Re: NMRC Advisory - Default NDS Rights

From: Randy Richardson (randy@INTER-CORPORATE.COM)
Date: Sun Sep 20 1998 - 02:26:23 PDT


    > First of all, simply displaying login ID's or their context is not
    > necessarily a security risk (millions disagree, I know, but it's not the
    > real risk), provided all other aspects of the security system are intact.
    > What IS a risk is faulty passwords (i.e. blank, easily guessed, never expire,
    > etc).  In this case, the real risk is the carelessness of the administrator,
    > not a flaw with the system.
    
            Using the "Intruder Lockout" functionality will reveal when someone tries to
    hack into an account.
    
    > What you're suggesting here is not really a fix, rather it is a removal of
    > necessary functionality needed by "trusted" users of a Novell network.  In
    > fact, Novell has said that it is widely known that, if the presence of CX or
    > NLIST poses some paranoia in your environment, you should delete these
    > utilities from SYS:LOGIN, not modify the rights structure of the NDS tree.
    > (I happened to learn this in training but others will more than likely
    > concur).  A non-logged in connection NEEDS read access to containers in
    > order to set their starting context as well as walk the tree if the default
    > context is not correct.  By virtue of READ being on the container, all
    > objects in that container can be displayed.  It's a judgement call whether
    > or not this poses any *real* threat.
    
            Anybody can easily get a copy of CX and NLIST, so removing the Browse right in
    the NDS tree is a more effective solution.  Removing CX and NLIST is only going
    to stop novice hackers who will probably try the brute force method of attack
    (guessing passwords) anyway (which "Intruder Lockout" will handle very
    effectively).
    
    > Besides, just to get access to the SYS:LOGIN directory itself is quite a
    > tough trick.  Unless *all* routers along a given path are running IPX or the
    > site is running Netware IP, it would take some pretty nifty talent to even
    > get to the LOGIN directory.  Of course, you can never prevent the internal
    > threat.
    
            If a network administrator logs into FTP or uses some other internet service
    that utilizes clear-text passwords, someone viewing packets in between will
    have instant access to SYS:LOGIN if an FTP server NLM (NetWare Loadable Module)
    is running on the server, and that same user is authorized to use FTP.
    
    > -- dcc --
    > --------------
    > [NDS for NT Project Manager at Novell]: "We've got some good news and some
    > bad news for you:  The good news is, we don't mess with NT security.  The
    > bad news is....We don't mess with NT security..."
    [Snip]
    
    Randy Richardson - randy@inter-corporate.com
    Inter-Corporate Computer & Network Services, Inc.
    Vancouver, British Columbia, Canada
    http://www.inter-corporate.com/
    
    Attend the Pacific Coast Computer Fair - http://www.pccfa.org/
    


