When it comes to network security, it is best if your NetWare is net-wary. On February 1st, John Sheesley shared his expertise on NetWare and NDS. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the meeting
MODERATOR: Welcome all to tonight’s Guild Meeting. This evening we welcome John Sheesley. He’ll be talking about NetWare security issues. Take it away, Mr. Sheesley.

JOHN SHEESLEY: OK, welcome to tonight’s Guild Meeting. The topic for this evening is NetWare and security. Just how safe is NetWare? As you’re probably aware, it seems like almost every week we hear of a new exploit for Windows NT, or UNIX, even Linux. But very rarely do we hear about exploits for NetWare. We’re pretty lucky when it comes to running a NetWare network because NetWare is rarely the target for hackers and crackers.

TCW: Even “security” books only offer a chapter at most about NetWare.

JOHN SHEESLEY: There are several reasons for this. First of all, Novell isn’t quite the lightning rod for attacks that Microsoft is.

TCW: Why isn’t NetWare a prime target?

JOHN SHEESLEY: Second, NetWare isn’t widely used to connect to the Internet. It’s most often used on LAN and WANs that aren’t open to attack from the outside. Third, sadly, because NetWare isn’t as ‘popular’ as NT nowadays, few people, including hackers, pay much attention to it.

MIKKILUSA: But GroupWise is and is part of NDS right?

JOHN SHEESLEY: Fourth, Novell has worked hard to make security a fundamental part of NetWare from the start. From NDS to NCP, security is one of the key ingredients. Yes, GroupWise is, but it’s not nearly as popular as Notes or Exchange. And it’s also not subject to some of the attacks that Exchange servers are because of architectural differences. Does anyone here have NetWare connected to the Internet?

Are you connected?
MIKKILUSA: Yes.

TCW: NetWare network, clients can get to Internet. Servers not attached to Internet.

MIKKILUSA: Same here.

JOHN SHEESLEY: Good. Are you using the IPX/IP gateway or Border Manager? Or just direct TCP/IP? OK.

TCW: TCP/IP from clients.

JOHN SHEESLEY: One of the nice things about NetWare is that, up until NetWare 5, its primary transport protocol is IPX.

MIKKILUSA: TCP/IP

JOHN SHEESLEY: IPX is routable, but it’s not accessible from the Internet. NetWare servers don’t show up to hackers from the Internet unless you’ve installed TCP/IP.

TCW: Not using NetWare 5 yet.

JOHN SHEESLEY: Even if you HAVE installed TCP/IP, by default there are no available ports such as port 21 for FTP or port 23 for Telnet that are open for a hacker to exploit. You’d have to install UNIX Print services for FTP or printing to make those ports available. Likewise, you’d have to install Netscape Enterprise server to make port 80 for HTTP attacks available. Hackers can’t hack what they can’t see.

TCW: What about the open dialup connection from a client?

JOHN SHEESLEY: What do you mean?

TCW: Can someone use the open dialup connection to get back into my network while I’m surfing?

JOHN SHEESLEY: Do you mean across the Internet or by dialing into your server with the remote services?

Across the Internet
TCW: Across the Internet. My servers don’t even have modems. But you mean, by dialing into the modem that connects the LAN to the Internet.

JOHN SHEESLEY: OK… that’s not a function of your client then. The whole point of the remote access services is to allow someone in, but whether someone can exploit that depends on the security you’ve configured on your server. The hacker would have to have some idea of the user IDs and passwords available on your network before he could even begin. No! I mean the modems that you were using to allow remote users to connect to YOUR LAN and then getting out to the Internet through your LAN. That’s possible as well, but again depends on the luck of the hacker getting the phone number, and then cracking your passwords.

TCW: No remote users.

JOHN SHEESLEY: There are some things you can do to make life difficult though. By default, when you install NetWare, it creates the Admin and Guest accounts. First, get rid of the Guest user. There’s no point in having it there and it just leaves a gaping hole.

TCW: Guest is gone, Admin has new password.

JOHN SHEESLEY: Second, rename the Admin account or change its password.

MIKKILUSA: Yeah, done that.

JOHN SHEESLEY: Don’t delete Admin. If you accidentally do that, you’re in BIG trouble. But, there are other accounts that you must watch for. There’s a whole list of accounts that are created by utilities that can leave openings.

BEMBW: How bout a back door to Admin? You mean a user with Admin-equivalent rights? That’s what you should use for day-day administration, not Admin itself.

JOHN SHEESLEY: Making sure you rotate passwords on that account frequently.

BEMBW: Yep, that’s the first user I always set up!

MIKKILUSA: Same here.

Be careful what you create
JOHN SHEESLEY: Some VARs will create their own backdoor Admin accounts. You should make sure that you’ve checked for those users and either deleted them or disabled them.

TCW: I just skipped the whole VAR step. It’s just me. And a pile of books <g>.

JOHN SHEESLEY: For example, one NetWare hacking FAQ on the Internet lists 7 different VAR logon IDs and passwords that have ADMIN rights. Of course, chances of them actually being any good are nil.

JOHN SHEESLEY: Have any of you seen the article on TR about what to do if you forget your Admin password?

MIKKILUSA: Seen it, remember it no.

TCW: Forget the Admin password? Nope.

MJACKMAN: I don’t remember, either.

JOHN SHEESLEY: It’s using a program called SETPWD.NLM. Using that program, from a NetWare server console, you can change the password of any account on the system. Including Supervisor/Admin.

TCW: Whom are we protecting from at this point? The wily hacker with a demon dialer?

JOHN SHEESLEY: It’s a handy utility, but one that you should keep on a floppy, not on your server. (Also, don’t forget to keep your server someplace secure.)

BEMBW: I still have a hard time with All rights & Selected rights :( I know not to grant all rights especially Public, but selected is where I mess up. Nope. The person you’re most concerned about isn’t an Internet hacker or the hacker with a war dialer. It’s the guy down in accounting with too much time on his hands. Or any curious/disgruntled employee.

BEMBW: I agree!

JOHN SHEESLEY: You’ll find more attacks and hacks coming from your own users than you will from the outside.

We’re being attacked!
MIKKILUSA: Must be why we do not give them a key to the com. room.

JOHN SHEESLEY: Yup.

BEMBW: That’s how I got into networking.

JOHN SHEESLEY: At least NetWare servers are more secure than NT servers when it comes to the server.

TCW: Yes, there is a key. And they don’t have it.

JOHN SHEESLEY: For example, you can walk up to any NT server, log on, and access the files on the server. Or just reboot the thing with a DOS disk or DOS disk with an NTFS driver and take files off of it. You can’t do that with NetWare.

MIKKILUSA: NT gives all people rights you have to take away; NetWare, you got no rights unless I give them to you.

JOHN SHEESLEY: However. There’s a handy utility called JCMD.NLM which emulates a DOS prompt on your NetWare server.

TCW: That’s why we chose NetWare!

JOHN SHEESLEY: Using it, you can access files on the server. It’s good for the old Admin diskbox and one to keep an eye out for on your network. (We’ll be reviewing it in an upcoming Daily Drill Down to tell you more about it.)

MIKKILUSA: Will it be in the download section of TR?

TCW: And the disgruntled user gets jcmd.nlm from the Internet and installs it?

JOHN SHEESLEY: No. It needs to be run from the Server just like any NLM, or over Rconsole.

MIKKILUSA: Cool.

JOHN SHEESLEY: Which is a good reason NOT to run Rconsole on your network. Or at least not to run Rconsole without a password.

TCW: But he doesn’t have the right to Rconsole.

JOHN SHEESLEY: Yes, we’ll make the NLM available in the download section. Don’t trust the Rconsole password to protect you from a Rconsole attack.

BEMBW: Or leave your term while in RCONSOLE.

MIKKILUSA: Why not?

TCW: Bembw, Right!

JOHN SHEESLEY: A user can easily find the Rconsole password if you’ve included it in your AUTOEXEC.NCF file. It’s best to load it manually, rather than using AUTOEXEC.NCF.

BEMBW: Then you don’t need a key for the server room.

JOHN SHEESLEY: And yes, you can use the SECRET command to encrypt it, but the encryption key for that command has recently been let loose on the Internet.

MIKKILUSA: OK I understand we do not must enter password for Rconsole is our setup.

JOHN SHEESLEY: Nope. If you can use Rconsole, it’s just as good as being at the console. Using Unicom, you can configure a Rconsole that’s accessible using Telnet. Big no, no.

BEMBW: Don’t trust anyone while using RCONSOLE.

TCW: What’s Unicom?

BEMBW: OMG!

JOHN SHEESLEY: Sorry. Inetcfg, not Unicom.

BEMBW: Not you tcw, Unicom.

MIKKILUSA: We password protect screen savers with people who have Admin access so if called on help desk we are covered.

TCW: Yup.

MIKKILUSA: But if we get caught with Rconsole on while gone we get nailed.

JOHN SHEESLEY: Unicom controls accesses to the UNIX print services. Which includes FTP services.

TCW: Unicom controls UNIX print services connected to NetWare, or native UNIX?

Screen saver passwords
JOHN SHEESLEY: As for screen saver passwords… You know that you can lock the console using the screen saver in MONITOR. However, that’s not bulletproof.

MIKKILUSA: Yep.

BEMBW: Have you discussed Remote Admin yet & RCONSOLE?

JOHN SHEESLEY: Someone who knows enough about NetWare can easily go into debug mode and turn off that password. It’s just a couple of keystrokes.

MIKKILUSA: At my last class our instructor said InocuLan was no longer Novell’s favored son. Who is?

TCW: But they have to get to the console or hack an Admin password to go into debug mode.

JOHN SHEESLEY: Yes, you do have to be able to get to the console to do that. You can’t go into debug from Rconsole. InocuLan isn’t. I recently reviewed Inoculate IT for NetWare and was less than impressed.

MIKKILUSA: It locks our GroupWise server every time it runs.

JOHN SHEESLEY: NetShield still looks pretty good. That’s the one made by McAfee.

MIKKILUSA: Does it handle open files?

TCW: I haven’t gotten brave enough to install NetShield yet. Soon.

JOHN SHEESLEY: Much of CA’s software for NetWare has been pretty shoddy lately. Both Inoculate IT and ArcServeIT have been less than impressive.

MIKKILUSA: Went downhill after the buyout.

JOHN SHEESLEY: (As most CA software does, but I digress.)

TCW: ArcServe is driving me nuts, too. But it talks to hsm. I need that.

You’re driving me nuts!
MIKKILUSA: ArcServe drives me nuts period.

JOHN SHEESLEY: Now, everyone knows there’s a utility available to crack NDS, right? Pandora.

TCW: Heard of it.

JOHN SHEESLEY: Pandora is a utility released by a hacker known as Simple Nomad. He’s taken umbrage at some of the claims that Novell has made about NDS’s security.

TCW: Where do I have to be to use it? At the console? Rconsole? Remote?

JOHN SHEESLEY: And has created Pandora to help attack it. It’s a SET of utilities. Mostly executed from workstations.

BEMBW: Jeez, I don’t like that news.

JOHN SHEESLEY: I just got a buzz from the moderator about a 10-min. warning. Don’t panic. :o)

TCW: So the disgruntled user gets Pandora from the Internet and runs it from his desk!

JOHN SHEESLEY: Yup.

TCW: AGH!

JOHN SHEESLEY: Just like Lophtcrack on an NT network. Don’t panic however.

TCW: Yup. You’re about to soothe our fears…?

JOHN SHEESLEY: On NetWare’s support site, TID 2941119 discusses Pandora.

MIKKILUSA: We hope?

BEMBW: I hope!

JOHN SHEESLEY: Most of the hacks rely on weaknesses in NCP, the security protocol that Pandora uses. If you increase the packet security signature level to 3, it will render Pandora useless. This can affect SOME IPX dependent software, but usually only custom apps.

BEMBW: Kewl :)) I like that!

He likes it! He really likes it!
MIKKILUSA: Cool.

TCW: Me, too!

JOHN SHEESLEY: You can find that TID by going to www.support.novell.com and searching for keyword PANDORA or for TID #: 2941119.

BEMBW: What an easy fix.

JOHN SHEESLEY: We’ll cover Pandora in upcoming DDDs, but if you can’t wait, go to www.nmrc.org. It also includes a Hack FAQ that covers common exploits in NetWare, NT and UNIX.

MIKKILUSA: Way cool.

BEMBW: I’ll check that out when I wake up in the middle of the night.

JOHN SHEESLEY: Most of the exploits are ones that are easily closed and due to administrator laziness or ignorance. A properly configured NetWare network is pretty tough to crack. You’ll discover the users on your network who are being nosy before they get too far. And most hackers on the Internet will just go for a nice fat juicy NT server and leave your NetWare box alone.

TCW: I know where he sits. I know where he lives.

MIKKILUSA: Then take away keyboards and give them a typewriter.

JOHN SHEESLEY: A typewriter or a Macintosh. Oops. Did that go public? ;o)

MODERATOR: Okay folks. That’s about a wrap, but wait.

MIKKILUSA: Same thing.

TCW: Even better!

JOHN SHEESLEY: Mr. Moderator?

Thanks for coming
MODERATOR: Thanks to John Sheesley tonight for a great meeting!

JOHN SHEESLEY: Thank you all for attending and your participation.

Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.