Chapter 15 Effectively Setting Up eDirectory Security
Management tools and techniques are very important to effectively prevent NDS/eDirectory problems, but they do not address a serious issue facing modern network administrative staff: securing resources from unauthorized access. Experience has shown that the danger of unauthorized access often comes from an internal source (employees, disgruntled or not) rather than from sources outside the organization (hackers).
Another reason to provide security on your network is to prevent the accidental destruction of data. Security is an effective means to limiting the scope of potential damage done by people who do not fully understand how to administer the system or how to properly use administrative tools. Security can prevent non-administrative users from inadvertently causing problems because they deleted something they should have been unable to delete or moved a directory that should not have been moved.
Effectively securing your system—whether from a deliberate attack or from unintentional error—needs to start with the basic premise that your system is not secure. A good security policy puts enough barriers in the way that the cost of obtaining information is higher than the value of the information to the would-be attacker. These barriers, however, have to be balanced against usability of the system.
This chapter takes an in-depth look at the features of eDirectory security and how to effectively implement security policies so the system is secure and usable.
Before addressing directory services (DS) security, we need to touch on the need for physical security on the servers holding DS replicas. If at all possible, you should take the following measures:
Lock the server room
Limit access to that room
Use an access method that includes a mechanism to trace access to the room
If these measures are not possible, you should find a way to physically secure the system. If someone breaks in and steals the server, no matter how good your security policy is, that person has all the access needed and more than enough time to break into the data.
TIP
It often escapes administrators’ attention, but you also need to secure all your backup media. Having access to the data on your system backup is as good as having access to the data on your server.
TIP
If you have a small server that needs to be secured, one option may be Kanguru Solution’s Kanguru Encryptor (www.kanguru.com/encryptor.html). It is a real-time data encryption/decryption device and is hardware based. Even if the server is stolen, the data stored on the hard drive is useless to anyone without the correct access key.
Almost all companies have firewalls to protect their data from external attacks across WAN/Internet links. Often overlooked, however, is another aspect of physical security—the various LAN access points located within a network. As with your server room, you should restrict access to network switch rooms where someone can easily plug in a laptop computer running a packet sniffer and gather information that would otherwise require a privileged user ID and password to obtain.
NOTE
With the popularity of wireless networking, many companies have wireless access points that are interconnected with the LAN infrastructure. It is prudent to enable Wired Equivalent Privacy (WEP) encryption, but even 128-bit WEP is not as secure as you might think, but it’s better than not using any security. It is a good idea to change the passphrase or secret key frequently.
Ensuring console security is the next important task in securing the server. If someone can obtain access to your file server’s console, that person can copy the DS database files to a publicly accessible directory and take those files offsite for an offline attack (because in DS you do not store the actual password but its public/private key pair). Although the DS database files only yield the password hash, knowing the user ID and length of the password are enough to provide a starting point for a brute-force attack to determine the password.
Unfortunately, when you use RConsole, XConsole, AConsole, and RConag6, passwords may be transmitted in clear text (XConsole) or you might be using an easily reversible encryption scheme (RConsole, AConsole, and RConag6). These problems can open you up to attacks on the console remotely. They provide enough access to obtain the Directory Information Base (DIB) files for such an offline attack. Evaluations of remote console security have turned up problems with using RConsole, even when using encrypted passwords (for example, using the REMOTE ENCRYPT console command and storing the password in LDREMOTE.NCF).
Several services that can be installed on the server grant access to the SYS:ETC directory, where the network configuration information is stored if you configure your system with INETCFG NLM. If you configure remote access to your system and use Unix Print Services, NFS, or FTP services, the possibility exists that access to your SYS:ETC directory is open.
If you set up remote access with RConsole through INETCFG.NLM and if unauthorized users have read access to the SYS:ETCNETINFO.CFG file, your console is not secure because the RConsole password is stored in that file in plain text.
WARNING
We will not go into the details here, but suffice it to say that from a packet capture of an RConsole session, one can easily determine the password, even when it is encrypted.
Unfortunately, the best policy for remote access is the one that is least feasible: Do not use it. Many system administrators depend on having remote console access to the server for various administrative tasks.
A potentially better solution is to not load the remote console modules until you need them. It is possible to remotely load and unload NetWare Loadable Modules (NLMs) on the server console by using a tool such as Wolfgang’s Remote utility (www.geocities.com/wstools). Setting up RConsole in this manner provides a little more control over who has access to the console and when.
NOTE
Using remote load/unload commands requires Console Operator privileges on the server you want to execute the command on.
TIP
If you are running NetWare 6 and higher, you can use the RconJ module, which supports secured connection via Secure Sockets Layer (SSL). Using that module helps keep your remote access password from being sniffed, but it does not address the problem of finding the password from configuration files that store it in clear-text format.
Good security for the console is not easy to achieve, but it can be done. You can start by “locking” the console screen, using a password-protected screensaver, or “blanker” (so that the monitor screen does not get burned in). Many people rely on the security of MONITOR NLM’s console lock (in NetWare 4.2 and earlier) and the screensaver SCRSAVER NLM in NetWare 5 and higher.
The MONITOR console lock is based on either an entered password or the bindery Supervisor password for the server—even if a bindery context is not present. MONITOR does not, unfortunately, prevent someone from unlocking the console through the NetWare kernel debugger. A password entered at the MONITOR console lock prompt is stored in memory in clear text. If you know where to look, you can read the password directly from memory, continue the server’s execution with the G debugger command, and then work from the server console by entering the password discovered in memory.
If you press Enter at the MONITOR lock option, however, the only password that unlocks the console is the Supervisor password, and it is stored like any other DS password—after being passed through a one-way hash. Unfortunately, there is a problem with this as well: It is possible, through the NetWare kernel debugger, to completely bypass the security checks in MONITOR and cause MONITOR to think you entered the correct password when you did not. Someone who knows what he or she is doing can do this quickly enough that services hosted by the server are not interrupted. This demonstrates how dangerous it can be to have access to the kernel debugger.
Breaking into the kernel debugger is a simple task: You simply press the left and right Shift keys, one of the two Alt keys, and the Esc key simultaneously—the so-called four-finger salute.
WARNING
Do not attempt the four-finger salute on a production system. Breaking into the kernel debugger causes the system to stop responding to client requests. You can restart it with the G debugger command, but it is not recommended that you experiment with production systems.
NetWare 5 and higher remove the screensaver (affectionately referred to as “the snake”—on servers with multiple CPUs, you get multiple snakes, one for each CPU) and console lock components from the MONITOR utility and put them in a separate NLM called SCRSAVER. SCRSAVER, however, requires that the person accessing the console have Supervisor rights to the NCP Server object in the NDS tree. This may not be practical in all cases, and the SCRSAVER NLM does not restrict access to the kernel debugger.
TIP
SCRSAVER depends on DS to verify and authenticate the user to unlock the screensaver. If the DS is locked (such as when DSRepair is running) when SCRSAVER activates, authentication for the admin user cannot take place, resulting in the screensaver hanging in activation mode. However, you can load SCRSAVER with the NO PASSWORD option, and it will allow you to unlock the screensaver with no password required when eDirectory is not available.
For better or stronger console security, you need to look at some third-party solutions. SSLock for NDS (see www.dreamlan.com/sslock.htm), runs on NetWare 4.11 and higher and is an alternative to SCRSAVER and MONITOR’s keyboard locking function. The following are some of the features that SSLock v6 offers:
Sending of console status change alerts via SMTP email. For instance, when the console is locked or unlocked.
Sending of intruder detection warnings via SMTP email.
Disabling of access to kernel debugger via the four-finger salute.
Requirement of a valid DS user login ID and password.
Emergency access in case the DS database is locked or corrupted.
Remote status information of SSLock and unlocking of the console via a Windows 32-bit operating system GUI client.
Displaying of legal information and requirement of acceptance before the user is allowed to unlock the console.
As with SCRSAVER, users who have Supervisor object rights to the NCP Server object can unlock and unload SSLock. In addition, you can define users to be members of a group (SS_UNLOCK) in order to unlock the console (but not unload the NLM). To unload the NLM (that is, to turn it off), the user needs to be a member of a different group (UNLOAD_SS). Therefore, when you use SSLock, the users no longer need to be given Supervisor object rights in order to access the server console. Figure 15.1 shows the login screen for SSLock.
If you need something more comprehensive than SSLock, you might try SecureConsole (www.protocom.com/html/secureconsole.html), which addresses many needs for console security and provides a high degree of console security. Among other things, SecureConsole does the following:
Requires a valid NDS user login ID and password.
Requires that the login ID be granted explicit access to the server’s console. Having Supervisor rights to the server is not sufficient (much like having Supervisor rights is not sufficient to perform print queue operator functions).
Is capable of creating an audit trail of all console commands.
Has the capability to restrict console commands and access to special console functions, such as the NetWare kernel debugger and the fast restart key sequence introduced in NetWare 4.11.
Has a configurable login screen.
Can have multiple emergency users (non-DS users) in case the DS database is locked or corrupted.
Provides encrypted remote access via IP or IPX.
Supports the use of passwords that are available for a specified amount of time for emergency user accounts.
In addition, SecureConsole can be configured through NetWare Administrator, ConsoleOne, or Protocom’s server-based administration utility, SCADMIN.NLM. Figure 15.2 shows the login screen for SecureConsole.
A well-written data security policy is like a good disaster recovery policy: Everybody says and knows it’s important, but only a few people actually implement it. Part of the reason people may be reluctant to write an official security policy is that they hope they never need it—just like they hope they never need a disaster recovery policy. Most people realize they need it only after a problem has been discovered.
A security policy does not need to be very complicated. It should establish the following:
Procedures for users requesting access to resources
Procedures for granting users access to resources after the request is approved
Consequences for accessing unauthorized resources
In addition, if your Information Systems department has multiple levels of administrative authority, the security policy documentation should outline which groups have responsibility for which aspects of the network. In many organizations that implement such a written policy, the policy can be added to the Human Resources manuals or documentation.
It is also recommended that competency testing be implemented. This enables you to verify that people who have a certain level of administrative access know how to properly use their access to perform their job functions. Granting administrative authority of any kind to a resource on the network should be done only if you (or management) have confidence in the people assigned those tasks.
Now that we have covered the physical aspects of security, we can talk about logical, or software-based, security—the security that is inherent in NDS.
There are many for good logical security. Many of the easiest ones to implement are often overlooked because they are not completely obvious. Because many attacks on a network’s security system come from inside the organization and can come from people who have help-desk–level authority (that is, authority to change passwords), it is important to protect against that sort of attack.
Figure 15.3 shows a basic structure for granting administrative rights that is used throughout the rest of this chapter. The idea behind this particular architecture is to remove the security administration from the main part of the tree and lock it away where only a few people can make changes—that way, you increase your accountability without compromising flexibility.
NOTE
There are many other ways to structure security, but experience has shown that the model discussed here provides a high degree of flexibility and security because the groups used to assign rights are contained in a separate container (tree branch) that only a few people have access to.
As shown in Figure 15.3, the Admin ID is located in the security administration container. We recommended that you make this branch not browsable by [Public]. You can accomplish this by granting [Public] an explicit object right of “nothing.” This helps to limit not-logged-in stations from being able to browse for Admin.
TIP
Do not use the Admin ID for daily administrative tasks; use it for emergency situations only. By not using it for daily administrative tasks, you increase accountability for various changes made to the tree.
Another good idea is to generate a long password for the Admin account and store it in a safe, secure place. In one production environment we have worked with, the Admin account is protected with a 40-character randomly generated password. Only two people in the organization—an organization of over 100,000 people—know where that password is stored. Note that if this organization did not implement proper physical security access controls, it would be only a matter of time before that password was compromised.
When creating additional tree administrators, it is generally considered good practice to assign these users explicit rights to the [Root] object in the tree rather than grant them security equivalence to Admin. If something should happen to the Admin account that results in object corruption or deletion, any accounts that are the security equivalent to Admin will lose their rights to the tree.
The first level of providing good logical security is to protect administrative accounts. This might seem fairly obvious as a need, but the how-to aspect is something that many administrators do not give thought to.
Protecting administrative accounts is quite easy to do. First, you should try to limit the number of partitions that contain administrative accounts and make sure the replicas that hold those objects are on servers that have an extra degree of physical and console security. As discussed earlier in this chapter, if someone can gain access to a server console, he or she can grab the DIB files and attack them offline.
Second, containers where there are administrative accounts should have intruder detection turned on. You can turn this on in NetWare Administrator, for example, by selecting the details of the container and then selecting the Intruder Detection tab. By default, this feature is turned off, and when it’s turned off, someone trying to break into your system can try as many passwords as he or she wants in an online brute-force attack. Figure 15.4 shows how to set up this feature.
TIP
If you use ConsoleOne to configure intruder detection, the setting is under the General tab and not under the Restrictions tab, as you might expect.
Third, you want to limit the number of workstations the administrative accounts can log in at simultaneously. You may elect to enable administrators to only log in from certain workstations; you can also do this by using a network address restriction. As shown in Figure 15.5, you can enable network address restrictions based on IPX or IP addresses. Although Figure 15.5 also show a number of other address types—Ethernet/Token Ring, AppleTalk, and so on, these entries may be used by custom-developed applications, but they are not used by the Novell Client software to restrict user logins.
TIP
You can set an address range for the network address restriction instead of entering each node into the list. For instance, to restrict a user to any node on a given IPX segment, you can specify 12 F ’s for the node address.
For IP, on the other hand, the trick is to set the host address to 0. For example, if you have an IP subnet with an address range from 192.168.1.1 through 192.168.1.254 (a Class C subnet mask of 255.255.255.0), you enter 192.168.1.0 as the address restriction. If you have a nondefault subnet mask (say, 255.255.255.192), you enter the address 192.168.1.64 because IP address restriction will allow login from all computers (192.168.1.64 through 192.168.1.127) in the subnet.
Refer to TID #10065373 for additional information about network address restrictions.
Novell Client software prefers to use IP instead of IPX to connect to NetWare 5.x or higher servers. Therefore, if you have an address restriction set only for IPX, it will not allow the IP connectivity, and this results in the user not being able to log in.
NOTE
Enabling some of the additional security options, such as concurrent login restriction and network address restriction, may require you to limit administrators’ access to modify their own accounts. If you choose to restrict the number of simultaneous workstations the administrator can use, you might want to prevent administrators from changing that value on their own.
In DS, it is possible to block Supervisor rights to an object or a branch of the tree. The only caveat is that Supervisor rights must be explicitly assigned to at least one user object that is being protected with an Inherited Rights Filter (IRF). Otherwise, you will end up with an unmanageable object.
WARNING
Checks are performed by Novell-supplied management utilities, such as NetWare Administrator and ConsoleOne, to validate that at least one user has Supervisor access to a container before an IRF is set. The safety checks are not performed by DS, therefore, when you’re using a third-party utility. Therefore, you need to take care when assigning IRFs as NDS may not perform such checks, and you could lock yourself out of a container or from managing an object.
Figure 15.6 shows the Inherited Rights Filter dialog box in its default state. To block a particular right, you simply uncheck it. The arrow next to the check box reflects the state of the filter; when blocked, the arrow icon changes to indicate that a right is blocked. For protecting an administrative account, we recommend blocking all object rights except Browse rights and all property rights except Read and Compare. This prevents someone from deleting the account and re-creating it without the IRF, and it also prevents people from making other changes to the account.
NOTE
ConsoleOne shows only the attributes that have an IRF set, which makes checking for IRFs a little easier in ConsoleOne than in NetWare Administrator.
NOTE
You access the Inherited Rights Filter dialog box through the Trustees of this Object context menu option.
With the Property Rights portion of the Inherited Rights Filter dialog box, you can block rights to specific attributes, such as password management, or to all attributes. The default is to set up the IRF for all properties. By selecting a specific attribute, though, you can be very granular in what you revoke rights to, just as you can when granting rights.
When you’re protecting an administrative account, we recommend that in addition to giving a user explicit Supervisor rights to his or her own object, you give another user or group of users rights as well. For example, in Figure 15.3 we have a group called RootAdmins located in the Groups.IS_Admins container that would be ideal for this type of role. The idea behind doing this is that if an administrative user gets locked out of his or her account, somebody else should be able to unlock the account or change the password. Remember that by applying an IRF to an object, you remove some degree of administrative access to that object.
You might wonder why a special group called RootAdmins exists in this example. After all, Admin has explicit rights to [Root], and the discussion thus far has suggested granting explicit rights to [Root] for objects that need Admin equivalence. In a large environment, it might make sense to use a group to house administrative accounts other than Admin and possibly one other account; that way, at least one person can get back in if something happens to both the Admin user and the RootAdmins group. Using a group membership is somewhat easier to manage if you have a few people with that level of access.
It is also strongly recommended that administrative users change their passwords on a regular basis (perhaps more frequently than the typical end users); it is very easy for administrators to make exceptions for themselves with their own administrative accounts and remove otherwise standard password restrictions and length limitations. If anything, administrative accounts should have their passwords changed more frequently, have longer minimum password lengths than standard user accounts, and be used only for performing administrative tasks. Any other work the administrator does should be performed through a separate account set up as a typical user account.
TIP
Administrative accounts should have strong passwords. A strong password is a password with at least a certain number of numeric digits and alphabet characters so that it is not a word that can be found in a dictionary.
You can add strong password support to NetWare 6 by purchasing NMAS, Enterprise Edition. NetWare 4 and 5, on the other hand, do not ship with an option for strong passwords. However, there are third-party solutions available that work with all versions of NDS and eDirectory and do not rely on NetWare servers. One example is Password Policy Manager (PPM) for NDS, from Connectotel Ltd. (www.connectotel.com/ppm). For more information, refer to the Novell August 2002 AppNote at http://developer.novell.com/research/appnotes/2000/august/02/a000802.htm.
Also suggested in our tree structure example is a special group called OU_Admins. As the name implies, this group is used for granting rights to all organizational unit (OU) objects and all objects under those containers. The only exception to this is the IS_Admins container itself; only Admin and members of RootAdmins should have rights to the IS_Admins container because these users determine what administrative groups should exist, what rights these groups should have within the tree, and who the group members are.
Having Supervisor rights to the [Root] object grants you another special right: the capability to make changes in the schema partition on all servers. Extending the schema is one of the things that make NDS and eDirectory so versatile. At the same time, you need to control changes to the schema, or you might run into problems due to schema definition clashes. This is a real danger if you have programmers who write programs using the Novell Developer Kit for eDirectory. In most cases, extensions added to the schema can be very difficult to remove, and in some cases, they cannot be removed after they’re added.
ConsoleOne includes the Schema Manager (accessed from the Tools pull-down menu; see Figure 15.7) that has the capability of adding extensions to a schema. Administrators who are learning may have a tendency to play with this feature and create new object classes and attribute definitions. If you or another part of the administrative staff want to experiment with this functionality, it is best to test it on a nonproduction tree. For this reason, we recommend using a group for rights at [Root] (the RootAdmins group in the preceding example) and a second group that has rights to all objects under [Root] (the OU_Admins group).
Limiting the access to [Root] also limits the possibility of someone who is trying to break into your system causing damage. If the administrative accounts are few and are relatively difficult to locate, and if the accounts that are found do not have rights to [Root], the ability for a would-be hacker to extend the schema and create a special class object to be a backdoor into the system is limited.
Another aspect of DS that should be closely controlled is the capability to modify login scripts. Refer to Figure 15.3, where another special group is called Script_Admins. The idea behind the Script_Admins group is that only members of the Script_Admins group can change the majority of login scripts.
One large company has implemented this on a rather large scale. Each of the OUs in the tree contains a subcontainer called Scripts. The Scripts container contains profile objects that make up the login scripts for that container. The container script itself contains only one line:
INCLUDE ".Main.Scripts.East.Company.XYZCorp"
The main script indicated in the INCLUDE statement contains all the standard script components—validation of network address for dial-up accounts (to abort the script and not run programs in the script over a dial-up connection) and execution of an operating system–specific login script.
The operating system–specific script is called with the following line:
INCLUDE ".%OS.Scripts.East.Company.XYZCorp"
The client performing the login request fills in the %OS portion of the command with the name of the operating system. The Scripts container then contains the following scripts to be included:
MSDOS
PCDOS
DRDOS
WIN95
WIN98
WINNT
These are all created as profile objects and contain commands specific to the operating system in question. The reason this is done is because as the Novell Client has evolved, its login script interpreter has come to include capabilities that are not supported in the old LOGIN.EXE DOS program.
On 32-bit Windows platforms, the @ command executes an external program and immediately continues the script. It is very similar to the # command (which these interpreters also support), except for the fact that it does not wait for the program that was run to return control back to the interpreter.
Unfortunately, the LOGIN.EXE script interpreter does not understand the @ command, and even if you attempt to check for the operating system in the login script as shown here, the script interpreter still interprets the line and returns an error:
IF "%OS" = "WINNT" BEGIN
@NALEXPLD
END
You might notice that the list of different script names includes three DOS names and both WIN95 and WIN98. This is because the %OS variable actually returns these values, depending on the workstation’s operating system. In the case of DOS workstations, however, the scripts for MSDOS, PCDOS, and DRDOS are really the same. Rather than copy the script and have to maintain three copies, you can simply work with one (MSDOS is what we use) and then include that script in the others, using the login script INCLUDE command. The same holds true for Windows 98, which is frequently considered by software to be an upgraded Windows 95—the client is the same, the environment is the same, so the script probably should be the same as well.
Protecting login scripts really serves two purposes:
It prevents accidental errors (such as deleting the wrong file from the workstations) in login scripts from causing widespread problems.
It prevents a hacker from inserting commands in the login script to capture passwords or other information or to cause harm to workstations.
When a script change is made and causes problems, it can be difficult to determine what change was made and who made the change. By limiting editing access to the login scripts, you reduce the number of people who might have caused the problem. A good side effect of this is that you can more easily create an environment where script changes are thought out and discussed before implementation.
To limit access to edit the scripts, you need to secure the container. First, you grant Admin and the Script_Admins group explicit Supervisor rights to the Scripts container, as shown in Figure 15.8.
Next, you block all rights to the container except for Browse object rights and Read and Compare rights to all properties.
In some environments where tree administration is decentralized, it may be necessary to set up regional administration—possibly even site-level administration. If you have administrative groups in Salt Lake City and Toronto, for example, you may not want the administrative group in Toronto to be able to make changes to the users in the Salt Lake City container.
Setting up administrative authority to do this is easy. Using the base model shown in Figure 15.3, you add two groups to the Groups.Admin container—one called TorontoAdmins and another called SaltLakeAdmins. For the high-level container in the tree for Salt Lake City, you grant the SaltLakeAdmins group Supervisor object rights. Similarly, for the Toronto high-level container, you grant the TorontoAdmins group Supervisor object rights.
If multiple sites within a location have their own administration, you can take this a step further. In Salt Lake City, you may have a regional office but also several branch offices with their own IT staff, in Murray, Provo, and Logan. Assuming that these containers are listed under Salt Lake City’s container, you would create a container in Groups.Admin called Salt Lake City and under that container create the groups MurrayAdmins, ProvoAdmins, and LoganAdmins.
The reason for this setup is that you might want to design a hierarchy for adding people to these groups. Putting the branch office administrators in a container named after the region means that you can grant the regional Admins groups Supervisor rights to the container. The regional Admins groups can add people to those groups, but without having the capability to add people to the regional group.
This type of design is very scalable and easy to manage, and at the same time, it provides a foundation for smaller organizations that will not have to change as the organization grows.
You should do security equivalence checks from time to time. It never hurts to make sure security is set up the way you think it is.
The first thing you need to understand is how security equivalence works. Figure 15.9 shows three users—AmyP, JimH, and PeterK—and how security equivalence works.
In this figure, JimH is assigned a security equivalence to PeterK, and AmyP is assigned a security equivalence to JimH. In some environments, the result might be that AmyP receives security equivalence to PeterK, but in DS or the bindery, that is not the case. Security equivalences are not transitive—they are evaluated only to a single level. This makes the evaluation of security equivalence much simpler.
NetWare 5 introduced a new feature called an Inheritable Access Control List value. As you will see in the section “Setting Up eDirectory Security Access for a Help Desk,” later in this chapter, the capability to set this up simplifies administration greatly, but it introduces an additional complexity to evaluating security equivalence—also commonly referred to as the effective rights of an object.
Fortunately, NetWare Administrator and ConsoleOne have the capability to perform the evaluation for you, even with the changes that became effective with NetWare 5. Figure 15.10 shows the Effective Rights window in NetWare Administrator.
The evaluation of one object’s effective rights to another object’s attributes includes several checks:
The trustees of the object being examined (the target object)
Rights granted to parent containers for the target object
Security equivalences of the source object
Rights flagged as Inheritable for the parent container objects to the target object
You might notice that group membership is not one of the things tested. Group membership itself does not grant rights to another object. However, because members of a Group object are also security equivalents to the Group object, each member will have whatever rights the Group object has.
Starting with the release of NetWare 4, Novell has included a feature for providing an audit trail. The original auditing in NetWare 4.0, and even as late as NetWare 4.10, was not very easy to use. The utility used for manipulating auditing, AUDITCON.EXE, was fairly cryptic, and its reports contained too much information to determine who was doing what. In short, it was difficult to find specific information you might look for because the reports were so difficult to read.
In NetWare 4.11, the Auditcon utility became more robust. Gone were the auditing passwords, and in their place was an object placed in the tree to control access to various features of auditing. Auditing in NetWare 5.x is still handled through Auditcon, shown in Figure 15.11. The utility still maintains its somewhat cryptic interface, but the tool has been greatly improved. Because this is a largely unfamiliar utility for administrators, we examine it in some detail. A brief discussion about Novell Nsure Audit (NNA) is presented after the discussion of Auditcon.
NOTE
Although NetWare 6 no longer ships with Auditcon—NetWare 6.0 ships with Novell Advanced Audit Service (NAAS) and NetWare 6.5 ships with NNA—you can still use Auditcon against eDirectory running on NetWare 5.1 platforms to perform some basic tracking. However, Auditcon only works in a NetWare environment.
Auditcon is capable of auditing a large number of events—both file system and DS events. The following are the audited DS events:
|
Abort join partitions |
Clear NDS statistics |
|
Abort partition |
Close bindery |
|
Add attribute to schema |
Close stream |
|
Add class to schema |
Compare attribute value |
|
Add entry |
Create backlink |
|
Add member to group property |
Create bindery property |
|
Add partition |
Disable user account |
|
Add replica |
Enable user account |
|
Add subordinate reference to |
End replica update |
|
partition |
End schema update |
|
Backup entry |
Inspect entry |
|
Change ACL |
Intruder lockout change |
|
Change bindery object security |
Join partitions |
|
Change bindery property security |
List containable classes |
|
Change password |
List partitions |
|
Change replica type |
List subordinates |
|
Change security also equals |
Login user |
|
Change security equivalence |
Logout user |
|
Change station restriction |
Merge entries |
|
Remove replica |
|
|
Modify class definition |
Rename object |
|
Modify entry |
Rename tree |
|
Move entry |
Repair time stamps |
|
Move tree |
Resend entry |
|
Mutate entry |
Restore entry |
|
New schema epoch |
Send replica update |
|
Open bindery |
Send/receive NDS fragmented |
|
Open stream |
request/reply |
|
Read entry |
Split partition |
|
Read references |
Start partition join |
|
Receive replica update |
Start replica update |
|
Reload NDS software |
Start schema update |
|
Remove attribute from schema |
Synchronize partitions |
|
Remove backlink |
Synchronize schema |
|
Remove bindery property |
Update replica |
|
Remove class from schema |
Update schema |
|
Remove entry |
User locked |
|
Remove entry directory |
User unlocked |
|
Remove member from group |
Verify console operator |
|
property |
Verify password |
|
Remove partition |
Auditing is a good way to keep track of what changes are made on a network and who makes them. Auditing can be a very powerful tool, but if it is overused, Auditcon data can become burdensome to maintain and evaluate. Auditing all events is generally not a good idea because of the space needed on all servers and because of the amount of information returned. As you can see, there are many events that can be audited, and many of those events happen very frequently.
You should use auditing when you want to figure out why something is happening. For example, you might want to audit the container objects, but you only see changes in the access control list; this would indicate that someone is granting rights or removing rights in a way that you do not want them to. You might also want to audit changes to passwords or resets of intruder lockouts. In conjunction with a help-desk setup, this is a way to provide checks to verify that only the people you want to be able to make the changes are actually the ones making the changes.
Another use for auditing is to record changes in the DS partitioning and replication scheme. In the Directory Services Auditing dialog box events, there are items to audit partition split/join operations as well as replica additions, deletions, and changes of replica types.
Because an object in the DS tree controls auditing, you can block access to even see the object, thus making the auditing operation transparent to the users and other administrators on the system.
When you have Auditcon running, you can select Audit Directory Services and then select a container to audit by pressing F10. If the container does not have auditing enabled, you see a menu like the one in Figure 15.12.
When auditing is enabled, the menu in Figure 15.13 is displayed.
The first option in the menu, Change Replica, enables you to select the replica you want to view. DS auditing is stored along with the directory itself and is a part of the partition. Therefore, its information is replicated along with the rest of the partition.
WARNING
Because DS auditing is replicated with the rest of the information in DS, you need to ensure that you have sufficient space on the SYS: volume for the servers that hold replicas of audited containers. If there is insufficient space, you will encounter problems with server utilization and potentially have issues with DS corruption due to insufficient space.
When you’re setting up auditing, the menu item you want next is Auditing Configuration. The menu that appears when you select this item, shown in Figure 15.14, is where you select what you want to audit and which objects in the tree you want auditing enabled for.
The first item on this menu, Audit by DS Events, enables you to toggle specific events by highlighting the event and pressing F10 (see Figure 15.15). When you have auditing enabled and have selected the events and users you want to audit, you can extract the auditing information from the audit logs. Selecting the Auditing Reports option from the Available Audit Options menu shown in Figure 15.13 brings up the Auditing Reports menu, shown in Figure 15.16.
There are several options in the Auditing Reports menu; these options create a readable file that can be browsed offline. If you have few events enabled, browsing offline can be a fast way to see what has been happening on the system. The second type of report is viewed onscreen; this is similar to the report options, except that the information is displayed directly to the screen.
NOTE
Each audit record has an event number and a short description associated with it, as in the following example:
23:48:34 Active connection, event 58,
address 0000E100:0001803750E2, status 0
user .CN=admin.O=XYZCorp, replica 1
If the description text is absent, you can refer to TID #10054493, where many of the event numbers are defined.
The most useful of the different reporting methods is the database report. This creates a comma-delimited file that can be imported into a database or spreadsheet for more detailed analysis. This file format does not lend itself to easy visual examination, but if you are attempting to keep a history of old audit files to establish trends in certain events, this is the best format to use.
The Auditing Reports menu contains the option Edit Report Filters. You can edit these filters either from the menu or after selecting a reporting method. Figure 15.17 shows the options available for creating reporting filters.
In addition to performing DS auditing, you can audit a number of other services. By returning to the main Auditcon menu and enabling volume auditing, you can select the other types of events that can be audited. The information recorded for all the volume-specific auditing events is stored on the volume being audited in the _NETWARE directory on that volume.
All the different types of auditing include the capability to control the configuration of auditing. We mentioned earlier in this chapter that auditing can cause disk space problems if you are not careful with how you use it. The Audit Configuration menu, shown in Figure 15.18, enables you to limit the use of disk space and define what should happen when the audit log is full.
The Audit Configuration menu options are set on a per-volume or per-container basis. Another configuration option is the capability to audit not-logged-in users or to enable auditing of specified users as opposed to all users. The User Restriction menu options are shown in Figure 15.19.
The other option on the User Restriction menu, also called User restriction, allows you to specify whether all users are audited (value set to NO) or just the specified users selected from the Audit Configuration menu (value set to YES). This is useful if you have containers with a large number of users in them and do not want to have to enable auditing for every user manually or figure out when users are created so you can enable auditing for them.
TIP
The user interface to Auditcon is not one of the friendliest around. If you work for an educational-type establishment, you will probably have to create a number of OUs for new students every semester and then start up Auditcon, enable auditing, and get all the settings right.
A utility called SETAUD.EXE (see www.caledonia.net/setaud.html) may be of help to you. First, you create a template file with the events to audit, and then you simply invoke SETAUD, directly or from an automated procedure that creates the users, to enable and configure the necessary auditing settings. As an added bonus, SETAUD can also disable auditing and clear out the log files before you delete an OU. It can export the auditing logs in a format suitable for importing into Excel for further reporting and analysis.
NOTE
Auditcon works with IPX only. If your NetWare servers are IP only, you need to use the SETAUD utility to enable, disable, and configure auditing.
Because managing auditing requires a fair amount of time and energy, you should not turn on auditing frivolously. Rather, you should use it as a preventive tool. There are two differing philosophies when using auditing:
Let people know you are using an auditing tool.
Do not let people know you are using an auditing tool.
There are advantages to both options. With the first option, people know you are watching what is happening on the network and know that they will be held accountable for the changes they make. This tends to make people think more before they make a change because they know you will find out if something goes wrong.
On the other hand, by not telling people you are using auditing, they do not feel that Big Brother is watching everything they do. Used in this way, auditing can be a tool for helping you learn what shortcomings other administrators have in their education, and you can teach them how to properly do things.
With the second option, if you are not careful, people will find out that you are watching every move they make. It is important when dealing with people that they be at ease and not fearful that you are going to make life difficult for them when they make mistakes. A big part of successfully implementing auditing without letting people know you are auditing them is making sure they cannot see the Audit:File objects in the DS tree. If those objects are not blocked, people will likely know that something is up, particularly if they are familiar with how auditing works.
While no method is completely effective for keeping people from knowing auditing is going on, it is possible to make it more difficult to detect. Using an IRF to block rights to the object is a starting place.
NetWare 6.0 shipped with NAAS, but NAAS is no longer supported as of January 1, 2004. NNA, included with NetWare 6.5, supercedes NAAS. NNA is a centralized, cross-platform, client/server-based auditing service. It can collect event data from multiple applications across multiple platforms; it writes the data to a single data store, using a common data structure; and it includes tools for reporting the logged data. It also provides real-time event information for notification and monitoring.
NOTE
NNA’s installation extends the eDirectory schema and includes Novell iManager 2.0 plug-ins for administration and management. You can configure and manage the various NNA components—including Logging Applications but not Platform Agents—by using Novell iManager or, in environments where eDirectory is not present, by using Novell WebAdmin (see Figure 15.20).
NNA is composed of four primary components (see Figure 15.21):
Logging applications
Platform agents
Secure logging server
Data store
Logging applications, also called reporting applications, are software that reports events to platform agents, using the NNA SDK. Novell has already instrumented many of its systems to log to NNA, including all currently supported versions of NDS and eDirectory; NetWare 4.2, 5.1, and 6.x; BorderManager 3.8; and NetMail 3.5. You can add the instrumentation (that is, event reporting) to your own applications by using the NNA SDK that is freely downloadable from Novell DeveloperNet (http://developer.novell.com).
A platform agent is a shared library that collects events from all logging applications on the platform on which it runs and forwards the data to the logging server. One platform agent must reside on every platform that has one or more logging applications. When the platform agent cannot communicate with a secure logging server—due to a downed link, for instance—the collected events are sent to the secure logging cache module, which stores them in a local disconnected mode cache file(s). When the link is reestablished, the contents of these files are transmitted. Similarly, if the platform agent receives a flood of events that might cause network congestion if immediately transmitted, it buffers the events in the secure logging module and trickles the data flow until the traffic lightens.
NOTE
Unlike other components in NNA, platform agents are not configured through eDirectory. Instead, they use a simple, plain-text configuration file. This makes platform agents small and self-contained and permits them to run on platforms that do not have eDirectory installed.
The communication links between platform agents and the secure logging server can be encrypted using SSL/TLS to ensure the privacy of the events. In addition, platform agents employ two methods—event signing and event chaining—to ensure that the logged events are not otherwise modified by any intervening third parties. In event signing, the platform agent (or the logging application, in some cases) embeds a digital signature to each event before the platform agent forwards the event data to the secure logging server. This signature enables the secure logging server to verify the integrity of the event data it receives, ensuring that the data has not been modified.
In event chaining, the platform agent establishes a sequential, tamper-evident link of all events. The platform agent (or the logging application, in some cases) includes with each new event from a given logging application a hash of the previous event from the same logging application. The platform agent signs the hash, along with the data from the current event, before sending it on to the secure logging server. The hash enables you to inspect logs to ensure that all events that have occurred are contained in the log in the sequence in which they occurred and that no events are missing.
The secure logging server is a centralized and secure server that aggregates the logging entries received from the various platform agents that it serves. The secure logging server event manager receives the data and forwards it immediately to the logging, notification, and monitoring services provided by the secure logging server. The logging service records the events in the data store. The notification service alerts the appropriate people or systems of particular events or absence of events via one or more of the defined means, such as SNMP and SMTP. The monitoring service sends values in realtime to monitoring applications.
TIP
The Critical Value Reset (CVR) channel in the notification service allows you to automatically and immediately reset particular eDirectory attributes’ values—but eDirectory attributes only—in the event that those attributes are changed. For instance, say you have a policy that dictates that no user can be the security equivalent to Admin. To enforce this policy, you can create a notification filter object that routes notifications to the CVR handler through a CVR channel object each time a user object is granted security equivalency to Admin. In the CVR channel object, you define a rule that the CVR handler should delete the Security Equals entry by setting the value to NULL.
The secure logging server records all events in a centralized data store, using a format that is similar to the syslog packet format. The data store can be kept in a number of different database formats, such as MySQL or Oracle, depending on your selection during NNA installation; if MySQL or Oracle is not already installed, a flat-file database is used instead. NNA is also capable of creating filtered data stores. Based on criteria you define, NNA captures specific types of events and writes those events to secondary data stores. You can query the data stores by using included custom reports and log drivers that support MySQL database, Oracle database, flat-file database, and syslog. Novell has planned support for other databases, including DB2 and Sybase. You can also develop your own custom log drivers by using the NNA SDK.
NOTE
Originally developed for Unix systems, the syslog protocol, now an Internet standard (see RFC 3164), provides a transport to allow a machine to send event notification messages across IP networks (using UDP with a destination port of 514) to event message collectors—known as syslog servers. Because each process, application, and operating system was written somewhat independently, there is little uniformity to the content of syslog messages. For this reason, no assumption is made upon the formatting or contents of the messages. The protocol is simply designed to transport these event messages. In all cases, there is one device that originates the message. The syslog process on that machine may send the message to a collector. No acknowledgement of the receipt is made.
The NDS/eDirectory Instrumentation application (or agent) for NNA, called auditDS, allows NNA to log eDirectory events. To log replicated eDirectory events (such as object creation and deletion) on NetWare, Windows, and Linux/Unix systems, auditDS should be loaded on one server per DS replica. To log nonreplicated events (such as those associated with DirXML), it must be installed on each individual server for which you want to log nonreplicated events.
NOTE
When auditDS is loaded on more than one server per DS replica, duplicate entries for replicated events will be recorded in the data stores.
NOTE
You can find a list of NDS/eDirectory events that can be logged by NNA at www.novell.com/documentation/lg/nsureaudit/html/edirectory_events.htm.
The following are two excerpts from the NNA eDirectory event log (in flat-file format)—with the timestamps removed—showing the events associated with Admin logging in and the creation of a new Group object:
[eDirInstObject]: User .Admin.XYZCorp has been allowed to login (Flags: 0)
by .[Public].
[eDirInstObject]: User .Admin.XYZCorp (using null password: No)
logged in (NDS Login: 1).
[eDirInstAttribute]: A value has been removed by .VEGA-W2KC- NDS.XYZCorp
from the attribute Last Login Time on the object .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .VEGA-W2KC- NDS.XYZCorp
to the attribute Last Login Time on the object .Admin.XYZCorp
[eDirInstAttribute]: A value has been removed by .VEGA-W2KC- NDS.XYZCorp
from the attribute Login Time on the object .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .VEGA-W2KC- NDS.XYZCorp
to the attribute Login Time on the object .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .VEGA-W2KC- NDS.XYZCorp
to the attribute Network Address on the object .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .VEGA-W2KC- NDS.XYZCorp
to the attribute monitoredConnection on the object
[eDirInstAttribute]: Attribute Object Class was added on object
.new_group.XYZCorp by .Admin.XYZCorp
[eDirInstObject]: A new eDirectory object called .new_group.XYZCorp
(Class: ) was created by .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute Object Class on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute modifiersName on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute creatorsName on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute Object Class on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute CN on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute GUID on the object .new_group.XYZCorp
[eDirInstMeta]: Access Control List modified on object .new_group.XYZCorp
by .Admin.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute ACL on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been removed by .Admin.XYZCorp from
the attribute modifiersName on the object .new_group.XYZCorp
[eDirInstAttribute]: A value has been added by .Admin.XYZCorp to the
attribute modifiersName on the object .new_group.XYZCorp
As you can see, each event generates a fair number of entries in the log. Therefore, you need to spend some time considering, deciding, and selecting the types of events to track.
NOTE
The version of NNA that is included with NetWare 6.5 is the NNA Starter Pack. The Starter Pack allows you to run one logging server (with limited functionality) and one platform agent; the agent must be on the NetWare 6.5 server. In order to monitor other non-NetWare 6.5 servers, you must purchase additional platform agents. For more information about NNA, visit www.novell.com/products/nsureaudit.
TIP
Those of you who have tried to set up NAAS and NNA may have found that these products are not straightforward in their configuration or that they do too much (as they provide full-blown event auditing services). Blue Lance, Inc. (www.bluelance.com) has been a vendor of NetWare auditing applications since NetWare 3 was introduced. Its new LT Auditor+ suite of applications, which identify eDirectory/NDS vulnerabilities, among other features, may be of interest to you.
The majority of the discussion so far in this chapter has been about guarding against internal threats to your NDS tree and servers. External threats can present themselves, as well, and it is therefore necessary to take steps to limit the possibility of someone outside your organization breaking in. The easiest way to accomplish this is to not enable external access to your production network. However, not being connected to outside networks is simply not an option today, due to the need for external email and Internet connectivity.
Because the default protocol for NetWare 5 and higher is TCP/IP, external hackers can become more of a threat if you do not protect your network adequately by using a firewall (if connected directly to the Internet). Using IPX on your LAN puts a distinct barrier into your system—it becomes impossible for you to connect to IPX resources without some sort of IPX-to-IP translation gateway.
There are several things you can do to address this issue:
Use a TCP/IP Network Address Translation (NAT) gateway.
Use a software-based firewall product, such as Novell’s BorderManager, or a hardware security appliance, such as Cisco’s PIX 535 Firewall, to provide a demilitarized zone (DMZ) between the Internet and your intranet. At the very least, you should put a firewall at your point of presence on the Internet.
Perform your own tests and try to break in to your network from outside your network.
A problem as serious as the threat of someone breaking into your network is the threat of a denial-of-service (DoS) attack. This is an attack on a service hosted on one of your systems that denies users access to the service. Several DoS attacks have surfaced recently, but the concept of DoS attacks has been around for a long time (although it has not always been known by that name).
NOTE
There are not many DoS attack methods that can be used directly against NetWare, but because many NetWare servers run LDAP and Web-based services, your NetWare servers can easily fall victim to DoS attacks via LDAP and Web ports.
No matter what vendor’s firewall product you use at your connection to the outside world, you should be certain you are current with any patches the vendor makes available—especially patches that address security and DoS attacks. DoS can take many forms, from flooding a network interface on a router or server with garbage traffic to intentionally crashing a system that hosts critical services.
Another recommendation is that you keep up on security issues. There are several newsgroups on Usenet as well as mailing lists that discuss security issues. You might also want to search the Internet for sites that specialize in hacking networks. The hackers out there use the information on those sites to learn how to break into other people’s systems. You should search those sites and be familiar with the tools of the trade. If you are familiar with those tools, you are better equipped to defend against them.
WARNING
If you decide to experiment with hacking or cracking tools, we strongly suggest that you test on an isolated nonproduction system. Many of the hacker-programmers out there do not take precautions that professional programmers would take, and it is not worth taking a risk with your production network. If you choose to work with these types of tools, it might be wise to let others in your organization know what you are doing and why; otherwise, when they find out what you are doing, they might not understand your motivations.
Earlier in this chapter, we discussed the use of IRFs to block access to certain objects in your tree. Using IRFs in your tree can be beneficial if done properly, but it can be disastrous if the only user object with Supervisor rights to a container or an object is deleted. In addition, you might find that an ex-administrator created a backdoor account in the system and hid the object. Locating hidden objects with excessive authority is not very difficult; the ones that are difficult to find are the ones that are hidden and have no special rights. This type of object is referred to as a zero-footprint hidden object.
Tracking down hidden objects with excessive rights is a relatively simple task; however, it can be very repetitive and time-consuming in a large tree. If you have a large network, you might want to look at some of the NDS reporting tools or spend more time learning how to combine NList with awk scripts, as discussed in Chapter 10, “Programming for eDirectory.”
Locating hidden objects with excessive rights involves looking at the following:
Objects with administrative rights at [Root]
Objects with administrative rights at all container levels
Objects with administrative rights to Admin and related objects
Objects that are listed in the Security Equals attribute for administrative objects
You should also look for objects with administrative rights (specifically, Supervisor rights to [All Entry Rights]) to NCP server objects. These rights grant the user full file system Supervisor rights on all volumes associated with that server.
After you have looked in these places, you will have a list of objects that potentially have Supervisor access to your tree. You can then search your tree for each of the objects you have found to have administrative rights.
Objects that do not have administrative rights but exist in the tree can be a nuisance. For example, if you are attempting to reorganize your tree and need to delete a container, a hidden object or container makes this impossible.
Novell Consulting Services created a utility that is capable of locating hidden objects in the tree. You can find the Hidden Object Locator NLM utility (HOBJLOC.NLM) at www.novell.com/coolsolutions/tools/1098.html. This tool can be extremely useful when you’re trying to determine the cause of problems when attempting to delete a container object. For instance, if NetWare Administrator indicates that a container could not be deleted because there are still subordinate objects, there are two possibilities:
There are obituaries for objects that used to be in the container that have not purged yet.
There are one or more hidden objects in the container.
NOTE
HOBJLOC.NLM stores its log files, created every time the NLM is run, in the SYS:SYSTEMHOBJLOC directory.
It is easy to use the Hidden Object Locator utility to rule out the second option as the cause of the problems. If the Hidden Object Locator finds an object (see Figure 15.22), there are at least two options:
Call Novell and ask it to correct the problem.
Visit the DreamLAN Consulting Web site and obtain the MakeSU NLM (www.dreamlan.com/makesu.htm) utility.
NOTE
At this time, all third-party solutions that deal with IRF-blocked objects are NLM based. That means they require a NetWare server to host the writable replica in which the stealth object resides. If you have a pure-Windows or Unix environment, you need to call Novell.
TIP
Refer to the “Dealing with Stealth Objects” section in Chapter 11, “Examples from the Real World,” for additional information on tracking down hidden objects using Novell-supplied tools such as DSBrowse.
Ever since NetWare 4.0 was first released, administrators have suggested to Novell that it would be nice to be able to set up password administration in NDS without having to grant rights that enable modification of other parts of the User object or tree. Many solutions have been created to solve this need. For example, Novell’s own Developer Support group developed a sample utility, called Change Password Service (developer.novell.com/support/sample/tids/chpasswd/chpasswd.htm), that involved setting up an NLM on the server and building a custom snap-in for NetWare Administrator that communicated the password change to the server.
In order to change a user’s password without knowing the current password, you needed to have Write rights to the User object’s ACL attribute. As a result, many companies resorted to granting help desk Write access to the ACL attribute of every single User object in the tree—a very long and tedious process. The idea behind using this method was that the password administrators could damage users only if they knew that they could grant themselves additional rights to the User object. This sort of security through obscurity works, but it is dangerous because it leaves the door wide open for those who know what they are doing.
However, in order to achieve the desired goal without purchasing an additional product, this method of granting rights was the only way to solve the problem—until NetWare 5 shipped. With the release of NetWare 5, Novell introduced two features to make setting up help desks a simpler task. The first feature is pseudo-attributes that can be used to grant rights to change passwords and reset intruder lockouts. The second feature is one we have already discussed—the capability to set rights on a container and make those rights inheritable through the tree. By using these two new features, it is now possible to set up password administration for the entire tree with just a few mouse clicks in NetWare Administrator.
To set this up in a tree, you can create a group called Password_Admins. This group is going to be granted rights to set passwords and reset intruder lockouts on accounts through the tree. As Figure 15.23 shows, you start by adding this group to the trustees list.
You need to select the Selected Properties item and scroll down to the Password Management attribute. Next, you grant Supervisor rights and check the Inheritable box. Then you find the Reset Intruder Lockout attribute. Next, you check the Supervisor and Inheritable boxes, just as you did with the Password Management attribute. When this is set up, all you need to do is add your help desk staff to the Password_Admins group, and they will be able to change passwords and reset intruder detection.
TIP
For most help desk administration tasks, rights should be granted to the following attributes:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You might want to ensure that the following attributes are not under the control of the help desk because these settings should be part of your standard security policy and should not be changeable by non-administrators:
Intruder Attempt Reset Interval
Intruder Lockout Reset Interval
Lockout After Detection
Refer to the following TIDs for the minimum DS rights required for specific help desk–related tasks:
TID #10051803—NDS for NT user passwords and login settings
TID #10084860—Novell Account Management (NAM) 2.1 for Windows 2000
TID #10016467—Remote control of a workstation in ZENworks
TID #10057330—Managing group memberships
TID #2949136—Reset intruder lockouts
TID #10011322—Minimum rights for a GroupWise administrator
TID #10015319—Password management in NetWare 5 and higher
TID #10068330—Check file system effective rights
TID #10067797—Reset grace logins
NOTE
The password administration feature was first introduced in NetWare 5. In order for it to function correctly, all servers in the tree must be running NetWare 5 and higher. NetWare 4.11 servers running DS.NLM 5.99a or later and NetWare 4.10 servers running DS.NLM 5.12 or later will pass the Inheritable attributes on but do not evaluate, and therefore act on, the security properly for rights flagged as Inheritable. Therefore, if your tree still has NetWare 4 servers, the password administrator’s workstation must be attached to a non-NetWare 4 server as its primary connection.
Earlier in this chapter, we talked about protecting administrative accounts. Part of that process was not enabling users with less administrative authority than an account to change administrative account passwords. With this setup, how do you accomplish this?
To start with, the Password_Admins group rights should be granted at the organizational level and not at the [Root] level. This prevents the Password_Admins group from automatically being able to change the Admin user’s password. This works well if the administrative accounts are all located in other organizations in the tree (as is the case in this example). If they are mixed in with the typical user accounts, though, this is not going to work.
Let’s look at what happens if we set up an IRF on the Admin account that specifically blocks rights to the Password Management attribute. The default right users have to other objects is Browse object rights, and you only granted the Password_Admins group Supervisor rights to the attribute, so all you need to do is block the Supervisor right to the attribute on the Admin user.
TIP
To place an IRF on pseudo-attributes such as Password Management, you need to use ConsoleOne instead of NetWare Administrator.
A quick check of the Password_Admins group’s effective rights to the Admin user reveals the results in Figure 15.24. As you can see in this figure, with the IRF in place, Password_Admins can no longer modify the Admin password.
FIGURE 15.24 The results of checking the Password_Admins group’s effective rights to the Admin user’s Password Management attribute after setting up the IRF.
When users want call a help desk for assistance with logging in, there might be a second item that they need the help desk to fix: the number of grace logins. Intruder detection can lock an account out, but so can using up all your grace logins. Help desk staff should be able change the number of grace logins. To set this up, all you need to do is set the Write rights to the Remaining Grace Logins attribute. When you also check the Inheritable option, this item only needs to be set at the container level, and the rights will be inherited for all objects not explicitly blocked with an IRF.
As mentioned at the beginning of this section, many password-management solutions use a proxy user. This simplifies rights assignment. In addition, these third-party solutions generally provide a GUI front-end that is a lot easier to use than NetWare Administrator or ConsoleOne—and loads much faster, too. Many of these applications also provide options to protect certain users’ passwords from being changed. Figure 15.25 shows one such example, NDS Admin want (www.dreamlan.com/ndsadmin.htm).
You may be wondering why you need to bother with the manual process of setting up security when you can simply use Role-Based Services (RBS). Let’s quickly overview RBS. With the introduction of iManager as the direction for a Web-based management tool, a functionality called RBS was introduced. The concept behind RBS is that you have the ability to assign specific responsibilities to users (say, your help desk) and to present them with only the tools (and the accompanying DS rights) necessary to perform those sets of responsibilities and those sets only. For instance, the Help Desk role allows the user to only reset intruder lockouts, create users, reset passwords, and nothing more.
RBS allows you to focus the user on a specified set of functions (such as reset intruder lockouts and reset passwords), called tasks. One or more tasks can be grouped together and form a role (such as Help Desk). What a user sees then when he or she accesses iManager is based on his or her role assignments stored in eDirectory. Only the tasks assigned to that user are displayed (see Figures 15.26 and 15.27). The iManager plug-in for that task presents the necessary tools and interface to perform the task. You can assign multiple roles to a single user. You can also assign the same role to multiple users.
You can either use the existing roles or define additional custom RBS roles based on your organization’s needs. After you have created the desired roles, you can assign members to each role. In doing so, you also specify the scope (the starting NDS container or context) in which each member can exercise the functions of the role. A user can be assigned to a role in one or more of the following ways:
By direct association.
Through group and dynamic group assignments. If a user is a member of a group or a dynamic group that is assigned to a role, the user has access to the role.
Through organizational role assignments. If a user is an occupant of an organizational role that is assigned a role, the user has access to the role.
Through container assignment. A User object has access to all the roles to which its parent container is assigned. This could also include other containers, up to the root of the tree.
Therefore, instead of having to go through the steps presented earlier to assign individual rights necessary for a user to perform a specific task, you just use the following simple steps to accomplish the same result by creating role associations and scope assignments:
1. In iManager, click the Configure button (see Figure 15.28).
2. Click Modify iManager Roles under Role Configuration.
3. Click the Modify Members button to the left of the role you want to modify.
4. To add an association to the role, specify the full distinguished name of the object (which can be a user, a group, an organizational role, or a container) in the Name field; you can use the Browse button to the right of the field to locate the object. Fill in the Scope field with a container name; you can also use the Browse button for this.
5. Click Add and then click OK.
To remove a role association, you check the box to the left of the listed name(s), click Remove, and then click OK.
NOTE
For more information about setting up and configuring RBS, refer to the “Managing Objects” section in the eDirectory Administration Guide.
TIP
The URL for iManager is https://ip_address_or_hostname/nps/ iManager.html, and the login requires you to use the LDAP syntax (that is, cn=username,ou=org_unit,o=org) and not the NDS FDN syntax.
On the surface, RBS seems to be the ultimate solution to a security nightmare—giving help desk users only what they need and not too much, with just a few simple clicks. By defining custom roles and tasks, you can present the exact list of tasks for your help desk users to utilize. However, there is a security loophole that is often overlooked.
When you associate a user to a RBS role, the user is granted the necessary DS rights to perform the tasks even when he or she is not logged in to iManager! Here is what happens when you add a user to an RBS role, using the example shown in Figure 15.28:
User Helpdesk.DreamLAN is added to the Help Desk role with the scope set to O=XYZCorp.
An rbsScope2 object called XYZCorp is created under the Help Desk Management.Role Based Service 2 container.
The rbsScope2 object is made a trustee of the scope container (O=XZYCorp in this case) and granted the necessary rights for the various tasks defined for the Help Desk role (see Figure 15.29).
The user Helpdesk.DreamLAN is made an rbsMember object of the rbsScope2 object and is made the security equivalent to the rbsScope2 object.
All this happens at the eDirectory level, and the assignments are static. This means that Helpdesk.DreamLAN has all these DS rights, even when not using iManager. Therefore, the user can use other management utilities, such as ConsoleOne, to perform additional tasks that are allowed by his or her DS rights but not when using iManager—not because he or she doesn’t have the necessary rights but because iManager didn’t have these additional capabilities listed as available tasks.
Consider this scenario: The default Help Desk RBS role allows the associated users to create users but not delete users. However, as you recall from the discussion about default ACL templates in Chapter 2, “eDirectory Basics,” because of the default ACL template defined for the Top class, the object that creates another object has full control (Supervisor rights) over the created object. This means that although the Help Desk role users will not be able to delete users they created using iManager (because it does not give them the option), they can delete these User objects by using another tool, such as ConsoleOne. Consequently, you must take care when using RBS roles to delegate network management responsibilities.
WARNING
Many administrators took RBS at its face value: “If iManager doesn’t allow a certain task for a role, then it can’t be performed by members of that role—at all. Therefore, it locks down security assignments.” You’ve seen from the preceding discussion that this perception is inaccurate. Therefore, it is important for you to understand what goes on behind the scene of RBS, especially in regard to the DS rights that are assigned for the different roles.
TIP
You should use some form of auditing (such as NNA, discussed earlier in this chapter), even just for a short period of time, to ensure that there are no unexpected security weaknesses while using RBS roles.
Because RBS role assignments are based on scopes (DS contexts), you should place your administrative users in containers that are not managed by your typical help desk roles to ensure that these users do not get modified accidentally. You should take the precautions and steps outlined earlier to protect your administrative users.
RBS is an excellent tool when used with the right expectation and maintenance. Because it is a Web-based application, its performance and functioning are heavily dependent on a number of factors:
A working Web server, such as Apache.
A working Tomcat servlet engine. (Servlets are protocol- and platform-independent server-side components, or programs, that are used to extend the server’s functionality. They are the server-side counterparts to applets, which are software that adds functionality to a client.)
A functioning Java installation.
A working LDAP server (which Tomcat uses), such as for authentication purposes.
A working SSL/TSL certificate.
If any one of these components required by iManager fails, iManager will stop functioning. Therefore, you should not rely on iManager as your sole management platform, and you should have your staff also trained in using other tools, such as ConsoleOne.
The final topic this chapter covers is setting up a proxy user for LDAP services (which in turn provides access to eDirectory). At discussed in Chapter 2, when a user performs an anonymous bind (that is, doesn’t specify a password), the level of access is based on the rights of the pseudo-object [Public]. By default, [Public] can browse the entire tree hierarchy and read a limited number of attributes on entries. The attributes that [Public] can read are those that are flagged as Public Read.
NOTE
You can find a list of attributes defined in eDirectory 8.7.3, along with their flags, in Appendix C, “eDirectory Classes, Objects, and Attributes.”
The default list of attributes accessible by [Public] is generally inadequate (for example, searching for CN is required for contextless login to function, but CN is not one of the Public Read attributes). There are two possible solutions to this issue: grant more rights to [Public] or use a proxy user that has the required rights.
Some administrators are hesitant to grant additional rights to [Public] because every user in the tree is implicitly the security equivalent to [Public]. The additional rights may be undesirable. Consequently, most sites opt instead to use a proxy user authentication for LDAP anonymous binds.
Because the proxy user is a real User object in the tree, you can easily restrict the types of objects and attributes that anonymous users can access by setting the appropriate DS rights the proxy user has in the tree. However, the proxy user must have a blank password (that is, an empty string) in order to work correctly. This is very different from having no password. If any user has no password, that user does not have a public/private key pair to compare against when attempting login. A blank password, however, generates a public/private key pair, although the actual string for the password is empty.
TIP
If you allow anonymous binds to your LDAP server, you should use a proxy user instead of [Public]. You should grant only the minimum necessary rights (such as Browse and Compare attribute rights) to selected attributes; you should not select the All Properties shortcut unless you have a good reason to.
To discourage someone from logging in from a workstation by using this User object, you should ensure that it has no file system rights anywhere and has network address and concurrent login restrictions.
There may be situations in which you want or need to disallow LDAP anonymous binds, perhaps for the security reason that you don’t want just anyone to be able to query your LDAP server. The easiest way to accomplish this is to simply upgrade to eDirectory 8.7 patched to 8.7.0.3 or higher. A new attribute called ldapBindRestrictions was introduced in these patches to control the availability of anonymous bind.
WARNING
Keep in mind that the ability for an LDAP server to accept anonymous binds is an RFC requirement. Disallowing anonymous binds may cause some LDAP-compliant applications to fail as they may first perform anonymous binds to do lookups before binding with the actual user credentials.
You perform the following steps to set the LDAP server to not accept anonymous binds:
1. Start ConsoleOne and browse to locate your LDAP server object.
2. Right-click the object and select Properties from the context menu.
3. Select the Restrictions tab.
4. Change the Bind Restrictions setting to Disallow Anonymous Simple Bind (see Figure 15.30).
5. Click OK to save the change.
You need to restart the LDAP server for the change to take effect.
TIP
Older versions of the LDAP snap-in for ConsoleOne do not have the Bind Restrictions setting. If you’re using such a version, you need to use the Other tab to modify the value of the ldapBindRestrictions attribute. (If the ldapBindRestrictions attribute is not listed, click the Add button, select the ldapBindRestrictions attribute, and click OK.) To disable anonymous binds, put the value 1 in the Attribute Value field. Use the value 0 to allow such connections.
If you are running eDirectory 8.7.0.3 or later, if ldapBindRestrictions is not one of the available attributes that you can add in the Other tab, or if there is no Bind Restrictions setting under Restrictions, your schema may not have been properly extended for this new attribute. Refer to TID #10077872 for corrective measures.
If you are unable to upgrade to eDirectory 8.7.0.3 or higher, you will have to change the rights of [Public] and those of the proxy user if you are using one so that anonymous bind connections will not be able to browse the tree. You can’t prevent users from connecting via anonymous binds, but you can limit what they can see. The reason you need to change the rights of [Public] is that, by default, it has object Browse rights to [Root], which means even if the proxy user has no explicit rights to the tree, the proxy user will still have object Browse rights. You need to take the following measures to make sure the proxy user sees nothing in the tree:
Make the proxy user a trustee of [Root] and grant it no rights of any type.
Remove the object Browse rights of [Public] from the [Root] object.
After you implement these two measures, the proxy user—and thus, anonymous bind connections—will be unable to browse the tree.
This chapter looks at a number of techniques that can be used to secure NDS/eDirectory in order to proactively prevent administrator-created problems through either accidental or intentional misuse of the management tools. It also discusses different ways of protecting your network from external hackers and describes how to set up security access for help desk personnel in order to perform common tasks such as changing passwords and resetting grace logins. This chapter also covers the pros and cons of using RBS for help desk tasks. Finally, this chapter discusses the use of proxy user to secure LDAP access.