
              NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE:              Security Enhancement LOGIN.EXE 4.02
DOCUMENT ID:        TID013339
DOCUMENT REVISION:  A
DATE:               02SEP93
ALERT STATUS:       Yellow
INFORMATION TYPE:   Symptom Solution
README FOR:         SECLOG.EXE

NOVELL PRODUCT and VERSION:
NetWare 4.0
NetWare 4.01

ABSTRACT:
The security enhancement eliminates a small window of exposure where a
user's name and password may be temporarily swapped to disk when running in
a DOS environment with a small memory configuration.
_________________________________________________________________

DISCLAIMER
THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL. 
NOVELL MAKES EVERY EFFORT WITHIN ITS MEANS TO VERIFY THIS INFORMATION. 
HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION
ONLY.  NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS
INFORMATION.
_________________________________________________________________

SYMPTOM

A small window of exposure exists where a user's name and password may be
temporarily swapped to disk when running in a DOS environment with a small
memory configuration.  The NetWare 2.x and NetWare 3.x login utilities are
not affected and require no enhancement.

CAUSE

How Login Works

In NetWare 2.x and 3.x, LOGIN.EXE keeps a version of the user ID and
password in protected domain memory so that attachment to other servers
does not require the user to reenter the same information.  After the login
process is complete, the memory is cleared.  This process poses no
security threat in NetWare 2.x or 3.x.

In NetWare 4.x, the login process contains more steps due to added security
features.  LOGIN.EXE is larger because added security features such as NDS
and authentication have expanded the file size.  During the current
NetWare 4.x login and authentication process, portions of LOGIN.EXE may be
temporarily swapped to extended or expanded memory or to disk in DOS
environments with small memory configurations.  If LOGIN.EXE is temporarily
swapped to disk, the swap file is placed in the current directory of the
default disk, whether local or on the network.

Security Threat

The security threat occurs if a portion of the login executable containing
the user ID and password information is temporarily swapped to disk.  After
login completes, a user may be able to salvage or undelete the temporary
swap file, gaining read access to the user ID and password information of
the logged-in network user.
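
Added example (not part of the Novell document and not Novell's code; the
document does not describe how LOGIN.EXE 4.02 was changed): a modern POSIX C
analog of the defence against this class of exposure, keeping the credential
in a page locked against swapping and wiping it once login completes.  The
names cred_buf and cred_* are hypothetical.

```c
/* Added example, not Novell's code; cred_buf and cred_* are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    char  *buf;     /* page-sized mapping holding "user:password" */
    size_t len;
    int    locked;  /* 1 if mlock() succeeded: page cannot be swapped out */
} cred_buf;

/* Zero through a volatile pointer so the compiler cannot elide the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

int cred_alloc(cred_buf *c) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    c->len = (size_t)page;
    c->buf = mmap(NULL, c->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (c->buf == MAP_FAILED) { c->buf = NULL; return -1; }
    c->locked = (mlock(c->buf, c->len) == 0);  /* can fail: RLIMIT_MEMLOCK */
    return 0;
}

/* Store the credential; refuse input that would not fit in the locked page. */
int cred_set(cred_buf *c, const char *user, const char *pass) {
    int n = snprintf(c->buf, c->len, "%s:%s", user, pass);
    return (n < 0 || (size_t)n >= c->len) ? -1 : 0;
}

/* Wipe, verify and unmap once login completes; returns non-zero bytes left. */
size_t cred_release(cred_buf *c) {
    size_t i, dirty = 0;
    if (!c->buf) return 0;
    secure_wipe(c->buf, c->len);
    for (i = 0; i < c->len; i++) dirty += (c->buf[i] != 0);
    munmap(c->buf, c->len);   /* unmapping also releases the lock */
    c->buf = NULL;
    return dirty;
}
```

If locked is 0 after cred_alloc, the page can still be written to swap and
the caller should treat the credential as exposed to it.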

SOLUTION

Novell recommends that security-conscious customers implement the new
LOGIN.EXE v4.02 for NetWare 4.0 or 4.01 environments.

Self-Extracting File Name:  SECLOG.EXE      Revision:  A

Files Included     Size     Date       Time

SECLOG.TXT         (This file)
LOGIN.EXE          354859   08-25-93   11:43a

Installation Instructions:

1) Flag LOGIN.EXE in the PUBLIC and LOGIN directories to SRW.

2) Copy LOGIN.EXE from the PUBLIC or LOGIN directories to a diskette for
backup purposes.

3) Copy this version (4.02) of LOGIN.EXE to the PUBLIC and LOGIN
directories.
     
4) Flag LOGIN.EXE in the PUBLIC and LOGIN directories to SRO.

Note:  After installing LOGIN.EXE 4.02, you should require all users to
change their passwords.  In addition, if this security enhancement is
installed on a NetWare 4.0 server after completing the upgrade to NetWare
4.01, verify that the LOGIN.EXE is version 4.02.  If the LOGIN.EXE is not
4.02, reinstall this enhancement.   The NDIR.EXE utility can be used with
the /v option to verify the version information.

Solution Specifics:

The new version of LOGIN.EXE will be incorporated in future versions of
NetWare 4.x.


                    NOVELL TERMS and CONDITIONS 

The software files enclosed in this self extracting file ("FILE") are
protected by the copyright laws of the United States and international
copyright treaties.  This FILE contains software files which are intended
to replace, patch or otherwise run with commercially available versions of
Novell software products.  You may without charge, reproduce and distribute
copies of the FILE and use copies of the files contained within the FILE
for their intended purposes to replace legally obtained, commercially
available Novell software; provided you do NOT (1) receive any direct
payment, commercial benefit, or other consideration for the reproduction,
distribution or use, or distribute the FILE as part of or in combination
with any other software or hardware product without the prior written
consent of Novell Inc. (2) change or omit any proprietary rights notice
appearing on or in the FILE.

EXCEPT AS RESTRICTED BY LAW, THE SOFTWARE PROGRAMS CONTAINED IN THE FILE
ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, TITLE OR FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT
YOU USE THIS SOFTWARE, YOU DO SO AT YOUR OWN RISK.  IN NO EVENT WILL NOVELL
BE LIABLE TO YOU FOR ANY DAMAGES ARISING OUT OF YOUR USE OR YOUR INABILITY
TO USE THE SOFTWARE.

  !!! By extracting the FILES, You AGREE to these TERMS AND CONDITIONS !!!

