---------------------------------------------------------------------------

Section 03

Accounting and Account Security

---------------------------------------------------------------------------

03-1. What is Accounting?

Accounting is Novell's pain-in-the-butt way to control and manage access to
the server in a way that is "accountable". The admin sets up charge rates for
blocks read and written, service requests, connect time, and disk storage.
The account "pays" for these services out of a balance it has been given,
and the accounting server deducts the charges as they accrue. How the
account actually pays for these items (departmental billing, cash, whatever)
you may or may not care about, but the fact that Accounting may be installed
means it can leave a footprint showing you've been there.

Any valid account, including non-supe accounts, can check whether
Accounting is turned on. Simply run SYSCON and try to access Accounting; if
you get a message that Accounting is not installed, then guess what?

Since charging for services is a pain to administer, many sys admins turn
Accounting on simply to time-stamp each login and logout, recording the node
address and account name of each, which makes it a handy way to track
intruders.

---------------------------------------------------------------------------

03-2. How do I defeat Accounting?

Turn it off. And spoof your node address. Here are the steps:

 - Spoof your address (see 03-6). Use a supe account's typical node
address as your own.

 - If you are using a backdoor, activate it with SUPER.EXE.

 - Delete Accounting by running SYSCON, selecting Accounting, then
Accounting Servers, hitting the delete key, and answering yes when asked
if you wish to delete accounting. The last entry in the NET$ACCT.DAT file
will be your login, time-stamped with the spoofed node address.

 - Now do what you will in the system. Use a different account if you
like; with Accounting gone, nothing is written to the log file.

 - When done, log in with the original account, run SYSCON and
re-install Accounting. Immediately log out, and the next line in the
NET$ACCT.DAT file will be your logout, showing a login and logout
with the same account name, nice and neat. The only trace is the stretch
between those two time-stamps during which nothing at all was logged.

If you can't spoof the address (some LAN cards don't allow it or require
extra drivers you may not have), just turn off Accounting and leave it
off, or delete the NET$ACCT.DAT file in the SYS:SYSTEM directory. Either
is far more noticeable than the clean login/logout pair above.

It should be noted that turning Accounting off and on requires supe
equivalence, but you don't need supe equivalence to spoof the address.
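
The flip side of the trick above is what an admin reading the trail would
look for. The following is an added example (not part of this FAQ and not a
Novell tool) that runs two checks over a login/logout trail: a long stretch
with no records at all, and a LOGIN whose very next record is the LOGOUT of
the same account. The real NET$ACCT.DAT is binary and its layout is not
described here, so the trail is a constructed, already-decoded list of
records; the event names, thresholds and function names are assumptions
made for the example.

```python
"""Look for the trace the Accounting trick above leaves in a login/logout
trail.  Added example, not part of the FAQ and not a Novell tool.  The real
NET$ACCT.DAT is a binary file whose layout is not described on this page, so
the trail below is a constructed, already-decoded list of records
(timestamp, event, account, node address); the event names, thresholds and
function names are assumptions made for the example."""
from datetime import datetime

# Constructed sample trail for a small server on a Monday morning.  The
# SUPERVISOR login at 08:05 is the last record written before Accounting was
# deleted; the SUPERVISOR logout at 11:40 is the first one written after it
# was re-installed.  Node addresses are made up.
SAMPLE_TRAIL = [
    (datetime(1995, 6, 12, 8, 2), "LOGIN", "JSMITH", "0080C7AA0001"),
    (datetime(1995, 6, 12, 8, 4), "LOGIN", "MJONES", "0080C7AA0002"),
    (datetime(1995, 6, 12, 8, 5), "LOGIN", "SUPERVISOR", "0080C7AA00F0"),
    (datetime(1995, 6, 12, 11, 40), "LOGOUT", "SUPERVISOR", "0080C7AA00F0"),
    (datetime(1995, 6, 12, 11, 45), "LOGOUT", "JSMITH", "0080C7AA0001"),
    (datetime(1995, 6, 12, 12, 1), "LOGIN", "JSMITH", "0080C7AA0001"),
]


def _minutes_between(earlier, later):
    return int((later - earlier).total_seconds() // 60)


def silent_gaps(trail, max_gap_minutes=60):
    """Flag stretches during which nothing at all was recorded.  With several
    users logged in, the trail is close to continuous during the working
    day; a long silence is what switching Accounting off leaves behind."""
    findings = []
    for prev, cur in zip(trail, trail[1:]):
        gap = _minutes_between(prev[0], cur[0])
        if gap > max_gap_minutes:
            findings.append({
                "kind": "silent_gap",
                "start": prev[0], "end": cur[0], "minutes": gap,
                "account_before": prev[2], "account_after": cur[2],
            })
    return findings


def bracketed_sessions(trail, min_minutes=30):
    """Flag a LOGIN whose very next record is the LOGOUT of the same account.
    That is the 'nice and neat' pair the trick produces: nobody else's
    activity sits between the two time-stamps because nothing was logged."""
    findings = []
    for prev, cur in zip(trail, trail[1:]):
        if prev[1] == "LOGIN" and cur[1] == "LOGOUT" and prev[2] == cur[2]:
            minutes = _minutes_between(prev[0], cur[0])
            if minutes >= min_minutes:
                findings.append({
                    "kind": "bracketed_session", "account": prev[2],
                    "node": prev[3], "start": prev[0], "minutes": minutes,
                })
    return findings


def analyze(trail, max_gap_minutes=60, min_session_minutes=30):
    """Run both checks and return the findings in trail order."""
    found = (silent_gaps(trail, max_gap_minutes)
             + bracketed_sessions(trail, min_session_minutes))
    return sorted(found, key=lambda f: f["start"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRAIL):
        print(finding)
```

Both checks fire on the SUPERVISOR pair in the sample (a 215 minute silence
and a login followed directly by its own logout), which is why the trick is
best done when the server would have been quiet anyway. The thresholds are
tunable: a server with few users needs a longer max_gap_minutes to avoid
flagging lunch breaks.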

---------------------------------------------------------------------------

03-3. What is Intruder Detection?

Intruder Detection is Novell's way of tracking invalid password attempts.
While this feature is turned off by default, most sites practicing any type
of security will at minimum turn it on. There are several parameters to
Intruder Detection. First, there is a setting for how long the server will
remember a bad password attempt. Typically this is set to 30 minutes, but it
can be as short as 10 minutes or as long as 7 days. Then there is a setting
for how many attempts will lock out the account. This is usually 3 attempts,
but can be as few as 1 or as many as 7. Finally there is the length of time
the account stays locked out. The default is 30 minutes but it can range
from 10 minutes to 7 days.

When an Intruder Lockout occurs, the server beeps and a time-stamped message
is displayed on the System Console with the account name that is now locked
out and the node address the attempts came from. This is also written to the
File Server Error Log. A Supervisor or equivalent can unlock the account
before it frees itself up, and the File Server Error Log can also be erased
by a Supervisor or equivalent.

In a large shop, it is not unusual to see Intruder Lockouts on a daily
basis, and forgetting a password is a typical regular-user thing to do.
Intruder Lockouts on Supervisor or equivalent accounts, however, usually
get noticed.

---------------------------------------------------------------------------

03-4. How do I check for Intruder Detection?

The easiest way to check for Intruder Detection is to play with a valid
account whose password you know. Try the wrong password several times. If
Intruder Detection is on, the account will be locked out, and you will find
that even the correct password is refused when you try to get back in.
Remember that this is exactly the event described in 03-3: the console
beeps, and your node address goes into the File Server Error Log along with
the account name, so do it from a station and account you don't mind being
associated with.
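
To make the three settings from 03-3 and the 03-4 check concrete, here is
an added example (not Novell's code) that models the lockout logic: bad
attempts are remembered for the retention time, the account locks once the
count reaches the threshold, and it stays locked for the lockout length.
The class and function names are choices made for the example, and so is
the assumption that a successful login clears the remembered count. The
second scenario goes slightly beyond the text: it shows what happens when
guesses are spaced wider than the retention window.

```python
"""Model of Intruder Detection with the three knobs listed in 03-3, used to
show what the 03-4 check actually observes.  Added example, not Novell's
code: the class, its method names and the assumption that a successful login
clears the remembered bad-attempt count are choices made for the example."""
from datetime import datetime, timedelta


class Account:
    def __init__(self, name, password, retention_minutes=30,
                 max_attempts=3, lockout_minutes=30):
        self.name = name
        self._password = password
        self.retention = timedelta(minutes=retention_minutes)  # bad-attempt memory
        self.max_attempts = max_attempts                       # attempts before lockout
        self.lockout = timedelta(minutes=lockout_minutes)      # how long it stays locked
        self.bad_attempts = []   # time-stamps of remembered bad attempts
        self.locked_until = None
        self.console = []        # what the System Console / error log would show

    def login(self, password, now, node):
        """Return 'ok', 'bad_password' or 'locked' for an attempt at time now."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"        # even the right password is refused
            self.locked_until = None   # the lockout has freed itself up
        # Forget attempts older than the retention window.
        self.bad_attempts = [t for t in self.bad_attempts
                             if now - t < self.retention]
        if password == self._password:
            self.bad_attempts = []     # assumption: success clears the count
            return "ok"
        self.bad_attempts.append(now)
        if len(self.bad_attempts) >= self.max_attempts:
            self.locked_until = now + self.lockout
            self.bad_attempts = []
            self.console.append((now, "Intruder lockout on %s from node %s"
                                 % (self.name, node)))
            return "locked"
        return "bad_password"


NODE = "0080C7AA0001"                 # constructed workstation node address
T0 = datetime(1995, 6, 12, 9, 0)      # constructed start time


def scenario_burst():
    """Three wrong passwords a minute apart (the 03-4 check), then the right
    password while locked, then the right password after the lockout expires.
    Returns the result list and how many console messages were produced."""
    acct = Account("JSMITH", "s3cret")
    results = [acct.login("guess%d" % i, T0 + timedelta(minutes=i), NODE)
               for i in range(3)]
    results.append(acct.login("s3cret", T0 + timedelta(minutes=5), NODE))
    results.append(acct.login("s3cret", T0 + timedelta(minutes=40), NODE))
    return results, len(acct.console)


def scenario_paced(retention_minutes=30):
    """The same three wrong passwords, 31 minutes apart.  With the default
    30 minute retention each one is forgotten before the next arrives, so
    there is no lockout and nothing on the console; a longer retention
    catches the same sequence."""
    acct = Account("JSMITH", "s3cret", retention_minutes=retention_minutes)
    results = [acct.login("guess%d" % i, T0 + timedelta(minutes=31 * i), NODE)
               for i in range(3)]
    return results, len(acct.console)


if __name__ == "__main__":
    print("burst:", scenario_burst())
    print("paced, 30 min retention:", scenario_paced())
    print("paced, 120 min retention:", scenario_paced(120))
```

The paced scenario is the practical caveat on both sides: an attacker who
spaces guesses wider than the retention time never trips the lockout and
never lands on the console, and the admin's counter to that is the retention
setting, not the attempt count.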

---------------------------------------------------------------------------

03-5. What are station/time restrictions?

Time restrictions can be placed on an account to limit the times at which
the account can be logged in. If the account is already logged in and the
time changes to a restricted time, the account is logged out. The
restriction can be set per weekday down to the half hour. That means that
if an admin wants to restrict an account from logging in except on Monday
through Friday from 8-5, it can be done. Only Supervisor and equivalents
can alter time restrictions. Altering the time at the workstation will
not get you around time restrictions; only the server's clock is consulted,
so only altering the time at the server changes the ability to access.

Station restrictions place a restriction on _where_ an account can be used.
Restrictions can be to a specific token ring or ethernet segment, and can
be specific down to the MAC layer address, or node address. The only way
around a station restriction at the node address is to spoof the address
from a workstation on the same segment or ring as the address you are
spoofing. Like time restrictions, only Supervisor and equivalents
can alter station restrictions.

Of course you can remove station and time restrictions in SYSCON if you are
a Supe equivalent.
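
The two restriction types above are easy to get wrong at the boundaries
(is 5:00 pm in or out? does a segment-wide restriction cover a new card?),
so here is an added example (not Novell's code) that evaluates them the way
the text describes: a per-weekday grid of half-hour slots checked against
the server clock, and a station list that can name a whole segment or a
single node address. The grid's row order (Monday first, as Python's
datetime.weekday() numbers days), the address normalisation, and all the
function names are choices made for this example.

```python
"""Evaluate the login time and station restrictions described in 03-5.
Added example, not Novell's code.  The time grid is the 7-day by 48-half-hour
table SYSCON edits; the row order (Monday first, matching datetime.weekday())
and every function name here are choices made for this example."""
from datetime import datetime

SLOTS_PER_DAY = 48   # one slot per half hour


def empty_grid():
    """Nothing allowed anywhere: every half hour of every day is restricted."""
    return [[False] * SLOTS_PER_DAY for _ in range(7)]


def allow(grid, weekdays, start_hour, end_hour):
    """Permit logins on the given weekdays (0=Monday .. 6=Sunday) from
    start_hour up to, but not including, end_hour."""
    for day in weekdays:
        for slot in range(start_hour * 2, end_hour * 2):
            grid[day][slot] = True
    return grid


def time_allowed(grid, server_time):
    """Is login permitted in the half hour containing server_time?  Only
    the server clock matters; a workstation clock has no say.  A logged-in
    session is dropped as soon as this turns False."""
    slot = server_time.hour * 2 + (1 if server_time.minute >= 30 else 0)
    return grid[server_time.weekday()][slot]


def _norm(addr):
    """Compare addresses case-insensitively and without leading zeros."""
    return addr.upper().lstrip("0") or "0"


def station_allowed(restrictions, network, node):
    """restrictions: list of (network, node) pairs from the account's station
    restriction list.  A node of None means any station on that segment.
    An empty list means the account is not station-restricted at all."""
    if not restrictions:
        return True
    return any(_norm(net) == _norm(network)
               and (nd is None or _norm(nd) == _norm(node))
               for net, nd in restrictions)


def login_allowed(grid, restrictions, server_time, network, node):
    return (time_allowed(grid, server_time)
            and station_allowed(restrictions, network, node))


def demo():
    """Business-hours account, tied to one Ethernet segment.  Dates are the
    week of Monday 12 June 1995; addresses are constructed."""
    grid = allow(empty_grid(), range(0, 5), 8, 17)     # Mon-Fri 8-5
    segment = [("00000001", None)]                     # anywhere on network 1
    pinned = [("00000001", "0080C7123456")]            # one specific card
    mon9 = datetime(1995, 6, 12, 9, 0)
    return {
        "monday_0800": login_allowed(grid, segment, datetime(1995, 6, 12, 8, 0), "1", "0080C7000099"),
        "monday_1700": login_allowed(grid, segment, datetime(1995, 6, 12, 17, 0), "1", "0080C7000099"),
        "friday_1659": login_allowed(grid, segment, datetime(1995, 6, 16, 16, 59), "1", "0080C7000099"),
        "saturday": login_allowed(grid, segment, datetime(1995, 6, 17, 10, 0), "1", "0080C7000099"),
        "wrong_segment": login_allowed(grid, segment, mon9, "2", "0080C7000099"),
        "pinned_other_card": login_allowed(grid, pinned, mon9, "1", "0080C7000099"),
        "pinned_spoofed": login_allowed(grid, pinned, mon9, "1", "0080c7123456"),
        # already logged in when the server clock reaches 17:30: dropped
        "forced_logout_1730": not time_allowed(grid, datetime(1995, 6, 12, 17, 30)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s %s" % (name, outcome))
```

The "pinned_spoofed" case is the point of the text: once a station
restriction is down to a node address, only a workstation presenting that
address (on that same network) gets in, which is why spoofing has to happen
on the same segment.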

---------------------------------------------------------------------------

03-6. How do I spoof my node or IP address?

Whether you can do this depends greatly on what kind of network interface
card (NIC) the workstation has. Typically you can do it in the Link Driver
section of the NET.CFG file by adding the following line:

    NODE ADDRESS xxxxxxxxxxxx

where xxxxxxxxxxxx is the 12 hex digit MAC layer address. This assumes you
are using Netware's ODI drivers; if you are using NDIS drivers you will
have to add the line to a PROTOCOL.INI or IBMENII.NIF file, which usually
has the lines already in it.

For an IP address, you may have to run a TCPIP config program to make it
work (it depends on whose IP stack you are running). Some implementations
will have the mask, the default router and the IP address in the NET.CFG,
some in the TCPIP.CFG. It is a good idea to look around in all network-
related subdirectories to see if there are any .CFG, .INI, or .NIF files
that may contain addresses.

Getting the target node address should be pretty easy. Log in with any
account and do a USERLIST /A. This will list all accounts currently logged
in with their network and node address. You can set any node address you
like regardless of where you are, but to defeat a station restriction your
workstation must be on the same network (segment or ring) as the target
address.
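
Editing NET.CFG by hand is error-prone: NET.CFG is sensitive to which
section a parameter sits under, and a second NODE ADDRESS line left behind
from an earlier attempt is exactly the kind of thing that makes a driver
ignore the setting. The following added example (not part of this FAQ and
not a Novell tool) puts a NODE ADDRESS line under the Link Driver section
of a NET.CFG, replacing any existing one, and reads it back. It covers the
ODI case only, not PROTOCOL.INI or .NIF files. The sample file content is
constructed, and the address normalisation (accepting dashes, colons,
brackets or dropped leading zeros) is a convenience chosen for the example.

```python
"""Set or read the NODE ADDRESS under the Link Driver section of a NET.CFG.
Added example, not part of the FAQ and not a Novell tool.  NET.CFG's layout
(section headings at column 0, parameters indented beneath them) is as the
FAQ describes; the sample file below is constructed and the normalisation
rules are a convenience chosen for this example."""
import re

HEX12 = re.compile(r"^[0-9A-F]{12}$")
LINK_DRIVER = re.compile(r"^(Link Driver)\b(.*)$", re.IGNORECASE)

# Constructed sample NET.CFG for an NE2000 with no node address set yet.
SAMPLE_NET_CFG = """\
Link Driver NE2000
    INT 5
    PORT 300
    FRAME Ethernet_802.2

Protocol IPX
    BIND NE2000
"""


def normalize_node_address(raw):
    """Return 12 upper-case hex digits from forms such as '0080C7123456',
    '00-80-C7-12-34-56', '[  80C7123456]' (leading zeros dropped, as a
    listing tool might print it), or raise ValueError."""
    digits = re.sub(r"[\s:\-\[\]]", "", raw).upper().zfill(12)
    if not HEX12.match(digits):
        raise ValueError("node address must be 12 hex digits: %r" % raw)
    return digits


def is_valid_node_address(raw):
    try:
        normalize_node_address(raw)
        return True
    except ValueError:
        return False


def _is_heading(line):
    return bool(line.strip()) and not line[0].isspace() \
        and not line.lstrip().startswith(";")


def _matches_driver(heading, driver):
    m = LINK_DRIVER.match(heading)
    return bool(m) and (driver is None
                        or m.group(2).strip().upper() == driver.upper())


def set_node_address(cfg_text, address, driver=None):
    """Return cfg_text with NODE ADDRESS set under the Link Driver section
    (or under the named driver's section), dropping any old NODE ADDRESS
    line there so the driver sees exactly one."""
    address = normalize_node_address(address)
    out, in_target, found = [], False, False
    for line in cfg_text.splitlines():
        if _is_heading(line):
            in_target = _matches_driver(line, driver)
            out.append(line)
            if in_target:
                found = True
                out.append("    NODE ADDRESS " + address)
            continue
        if in_target and line.strip().upper().startswith("NODE ADDRESS"):
            continue   # old setting; the new one is already in place
        out.append(line)
    if not found:
        raise ValueError("no Link Driver section found in NET.CFG")
    return "\n".join(out) + "\n"


def get_node_address(cfg_text, driver=None):
    """Return the NODE ADDRESS set under the Link Driver section, or None."""
    in_target = False
    for line in cfg_text.splitlines():
        if _is_heading(line):
            in_target = _matches_driver(line, driver)
            continue
        parts = line.split()
        if in_target and len(parts) >= 3 \
                and parts[0].upper() == "NODE" and parts[1].upper() == "ADDRESS":
            return parts[2].upper()
    return None


if __name__ == "__main__":
    print(set_node_address(SAMPLE_NET_CFG, "[  80C7123456]"))
```

Whether the driver honours the line is still up to the card and driver, as
the text says; the example only guarantees the file is well-formed.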

---------------------------------------------------------------------------

