|Introduction Back to Top|
Keeping your network resources and data safe from threats such as
human error is a critical administrative task. These
threats can come from internal or external sources. The security
methods you implement should be based on the source of the threat.
For example, an effective method for providing external security is
to implement a firewall; an effective method for providing internal
security is to verify rights for objects in a Directory.
In this section, you learn about some basic methods for internally
securing your network, how you can restrict access to prevent loss
of resources and data, and how to troubleshoot basic internal
|1. The Steps for Developing an Effective Security Policy Back to Top|
To establish a secure infrastructure for your network, you need to
provide the following components: a security policy, user
authentication, encryption, access control, audit, and administration.
Of all these, developing an effective security policy is the most
The security policy is a document (or set of documents) that
describes the security controls to be implemented in your company,
and provides a foundation for establishing a secure environment.
In Mark Edmead's article on security policies , he recommends the following as the basic
steps for developing a security policy:
The Computer Emergency Response Team/Coordination Center
(CERT/CC) at Carnegie-Mellon University (CMU) estimates that
80% or more of the internal security problems they review have to
do with poorly chosen passwords.
By developing an effective security policy that addresses issues such
as passwords, training employees on the security procedures, and
then effectively enforcing the policy, you can eliminate a majority
of your internal security problems.
Classify your systems.
Inventory of all of your systems, and
determine how they are being used in your organization.
Determine your organization's security priorities.
the security priorities for each system. For example, if you have
a Web server, the security priority might be to limit access to
only HTTP connections.
Assign risk factors.
Knowing you need a security policy is one
you (and your employees) need to understand what the
risks are if the policy is
For example, if the antivirus policy is not followed, the risk
could be to disable corporate email.
Define acceptable activities.
This part of the policy addresses not only what activities are acceptable but also what activities are not acceptable.
For example, an acceptable activity is to make sure antivirus
software is installed on the workstations. An unacceptable
activity is to open attachments from unknown sources.
- Provide security awareness training.
Writing policies is important, but you also need to train employees on the policies.
The training should include what the policies are, where they are
located, and why following the policies is important.
- Determine the administrator of the policy.
One of the tasks of
a policy administrator is to update and revise the policy.
But more importantly, someone needs to enforce the policy. Like
highway speeding laws without a highway patrol, without
adequate enforcement, you might as well not have a security
|2. The Basic Methods for Internally Securing a Network
Back to Top|
Although the security risks to your network from external sources
(such as email viruses) are highly publicized, the majority of
security risks faced by network administrators come from internal
Many of these internal security problems happen because of
ineffective security policies, mismanaged access rights, and
employees who do not follow security procedures.
Other internal security problems happen because of unauthorized
individuals (such as employees and contractors) who have the
means, motive, and opportunity to cause significant damage to your
network resources and data.
Although you cannot control the means and motives of these
individuals, you can significantly reduce or eliminate the
opportunities for them to cause damage by implementing the
I. Physically Secure Servers
- Physically Secure Servers
- Secure the Server Console
- Protect Severs and Workstations Against Viruses
- Secure the Server File System
- Restrict Network Access Through eDirectory User Objects
The first place to start when securing your network is to protect
your server from unauthorized access.
If an unauthorized person has access to a server, he or she can load
files from a diskette, switch the
server into debug mode, remove restrictions from the server,
shutdown the server, or even remove the server's hard drive.
You can limit physical access to servers using one or more of the
- Lock the server in the room and only allow access to authorized
- Remove input devices (such as the keyboard and mouse) so that
unauthorized individuals are not able to enter server commands
or use configuration utilities.
- Remove output devices such as monitors
II. Secure the Server Console
In addition to physically securing the server, you can improve
security by doing the following to prevent the use of the server
Use the screensaver.
The screensaver provides
protection because it requires a password to unlock it.
Logout when you are not at the servers console
Never leave the server unattended! Make sure you always log out, even if you leave the console only for a minute.
III. Protect Servers and Workstations Against Viruses
To protect your network from the spread of viruses introduced by
internal (and external) intruders, do the following:
- Install virus scanning software.
Install virus scanning software on each workstation.
Create an emergency boot diskette when you install the
software, and write-protect the diskette before you use it. (This
prevents files on the diskette from becoming infected.)
You can use the emergency boot diskette to start the computer if
your virus software is infected or to make sure your computer is
clean before you install other software.
NOTE: Two popular virus scanning software packages are McAfee Virus Scan
and Norton AntiVirus.
- Configure the virus scanning software to meet your security
To make sure that your virus scanning software
is highly-effective in combatting virus attacks, make sure you
configure the software to do the following:
- Scan both incoming and outgoing files at the server.
- Scan all types of files (including EXE, DLL, and ZIP files).
- Scan all incoming and outgoing email and attachments.
- Immediately send virus notifications to the network
administrator and the user.
- Prevent users from canceling the virus check or virus
- Enable virus expiration warnings.
Enable the virus expiration warning to alert you when signature files are outdated.
Each virus has a specific pattern it leaves when it infects a file.
The information in a signature file is used by the virus scanning
software to determine the type of virus that has infected the
computer and its files.
With viruses being created almost daily, you need the latest
signature files to protect against new viruses. These files are
freely provided by the antivirus software vendor.
Make sure you update your emergency boot diskette when new
signature files are received.
- Quarantine files.
Use a software package that allows files to be
quarantained. This prevents users from accessing infected files
and spreading a virus.
- Filter junk mail.
Configure your email servers to filter and
eliminate unsolicited junk email that could contain a virus or
- Include virus protection procedures in your security policy.
Make sure that your security policy include items such as
discouraging employees from downloading non-work-related
email attachments, and encouraging them to install antivirus
software on their home computers.
IV. Secure the Server File System
The following are some basic guidelines for securing the server file
- Disable unused services.
Services like FTP, Telnet etc can be a security risk or limit the number of users allowed to use them.
If available setup and configure Secure Shell (SSH) for access.
- Limit file and directory rights.
Assign users the fewest rights possible to access files and folders.
Don't give users rights to the root directory of any drive
because the rights flow down and are inherited.
- Assign file attributes.
You can assign file attributes to override
granted or inherited rights. Unlike trustee rights that apply only
to assigned users, file attributes apply to all users accessing that
- Use trustee assignments.
A trustee is an object that has been
placed on the access control list (ACL) of a directory or file.
You must be defined as a trustee before access rights to a
directory or file can be granted to you.
File system security is easier to implement and manage when
you grant trustee assignments to eDirectory objects, such as
group and container objects, that pass their rights to multiple
If users have more rights than they need, check their trustee
assignments and make changes.
- Use a folder other than the system drive for home directories.
Organize your file system so that user's home directories are on a drive and/or partition other than your operation system (OS).
The OS (Operating System) drive/partition should be reserved for the OS system files.
By creating home directories on the OS drive/partition, you allow
users to store files that might contain viruses that can corrupt or
cause damage to critical system files.
- Test file system security.
The easiest way to test file system
security is to log in as a user with default rights and browse the
You can check for possible security risks by answering the
- Can you see system folders like SYS:SYSTEM or SYS:ETC (Novell Netware) or C:\Windows, C:\Winnt (Microsoft)?
- Can you see the directories from which administrative
utilities such as NetWare Administrator/ConsoleOne (Novell Netware) or Regedit/Regedt32 (Microsoft) are run?
- Can you browse the entire eDirectory (Novell Netware) or Active Directory (Microsoft) tree?
When a user can see more than what has been described above,
check the rights for that user. The user has probably been
assigned more rights than the default rights
|3. Restrict Administrative Access to the Network Back to Top|
Securing eDirectory user objects is critical to maintaining internal
security to your network. You can restrict network access through
user objects by doing the following:
- Follow Login Security Guidelines
- Effectively Assign Rights to Users
- Set Password Properties for User Objects
- Configure Intruder Lockout Options
I. Follow Login Security Guidelines
Use the following guidelines to help implement login security:
II. Effectively Assign Rights to Users
- Disable unused user accounts.
Disable user accounts that have
not been used for several months.
Before you disable an account, verify that the account is no
longer needed. Sometimes a remote user might not connect to a
network for an extended period of time.
- Assign an expiration date for temporary employees.
For temporary employees, use the expiration date property to
restrict their access to the contracted time limit.
- Restrict logins based on time.
- Limit the number of user connections.
Set connection limits for users to restrict the number of computers they can log in from.
Two connections are usually sufficient for most users (other than network administrators).
- Limit rights for specifying login restrictions.
This is useful when granting a subset of rights
to a Help desk or junior administrator for specifying login
restrictions. Some of those rights (if available on your operating system) are listed below:
- Account disabled
- Account has expiration date
- Expiration date and time
- Limit concurrent connections
- Maximum connections
- Last Login
When you create a user, the user object is assigned a default set of
rights that enable the user to access required network resources.
Security problems occur when the default rights are excessive, or
when you start assigning specific rights to a user without
understanding the implications.
The following guidelines can help you establish a secure internal
network through the effective assignment of user rights:
- Start with the default assignments.
The default assignments are sufficient for most users on most networks.
- Avoid assigning rights through the All Properties option.
The Object Trustees Access Control List (ACL) property is the
main reason for not granting additional rights with the All
Assigning property rights through the All Properties option
might seem easier but you might assign property rights to other
users in the ACL that do not need those rights.
Be especially careful when assigning the Write right to the
Access Control List (ACL) property. This right enables a user to
configure additional rights to the object. The user can then
assign other rights to an object.
- Use Selected Properties to assign property rights.
By using Selected Properties, you can control what rights users are
assigned, and assign only those rights that are absolutely
III. Set Password Properties for User Objects
User passwords are especially important to your internal security
plans. Novell has provided a simple method for implementing
passwords in a consistent manner through the use of a user
template, which you can use to create user objects.
This is especially helpful if you are creating many users who need
the same property values, and require specific password properties.
The following are password properties you can set when creating a
user object or template:
IV. Configure Intruder Lockout Options
- Allow user to change password.
Allow users to change their
Require a Password.
Specify that the user should enter a
password to access the network.
- Minimum password length.
Set a minimum password length;
many organizations require at least 8 characters. (Passwords can be from 1 to 128 characters.)
- Force periodic password changes.
Require users to change their password regularly.
- Days between forced changes.
Specify a fairly frequent
interval between password changes, such as 30 days (you can
specify up to 365 days).
The value is stored in seconds, not days. (86,400 seconds equals
- Date password expires.
Assign a date and time on which a
user's current login password will expire.
Many administrators use this setting (instead of "Days between
forced changes") for temporary or contract employees with a
specific termination date.
Require unique passwords.
Require the use of unique
passwords, rather than allowing the user to reuse an old
NetWare keeps a record of the last 8 passwords for a user and
prevents the user from reusing any of those passwords.
- Grace logins allowed.
Set this option to allow a user to log in
set number of times with an expired password.
Consider setting this number to only a few times; many
organizations limit grace logins to 3. You can enter a value
between 1 and 200.
- Remaining grace logins allowed.
This number reflects the
remaining, unused grace logins, and is updated by eDirectory.
If you want to increase the number of grace logins still
available for a user, increase this number.
For example, if the number of remaining grace logins is "0" and
a user needs one more to access his or her account to change the
password, replace the "0" with "1."
- Change password.
Use this option to change a user's password
or set one if the user does not have one. The changes are
immediate and cannot be undone.
You can use this option when a user has forgotten his or her
password and needs to enter a new one. Enter a new password,
then securely inform the user of the new password.
In addition to setting password properties, you can provide
additional login security by implementing intruder lockout options.
Intruder lockout prevents an individual from trying to log in to a
user account after a set number of attempts, and is a primary
defense against password hackers.
On Novell NetWare the default number of incorrect login attempts allowed is 7.
However, if you have experienced previous hacking attempts, or
your enterprise requires tight security, consider setting this value to
When someone attempts to log in to an account and the attempts
exceed the intruder detection limit, NetWare logs the event and the
server beeps and displays a time-stamped message showing the
account that is locked and the Media Access Control (MAC) address
of the node.