Penetration Testing mailing list archives

Re: [PEN-TEST] Novell NetWare security evaluation


From: Patrick Coomans <Patrick.Coomans () 4ALL BE>
Date: Mon, 8 Jan 2001 10:47:53 +0100

Hi,

Apart from third-party software to protect or evaluate the protection of your Novell servers, 
I think it may be helpful for some of you if I include my little to-do list for securing Novell 5 servers.

There are a lot more parameters out there, I also advise you to check out SECURE.NCF on your server.
Should you want to be able to see all possible SET parameters (also the hidden ones), try using MONITOR /HELP, then check out all the extra parameters visible in the Server Settings.

Here is part of my little list:

1) SET NCP Include IP Address
    I very much appreciate this new parameter in NW5 SP5 or NW5.1 SP1.
    The parameter syntax is "SET NCP Include IP Addresses = a.b.c.d; u.v.w.x; o.p.q.r; etc..."
    and is meant for servers that have both "Public"-type as well as "Private"-type NICs.
    This parameter allows you to stop the NCP advertisement (and NDS Server IP address registration) for the IP addresses which are PUBLIC.


2) Set NCP Packet Signature Level=2
    I did experience a lot of trouble with enforcing NCP Packet Signatures on all servers to level 3 (always require NCP Packet signatures). It seems that a lot of 3rd party boxes don't support packet signing well, and I had to reduce the NCP Packet Signature level to 2 (do signatures if the client can, but don't if the client doesn't support it).


3) Filter incoming connections to services like RCONJ and FTP
    Use FILTCFG to configure filtering for those services so that you can limit connection attempts to source IP addresses in the networks which are allowed to initiate those connections.
    You can also configure a Novell server to create a logfile of all packets that were "dropped" by your filtering configuration by changing the file \sys\etc\ippktlog.cfg


4) Limit the NCP Login IP Addresses for all your user IDs to valid IP addresses (use ConsoleOne or nwadmin32 to do this - user properties).


5) Make sure you have proper CONSOLE LOGGING configured.  I usually do this:
    Load CONLOG Archive=Yes Next=05:00 Entire=Yes Maximum=20000
    which makes CONLOG archive all its console logging files for later retrieval.
    Also, invalid NCP login attempts are sent to the console.log


6) Set NCP Enable IPX address = Off
    Can be set only if your network is IP only.  This will completely remove all IPX NCP-support from all loaded modules.


7) Reject bad NCP packets.  You have to take care with this one, since -again- some manufacturers simply send out bad NCP packets.  An example is some QMS network printer-boxes, which will fail to attach to a server if you reject bad NCP packets.
    Set display NCP bad component warnings = on
    Set reject NCP packets with bad components = on
    Set display NCP bad length warnings = on
    Set reject NCP packets with bad lengths = on


8) Set a lot of other IP communication parameters
    Set filter packets with IP header options = on
    Set filter subnet broadcast packets = on
    Set discard oversized UDP packets = on
    Set discard oversized ping packets = on
    Set tcp defend land attacks = on
    Set tcp defend syn attacks = on
    Set ipx netbios replication option = 0   (completely disallow all netbios forwarding)


9) Configure your stack to reject incoming RIP or OSPF from public or semi-public interfaces


10) Configure your SLP architecture with a NAMED scope, do not use "UNSCOPED".


11) Make sure you have to BINDERY CONTEXT set in your autoexec.ncf


12) Do not use RCONSOLE.  It sends the console password in cleartext.  (you can't anyway if your server is pure IP)


13) Enable NetWare's intruder detection


14) Enforce strong passwords on the users 
    download the tools to do this at    http://www.connectotel.com/ppm/ 
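
An audit of a server's SET lines against the values recommended in items 2, 6, 7 and 8 above, as an added example that is not part of the original post. The function names, the comment markers treated as NCF comments (`#`, `;`, `REM`) and the sample file contents are assumptions; item 6 only applies on IP-only networks.

```python
import re

BASELINE = {  # values recommended in items 2, 6, 7 and 8 of the post
    "ncp packet signature level": "2",
    "ncp enable ipx address": "off",
    "display ncp bad component warnings": "on",
    "reject ncp packets with bad components": "on",
    "display ncp bad length warnings": "on",
    "reject ncp packets with bad lengths": "on",
    "filter packets with ip header options": "on",
    "filter subnet broadcast packets": "on",
    "discard oversized udp packets": "on",
    "discard oversized ping packets": "on",
    "tcp defend land attacks": "on",
    "tcp defend syn attacks": "on",
    "ipx netbios replication option": "0",
}
SET_LINE = re.compile(r"^\s*set\s+(.+?)\s*=\s*(\S+)", re.IGNORECASE)
COMMENT = re.compile(r"\s*(#|;|rem\b)", re.IGNORECASE)  # assumed NCF comment markers

def parse_sets(text):
    """Return {normalised parameter name: value}; a later SET line wins."""
    found = {}
    for line in text.splitlines():
        m = None if COMMENT.match(line) else SET_LINE.match(line)
        if m:
            found[" ".join(m.group(1).lower().split())] = m.group(2).lower()
    return found

def audit(text):
    """Return (parameter, expected, actual or None) for every deviation."""
    found, issues = parse_sets(text), []
    for name, want in BASELINE.items():
        got = found.get(name)
        ok = got == want
        if name == "ncp packet signature level":  # level 3 is stricter than 2
            ok = (got or "").isdigit() and int(got) >= int(want)
        if not ok:
            issues.append((name, want, got))
    return issues

SAMPLE_NCF = """# constructed sample, not taken from a real server
SET NCP Packet Signature Level = 1
Set tcp defend syn attacks=ON
REM Set discard oversized ping packets = on
Set Reject NCP Packets With Bad Lengths = off
"""
if __name__ == "__main__":
    print(*audit(SAMPLE_NCF), sep="\n")
```

A parameter reported with `None` is simply absent from the file, so the server is running whatever default applies to it.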
