When I discussed the NetWare Management Portal in my previous Daily Drill Down “Discover a new way to administer your server: The NetWare Management Portal,” your reaction may have been, “Wow! That’s a really cool utility that'll save me a lot of work.” Alternatively, it could have been, “Great googly moogly! My server is broadcasting information about my network to the whole freaking planet!”
If the latter reaction crossed your mind for even a second, this Daily Drill Down is for you. I’ll show you how to secure the NetWare Management Portal and prevent hackers from using it against you.
Who should worry about security?
You don’t have to worry about anything if your NetWare 5.1 server isn't running TCP/IP, because in your scenario, the NetWare Management Portal won’t even work. Likewise, you don’t have to worry much if your NetWare server isn’t connected to the Internet, because only your internal users can browse the information the NetWare Management Portal provides. Besides, most internal users can easily find that information anyway.
The main security problem occurs when you do connect your NetWare 5.1 server to the Internet and you enable the NetWare Management Portal. When you do so, vital information about your network becomes visible to hackers, competitors, or anyone else who has a simple Web browser. Without even logging in to your server, they can find out such things as:
- The hardware running on the server.
- Memory configurations.
- Volume configurations.
- The names of other NetWare servers on your network.
- Which NLMs your server is running.
Any of this information can be combined with known exploits to attack or crash your server and network. Don’t forget, you can also log in to your network using the NetWare Management Portal. If hackers play "Guess The Password" with administrator accounts and are successful, they can then use the NetWare Management Portal to copy files to your server, take files off your server, shut down your server, or potentially erase every object from your NDS tree.
You may think your NetWare server is lost in the vastness of the Internet. But, using a simple Google search, I was able to find hundreds of NetWare servers broadcasting information across the Internet. Although some of them didn’t broadcast as much information as others, on almost all of them, I could get a login screen where I could have started guessing passwords. If you looked at that list and saw your server on it, don’t panic. Just read a little faster.
Securing the portal
You have several options to further secure your server, including:
- Removing TCP/IP from your server.
- Removing Internet support.
- Removing the NetWare Management Portal.
- Changing the NetWare Management Portal’s default listening ports.
- Blocking external network access to the NetWare Management Portal.
- Reducing what can be viewed from a guest level.
- Restricting the TCP/IP addresses that can access the NetWare Management Portal.
Of these options, removing TCP/IP or Internet support, while probably the most effective preventative measures, are also probably not the most practical ones. You’ve probably been moving from an IPX environment to a TCP/IP environment for some time, if you haven’t done so already. Removing TCP/IP at this point would be taking a huge step backward.
Likewise, disconnecting your network from the Internet probably isn’t a very progressive step. While perhaps the safest choice, it also severely limits your organization’s ability to exploit the communication that the Internet provides. So if you can’t turn off TCP/IP or pull the Internet plug, what do you do?
Removing the NetWare Management Portal from your server
The first thing you can do is disable the NetWare Management Portal completely. If you haven’t used the NetWare Management Portal until now, then you might not even miss it. Although it can be a very useful tool, if you haven’t used it or don’t plan to use it, you may as well turn it off. If nothing else, you can save the resources it’s consuming.
To turn off the NetWare Management Portal, go to your server’s console. Before you can unload the NetWare Management Portal, you first must unload a few support NLMs. Start with the NDPS Broker. This NLM controls three services for your network, including a registry service for shared printers, a notification service for users and groups, and the resource management service that publishes resources. To unload it, type unload broker and press [Enter].
Next, unload the NetWare Remote Server Access NLM. To do so, type unload nwrsa and press [Enter]. Even though the name of the NLM may suggest otherwise, don’t worry that unloading this NLM will affect RConsole. RConsole uses a separate set of NLMs for remote access.
Finally, you can unload the NetWare Management Portal by typing unload portal and pressing [Enter]. After PORTAL.NLM unloads, the NetWare Management Portal becomes inaccessible.
Make sure you reload the NDPS Broker by typing load broker and pressing [Enter]. If you don’t reload the broker, you’ll cause other problems on your network including possibly stopping all of your network printers.
Even though the NetWare Management Portal is now shut down, if you restart your server, the NetWare Management Portal will restart automatically as well. That’s because NetWare 5.1 loads the NetWare Management Portal as a part of its startup routine. To stop this from happening, you must edit the server’s AUTOEXEC.NCF.
To do so, go to the server’s console prompt, type load edit autoexec.ncf and press [Enter]. When AUTOEXEC.NCF appears, read through the file and check for a line that reads load portal. This is the command that loads the NetWare Management Portal. You can comment this line out by putting a pound sign (#) at the beginning of the line. Alternatively, you can just delete the entire line. Press [Esc] to quit and save the changes to the file. Now when the server starts, it won’t start the NetWare Management Portal.
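If you keep copies of AUTOEXEC.NCF from several servers, the check below (an added example, not part of the original article or of NetWare) reports whether a file would still start the portal at boot. It assumes the command may also appear in upper case, with a path prefix, or with the .NLM suffix; the sample files are constructed.

```python
import re

# Optional path prefix and .NLM suffix are tolerated (assumptions; the article
# only shows the plain form "load portal").
_CORE = r"load\s+(?:\S*[\\/:])?portal(?:\.nlm)?(?=\s|$)"
ACTIVE = re.compile(r"^\s*" + _CORE, re.IGNORECASE)
COMMENTED = re.compile(r"^\s*#+\s*" + _CORE, re.IGNORECASE)


def audit_autoexec(text):
    """Return line numbers of active and #-commented 'load portal' commands."""
    report = {"active": [], "commented": []}
    for number, line in enumerate(text.splitlines(), start=1):
        if ACTIVE.match(line):
            report["active"].append(number)
        elif COMMENTED.match(line):
            report["commented"].append(number)
    return report


def portal_loads_at_boot(text):
    """True if any uncommented line would load PORTAL.NLM at startup."""
    return bool(audit_autoexec(text)["active"])


# Constructed sample files, not taken from a real server.
BEFORE = """\
file server name FS1
load tcpip
LOAD Portal.NLM
load broker
"""
AFTER = BEFORE.replace("LOAD Portal.NLM", "#LOAD Portal.NLM")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_autoexec(text), portal_loads_at_boot(text))
```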
Changing the NetWare Management Portal’s listening port
If you’re running the Netscape Web server, the NetWare Management Portal accepts incoming requests on TCP/IP port 8008 by default. After you’ve logged in to the NetWare Management Portal, it listens on port 8009. Knowing these defaults, potential hackers can use them to find NetWare servers running the NetWare Management Portal. You can prevent them from finding your server this way by changing the default ports.
To do this, start the NetWare Management Portal and log in as an administrator or with a user ID with administrative rights. In the upper right-hand corner, you can click on the NetWare Management Portal link. The NetWare Management Portal page will appear. On this page, you can change many of the defaults. Scroll down the page until you see the Http Interface Management section shown in Figure A.
You’ll notice there are several port fields available. The Default Port field shows the default port to which the NetWare Management Portal listens if you’re not running the Netscape Web Server. The Alternate Port field contains the port number the NetWare Management Portal listens to if the default port is assigned. Finally, the SSL Port field contains the port number to which it listens for secure transactions after you log in.
Type the values of the ports you want it to listen to and click Apply. To make the changes take effect, click the Restart button next to the NetWare Http Interface Module (HTTPSTK.NLM) Restart field. You’ll also need to scroll up and click the Restart button by the NetWare Management Portal (PORTAL.NLM) Restart field. When you’ve finished, the NetWare Management Portal will then only accept requests on the new ports.
Blocking external network access to the NetWare Management Portal
Although changing the NetWare Management Portal’s default listening port can prevent potential hackers from attempting to connect to port 8008, a hacker could still use a port scanner to find the new port you've assigned. The port scanner may not tell the hacker that this new port is for the NetWare Management Portal. However, finding an odd port open with a port scanner may cause the hacker to want to poke around to see what’s connected to it.
Also, changing the default NetWare Management Portal port may not make your servers invisible from search engines on the Internet either. If you look at some of the servers listed in the Google search we mentioned earlier, you may notice that some of them listen on ports other than NetWare Management Portal’s default port of 8008.
Therefore, you may want to make sure the NetWare Management Portal port isn’t accessible from the Internet. Although this will mean that you can’t directly access the NetWare Management Portal from your house to do administration work, it also means hackers can’t access it either. Nor will your server show up on a search engine.
Naturally, the easiest way to do this is with a firewall. How you’ll do this will vary from firewall to firewall, so going into detail about blocking the port is beyond the scope of this Daily Drill Down. Just make sure that your firewall drops any incoming requests to the NetWare Management Portal's port.
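To confirm the rule works, you can run a check like the following from a machine outside the firewall against your own server's public address. It's an added example, not part of the original article; the port list holds the defaults named above and should include any ports you reassigned. A port reported as filtered is what a drop rule looks like from outside.

```python
import socket

PORTAL_PORTS = (8008, 8009)  # defaults named in the article; add reassigned ports


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the port is reachable
    except ConnectionRefusedError:
        return "refused"         # a reset came back (reject rule or nothing listening)
    except OSError:
        return "filtered"        # timeout or unreachable: what a drop rule produces


def check_firewall(host, ports=PORTAL_PORTS, timeout=3.0):
    """Map each port to its state as seen from the machine running this script."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed_ports(host, ports=PORTAL_PORTS, timeout=3.0):
    """Ports that still accept connections and so still need a firewall rule."""
    results = check_firewall(host, ports, timeout)
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    target = sys.argv[1]         # public address of your own server
    results = check_firewall(target)
    for port, state in results.items():
        print(f"{target}:{port} {state}")
    # Non-zero exit status if any portal port is still reachable.
    sys.exit(1 if "open" in results.values() else 0)
```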
Reduce what can be viewed from a guest level
If you still want to be able to use the NetWare Management Portal but want to minimize what people outside the network can see, you can turn off the default screen that appears when someone connects to it on port 8008. To do this, start the NetWare Management Portal and log in as an administrator or with a user ID with administrative rights. Go to the NetWare Portal Management page by clicking the NetWare Management Portal link in the upper right-hand corner. Scroll down the page until you see the NetWare Portal Management section shown in Figure B.
This is where it can be a bit confusing. Check the value of the Display Only Header On Front Page If Not Logged In button. By default, this button is set to Yes, which would make you think that nobody should be able to see anything unless they were logged in. The exact opposite is true. The Yes value means that the information is visible.
Click the button. You’ll notice it changes to No, which means only someone who logs in to the NetWare Management Portal will be able to see information about your network.
Restrict the TCP/IP addresses that access the NetWare Management Portal
Finally, if you want to make sure only certain addresses or ranges of TCP/IP addresses can access the NetWare Management Portal, you can restrict this as well. While this will prevent you from using the NetWare Management Portal if you have a dial-up ISP (because your IP address will vary every time you log on), if you have a DSL or cable modem at home with a stable TCP/IP address, you can use this to ensure that only your address, or any other specific set of addresses you choose, can use the NetWare Management Portal. That includes stable addresses inside your network.
To do this, start the NetWare Management Portal and log in as an administrator or with a user ID with administrative rights. In the upper right-hand corner, click the NetWare Management Portal link. Again, the NetWare Management Portal page will appear. Scroll down the page until you see the Http Interface Management section. Click the Filter Control Panel link. You’ll then see the IP Address Access Control screen shown in Figure C.
In the New Address field, type the TCP/IP address you want to allow to reach the portal, and click Save. If you’re limiting TCP/IP addresses this way, make sure the first one you enter is the station you’re currently working from, because if you start off adding addresses other than the one you're using, you can lock yourself out. As you continue to add addresses, you’ll see them appear in the Allow Access From The Following Specific IP Addresses file list.
Click the Back button on your browser when you’re finished. Restart both NetWare Http Interface Module and NetWare Management Portal (as described above) to make the changes take effect. After that, if someone tries to access the NetWare Management Portal from a TCP/IP address other than the ones you listed, he or she will see the screen shown in Figure D. At the very least, his or her browser will display a 403 Forbidden Access error.
Figure D: If someone tries to access the NetWare Management Portal from a different TCP/IP address, he or she will see this screen.
While hackers may be able to spoof the TCP/IP addresses you’ve chosen and thereby still access the NetWare Management Portal, they’d have to know which TCP/IP addresses are on that list. That’s a lot harder to do.
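Before typing a list into the Filter Control Panel, you can check it on paper. The sketch below is an added example, not part of the original article or of the portal itself: it verifies that the first entry covers the station you're working from, flags very wide ranges, and shows which clients would get the 403 response. Writing ranges in CIDR form and the 256-address threshold are assumptions, and the addresses are constructed.

```python
import ipaddress

MAX_RANGE = 256  # assumption: flag ranges wider than a /24 for review


def parse_entries(entries):
    """Convert '198.51.100.7' or '192.168.10.0/24' strings into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def status_for(client, allowed):
    """Status a client gets under the filter: 200 if listed, otherwise 403."""
    address = ipaddress.ip_address(client)
    return 200 if any(address in net for net in allowed) else 403


def review_plan(entries, current_station):
    """Return the problems found in an ordered list of entries, before saving it."""
    nets = parse_entries(entries)
    problems = []
    if not nets or ipaddress.ip_address(current_station) not in nets[0]:
        problems.append("first entry must cover the station you are working from")
    for entry, net in zip(entries, nets):
        if net.num_addresses > MAX_RANGE:
            problems.append(f"{entry} admits {net.num_addresses} addresses")
    return problems


# Constructed plan using documentation and private address ranges.
PLAN = ["198.51.100.7", "192.168.10.0/24"]

if __name__ == "__main__":
    allowed = parse_entries(PLAN)
    print(review_plan(PLAN, "198.51.100.7"))   # admin's own station is listed first
    for client in ("198.51.100.7", "192.168.10.44", "203.0.113.9"):
        print(client, status_for(client, allowed))
```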
The NetWare Management Portal can be a useful tool, but it can also reveal information about your network to people who can then use it as a weapon against your network. Fortunately, there are ways you can minimize the chances of this happening. It may be tempting to just rip the NetWare Management Portal out of your NetWare server or disconnect your server from the Internet, but don’t overreact. If you’re careful, you can keep your network safe while still enjoying the advantages of this useful utility.