From: Patrick Coomans (Patrick.Coomans4ALL.BE)
Date: Mon Jan 08 2001 - 03:47:53 CST
Apart from third party software to protect or evaluate the protection of your Novell servers,
I think it may be helpful for some of you if I include my little to-do list for securing Novell 5 servers.
There are a lot more parameters out there, I also advise you to check out SECURE.NCF on your server.
Should you want to be able to see all possible SET parameters (also the hidden ones) try using MONITOR /HELP then check out all the extra parameters visible in the Server Settings.
Here is part of my little list:
1) SET NCP Include IP Address
I very much appreciate this new parameter in NW5 SP5 or NW5.1 SP1.
The parameter syntax is "SET NCP Include IP Addresses = a.b.c.d; u.v.w.x; o.p.q.r; etc..."
and is meant for servers that have both "Public"-type as well as "Private"-type NICs.
This parameter allows you to stop the NCP advertisement (and NDS Server IP address registration) for the IP addresses which are PUBLIC.
2) Set NCP Packet Signature Level=2
I did experience a lot of trouble with enforcing NCP Packet Signatures on all servers to level 3 (always require NCP Packet signatures). It seems that a lot of 3rd party boxes don't support packet signing well, and I had to reduce the NCP Packet Signature level to 2 (do signatures if the client can, but don't if the client doesn't support it).
3) Filter incoming connections to services like RCONJ and FTP
Use FILTCFG to configure filtering for those services so that you can limit connection attempts to source IP addresses in the networks which are allowed to initiate those connections.
You can also configure a Novell server to create a logfile of all packets that were "dropped" by your filtering configuration by changing the file \sys\etc\ippktlog.cfg
4) Limit the NCP Login IP Addresses for all your User ID's to valid IP addresses. (use console one or nwadmin32 to do this - user properties).
5) Make sure you have proper CONSOLE LOGGING configured. I usually do this:
Load CONLOG Archive=Yes Next=05:00 Entire=Yes Maximum=20000
which makes CONLOG archive all its console logging files for later retrieval
Also, invalid NCP login attempts are sent to the console.log
6) Set NCP Enable IPX address = Off
can be set only if your network is IP only. This will completely remove all IPX NCP-support from all loaded modules.
7) Reject bad NCP packets. You have to take care with this one, since, again, some manufacturers simply send out bad NCP packets. One example is some QMS network printer boxes, which will fail to attach to a server if you reject bad NCP packets.
Set display NCP bad component warnings = on
Set reject NCP packets with bad components = on
Set display NCP bad length warnings = on
Set reject NCP packets with bad lengths = on
8) Set a lot of other IP communication parameters
Set filter packets with IP header options = on
Set filter subnet broadcast packets = on
Set discard oversized UDP packets = on
Set discard oversized ping packets = on
Set tcp defend land attacks = on
Set tcp defend syn attacks = on
Set ipx netbios replication option = 0 (completely disallow all netbios forwarding)
9) Configure your stack to reject incoming rip or ospf from public or semi-public interfaces
10) Configure your SLP architecture with a NAMED scope, do not use "UNSCOPED".
11) Make sure you have to BINDERY CONTEXT set in your autoexec.ncf
12) Do not use RCONSOLE. It sends the console password in cleartext. (You can't anyway if your server is pure IP.)
13) Enable NetWare's intruder detection
14) Enforce strong passwords on the users
download the tools to do this at http://www.connectotel.com/ppm/
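
The SET values from items 2, 7 and 8 above can be checked mechanically against the text of a server's .NCF files. The following Python script is an added example, not part of the original post; the comment markers it skips ('#', ';' and REM) and the sample file contents are assumptions.

```python
import re

# Baseline from items 2, 7 and 8 of the post; names lower-cased for matching.
BASELINE = {name: "on" for name in (
    "display ncp bad component warnings",
    "reject ncp packets with bad components",
    "display ncp bad length warnings",
    "reject ncp packets with bad lengths",
    "filter packets with ip header options",
    "filter subnet broadcast packets",
    "discard oversized udp packets",
    "discard oversized ping packets",
    "tcp defend land attacks",
    "tcp defend syn attacks")}
# Signature level 2 is treated as a minimum, so level 3 also passes.
BASELINE.update({"ncp packet signature level": "2", "ipx netbios replication option": "0"})
SET_LINE = re.compile(r"^\s*set\s+(.+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_sets(text):
    """Return {parameter: value} for every SET line; a later line wins."""
    found = {}
    for raw in text.splitlines():
        words = raw.split()
        # Assumption: '#', ';' and REM mark a comment line in an .NCF file.
        if not words or words[0][0] in "#;" or words[0].upper() == "REM":
            continue
        m = SET_LINE.match(raw)
        if m:
            found[" ".join(m.group(1).lower().split())] = m.group(2).lower()
    return found

def audit(text):
    """Return sorted (parameter, expected, actual) tuples for each deviation."""
    found, issues = parse_sets(text), []
    for name, want in BASELINE.items():
        got = found.get(name)
        if name == "ncp packet signature level":
            ok = got is not None and got.isdigit() and int(got) >= int(want)
        else:
            ok = got == want
        if not ok:
            issues.append((name, want, got))
    return sorted(issues)

# Constructed sample, not taken from a real server.
SAMPLE_NCF = """SET NCP Packet Signature Level = 3
set Reject NCP Packets with bad lengths=ON
SET Reject NCP packets with bad components = off
REM SET tcp defend land attacks = on
SET ipx netbios replication option = 2"""
```

Calling audit(SAMPLE_NCF) lists every baseline parameter that is missing, commented out or set to a different value; an actual value of None means no active SET line was found for that parameter.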