Subject: comp.os.netware.security FAQ
Date: 27 Aug 1995 04:54:16 GMT
Summary: The FAQ list for comp.os.netware.security newsgroup
X-Newsreader: TIN [version 1.2 PL2]

Archive-name: netware/security
Posting-Frequency: monthly
Version: 0.3 DRAFT

------------------------------

Subject: Introduction

                    comp.os.netware.security
                   Frequently Asked Questions

                          Fauzan Mirza
                    F.U.Mirza@sheffield.ac.uk

This is a draft FAQ list for the comp.os.netware.security newsgroup.
Its intent is to provide answers to questions asked by those who are
merely interested in Novell NetWare, and also to provide help for
those who are concerned about the security of their network.

I am not affiliated with Novell in any way, and I have taken it upon
myself to produce this FAQ. My experience with Novell NetWare is that
of a programmer and administrator, with a keen interest in computer
security. I don't hold any Novell qualifications.

At the moment, this FAQ is oriented towards Novell NetWare 2/3.

Please send any comments, contributions, or notification of errors to
the author.

Thanks to the following people for improvements or additions:
    Fons Botman <botman@rabo.nl>
    Bob Janacek <safety@gti.net>
    Brian Flynn <BFLYNN.UNCSON@mhs.unc.edu>

------------------------------

Subject: TABLE OF CONTENTS

Section 1:  Basic Information
    1.01 - Where are passwords stored?
    1.02 - Is the execute-only flag secure?
    1.03 - Can a packet-sniffer capture passwords?
    1.04 - Can the server be infected with a computer virus?
    1.05 - What auditing functions does Accounting provide?
    1.06 - What are trustees and trustee rights?
    1.07 - What are groups?
Section 2:  Software
    2.01 - What is HACK.EXE?
    2.02 - What is NOVELBFH.EXE?
    2.03 - How do I use SECURITY?
    2.04 - Vendor security addons
Section 3:  Help
    3.01 - How do I secure the server?
    3.02 - I've lost the Supervisor password.
    3.03 - I've deleted the user Admin.
    3.04 - I've revoked my own rights from this subdirectory.
    3.05 - Supervisor has been locked out.

------------------------------

Subject: Section 1:  Basic Information

    This section gives information on how Novell NetWare operates,
    and explains some basic security concepts.

------------------------------

Subject: 1.01 - Where are passwords stored?
NetWare: 2,3

    Passwords are stored in encrypted form in the NET$VAL.SYS bindery
    file. It is not possible to decrypt passwords although brute force
    crackers have been written which operate on the bindery.

    The bindery files are stored in the SYS:SYSTEM directory, and
    should not be accessible by any non-Supervisor user. The SECURITY
    utility will detect excessive rights in SYS:SYSTEM.

------------------------------

Subject: 1.02 - Is the execute-only flag secure?
NetWare: 3

    No. It is sufficient to prevent casual copying of executables, but
    software exists which will allow any user to copy X flagged files.

    The X flag cannot be removed from files, so it is a good measure
    against computer viruses. However, virus scanners cannot read X
    flagged files, so infected X flagged files will be difficult to
    detect.

    Wolfgang Schreiber wrote a utility called X-AWAY, available from
    ftp.novell.de, which enables a Supervisor equivalent user to copy
    X flagged files. X-AWAY is deliberately crippled to prevent
    non-Supervisor users from copying programs.

------------------------------

Subject: 1.03 - Can a packet-sniffer capture passwords?
NetWare: 2,3

    Since Novell NetWare 3, passwords are sent to the server encrypted
    using a hashing function. The three password functions (Login,
    Change password, Verify password) have a pretty secure protocol,
    such that the information gathered by packet sniffers cannot be
    used to reconstruct the event or determine the password.

    Some very old software still uses the NetWare 2 unencrypted password
    calls. These passwords are sent in plaintext, so they can be captured
    and used.

    Packet sniffers can capture just about all other information that
    is transmitted on the LAN. This includes telnet/ftp passwords, etc.

------------------------------

Subject: 1.04 - Can the server be infected with a computer virus?

    Since the server does not run DOS, it is immune to file viruses.
    It is vulnerable to boot viruses, however, and these can be
    avoided by not booting the server from floppy disks.

    The server can be used to spread viruses, since workstations may
    execute infected software from the server and thus infect local
    hard disks, floppy disks, and so on.

    If possible, do not allow users to have write access to the
    executables on the server.

    A number of anti-virus utilities exist for Novell NetWare, including
    Dr Solomon's Anti Virus Toolkit, McAfee Associates's NETSCAN, and
    Data Fellows Ltd's F-PROT Professional.

------------------------------

Subject: 1.05 - What auditing functions does Accounting provide?
NetWare: 3

    Accounting is used to track logins and can be used to track (and
    put limits on) use of server resources.

    By default, accounting is not active. The supervisor must switch
    it on using the SYSCON utility.

------------------------------

Subject: 1.06 - What are trustees and trustee rights?
NetWare: 2,3

    A trustee is any user or group that has been granted access rights
    in a directory.
    
    The access rights in Novell NetWare 2 are slightly different from
    the ones in NetWare 3.

    The following is a summary of access rights for NetWare 3.

    S - Supervisory. Any user with supervisory rights in a directory
        will automatically inherit all other rights, regardless of
        whether they have been explicitly granted or not. Supervisor
        equivalent accounts will hold this access right in every
        directory.

    R - Read. Enables users to read files.

    C - Create. Enables users to create files and directories. Unless
        they also have write access, they will not be able to edit
        files which have been created.

    W - Write. Enables users to make changes to files. Unless they also
        have create access, they may not be able to edit files, since
        the write operation can only be used to extend files (not
        truncate them, which file editors need to do).

    E - Erase. Enables users to erase files and remove directories.

    M - Modify. Enables users to modify file attributes.

    F - File scan. Enables users to see file and directory information.
        If a user does not have file scan rights, they will not see any
        evidence of such files existing.

    A - Access control. Enables users to change trustee rights. They
        will be able to add other users as trustees, remove trustees,
        and grant/revoke specific rights from users. The only caveat
        of access control is that it is possible for users to remove
        themselves (as trustees) from directories, thus losing all
        access control.

    In addition to trustees and access rights, there is a concept of
    inherited rights, which means that users inherit rights from parent
    directories. For example, if user ALICE has rights [CWEM] in a
    directory, and she has [RF] rights in the parent directory, then
    she will have [RCWEMF] rights as a result of the inherited rights.
    This only works if one of the two assignments is granted to a group
    that ALICE belongs to; if both are granted to her directly, the
    explicit assignment in the subdirectory replaces the inherited one,
    and she will lose the rights of the parent.

------------------------------

Subject: 1.07 - What are groups?
NetWare: 2,3

    Groups are an object type which allows users to be grouped together
    for various purposes. The main interest in this is to maintain
    security, by granting access rights to groups instead of individual
    users.

    By default, all users are in a group called EVERYONE. If you grant
    [RF] to group EVERYONE in a directory, then every user in that group
    will hold those rights in that directory.

    Some software also makes use of groups (for example, Pegasus Mail
    does not run if the user is in group NOMAIL).

------------------------------

Subject: Section 2:  Software

    This section describes the purpose and use of some software.

------------------------------

Subject: 2.01 - What is HACK.EXE?
NetWare: 3

    HACK is a program, written at Leiden University in the Netherlands,
    which exploits the lack of packet authentication in early versions
    of NetWare 3. It enabled a user to pose as a more privileged client
    by sending requests to the server with fake source addresses.
    
    If SUPERVISOR is logged on, it attempts to send a single packet to
    the server requesting it to add Supervisor-equivalency to the
    account it is being run from.

    Novell released updated versions of the server and client software
    which would add packet authentication (using a feature called NCP
    packet signatures). The software is available from ftp.novell.com.

    NetWare 3.12 includes the updated software, but the administrator
    still has to set the correct packet signature level on both server
    and workstations.

    With NCP packet signatures active, any attempt to forge packets
    to the server will result in a message on the server console, in
    the error log, and sent to the affected client.

------------------------------

Subject: 2.02 - What is NOVELBFH.EXE?
NetWare: 2,3

    NOVELBFH, Novell Brute Force Hacker, is a program written by
    DGE Alofs in Holland. It is a menu driven program that attempts
    to crack accounts by using the verify password function and
    trying various guesses for the password.

    The password checking is done using the unencrypted password call,
    so this program can be rendered useless on NetWare 3 by disabling
    the unencrypted password call at the server (this is the default).
    
------------------------------

Subject: 2.03 - How do I use SECURITY?
NetWare: 3

    SECURITY is the standard security auditing utility, supplied with
    NetWare. It is found in the SYS:SYSTEM directory, and needs to be
    run by a Supervisor-equivalent user.

------------------------------

Subject: 2.04 - Vendor security addons

    Administrators may be interested in products which are available
    to improve network security. This section will eventually be a
    list of such products. Please submit your product descriptions to
    the FAQ maintainer.

    STOPLIGHT LAN - StopLight LAN integrates with Netware to provide
        network and workstation security enhancements. It provides
        workstation access control, keyboard lock, trustee assignments
        for local and network drives, file encryption, local drive
        disable during network use, floppy drive disable, software
        piracy prevention, central installation and management from
        the network, Windows administration. 13K memory overhead
        required.  Download from http://www.safe.net/safety or
        ftp://ftp.safe.net/pub/safetynet/sllan.exe

------------------------------

Subject: Section 3:  Help

    This section gives solutions to common problems.

------------------------------

Subject: 3.01 - How do I secure the server?
NetWare: 3

    The most important rule is to lock the server console.
    At least one method has been posted a couple of times which
    explains how to switch off password verification using the
    server internal debugger.

    Anyone with console access can obtain supervisor access.

    Place any useful NLMs in SYS:SYSTEM and then add the following
    line to AUTOEXEC.NCF:
        SECURE CONSOLE

    Disable use of unencrypted passwords. Either type the following,
    or add it to the AUTOEXEC.NCF:
        SET ALLOW UNENCRYPTED PASSWORDS OFF

    If you have NCP packet signatures installed, add the following
    line to AUTOEXEC.NCF:
        SET NCP PACKET SIGNATURE OPTION = 3

    Use a password different from the Supervisor password for RCONSOLE.

    Load the MONITOR NLM and lock the console.

    Remember that access to the backups is just as bad as access
    to the server. Keep the backups secure too.

    Some other suggestions:
    Limit number of Supervisor accounts (not too many, but keep at
    least one, unless using the SUPER utility described below).
    Enable intruder detection and lockout.
    Require unique passwords on all accounts.
    Login as Supervisor as little as possible.

    Use the SUPER.EXE program, written by Wolfgang Schreiber, which
    will toggle instant supervisor-equivalency to a user. This isn't
    a loophole, since some preparation has to be done on the accounts
    which should be able to gain supervisor-equivalency, and those
    accounts will be reported by the SECURITY utility.
    SUPER is available from netwire (Look on ftp.novell.de or
    ftp.novell.com).

------------------------------

Subject: 3.02 - I've lost the supervisor password.
NetWare: 2,3

    The following method is used to obtain the supervisor account on
    NetWare 2. It will work on NetWare 3, but there is an easier way
    which follows.
    
    The following is fairly complicated, and is not recommended for
    beginners.

    1. Reboot the server and load DOS.
    2. Use a disk editor to examine the Novell partition and locate
       the directory entries for the bindery files (NET$BIND.SYS and
       NET$BVAL.SYS).
    3. Check for backup copies of the bindery with extension OLD (i.e.,
       NET$BIND.OLD and NET$BVAL.OLD). If you find them, change their
       extension to XXZ.
    4. Change the SYS extension to OLD.
    5. Restart the server. It will create a new bindery with SUPERVISOR
       and GUEST accounts; both without passwords.
    6. Login as SUPERVISOR and run BINDREST to restore the old bindery.
    7. Change the SUPERVISOR password.

    On NetWare 3, there are a number of NLMs which will reset the
    supervisor password (SETPWD and SETSPASS) or create supervisor
    equivalent accounts (BURGLAR). SETPWD is available by anonymous
    ftp from netlab2.usu.edu.

    In general, you should have at least one supervisor equivalent
    account (see section 3.01).

------------------------------

Subject: 3.03 - I've deleted the user Admin.
NetWare: 4

    This answer was provided by Mattman (mdrobel@novell.com) in an
    article posted on comp.os.netware.security.

    If you don't have a backup, you can do two things:
    
    1. Reinstall Directory Services. I would recommend this option only
       if you don't have a lot of NDS objects and rights set up.

    2. If you have another user with Admin or equivalent rights, it's
       easy to recreate the Admin user object and give him the rights
       he had before. Those rights would be:
       Make him a trustee of [Root] and give him supervisory object and
       property rights.

------------------------------

Subject: 3.04 - I've revoked my own rights from this subdirectory.
NetWare: 3

    A common mistake is to revoke your own access control rights in a
    directory. If you have access control rights in a parent directory,
    you can regain the access rights that you lost.
    
    Example: If user ALICE has [RCWEMFA] in USR:ALICE/ but accidentally
        revoked access control in the subdirectory PROJECTS (let's just
        say she now has [RF] in USR:ALICE/PROJECTS/), she would not be
        able to simply use GRANT to get the rights back because she has
        insufficient rights.

    To recover access control:

    1. Check which groups you are in (or equivalent to).
        WHOAMI /S
    2. Pick a group and grant access rights to that group in the parent.
        GRANT A TO EVERYONE FOR USR:ALICE
    3. You should now have access control in the subdirectory.
        CD PROJECTS
    4. Remove the trustee which caused the problem.
        TLIST
        REMOVE ALICE FROM USR:ALICE/PROJECTS
    5. Remove the rights of the group from the parent directory.
        REMOVE EVERYONE FROM USR:ALICE
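    The inherited-rights rule from 1.06 and the recovery sequence above,
    as an added worked example that is not part of this FAQ: a small
    Python model of NetWare 3 trustee assignments, in which an explicit
    assignment in a subdirectory replaces the one inherited from the
    parent and effective rights are the union over the user and the
    user's groups. It assumes no Inherited Rights Mask and ignores the
    Supervisory shortcut, neither of which the FAQ covers; the group
    membership and directory names are constructed for the example.

```python
# Added model of NetWare 3 effective rights (FAQ 1.06) and of the 3.04 recovery.
# Assumes no Inherited Rights Mask and ignores the Supervisory (S) shortcut.

def parent(path):  # USR:ALICE/PROJECTS -> USR:ALICE -> USR: -> None (root)
    if "/" in path:
        return path.rsplit("/", 1)[0]
    return None if path.endswith(":") else path.split(":")[0] + ":"

def trustee_rights(trustees, name, path):
    """Explicit assignment for this trustee here, else the nearest parent's."""
    while path is not None:
        if (name, path) in trustees:
            return set(trustees[(name, path)])
        path = parent(path)
    return set()

def effective_rights(trustees, groups, user, path):
    """Union of the user's own trustee rights and those of each group."""
    rights = trustee_rights(trustees, user, path)
    for group in groups.get(user, ()):
        rights |= trustee_rights(trustees, group, path)
    return "".join(r for r in RIGHTS if r in rights)

def remove_trustee(trustees, groups, actor, name, path):
    """REMOVE name FROM path; the actor needs Access control (A) there."""
    if "A" not in effective_rights(trustees, groups, actor, path):
        raise PermissionError(f"{actor} has no access control in {path}")
    del trustees[(name, path)]

RIGHTS = "SRCWEMFA"               # order used when printing a rights string
GROUPS = {"ALICE": ["EVERYONE"]}  # constructed sample group membership
SUB = "USR:ALICE/PROJECTS"

def faq_106_example():
    """[RF] in the parent, [CWEM] in the subdirectory: via group vs. via user."""
    via_group = {("EVERYONE", "USR:ALICE"): "RF", ("ALICE", SUB): "CWEM"}
    via_user = {("ALICE", "USR:ALICE"): "RF", ("ALICE", SUB): "CWEM"}
    return (effective_rights(via_group, GROUPS, "ALICE", SUB),   # "RCWEMF"
            effective_rights(via_user, GROUPS, "ALICE", SUB))    # "CWEM"

def faq_304_recovery():
    """ALICE's effective rights in PROJECTS after each step of 3.04."""
    t = {("ALICE", "USR:ALICE"): "RCWEMFA", ("ALICE", SUB): "RF"}
    steps = [effective_rights(t, GROUPS, "ALICE", SUB)]
    t[("EVERYONE", "USR:ALICE")] = "A"      # GRANT A TO EVERYONE FOR USR:ALICE
    steps.append(effective_rights(t, GROUPS, "ALICE", SUB))
    remove_trustee(t, GROUPS, "ALICE", "ALICE", SUB)             # REMOVE ALICE
    steps.append(effective_rights(t, GROUPS, "ALICE", SUB))
    remove_trustee(t, GROUPS, "ALICE", "EVERYONE", "USR:ALICE")  # REMOVE EVERYONE
    return steps + [effective_rights(t, GROUPS, "ALICE", SUB)]
```

    Step 2 is what makes step 4 possible: without the group assignment
    in the parent, remove_trustee refuses the REMOVE because ALICE's
    effective rights in PROJECTS are only [RF].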

------------------------------

Subject: 3.05 - Supervisor has been locked out.
NetWare: 3

    If the Supervisor account cannot login due to intruder detection,
    you can restore login status by entering ENABLE LOGIN at the server
    console. This will only work for the SUPERVISOR account.

------------------------------

(end of FAQ)

========================================================================
 Fauzan Mirza           Dept of Computer Science   DOS/NetWare/Linux
 F.U.Mirza@shef.ac.uk   University of Sheffield    Programming/Security
========================================================================
