Penetration Testing mailing list archives
Re: [PEN-TEST] Novell NetWare security evaluation
From: Patrick Coomans <Patrick.Coomans () 4ALL BE>
Date: Mon, 8 Jan 2001 10:47:53 +0100
Hi,

Apart from third party software to protect or evaluate the protection of your Novell servers, I think it may be helpful for some of you if I include my little to-do list for securing Novell 5 servers. There are a lot more parameters out there; I also advise you to check out SECURE.NCF on your server. Should you want to be able to see all possible SET parameters (also the hidden ones), try using MONITOR /HELP, then check out all the extra parameters visible in the Server Settings.

Here is part of my little list:

1) SET NCP Include IP Addresses
I very much appreciate this new parameter in NW5 SP5 or NW5.1 SP1. The parameter syntax is "SET NCP Include IP Addresses = a.b.c.d; u.v.w.x; o.p.q.r; etc..." and is meant for servers that have both "Public"-type as well as "Private"-type NICs. This parameter allows you to stop the NCP advertisement (and NDS Server IP address registration) for the IP addresses which are PUBLIC.

2) Set NCP Packet Signature Level=2
I did experience a lot of trouble with enforcing NCP Packet Signatures on all servers to level 3 (always require NCP Packet signatures); it seems that a lot of 3rd party boxes don't support packet signing well, and I had to reduce the NCP Packet Signature level to 2 (do signatures if the client can, but don't if the client doesn't support it).

3) Filter incoming connections to services like RCONJ and FTP
Use FILTCFG to configure filtering for those services so that you can limit connection attempts to source IP addresses in the networks which are allowed to initiate those connections. You can also configure a Novell server to create a logfile of all packets that were "dropped" by your filtering configuration by changing the file \sys\etc\ippktlog.cfg

4) Limit the NCP Login IP Addresses for all your User IDs to valid IP addresses. (Use ConsoleOne or nwadmin32 to do this - user properties.)

5) Make sure you have proper CONSOLE LOGGING configured.
I usually do this:
Load CONLOG Archive=Yes Next=05:00 Entire=Yes Maximum=20000
which makes CONLOG archive all its console logging files for later retrieval. Also, invalid NCP login attempts are sent to the console.log.

6) Set NCP Enable IPX address = Off
Can be set only if your network is IP only. This will completely remove all IPX NCP support from all loaded modules.

7) Reject bad NCP packets.
You have to take care with this one, since -again- some manufacturers simply send out bad NCP packets. Examples are some QMS network printer boxes, which will fail to attach to a server if you reject bad NCP packets.
Set display NCP bad component warnings = on
Set reject NCP packets with bad components = on
Set display NCP bad length warnings = on
Set reject NCP packets with bad lengths = on

8) Set a lot of other IP communication parameters
Set filter packets with IP header options = on
Set filter subnet broadcast packets = on
Set discard oversized UDP packets = on
Set discard oversized ping packets = on
Set tcp defend land attacks = on
Set tcp defend syn attacks = on
Set ipx netbios replication option = 0 (completely disallow all netbios forwarding)

9) Configure your stack to reject incoming RIP or OSPF from public or semi-public interfaces.

10) Configure your SLP architecture with a NAMED scope; do not use "UNSCOPED".

11) Make sure you have the BINDERY CONTEXT set in your autoexec.ncf.

12) Do not use RCONSOLE. It sends the console password in cleartext. (You can't anyway if your server is pure IP.)

13) Enable NetWare's intruder detection.

14) Enforce strong passwords on the users; download the tools to do this at http://www.connectotel.com/ppm/
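As an added example (not part of Patrick's post, and not a Novell tool): a small Python script that checks an exported list of SET parameters against the checklist above and reports every parameter that is missing or set to a weaker value. It assumes the parameters are available as "SET <name> = <value>" text lines (for instance a copy of AUTOEXEC.NCF or captured console output) and that lines starting with '#' or ';' are comments; the function names, the accepted values and the sample input are all constructed for the example.

```python
"""Check exported NetWare SET parameters against the hardening list above.

Added example, not from the original post or from Novell: it assumes the
parameters are available as "SET <name> = <value>" text lines (for instance a
copy of AUTOEXEC.NCF or captured console output). Lines starting with '#' or
';' are treated as comments (assumption). The sample input is constructed.
"""
import re

# "SET name = value", case-insensitive, any spacing around "=" (assumed format)
SET_LINE = re.compile(r"^set\s+(?P<name>[^=]+?)\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)


def normalize(name):
    """Parameter names compare case- and whitespace-insensitively."""
    return " ".join(name.lower().split())


def parse_set_lines(text):
    """Return {normalized name: value}; a later SET of the same name overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SET_LINE.match(line)
        if match:
            settings[normalize(match.group("name"))] = match.group("value")
    return settings


def is_on(value):
    return value.lower() == "on"


def is_off(value):
    return value.lower() == "off"


# (parameter, predicate the value must satisfy, expectation shown in the report);
# the values mirror the list in the post, with level 2 accepted as the practical minimum
CHECKLIST = [
    ("NCP Include IP Addresses", lambda v: v != "", "non-empty list of private interface addresses"),
    ("NCP Packet Signature Level", lambda v: v.isdigit() and int(v) >= 2, ">= 2 (3 where every client supports signing)"),
    ("NCP Enable IPX address", is_off, "off (IP-only networks)"),
    ("display NCP bad component warnings", is_on, "on"),
    ("reject NCP packets with bad components", is_on, "on"),
    ("display NCP bad length warnings", is_on, "on"),
    ("reject NCP packets with bad lengths", is_on, "on"),
    ("filter packets with IP header options", is_on, "on"),
    ("filter subnet broadcast packets", is_on, "on"),
    ("discard oversized UDP packets", is_on, "on"),
    ("discard oversized ping packets", is_on, "on"),
    ("tcp defend land attacks", is_on, "on"),
    ("tcp defend syn attacks", is_on, "on"),
    ("ipx netbios replication option", lambda v: v == "0", "0 (no NetBIOS forwarding)"),
]


def audit(settings):
    """Return one finding per checklist item that is missing or has an unexpected value."""
    findings = []
    for name, accepts, expected in CHECKLIST:
        actual = settings.get(normalize(name))
        if actual is None or not accepts(actual):
            findings.append({"parameter": name, "expected": expected, "actual": actual})
    return findings


def audit_text(text):
    """Parse and audit in one step; handy for reading a whole file."""
    return audit(parse_set_lines(text))


# Constructed sample: two weak values, two parameters not set at all.
SAMPLE_NCF = """\
# constructed sample AUTOEXEC.NCF fragment, not from a real server
SET NCP Include IP Addresses = 10.0.0.5
Set NCP Packet Signature Level=1
Set display NCP bad component warnings = on
Set reject NCP packets with bad components = on
Set display NCP bad length warnings = on
Set reject NCP packets with bad lengths = off
Set filter packets with IP header options = on
Set filter subnet broadcast packets = on
Set discard oversized UDP packets = on
Set discard oversized ping packets = on
Set tcp defend land attacks = on
Set tcp defend syn attacks = on
Load CONLOG Archive=Yes Next=05:00 Entire=Yes Maximum=20000
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_NCF):
        shown = "not set" if finding["actual"] is None else repr(finding["actual"])
        print(f"{finding['parameter']}: expected {finding['expected']}, found {shown}")
```

Run against the constructed sample it reports four items: the signature level of 1, the "bad lengths" rejection left off, and the two parameters that were never set. A parameter that is absent from the file is reported rather than assumed to be at its default, because the whole point of the list is that the defaults are not what you want.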
Current thread:
- [PEN-TEST] Novell NetWare security evaluation Neubauer, Brenda (Jan 03)
- <Possible follow-ups>
- Re: [PEN-TEST] Novell NetWare security evaluation Simple Nomad (Jan 04)
- Re: [PEN-TEST] Novell NetWare security evaluation Patrick Coomans (Jan 08)