of the OS, C2 mode, or patches, but
it's worth checking up on regularly just to be sure.

>we are willing to start over from scratch here, as i have administrative
>backing for providing a proper NDS foundation

I think Novell is interested in "success stories," you may want to let
them know what you're up to and ask them for suggestions as well.

>the consultant ( this was a brief meeting, and we have not looked at
>details) advised that possibly we have one tree and implement container
>level security by restricting the browse right in each container (ADMIN and
>EDU are simple examples)

Partitions and Replicas, and those sorts of things will help you
optimize backbone traffic and maximize network performance. I've come
across a really good book:

    NDS Troubleshooting
    Peter Kuo and Jim Henderson
    New Riders Publishing
    Copyright date: 1995
    ISBN 1-56205-443-0

>is this an adequate security model???
>what is the security model for an NDS campus with both ADMIN and EDU
>networks that want to use groupwise for centralized messaging??

Have you considered setting up two GroupWise servers, just to look at
the alternatives? It might be good to have one EMail server for
administration, and the other for students since the students are
likely to send large files over EMail and generate a lot of traffic.

>please respond if you have experience with this type of security or
>consolidation problem

[Snip]

I'm curious, approximately how many workstations will be connected
altogether?

------------------------------

Date: Thu, 5 Mar 1998 21:41:41 -0800
From: Randy Richardson
Subject: Re: Tunnel between Servers

>I'm trying to establish an IP Tunnel between two 4.11 file servers. I've
>loaded TCP/IP and configured the tunnel at each end, but I can't get the
>two servers to see each other.

I have IP Tunnelling set up between lots of IntranetWare 4.11 servers
all over the internet. The snag that got me the first time I set up IP
Tunnel was that I didn't define "Remote Peers:"

    1.  :Load INetCfg.NLM
    2.  Protocols
    3.  IPX
    4a. Enable "Tunnel IP Through IPX"
    4b. Tunnel Configuration
    5.  Remote Peers

The "Remote Peers" list contains the IP addresses of servers which are
authorized to communicate via IP Tunnel. You'll need to set up the
address of the other server here, and you'll have to do this on both
servers, respectively.

------------------------------

Date: Wed, 11 Mar 1998 15:08:09 -0500
From: Jayson Agagnier
Subject: Re: Security - blocking data access - long reply

>Is it possible to block access to a specific directory on a volume from
>everyone including admin when Admin has supervisor access to the root of the
>volume?
>
>I have a system where the HR data is on DATA:files\hr. Is there any way
>to block the admin account and equivalents from access to this data? I'm
>thinking that to accomplish this, I'd need to add another volume to the
>server, put that volume in the HR container, give somebody in that container
>admin rights to the volume object and then block NDS rights to that
>container.

There is no higher object than Admin that can be used to control
volume, directory and file access. Users can have certain rights to
various objects, at some point someone will need Supervisory rights to
the HR objects so administration work can be performed.

In addition, most network backup/restore packages need to work either
logged in as the Admin user or an Admin equivalent. Barring Admin from
certain objects could prevent data restores from being performed in
the event of a disaster.

If you're not comfortable with your Administrator, talk to him about
it, try to work something out.
If someone in HR is not comfortable with the Administrator, again some
communication is needed.

I would also suggest that your company pay for the Administrator(s) to
become members of USENIX and SAGE (System Administrators' Guild) more
info. can be found at www.usenix.org. It would be a good idea to
present the SAGE Code of Ethics
http://www.usenix.org/sage/publications/code_of_ethics.html
to whomever is uncomfortable with the current Admin situation.

A new corporate policy could then be adopted based on the SAGE Code of
Ethics and the Administrators could sign on to that policy. Once such
a policy is in place, the executives will know exactly what the duties
and boundaries of a sys. admin. are, and the admins. will know that
they are entrusted to manage whatever sensitive data reside on the
server with diligence.

Remember, thousands of sys admins work with sensitive data every day,
and they perform their work with due diligence, if you cannot trust
your sys admins who can you trust?

Feel free to e-mail me if you have any questions about this, I have
worked with many companies in implementing such policies, and all
parties involved have expressed satisfaction.

------------------------------

Date: Wed, 11 Mar 1998 16:08:38 -0700
From: Joe Doupnik
Subject: Re: Password decoding

>Does anyone know of any known crack/hacker attempts that would cause
>Netware user account passwords to be extracted/unencrypted from a 3.x
>bindery (or 4.x NDS) and viewable?
>
>The reason for asking this is that in the midst of a security review of
>our Netware servers, we have chosen to use the Kane Security Analyst
>(which I think is a great package and is helping us a great deal), which
>analyzes a user's password against a cracker database and alerts you if
>a user's password is easily guessed. I was then asked that since this
>utility obviously views a user's password - who's to say that there
>aren't any Hacker utilities that would do the same and let a hacker view
>an account's password in clear text.
>
>I know that there are other utilities out there that allow you to change
>a user's password but I am just trying to determine how much of a risk
>there is, and if there is a cause for concern, of some hacker gaining
>access to a Netware server from viewing a user's password (extracted
>from the bindery or NDS).
>
>If you know of any such case, or if this is a cause for concern, just
>let me know.
---------
Two important points. First, the tool runs within the server, as an
NLM, right? Two, it does not decode the password material. Instead it
tries dictionary words, encrypts them one-way, and compares the result
with what is in the bindery. It's called a dictionary attack. You
can't do this from outside unless intruder detection is turned off and
infinite retries are permitted and no one notices hours devoted to
this activity. There is no extraction, no decryption, involved. You
will also discover that a LOT of cpu cycles go into dictionary attack
NLMs.

Getting at the bindery files is not possible unless you have given
users rights to sys:system or have given away the password to
Rconsole.

Risks from unwanted attackers are zilch unless you let them run NLMs
or open connections with no limits as described above. Risks from
merely guessing likely passwords are very much higher. This is one
reason that on ALL machines users are encouraged to avoid dictionary
words and their common permutations and to impose a long minimum
length and expire them periodically.

Basic security is a good thing to read up on. There are lots of books
and even a couple of News groups. To see how frail MS products are on
security point your web browser to
http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt

Joe D.
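
[Added example, not part of the original thread: the server-side audit
described in the reply above (hash each dictionary word one-way and
compare it with the stored value) next to the intruder-detection lockout
that stops the same guessing over the network. PBKDF2 stands in for
NetWare's own one-way function as an assumption, and the account names,
passwords, word list and three-failure threshold are constructed.]

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-SHA256 stands in for the server's one-way password function.
ITERATIONS = 20_000

# Constructed word list for the audit; "summer" is deliberately the fifth entry.
WORDLIST = ["password", "netware", "secret", "letmein", "summer", "winter"]


def make_verifier(password, salt):
    """One-way transform: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_store(passwords):
    """Build a constructed account store: user -> (salt, verifier)."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, make_verifier(password, salt))
    return store


def audit_weak_passwords(store, wordlist):
    """Server-side audit: hash each candidate word and compare it with the
    stored verifier. Nothing is decrypted; a match only shows that the
    password was guessable from the word list."""
    weak = []
    for user, (salt, verifier) in store.items():
        for word in wordlist:
            if hmac.compare_digest(make_verifier(word, salt), verifier):
                weak.append(user)
                break
    return sorted(weak)


class LoginGate:
    """Network login path with intruder detection: lock after max_failures."""

    def __init__(self, store, max_failures=3):
        self.store = store
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def try_login(self, user, password):
        if user in self.locked:
            return "locked"  # refused without evaluating the guess at all
        salt, verifier = self.store[user]
        if hmac.compare_digest(make_verifier(password, salt), verifier):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


def simulate_guessing(gate, user, wordlist):
    """Replay the word list through the login path and report how many
    guesses were actually evaluated before success or lockout."""
    evaluated = 0
    for word in wordlist:
        result = gate.try_login(user, word)
        if result == "locked":
            return evaluated, "locked"
        evaluated += 1
        if result == "ok":
            return evaluated, "ok"
    return evaluated, "exhausted"


if __name__ == "__main__":
    # Constructed accounts: one dictionary password, one that is not in the list.
    store = build_store({"jsmith": "summer", "mlee": "t7#Vq-bram-42"})
    print("audit flags:", audit_weak_passwords(store, WORDLIST))
    print("with intruder detection:",
          simulate_guessing(LoginGate(store, 3), "jsmith", WORDLIST))
    print("with unlimited retries:",
          simulate_guessing(LoginGate(store, 10**9), "jsmith", WORDLIST))
```

With the lockout enabled the weak account is locked after three
evaluated guesses, while the same list succeeds on the fifth guess when
retries are unlimited.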
------------------------------

Date: Wed, 11 Mar 1998 23:23:14 -0500
From: Jayson Agagnier
Subject: Re: Password decoding - really, really long reply!

>Does anyone know of any known crack/hacker attempts that would cause
>Netware user account passwords to be extracted/unencrypted from a 3.x
>bindery (or 4.x NDS) and viewable?
>
>The reason for asking this is that in the midst of a security review of
>our Netware servers, we have chosen to use the Kane Security Analyst
>(which I think is a great package and is helping us a great deal), which
>analyzes a user's password against a cracker database and alerts you if
>a user's password is easily guessed. I was then asked that since this
>utility obviously views a user's password - who's to say that there
>aren't any Hacker utilities that would do the same and let a hacker view
>an account's password in clear text.
>
>I know that there are other utilities out there that allow you to change
>a user's password but I am just trying to determine how much of a risk
>there is, and if there is a cause for concern, of some hacker gaining
>access to a Netware server from viewing a user's password (extracted
>from the bindery or NDS).

Ahhh! I have been waiting for someone to ask something like this.

I know I'm going to piss some of you off, too bad! Don't bother
e-mailing or flaming me, I'll just ignore your e-mail, and forever
send any future e-mail you send to e-mail hell!

All semi-competent network administrators should be fully aware of as
many exploits as possible. If you don't know about them, someone does
and you've just placed the network you're responsible for at great
risk. Look at this as education and prevention, not as providing
script kiddies with tools to crack your network with.

NetWare 3.1x
============
Got a guest or generic user account? If so, get rid of it, you have
provided a security hole big enough to drive a Mac truck through.

Got RConsole loaded?
Unload it, the RConsole password encryption scheme is pretty weak. Any
ole Joe with a packet sniffer can capture the rconsole password and
decrypt it (more on this later)

By default sys:etc is [R F] to group everyone, remove it, general
users require limited access to files in sys:public, and their mail
directory in sys:mail. All other directories are for supervisor use
only.

Hack NetWare 3.1x
=================
In a small organization or company the following procedure would be
difficult, but it is stupidly easy in larger corporations. This has
been my single most successful method of owning a foreign network.

Mr. Printer repair man walks in to reception, "Yeah, I'm here to fix
some laser printer in (found some printer location via social hacking
- company policy comes into play here), Mr so and so said he would be
in a meeting, but told me to go up and fix"

"Okay, here is your pass, please sign in"

Well, that was easy, I'm in, I have my nifty little Toshiba Libretto
Pentium 120 palmtop loaded with Win95 and a network sniffer set to
gather specific packets. In this case, RConsole and Supervisor logins.

Go to the printer area, find an empty office, or cubicle. Attach the
palmtop to the under side of the desk with two sided tape (this nifty
box is smaller than some WindowsCE palmtops)! No empty offices, oh
well, then I have to pull out my mini two port hub and plug both the
Libretto and printer into the same port.

If the company is using a switched network, it may take longer to
gather the required packets, if not, they are usually gathered within
a couple of hours. Go back later in the afternoon/next day pick up the
palmtop and start running the cracking programs.

Alternatively one could say they are there to fix a computer and try
logging in with default accounts such as APC, CHEY_ARCHSVR,
WINDOWS_PASSTHRU, TEST, ARCHIVIST, GATEWAY, MAILADM etc. There are
many others, I will not divulge the passwords however, so don't ask!
I'm just letting you know about some commonly tried accounts that are
pretty weak. I have had the most success with APC & CHEY_ARCHSVR.

To crack the Rconsole password you just take the packets, the client
initiated and server response packets, then with a bit of
understanding of how the protocol works, some simple hex math and the
RConsole password will be revealed to you.

Know what? About seven times out of ten (based on my experience), the
password entered will also be the Supervisor password - we're a lazy
lot.

If this is not the case, then you'll have to copy an nlm to the
server, place it in the mail directory of whatever user you logged in
as (guest, APC, etc), this nlm will allow you to have a DOS CLI style
prompt. You can then copy the three bindery files (they do not need to
be closed - this is the really fun part about this) to the same mail
directory. Copy the bindery files to your palmtop, clean up your
track, and happy cracking offsite.

If no generic account access is possible, then ask some one to login
for you (remember, you're Mr. Computer Fix-it guy!) and watch
carefully as they type their password, or install a TSR that will dump
all typed characters to a file. In any case you will soon have the
required files. The longest this procedure has taken me is just over
nine minutes, the quickest was just over two minutes.

Files needed:
    Nwcon
    Bincrack
    Rcon
    BindScan
    Backdoor & B_Login

These tools are widely available on the 'net, if you don't have them
get 'em! Now! Learn how they work, learn how they can be used to
circumvent your current security measures.

NetWare 4.1x
============
Again get rid of rconsole, or at least run remote encrypt (NW 4.10)
and secure.ncf (NW 4.11). You'll have to look at the options in
secure.ncf and set them accordingly.

Most of the above methods work for gaining rconsole access to netware
4.11 server as well (generic accounts etc.)
I usually look for systems running Novell's web server, these are
pretty easy to crack because of all the default settings. Anonymous
user access is usually available if not, again pose as Mr. Computer
Fix-it Guy and get a user to login for you, and watch for the
password.

Once you have captured enough packets, go back to your cave and start
decrypting, once you have the rconsole password, see if the web server
is loaded, if so, load netbasic and type shell, or use jcmd. You can
now access the _netware directory where the NDS files are kept. I
usually create an ncf file that will unload ds.nlm, flag the files,
copy them to a directory I would have access to (love those sys:mail
directories), flag the files back to their original state, load ds,
cover my tracks and I'm out. This takes about a minute or so, some
places have had extraordinary NDS size files and took about five
minutes to complete. The only real problem with this is the unloading
of ds, no authentication can proceed while ds is unloaded, this will
send up a warning flag to any semi-conscious administrator.

Once you have the NDS files, go back to your cave again and run
Pandora (thanks SN) and away you go. You now have complete network
access.

Files needed:
=============
Pandora
JRBUtils

Things to watch out for:

NetWare 3.1x
============
- Remove guest and generic accounts
- Limit concurrent connections to 1
- Never use Supervisor, use supervisor equivs - permits tracking of
  activity
- Load accounting, roll the file on a monthly basis
- Most managers, directors and executives never use a computer other
  than their own desktop, limit their login by network/mac address
- Limit the number of Supervisor concurrent logins to 1
- Review the Supervisor account information and verify the last login
  date/time. If it has been recently used, find out from where
  (accounting)
- Change vendor default passwords whenever possible (APC etc.)
- Set minimum password length to 6, it'll increase the amount of time
  for an offline brute force attack by a couple of days.
- Set passwords to expire every 40 - 60 days. Less than that and most
  users will start writing them on stickies.
- Set NetWare to require unique passwords
- Educate your users on using number somewhere in the middle of the
  password
- Try using creative passwords such as u2r4me, i8a4re, u2knowy etc.
- When users go on vacation disable their accounts
- Set up company policies to help protect against social engineering.
  (Reception, Help Desk)
- Intruder detection should be enabled and set for three attempts max.

NetWare 4.11
============
- Same as above
- Install a decent firewall with options to track data gathering
  activities (port scanning, repetitive login attempts, OOB attacks
  etc)
- Do not load Telnet
- Do not load ftp - it is brain dead
- Run Novonyx Web Server if possible
- Do not permit anonymous connections
- Do not permit NDS browsing outside the company - better yet, not at
  all. That's what NWAdmin is for.
- Do not install netbasic
- Run secure.ncf

Everything I have outlined above has been performed under contract and
fully disclosed to the parties required. Do not ask me for further
details, I cannot and will not provide them.

The files I have mentioned are the bare bone basics, many more exist.
It is better that the network administrator find and understand them
instead of some other party - it is only a matter of time until
someone else will.

I understand that most IS departments are greatly understaffed and
grossly over-worked, you have my sympathies, I was there and just got
tired of executives who only worried about money and overhead. At some
point they will discover that the data on the network is the most
valuable asset the company owns - usually after it has been destroyed
or altered.
A great place to start learning is the Norman Mobile Research Centre
(NMRC) which is located at www.nmrc.org - a great HAQ FAQ for both
NetWare and NT can be downloaded. Some of the tools I mentioned are
on-line there, Pandora was written by Simple Nomad and is a great
package to use as a starter for learning about NDS and possible
exploits.

For other really great places perform a search on altavista for;
"netware hack", "netware crack", "novell hack", "novell crack" the
results will provide more than enough ample sources of information.

Remember this, what I outlined above is pretty vague, works, I do it
for a living, but the biggest threat by far is from current employees
who are disgruntled and about to leave. The best example I came across
was someone who used a couple of the above tools, gained supervisor
access to a database server, used backdoor to create a hidden account.
Then brought in a small computer with a dat drive (Libretto would work
fine with an external DAT drive) and started backing up the entire
client/financial database to DAT and was going to bring it to their
new employer.

The best way to secure a network is to know how it can be compromised.
Test your security from time to time, have someone else try it who is
not intimately familiar with your setup, you get a much less biased
view.

------------------------------

Date: Fri, 13 Mar 1998 15:43:37 -0800
From: Jayson Agagnier
Subject: Re: NDS user database with passwords

>Is it possible to get the NDS user database with passwords exported to a
>text file. I want to create a dialin access list using TACACS+

Pandora will do what you're asking for. Make a backup copy of your NDS
using DSMaint, extract it, run showpass and redirect the output to a
text file.

Pick up a copy of Pandora from www.nmrc.org

------------------------------

Date: Thu, 19 Mar 1998 17:05:41 +1100
From: Scott Marshall
Subject: Re: IPX/IP GATEWAY: Netscape vs. MSIE

>> Has anybody found that netscape navigator seems to work fine with the
>> ipx/ip gateway, whereas Microsoft internet explorer doesn't?
>
>They both worked fine for me the last time I checked, and I had
>applied all the service packs to the system (including IWSP4a.Exe
>and Client32 v2.20).
>
>If you're using an earlier version of Client32, note that v2.20
>actually uses Microsoft's WinSock.DLL which has undocumented API
>functions that aren't supported by third-party WinSock.DLLs.
>
>Be aware of the Internet Explorer security holes (ActiveX
>applets can do OLE stuff that allows the programmer to open
>an MS-DOS prompt, hide the icon from the task bar, and send
>keystrokes such as "format C: Y ", which will
>format the hard drive right under the user's nose).

Oooh! - Nasty!

------------------------------

Date: Fri, 20 Mar 1998 12:35:44 -0700
From: Joe Doupnik
Subject: Re: NW 4.11 replacement for security.exe?

>In Netware 4.11, how can I identify users with more privileges than they
>should have? If someone created themselves a privileged "back door"
>account, can I track it down? Particularly if they've used super.exe or
>some such program to enable swapping their privs on and off.
>
>In Netware 3.11 there was that nice utility, security.exe, that would
>show you all users who had more privileges than "normal". I've tried
>using NWAdmn95 to search for users with ADMIN equivalence, but it fails
>if the person uses super.exe to switch off their privs. Plus it wouldn't
>help if the person making the back door created an account that had
>extra rights and privs, but wasn't simply an admin equivalent. I've
>tried and failed to find any documentation on how to search for users
>based on "Security flags" -- what the heck are security flags and where
>are they documented? Not in the Dynatext online documentation anywhere,
>as far as I can see, nor in numerous Netware 4.11 books that we have
>floating around here. I feel as though I'm missing something obvious.
>Surely this must be a perennial problem, isn't it--how to find back door
>accounts? Surely this is an easy thing to track down, isn't it?
--------
NDS is much more complex than NW 3.1 structures, and much finer
grained too. As openers, username ADMIN can be removed if you wish.
Only beginners define another username as admin-equivalent;
experienced folks give a username the same rights without
equivalences. Many of us try hard to remove all possible bindery
emulation material.

Rights vary depending on the object under investigation, unlike NW 3.
So find trustees of objects and keep in mind inheritance and IRFs. If
you do this thoroughly most wise guys will be spotted, and you will
have grey hair too. The trick is to never let them get started, by
closing all doors at server creation time. If necessary remove and
recreate suspicious users.

The problem isn't perennial because, ah, er, we nip it in the bud when
creating a server.

Joe D.

------------------------------

Date: Fri, 20 Mar 1998 16:41:09 -0500
From: Jerry Shenk
Subject: Re: How can I require login to the server console?

>>Oh my goodness, what a gaping security hole! You are gonna actually allow
>>remote access to your firewall...how HORRIBLE!!! ;) - these security guys
>>won a lot of friends here last week!! Remote access to the firewall was
>>something they specifically would not allow.
>>
>>I'm sure I saw what I'm looking for someplace....probably in the back of
>>some magazine someplace.
>
>The only way someone can access rconsole is through an IPX connection
>from within the firewall. We would never load rs232 or allow any
>kind of telnet or serial connection to our console. To access our
>consoles you need:
>
>1. IPX and the encrypted password on the local net
>2. A key to the server room and the password
>
>I would however be interested in whatever you might find to further
>tighten security

I'll tell you one thing I did learn from this security audit -
BorderManager is tight.
The BM box has three NICs, 1 private and 2 public (different
providers). Each public side has a hub and a Cisco router connected to
a digital line. The 'penetration expert' sat on the external hub and
banged away with all his Linux toys and never cracked a thing. There
were quite a few times when he warned us that the firewall would
probably crash....well, it never did. I think he's used to a firewall
on an NT platform. He never even stopped throughput....granted, things
got a little slow at times but it never stopped and we could turn off
his ports like a switch by setting/removing filters in filtcfg.
Filtcfg isn't exactly the nicest interface but for functionality, I
think it held up well. I guess it would be nice to have a few more
proxies, particularly ftp proxy.

BorderManager failed the ICSA security list recently. I don't know
why.

---------

Date: Sat, 21 Mar 1998 06:05:11 -0500
From: Jerry Shenk
Subject: Re: How can I require login to the server console?

I would think he did. He was talking about packet spoofing and things
like that but when you're doing NAT, I don't believe there's anything
to falsify. I had their system clearly set up with an inside and an
outside. If this had been a firewall between two public segments, I
think there would have been more options for him to try.

About Traceroute - the firewall has 'em blocked. From the inside, it's
possible to traceroute up to the BM box but we're blocking port 7
(echo) and I think that's what traceroute uses (along with DNS for
name resolution but that's not REALLY a part of the traceroute
process). Anyway, the only things we are allowing to be initiated by
anybody on the private side are POP3, SMTP, DNS & SHTTP. Certain
users' IP addresses are entered into the firewall so that they can
receive ftp files. HTTP is handled only through proxy and there is an
outgoing rule that limits that to only specific IP addresses.
I wonder if anybody here knows how BM as a firewall compares in
features with other firewalls (specifically Raptor - that's a name I
hear quite a bit).

------------------------------

Date: Mon, 23 Mar 1998 17:10:55 -0800
From: Randy Richardson
Subject: Security: Falsifying traceroutes

Recently, we've been discussing security on the internet, and the
falsification of routes. Someone recently submitted the following URL
into the error log on my site (probably by appending it to the main
URL):

    http://www.lanman.com/exploits/dns.cache-poison.cname.html

This is obviously an invalid address, but the site seems to have a lot
of very interesting information.

Does anyone know if there is a way to stop this? It doesn't appear to
be the kind of issue a firewall can resolve, but I'm not sure.

------------------------------

Date: Sun, 29 Mar 1998 10:46:52 -0700
From: Joe Doupnik
Subject: Re: server address

>We are running INW with Mercury/PMail
>as email system. I want to allow Mercury to start without asking for
>the password, but for that I do not want to use admin. Hence, I
>created a new user, which is only meant to be used by Mercury.
>Mercury runs fine. But when I want to restrict the user to login only
>to the server by using the address given in the server object, it
>doesn't find the user. I guess that the address I have used then must
>be incorrect. Where do I find the network address of the server?

Station restrictions work on network addresses. IPX address
restrictions have two components: the IPX network of the board in the
server connecting the client, and optionally the MAC address of the
client lan adapter.

NW 3/4/5 servers have an internal network node, MAC address of
000000000001, which is the same value on all servers. Internal node
addresses are not useful for filtering/address restrictions.

Joe D.

------------------------------