Especially now, having one's network
hack-resistant is more important than ever. More often emphasis is against
external hacks; however, this should not lead to inattention to internal
network security. This article is paraphrased out of Netware security FAQ.
Here are some suggestions to make your NDS less prone to hack
attempts.
- The first step in any internal security plan is physical
security. This entails locking the server room, maintaining accurate key
logs to the computer room, watching 3rd party technicians and their access,
and otherwise preventing direct, unmonitored access to the server.
-
Remove the ability for anyone to read the NDS tree (check the rights for
[Root], they should not be public). If public does require rights give those
rights specifically at the container level, and not at the [root].
-
Isolate servers on one Ethernet segment, admins on another, and end users
elsewhere, or go to switched Ethernet. This segmentation of network traffic
will aide in tracking network sniffers, auditing, and intrusion
detection. The admin passwords will not be broadcasted to each node in a
segmented network as well.
- Use Packet Signature at the highest settings
on servers and workstations at all times.
- Use the latest patches
on servers and workstations. Novell is always dropping in security fixes in
maintenance patches and not telling anyone about it. In the past,
maintaining the current service pack level was only important in
troubleshooting network problems. Now with security fixes being reported
often, it is more important than ever to make sure you are at the latest
service pack level.
- The SET PACKET SIGNATURE line should be in the
STARTUP.NCF, not the AUTOEXEC.NCF. This prevents access to the signature
from the networ. It requires shell access to local C: drive on the
server.
- Build an NDS account named SUPERVISOR, give it no rights
and disable it. This procedure and renaming the admin account will
prevent a majority of brute password hacking, and access to your
NDS.
- Give the bindery Supervisor account a huge password. Again
password security is critical to prevent administrative access to NDS. I
would recommend a combination of alpha- numeric-symbol for this password. The
larger the password the longer it will take to brute-crack as well.
-
Make sure the server object is not in the same container as the Admin
account.
- Turn on Intruder Detection on every container.
-
Minimum password length should be 8 for most users, LAN administrators
should have an even longer password.
- Never use RConsole. Walk to the
server, or use an out-of- band method for access if it is truly in a remote
location. It is simply to easy to sniff the password through rconsole.
These actions will greatly increase your hacker resistance of your
NDS environment.
Email this Article
Print this Article
