Chapter Four: Auditing NetWare 4 Security
Articles and Tips: article
01 Apr 1994
Auditing NetWare 4 Security
The NetWare 4 operating system offers the LAN administrator, security officer and auditor a platform with integrated control and security features. This provides the opportunity for enhanced auditing and real-time monitoring of the network. Among these features are the ability to create a single sign-on/resource control environment, and real-time auditing through the AUDITCON utility together with NetWare's command language and Windows-based administration functions.
This chapter describes an overall strategy for performing various levels of audit and review. After discussing a typical audit approach for a NetWare network, it provides control concerns, audit procedures, and overview questions for planning an audit in several common control objective categories.
Our methodology stresses the use of disciplines such as engineering, system analysis, and good business practices, combined with standards promoted by the Institute of Internal Auditors (IIA) SAC report, the EDPAA's Control Guidelines, and industry-specific regulations.
It is also recommended that classic audit considerations for distributed data centers, telecommunications, and systems be applied to the network environment. These are the underpinnings of what will be discussed in this chapter.
Note: No single document can provide definitive answers to all problems that may be encountered. This report seeks to give the auditor and security administrator guidance and a logical approach that can be applied on a day-to-day basis. Thus it focuses on medium- to high-risk issues.
The use of networks and client/server technology has taken on a major emphasis in corporations of all sizes. Networks have been accepted as the platform of choice for mission-critical and sensitive systems. In fact, they have become the backbone of many organizations which rely on them on a day-to-day basis. In short, networks have come into their own as valued business assets.
Along with this acceptance comes the need to efficiently manage and control these "valued assets." Auditors must therefore carefully examine the setup, administration, control, and management of these systems, much as they have with UNIX and other operating systems. To ascertain auditing needs, it is also important to determine what types of systems are currently in use and what will be used in the future.
To perform a review of the NetWare 4 operating system, you will need a clear understanding of:
The corporation's organizational structure
The corporation's data flow
NetWare Directory Services
NetWare file/directory services
To provide security, control, and auditability, organizations must balance the features that are provided with the corporate architecture, policies, and the needs of the end-user. It is important to evaluate these elements based on access control demands, performance, efficiency, and information requirements. Controls need to be assessed and promulgated that assure the proper reliability and security performance of all components: desktop operating system, server operating system, and network operating system.
Consequently, one needs to focus on the following when determining the necessary auditing process:
What is the purpose of the security review or audit?
How does one set the scope of such an effort?
What are the objectives?
What platform(s) should be examined?
What are the corporate policies, procedures, and standards?
Is management directly involved with the process?
Is the physical security sufficient?
What is the status of the system security and controls?
Is critical and sensitive data protected and well managed?
Are system resources properly secured and auditable?
Are system operation and maintenance procedures in place?
Are appropriate techniques and procedures available to audit the entire system?
Does system design maximize the use of NetWare 4 control and security features?
Is business continuity a corporate prime objective and mandate?
Is there a tested business continuity plan?
Note: Give careful consideration to systems that overlap (share common interfaces), and to those that handle critical functions, large assets, or sensitive information.
Exposure and Risk
Today, information systems are accessed not only by users within the corporation, but also by others from the outside. These external users are quite often unknown or not under direct control of the organization. It is quite common for users to have no knowledge of where the systems they access are physically located. In light of such external access, the traditional methods of security involving physical, application, and operating systems must be updated to encompass this new environment.
With connectivity, internetworking, user friendliness, and open systems being goals for supporting companies through the use of networks, one must be aware of the possibility of "outsiders" or "hackers" trying to access valuable systems and the assets they hold. Every PC with a direct connection or modem is a potential "listening" node or tool for misuse on the network and a threat to applications and data stored in a company's systems.
As organizations evolve, the distinction between data processing and data communications becomes less precise. Client/server application systems are heavily dependent on properly designed networks. Most data communications equipment is no longer dedicated to an application, but serves as an exchange path for many applications to interoperate. This requires an integrated approach to security and auditing.
For example, from a Network Control Center (NCC) the network allows virtually any user location to be logically connected to any computer application. This is critical to such businesses as international banking, where the customer base is geographically dispersed, constantly moving, and globally connected. The authorization and review process should support, not hinder, this real-time user need for flexibility.
Therefore, auditing in the network computing environment must provide one with the ability to monitor, collect, and review user activities, system-wide options, and defaults of NetWare Directory Services (NDS) and individual servers and the resources that they provide.
The audit methodology presented in this chapter is derived from established mainframe/minicomputer and microcomputer practices, as well as those strictly oriented to the network environment. Careful attention has been taken to include the latest proposed audit considerations being looked at by various governing bodies.
These auditing considerations are but a microcosm of what one finds in the larger world of telecommunications departments. To ensure proper coverage, it is important that all areas be considered - especially those that involve unchecked and undocumented growth potential, such as networks. Audit efforts must therefore be redirected and refocused to closely scrutinize telecommunications and its assets.
The Auditing Department must gain insight into these areas by:
Participating actively in the initial planning and strategy meetings
Reviewing internal and external plans and technical material
Bringing the knowledge of control and security to bear on the various projects
Active involvement in these areas is the key factor.
A Typical Network Audit Methodology
Many methods can be used to analyze the security of a network environment. To bring mainframe technology skills to bear on this audit, a Host Out/Workstation In (HOWI) method was developed. The HOWI method capitalizes on the fact that the discrete components that make up the network can be directly mapped to mainframe/minicomputer functions then analyzed, reviewed, and audited along classic pragmatic lines. For example, the auditor or security administrator can deal with servers and workstation structures as highly compartmentalized processing, storage, or communications units.
The HOWI approach provides a simplified analysis of the LAN framework. To understand network computing, you first need to review the components that make up the network system(s). Begin the examination with the server ("host") computer and work your way through the various components to the end-user workstation. During this examination, you should formulate answers to the following questions on a component-by-component basis:
What is the component's function?
What are the security/control functions it provides?
What are the performance requirements imposed on this unit?
How does this unit interface with the previous and next unit in line?
Is this unit critical to the operation of the network?
This set of questions is the starting point for the auditor to see what network computing is about. From here, you should follow standard system analysis principles, applying what you have already learned and experienced to network technology.
The following sections detail a range of considerations for networks. Our examination of the individual components (hosts, servers, workstations, specialized services, and interconnections) focuses on their individual contribution to processing, storing, and moving data. We also consider their ability to work in combination with each other. Significant in this approach is that security/control will first be reviewed on a platform or device basis, as well as with the interlocking relationships (the security interface).
To begin, it is important to clearly define the principal components of a network computing environment. These components are:
The transmission system and media components
The operating system software (NetWare, DOS, OS/2, UNIX, and so on)
This delineation shows each component consists of hardware and software which can contribute to the control and security of data both locally and remotely.
Given the presence of microprocessors in almost every piece of electronic equipment, you must realize that microprocessors can also be programmed to add or circumvent controls that may be in place in other parts of the system. An example is a communications server that can be programmed to either allow or not allow a user to communicate with the outside world, or that restricts outside sources from accessing the network.
The network computing environment, therefore, permits many of the present host-bound security functions to reside on equipment not locally attached or even geographically present. The network becomes both the transportation agent and the control agent in one bundle. Using the method of following the data flow and access control mechanisms from the host (server) out to the workstation gives you a complete picture of the in-place controls and those that are needed.
The increased use and dependence on decentralized, networked computing systems dictates the need for active audit involvement.
The Purpose of an Audit
Businesses perform audits for many reasons. Internal auditors perform audits to comply with regulatory requirements, to identify process improvement opportunities, or to measure compliance with internal standards. External auditors perform information systems audits to support their opinion on a company's financial statements or their evaluation of a company's internal controls. The exact approach and procedures an auditor employs depends upon the objective of the audit.
Another purpose of an audit is to detect activities that may compromise the security of the system. When unauthorized access is attempted (whether successful or not), or when activities occur that violate system security or controls, an audit is essential. The following activities are candidates for inclusion in a security audit:
Accessing the system
Changing the configuration of the system
Circumventing the audit trails
Initializing the system
Transferring information into or out of the system
Once established at the desired level, security tends to deteriorate over time. Reasons for this lie in the dynamics of the computer use and the complexity of the environment. Typical factors are:
New files created by users
New users granted access to the system
File ownership changes, but trustee rights are not changed
User responsibility changes, requiring changes to user/group trustee rights
Temporary access granted, but not revoked on a timely basis
New applications or releases installed
Security auditing encompasses two different activities:
Day-to-day security monitoring tasks. This monitoring should be part of the security administrator's responsibility. Full-time security administrators should perform these tasks every day, while part-time administrators may elect to do the monitoring on a less frequent basis.
Periodic security audits. Periodic reviews and audits may be performed by internal or external auditors. Periodic reviews may be performed annually or less frequently, depending on the size and security needs of an organization.
In this chapter, we are describing "periodic" audits and security reviews that take place in companies on a predetermined basis by internal or external auditors or security administrators. To perform their duties, these individuals must determine the status of the control and security posture of the operating environment.
To do this, auditors must use the command language, utilities, and audit facilities to capture and analyze information that describes the features of the area being examined at any given moment, as well as over a designated period of time. The examiners can use this information to document changes to NetWare 4 or identify unauthorized use of resources in the NetWare 4 environment on a day-to-day basis and at specified times.
The auditor typically would not be responsible for reviewing daily or weekly audit trail information, other than exception reports to identify unauthorized activities. We do encourage auditors to develop templates that mirror the company's security architecture and policies, and which can be used to determine the compliance of the platform that is being looked at. This validates the need for having the network audit function turned on and having it acquire the right amount of information continuously.
Setting the Scope of the Audit
The size and complexity of today's global network environments require an audit approach as detailed as that applied to data processing. This section lays the groundwork for the dissection of this business entity. An initial step in the audit of a network is to determine the scope of the audit. Depending on the system and its business purpose/function, stage of development, and communications/processing environment, you can choose different review perspectives:
Applications layered on networks introduce risks into the network computing system in which they operate. Further, user requirements based on these applications affect performance requirements and, therefore, the access demands and security risks of the network. Depending on the type of audit conducted, the auditor should determine if the network is properly designed, if its performance is adequate, and if it adheres to the security practices defined as acceptable.
For example, an audit should determine the effects a malfunction of a network component (for instance, a communications server) might have on the system, the user, the application, and - most importantly - on the business itself. Controls to ensure proper security performance and reliability of all network components must be assessed.
Accordingly, the following considerations should be addressed during a network audit:
Is the network cost-effective? Is its operation and design consistent with the project system development life cycle?
Is physical security sufficient to safeguard equipment and information, as well as the personnel operating or using the system?
Is critical data protected from loss or damage?
Is sensitive data protected from unauthorized exposure?
Is management providing the appropriate direction, policies, and standards for effective network computing service?
Is compliance with established policies and standards regularly monitored?
Are appropriate hardware and software techniques being used to ensure network reliability?
Are controls sufficient to ensure that access to the network is limited to authorized users?
Are network utilities and management programs properly controlled?
Is the system meeting user requirements?
Are facilities available to measure performance?
Is there a methodology in place to ensure sufficient resources (capacity planning)?
Are there any operational procedures to ensure that system-critical functions are available?
Does the network design afford sufficient flexibility and resilience to limit disruption?
Does backup exist in case of media failure?
Is there a business-related contingency backup plan, or is the network included in a larger plan?
Is there any methodology for enforcing policy guidelines?
A review of the installed and planned telecommunications facilities indicates that the audit universe can be formidable. The diversity of equipment and the systems used to service domestic and international operations of companies goes beyond just voice and data communications. It also includes data/audio combinations, videotext, satellite, and fiber optic specialty circuits, which may or may not be owned and operated by the company.
Individuals - sometimes numbering in the hundreds or thousands - and departments are involved on a daily basis with running these systems. Business has become a global issue. Some firms today are operating internal telecommunications networks that rival those of some of the common carriers in complexity and size. Furthermore, there may not be one central network management structure that controls this resource in all countries and all business lines.
Therefore, to audit this entity one must:
Understand the organizational entities providing telecommunications services
Determine the resources and services that are provided
Determine the telecommunications assets of the organization
Establish an audit methodology for each service and its components which delineates the controls that are needed to eliminate or minimize the risks and exposures
Types of Audits
Before we discuss control concerns and audit procedures for NetWare 4 environments, we need to establish a framework for categorizing these concerns and procedures. We have classified the different information system audits into three categories:
The following descriptions of these categories include a few examples of the types of concerns and procedures relevant to them.
Security Review. The security review determines the security posture of the area. It seeks to determine the compliance to baseline security and control standards that have been specified by corporate policy and legal/regulatory mandate. It is a snapshot of the current conditions.
Auditors may perform a security review as part of a regulatory audit or an external audit. During a security review, the auditor establishes that the NetWare control environment and administrative practices meet a predetermined and "commercially acceptable" level of compliance.
The auditor evaluates the security review results independent of the layered business functions and applications. The auditor is concerned with the platform setup and control/security needs as it pertains to the technology. Procedures primarily include inquiry and observation. The scope typically includes:
Physical security and environment
Backup, recovery, and contingency planning
System Audit. A system audit is more comprehensive than a security review and typically includes testing procedures to support inquiries and observations. Process improvement studies or compliance audits usually include the detail and scope of a system review.
A system review usually assesses these categories:
Policies, procedures, and standards
Physical security and environment
Backup, recovery, and contingency planning
System operations, maintenance, and troubleshooting
Software development, acquisition, and maintenance
Prior to evaluating the results of a system audit, the auditor must understand the business functions supported by the NetWare environment. The auditor's understanding of the business function's significance allows him or her to evaluate identified weaknesses and risks.
Applications Audit. The applications audit is a highly focused audit that highlights the control and security concerns and issues indicative to the application. These control and security issues can significantly change the baseline security strategy. At this audit level, a cost analysis for application security is also necessary.
Auditors perform an application audit primarily to assess the integrity, availability, and/or confidentiality controls and practices supporting a specified application. First, the auditor identifies specific application controls. Next, the auditor determines how NetWare controls and practices impact those application controls. The extent of the NetWare audit procedures is closely tied to the specific application's controls and practices. The auditor evaluates the NetWare system audit results in conjunction with the application audit results.
Once the particular type of audit or review activity has been decided upon, one can focus upon the environmental situation and expand the audit steps as appropriate.
Strategic planning, developmental, and implementation project participation and review.
Network's operating and maintenance environment
Network's adherence to company standards, peer utilization, contingency planning, and good business practices.
Thus, an auditor approaches the complex telecommunications arena from several different directions, optimizing the approach and reorienting the focus to fit the particular circumstance. This is then matrixed with the responsible organizations or individuals.
The Typical Audit Approach
The various types of NetWare audits can follow standard audit methodologies. The auditor can partition large tree structures to audit or review only that portion of the tree that corresponds to the auditee's working environment. The steps that have been tested over the past several years are:
Determine the audit objectives and conduct
Perform preliminary analysis and audit planning
Gather detailed information
Analyze and assess the network environment
Prepare the audit report or action plan
These steps are described in general terms below.
Audit Objectives and Conduct
Before embarking on an audit or security review, it is important to set objectives and direction. Audit and security reviews need to be individually tailored. Some network computing components will receive more or less attention, depending on the type of review and the complexity of the overall environment. For example, in a development audit, the auditor may recommend that security provisions and performance parameters be incorporated during the network's development. By contrast, in an operational audit the reviewer will determine whether the installed network complies with the original design and current requirements.
Every network should meet a set of functional requirements based on these factors:
Corporate standards, policies, and procedures (including federal, state, and local governmental requirements)
The network's computing component specifications
An organization's policies, organizational structure, and needs have an impact on the audit. Identifying these elements helps the auditor further define audit objectives:
Corporate policies and standards - Review the corporate policies and standards that apply to decentralized computing, networks, and network services.
Network management - Review the management structure of the network and department and corporate network service organization. Does the management structure provide effective service? Is there a methodology in place to determine the efficiency of management?
Network functionality/requirements - Review the network system's functionality in terms of applications, types of data, and importance to the company.
User requirements - What are the user requirements for existing and future services? If these are not defined clearly, or if they are based on estimates of current usage patterns (not projected growth), strategic planning for the future cannot be done effectively. If these are monitored improperly, network failure can result.
The auditor must identify individuals responsible for the network, the interconnecting network, and related elements. Areas of responsibility include:
Operations and maintenance
Interface with users, MIS, and telecommunications staff
These individuals should receive a copy of the audit report at the conclusion of the audit.
Determination of who receives these reports may differ from company to company, but the information provided here should be used for a basis in determining audit report distribution.
Another audit objective is to determine whether the network functions as it was designed and meets the design and usage requirements. This requires that the auditor:
Catalog all components and examine their performance levels
Evaluate all security provisions (detection, prevention, correction, and recovery)
Assess threats to the network and the controls in place to reduce risks
To accomplish these objectives, the auditor must gather data and documentation regarding the network computing environment and its components. This is done by communicating with the individuals responsible for the system and network platform.
Preliminary Analysis and Audit Planning
Through observation and inquiry, the auditor gathers information to establish an overview of how NetWare supports the auditee's business functions. Audit planning includes a preliminary risk assessment and establishment of the audit's scope. At this point, the auditor will gather information to understand the network environment, including:
Corporate standards and organization
Hardware - servers, routers, wiring, network interface cards, and so forth
Software - workstation operating systems, gateways, e-mail, applications, and so forth
Communications - wide area, remote dial-in, and multi-platform
People - users and support community
Historically, an auditor defined the scope of a NetWare audit in terms of a server or a departmental network with several servers. In the NetWare 4 environment, the auditor will want to define the scope of a NetWare audit by defining the objects that support the auditee's business. If the company has properly designed its NDS tree, the auditor can restrict the review to objects within a particular organization or organizational unit.
In the NetWare 4 environment, the auditor's basic planning objective becomes finding the answer to this question:
What controls and administrative procedures support the availability, integrity, and confidentiality of objects (in the defined Organizational Unit) which support the auditee's business functions?
However, you cannot ignore objects outside of the auditee's organizational unit, since administrators could grant them access to objects that are included within the scope of the audit. For example, suppose you are conducting an audit of the general ledger system residing on a NetWare server's volume FIN. The financial server and volume FIN reside under the Accounting organizational unit in the NDS tree. Your review would primarily focus on controls over resources (objects) within the Accounting Organizational Unit (OU). Mary's User object resides in the Information Systems unit, and she has access to the FIN volume to support accounting. As part of the review, you will want to look at the integrity of Mary's login ID.
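One way to make this scoping check mechanical, as an added example that is not part of the original chapter: given a list of trustee assignments on objects inside the audited OU, report every effective trustee (expanding Group objects one level) whose own object lives outside that OU, as Mary does. The object names, rights strings and group memberships are constructed sample data; the SERVER_VOLUME volume naming and the S/R/W/C/E/M/F/A rights letters are NetWare 4's own.

```python
# Added example, not code from the chapter or from Novell: flag trustees on
# in-scope objects whose User object sits outside the audited container.

def parse_dn(dn):
    """Split a typeful NDS name ('CN=Mary.OU=IS.O=Corp') into
    [('cn','mary'), ('ou','is'), ('o','corp')], leaf component first.
    NDS names are case-insensitive, so everything is lower-cased."""
    parts = []
    for comp in dn.split("."):
        typ, sep, val = comp.partition("=")
        if not sep or not typ or not val:
            raise ValueError(f"bad name component {comp!r} in {dn!r}")
        parts.append((typ.strip().lower(), val.strip().lower()))
    return parts


def in_scope(dn, container):
    """True if dn lies beneath container, i.e. the container's components
    are the trailing components of dn."""
    d, c = parse_dn(dn), parse_dn(container)
    return len(d) > len(c) and d[-len(c):] == c


# Supervisor (S) grants every right and Access Control (A) lets the holder
# grant rights to others, so either one held from outside the audited OU
# is the more serious finding.
HIGH_RISK_RIGHTS = set("SA")


def severity(rights):
    return "high" if HIGH_RISK_RIGHTS & set(rights.upper()) else "medium"


def out_of_scope_trustees(scope, assignments, groups):
    """assignments: iterable of (object_dn, trustee_dn, rights) gathered for
    objects inside scope. groups: {group_dn: [member_dn, ...]} so rights
    granted to a Group object are attributed to its members.
    Returns sorted (trustee, via_group, object, rights, severity) tuples for
    each effective trustee whose object is outside scope."""
    group_members = {g.lower(): m for g, m in groups.items()}
    findings = []
    for obj, trustee, rights in assignments:
        if not in_scope(obj, scope):
            raise ValueError(f"{obj} is not inside the audited container {scope}")
        members = group_members.get(trustee.lower())
        if members is None:                       # a User (or other leaf) trustee
            candidates = [(trustee, None)]
        else:                                     # expand the group one level
            candidates = [(m, trustee) for m in members]
        for who, via in candidates:
            if not in_scope(who, scope):
                findings.append((who, via, obj, rights.upper(), severity(rights)))
    # high-severity findings first, then by trustee and object name
    return sorted(findings, key=lambda f: (f[4] != "high", f[0], f[2]))


# Constructed sample data mirroring the FIN / Accounting / Mary scenario.
SCOPE = "OU=Accounting.O=Corp"
FIN = "CN=FINSRV_FIN.OU=Accounting.O=Corp"          # Volume object, SERVER_VOLUME naming

SAMPLE_ASSIGNMENTS = [
    (FIN, "CN=Bob.OU=Accounting.O=Corp", "RWCEMF"),   # inside the OU: no finding
    (FIN, "CN=Mary.OU=IS.O=Corp", "RF"),              # the Mary case from the text
    (FIN, "CN=GL_Users.OU=Accounting.O=Corp", "RWF"), # group with an outside member
    (FIN, "CN=Admin.O=Corp", "S"),                    # Supervisor granted from the root
]
SAMPLE_GROUPS = {
    "CN=GL_Users.OU=Accounting.O=Corp": [
        "CN=Alice.OU=Accounting.O=Corp",
        "CN=Tom.OU=Sales.O=Corp",
    ],
}

if __name__ == "__main__":
    for who, via, obj, rights, sev in out_of_scope_trustees(SCOPE, SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS):
        route = f" via group {via}" if via else ""
        print(f"[{sev}] {who}{route} holds {rights} on {obj}")
```

Each finding is a login ID whose integrity (password controls, account restrictions, container placement) the review must cover even though the object lies outside the audited OU.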
Detailed Information Gathering
Data gathering can be the most difficult task in the audit review process. Documentation and records are not normally a part of the operating scenario. If they do exist, they may not be properly maintained or are dispersed throughout the organization, making them hard to find.
Well-planned interviews of responsible individuals should be conducted to supplement documentation. Ideally, the auditor should collect and review:
The original network requirements definition, based on the feasibility study, the proposed design and alternatives, the trade-off study, and final decisions
Design standard, criteria, approach, and documentation
Development and implementation plans
Network operations and maintenance plans and procedures
Testing criteria, plans, procedures, and results
The original and current configurations and configuration change controls
Performance standards, reports, history, trends, and the applied measurement techniques
Identification of critical or vulnerable network elements and controls to lower risk
Audit trails and analysis tools for the network
Contingency and disaster recovery plans
Inventory of applications and network users
Analysis of security requirements for current and proposed applications
Inventory and analysis of current and proposed circuits
Network personnel training program
To gather and document how the auditee has installed and configured NetWare 4, the auditor will use the following tools:
NetWare 4 commands and utilities
The NetWare 4 AUDITCON utility and templates
Third-party reporting tools
After analyzing the reports generated with these tools and any additional information that is available, the auditor interviews NetWare administrative personnel to obtain a thorough understanding of NetWare administration procedures and controls. The audit procedures and control questions in the next section will help the auditor gather information.
We have prepared a list of NetWare 4 commands to facilitate information gathering (see Chapter 6). In addition, Appendix B lists some third-party reporting products that you might want to use to facilitate gathering information.
Analysis and Assessment
A thorough understanding of the corporation's data processing and network environment is invaluable to the auditor. This includes an understanding of the system's life cycle and any completed or planned changes, integrations, consolidations, or expansions. For example, if a current mainframe application is to be moved to a decentralized network facility, the auditor would perform a development audit of the new system, rather than an operational audit of the existing operation. This would save time and allow redirection of efforts to critical issues at the earliest possible time of development.
While time-consuming, the analysis phase can be the key to a successful audit. The auditor should ensure that the design meets all computing and communications requirements, as well as complies with any applicable regulations. The development and implementation plans should stress control and security, performance, and reliability as primary aspects to be monitored.
The network's hardware, software, and network configuration must be accurate, current, and readily available to the authorized operations and maintenance personnel. No changes should be permitted without first ensuring that they will not affect current capabilities or security levels and structure. Provisions for reverting to the prior configuration should be available in case it is needed.
Next, the auditor analyzes this information to identify risks and opportunities for improvements. The control concerns in the next section will help the auditor evaluate the findings. However, Novell has designed NetWare 4 as a flexible network operating system capable of meeting the needs of many organizations. The auditor should evaluate compensating controls and the company's unique environment before concluding that a finding is a weakness or before providing a recommendation to the auditee. As always, auditing requires a proper balance of professional skepticism and judgment.
Audit Report or Action Plan
As a minimum, the audit report should highlight significant weaknesses and provide recommendations customized to the particular situation. Novell has positioned NetWare to support communication between end-users. NetWare has become an important building block in end-user computing environments. Experience indicates that end-user environments continue to evolve. Proper training and sharing of experiences improves end-user productivity through better controls and administrative practices.
As an auditor, you can play an important role in this evolution by communicating your observations and conveying solutions you have observed in other departments. Timely feedback is of greater importance since end-user environments change quickly. The auditor can usually issue an informal action plan more quickly than a formal audit report.
Once a network is operational, a set of standards is needed against which performance can be measured and reported. These standards must be understandable and upgradable. They must be strict enough to ensure user satisfaction, but not so rigid that they damage morale or incur excessive costs. Performance standards can satisfy users and corporate management, but still not provide for ease of use, auditability, security, or versatility of the network computing system. A network can perform effectively and efficiently, yet be extremely vulnerable to security breaches.
Analysis of Weaknesses
The design review is likely to raise questions about suspected weaknesses. If data gathering was inadequate or key points were missed during review, it is critical to conduct other interviews to see if there are additional data sources that can be accessed. As usual, risks should be matched against controls to see if controls are inadequate or missing.
Backups and Workarounds
In addition to controls, networks need backup and workaround features. It is vital that the backup system you use for your network be compatible with NetWare 4 (preferably Novell certified). A backup product that does not understand NetWare's file attributes, trustee assignments, and the NDS database cannot restore them, so a restore would silently lose the security configuration along with the data and leave the system vulnerable.
Furthermore, workaround measures to aid users in performing their work need to be implemented, documented, and tested. These measures should be assessed to determine:
Whether they have been tested recently
Whether they can be implemented quickly
Whether they provide full or partial backup
How long they might serve the need
What other service(s) might be affected, and how severely, if the backup is implemented
For some components, the auditor should look at the network's own provisions for reducing risk. For example, if the mean time to restore service after an interruption is long, the auditor may want to consider the adequacy of maintenance contracts and procedures. Also, since companies rely increasingly on networks for processing and communications, it is imperative to have contingency and disaster recovery plans which are tested and maintained under the jurisdiction of qualified professionals.
Documenting the Findings
The audit report should fully document all findings. The report should describe the audit and identify:
The target network, or portions thereof
The responsible parties, specifying those interviewed
The purpose, scope, and objectives of the review
The approach taken
The documentation reviewed
Good areas of control/security that might be useful to other networks
Efficiencies and cost savings
Weaknesses and recommendations
The analysis and documentation should then be reviewed with the responsible individuals - preferably prior to release to management. A cover letter attached to the audit report should schedule when management should respond. To maintain the constructive momentum, this review period should be limited to no more than 10 working days.
Audit Procedures and Overview
An audit program should collect and maintain information which can be analyzed to detect potential and actual violations of a system security policy. For auditing to be meaningful, every installation should have system security policies and procedures in place. These guidelines set the baseline by which you audit the network environment. You can then define a security violation as any change to the security configuration of the system, or any attempted or actual breach of the system's access controls or of the resource-use accounting on which accountability depends.
The detailed audit procedures outlined in this chapter are divided into numerous strategic areas:
NetWare operating system
System operations, maintenance, and troubleshooting
Backup, recovery, and contingency planning
These NetWare 4 audit procedures provide a detailed, question-based look at networks. They are not intended to be static, but rather to provide a flexible instrument for stimulating new areas of investigation. The following sections detail the audit issues to be considered when reviewing network computing environments.
The initial phase requires that you gather information that clearly defines the platform (hardware, software, Directory Services layout, and communications) that is being used or will be used by the system. To accomplish this, we provide the following sets of questions and references, grouped according to the platform.
The objective here is to gather and analyze information pertinent to defining the hardware platform, as well as identifying any inherent exposures or risks.
Request a wiring diagram of the complete network.
List the manufacturer, type, and quantity of servers, workstations, and other microcomputers in use.
List the purpose of each computer (development, production, or specialized server).
List peripheral connections (shared disks, printers, and so on).
Does the corporation have a defined standard for acceptable hardware platforms?
Does the platform meet the set standards of the corporation?
How many users are in the department being audited?
Is the current hardware adequate to meet the information processing needs of the users?
Is hardware shared between departments? If so, which servers and workstations are shared and with which departments?
Is there a mechanism in place to monitor resource utilization? Have minimum-maximum criteria been provided for resource utilization?
Should expansion occur, would the current hardware be sufficient? If not, is it easily upgradable?
Is there adequate supervision regarding the use of equipment (who is authorized to use it, who is responsible for repairs, upgrade, and so forth)?
Are there any known problems (repetitive or significant) with any vendor's equipment?
Are equipment trouble calls being recorded and reviewed?
Are maintenance service agreements adequate to support the department's anticipated level of business continuity?
Are the hardware and peripherals readily available from suppliers?
Is the hardware documentation complete and easy to understand?
Do users receive adequate training in the proper use of the hardware?
The objective here is to gather and analyze information pertaining to the operating system, utilities, and application-specific software in use. Risk and exposure assessment associated with individual applications will be applied against the base operating environment.
Determine the server operating system and version level being used (for instance, Novell NetWare 4.01, 3.12, 2.2, or any combinations).
Determine the workstation operating systems and version levels being used (MS-DOS 6.2, Novell DOS 7.0, OS/2 2.1, UnixWare 1.1, and so on).
List the security packages currently in place, along with any security controls developed in-house.
Identify the application software installed on the server(s): spreadsheets, databases, word processors, programming languages and compilers, utilities, debuggers, tools, internally-developed programs, and so on.
Review the software being used on the network to determine compliance to existing standards and copyright laws.
Determine and validate software licensing agreements and inventories.
Determine if there are any corporate policies regarding the monitoring of software usage/creation on the network. Verify that this monitoring is performed on a regular basis to ensure license agreements are not being violated.
Is a wide range of software available for the hardware selected?
Will current software packages and applications run on new hardware selected?
Is the addition of software controlled?
Are automated procedures in place to maintain program change control?
Do users develop their own software? If so, are there requirements for approval, testing, and documentation?
Have any of the workstation operating systems been modified?
How knowledgeable are users in the use of the software available? Is adequate training provided?
Is software documentation kept up to date?
Does an active virus checking program exist and is it being used?
Is newly-purchased software tested before it is implemented?
Are new software revisions tested before being put into production?
Does the software meet all of the users' expectations and requirements?
Is the software user-friendly?
Is the software readily available and reliable?
Does the software allow for the easy exchange of data with other application software?
Is the software well documented and easy to understand and maintain?
Does the software provide audit trails or logs?
Is software source code available or encrypted?
The network communication facilities provide for the timely transfer of information. Controls and security must be in place to assure that integrity, privacy, and message authentication are provided and are operating properly. In today's open environments, it is especially important to secure communications when the sources of external access cannot be identified or have not been defined.
The objective here is to ensure that adequate controls exist over information transmitted to and from the microcomputer workstation. Sensitive data should be protected from being changed or intercepted.
Define the network topology (bus, token ring, star, hubbed, and so on).
Document the connection media for the network. Include network and data flow diagrams and organizational charts as a minimum.
Identify the servers and attached client workstations.
Identify all communication links (that is, types of telecommunication lines) and their destinations.
Identify the telecommunications being provided, and attempt to determine the quality and reliability of local loop facilities.
Determine if communications closets, patch cords, locks, modems, and so forth are secured from unauthorized access.
Identify any gateways, asynchronous communications servers, and other devices which allow remote communications.
Determine the level of verification performed to identify and authenticate remote access. This could include user IDs and passwords, callback, or biometrics.
Evaluate the risk of line tapping or electromagnetic signal emanations.
With management's written authorization, test the remote access controls by dialing in to the system and attempting to gain access to its resources.
Determine that internal controls are adequate to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and message duplication.
How are nodes interconnected?
Which users have access and to what type of information?
What type of information is being accessed by the user or department being audited?
How much data is shared or accessed?
Are logins and passwords required to gain access to the network?
Is password encryption turned on? (The server SET parameter Allow Unencrypted Passwords should be OFF so that clients cannot send passwords in the clear.)
Who is responsible for network management?
Are network logs maintained for problem tracking? Are these reviewed by management on a regular basis?
Is the use of external modems for dial-out connections by microcomputers - those directly connected to internal backbone networks - limited?
Are any microcomputers/workstations capable of downloading data from and uploading data to a host? If so, is management approval required to perform these functions?
Are bulletin boards or electronic mail used? If so, list them.
Are Internet connections allowed? If so, are they properly fire-walled (preventing unauthorized access from outside sources) using widely accepted practices?
Are gateway machines used? If so, for what purpose (for instance, to isolate machines from intruders)?
Do gateways have audit, control, and security functions?
For data used by other departments, are proper reconciliations in place to ascertain the integrity of the data?
How is the accuracy and completeness of a data transmission assured?
What is the procedure for authenticating messages?
Is access to the server restricted to only those persons assigned to its maintenance and operation?
Is NCP Packet Signature being used, and at what signature level on servers and on clients? (Only level 3 on both sides makes signing mandatory; lower levels negotiate signing away when the other side does not require it.)
The objective here is to identify the members of the workgroup that uses the network.
Identify all users that are allowed to log in to the network. Determine if they are legitimate users.
Identify the Directory Services tree structure.
Determine if the network under review is accessible by other networks.
Compare the users to other workgroups within the organization to determine if there is any redundancy.
The objective here is to verify that management is exercising proper use of existing controls to meet the baseline security architecture over the installation, maintenance, and use of applications. Poor controls can result in bad data, erroneous software logic, improper assumptions or models, decisions based on incorrect information, and incomplete audit trails.
Identify all applications developed in-house.
Identify all applications purchased from external vendors.
Determine the tasks performed by the applications.
Define user responsibilities within applications.
Determine if any application-based security exists.
Review the procedure for testing new applications and the most appropriate NetWare settings for those applications prior to their implementation.
Are users writing their own programs in high-level languages?
How well are the developed applications meeting user needs?
How much planning is done prior to development?
Are plans for development of an application documented, reviewed, and approved by management?
Are all users of the applications involved in the planning, developing, and testing of an application?
Are adequate audit trails and controls developed for the applications?
Are these audit trails controllable by the users?
Is testing performed on all applications? At what stages of development?
Is documentation provided for users? What is included in documentation?
Does documentation outline security and control procedures?
How are changes or enhancements to applications initiated?
Are changes or enhancements documented, reviewed, and approved?
How extensive is testing performed on changes or enhancements?
Who is making changes to applications?
How often and why are changes being made?
Are changes made in the production environment?
If there is a development environment, how is the production environment updated?
Which users have access to the development, testing, and production environments? What rights are granted to programmers and administrators in each environment?
Corporate Policies, Procedures, and Standards
It is critical to determine that adequate policies, procedures, and standards exist to serve as a basis for establishing accountability and responsibility for network information systems.
The objective here is to establish guidelines for a corporate security policy and architecture. This will ensure that management is providing adequate administrative control and supervision over the information processing environment.
Obtain and review the corporate standards and procedures governing the use of networks.
Obtain and review the corporate security policy.
Obtain an organizational chart and job descriptions.
Investigate the possibility of a user being defined more than once on the network, but belonging to different organizations or organizational units.
Determine whether the procedure for authorizing and defining users to the network (as well as deleting them) is appropriate.
Has a copy of the organization's network policies, procedures, and standards been issued to all users?
Have information systems policies, procedures, and standards been developed for the network environment?
Have the network policies, procedures, and standards been approved by management?
Have the network policies, procedures, and standards been distributed to all departments and personnel affected by them?
Are there guidelines for hardware, software and communications acquisitions?
How is purchasing done (such as through a central department)?
How are new systems justified?
Are there guidelines for program and system documentation?
Are there guidelines for computer operations?
Are there guidelines for software development?
Are there guidelines for compatibility of data communications, data sharing, and transferring data?
Are there policies and procedures establishing responsibility and accountability for data ownership, support, system integrity, and monitoring?
Does a business continuity plan exist? Is it tested?
Were the users part of the business continuity planning effort?
Are the backup procedures and contingency plans current and communicated to users? Are responsibilities assigned for system recovery?
What are the guidelines for security, confidentiality, and privacy of data?
What information is allowed for access and how is it communicated between systems?
Is there a formal user training program?
What are the audit and management trails required with respect to applications and data communications?
Both physical and operational security of workstations are important. Intruders can gain access to a system from a workstation which a user has left logged on, or through any PC that has an automatic login sequence. To protect the system from intruders, the following technology aspects should be considered.
The objective is to assure physical access to the server and network components is properly restricted.
Determine if users are automatically logged off when the workstation is not in use for a period of time.
Determine if timeout features are available on the workstations and if they are used consistently.
Determine if a security package is used to restrict unauthorized users from accessing the system.
Determine if encryption software is available and being used.
Obtain and review all batch files and sign-on sequences.
Who is the security administrator?
Are utilities available to the common user?
What are the guidelines and characteristics of passwords used on the system?
Unauthorized physical access to the server and network components could result in the destruction of computer equipment and disruption of network availability. Physical security and environmental controls ensure that information systems services are protected from unauthorized access and are provided a safe environment. These controls verify that systems and work areas are equipped with appropriate detection and suppression systems to prevent unauthorized changes to software or hardware, or deliberate attempts to damage computer software or hardware components. They also protect against the effects of a natural disaster.
Restrict access to the server to personnel responsible for maintenance and administration of the network system. Critical network hardware such as the server, database server, gateway server, network bridges, and routers should be in a secured location.
Protect the server and other critical network hardware from environmental hazards such as fire, flood, and other natural or malicious threats. Locating this hardware in a secure environment will help minimize the effects of these hazards and threats. Consider a location that has systems or facilities in place to prevent, detect, and suppress the potential effects from these exposures.
Properly securing the wiring panels will reduce the risk of an unauthorized individual accessing the network and the information that is moving through the network.
Determine what physical security is in place over the microcomputer/workstation environment.
Evaluate the physical security over the network equipment (server and network equipment), including door locks, badge readers, special enclosures, or other forms of physical access controls.
Review the use of locks, cables, anchor pads, alarms and other access controls which, if used, would limit access to the computer equipment, internal circuit boards, software, printers, and so on.
Determine if adequate fire, smoke, and water detection devices are used, together with the necessary means of extinguishing fires and removing smoke and water.
Have reasonable precautions been taken to adequately secure the server and other network components?
Are power surge protectors used?
Is a UPS (Uninterruptible Power Supply) system being used?
Is the server console locked when unattended (for example, with the MONITOR console lock), and has SECURE CONSOLE been issued?
Does the installation use SFT (System Fault Tolerance) technology to prevent system outages?
Are procedures in place to switch to a backup server if the primary should fail?
Is the physical site relatively safe from environmental threats?
Is encryption used to secure links carrying sensitive information?
Who is responsible for the security of the server and other critical network hardware?
Is access to the server or other critical network hardware restricted to personnel responsible for maintenance and administration of the network?
What physical security is in place over the microcomputer or workstation environment?
Is the server and other critical network hardware (for example, gateways, bridges, and routers) located in a secured area such as a locked room?
Is the room that contains the server and other critical network hardware equipped with adequate systems and facilities to provide reasonable protection from threats such as fire, floods, and malicious acts? Determine if adequate fire, smoke, and water detection devices are used, together with the necessary means of extinguishing fires and removing smoke and water.
Is the room that contains the wiring panels secured?
Workstation Operating Systems
The following are considerations for determining how secure the workstation operating system environment is.
Is a security package installed to prevent unauthorized access by intruders?
Is the security software developed in-house or is it application based?
Are batch files (such as DOS workstation AUTOEXEC.BAT files) reviewed?
Is there a security administrator for the workstation systems?
Are logs maintained to provide audit trails or to track problems which may occur? What types of logs are used?
NetWare Operating System
This section contains procedures and questions the auditor can use to review a site's installation and use of Novell's NetWare operating system.
The key objective here is to get a complete picture of each system's working environment by determining the total makeup of the key processing units and the users of the system.
Obtain a login ID and password for an account with Admin equivalence, preferably a dedicated account created for the review so that its activity is distinguishable in the audit trail and it can be disabled when the review is complete. If this request is denied, you may need to have the network administrator assist you in obtaining the appropriate reports or listings.
Obtain a list of all login IDs (users), groups, and trustee assignments.
Have the administrator execute the CONFIG command at the server console to display the configuration of the network boards installed in the server.
Obtain the AUTOEXEC.NCF file (AUTOEXEC.SYS on older NetWare 2.x servers) together with STARTUP.NCF, and identify the commands that are executed when the server is booted: disk and LAN drivers, SET parameters, NLMs loaded, and print server configuration. This will also identify the printer mappings.
Obtain a list of network server statistics such as Cache Misses, Cache Hits, and Thrashing Count.
Obtain a list of users who logged in and out of the server.
Compile a list of the current directory structure.
Compile a list of file attribute assignments.
Obtain a list of security conflicts residing in NDS that can be potentially compromising to system security.
Obtain a copy of the server error log.
Obtain a listing of the "Default Account Balance/Restrictions" for the server.
Obtain a listing of user login scripts.
Obtain a listing of the system login script.
Obtain a listing of the default login scripts.
Obtain the network architecture and administration procedure manual.
Identify the current NetWare version being used.
NetWare 4 Options and Defaults
The options and defaults selected during NetWare 4 installation can affect the effectiveness and integrity of the network. It is important to know how these options and defaults affect daily use of the network.
Review the company's and department's procedures for initiating and approving changes to the NetWare options/defaults.
Examine the procedures for periodically reviewing the NetWare options/defaults. Through observation and inquiry, determine that the NetWare options/defaults are being regularly reviewed by appropriate personnel.
Review procedures used to implement changes to system-wide options and defaults.
Determine if the above procedures ensure that changes are tested, reviewed, documented and authorized by the network administrator prior to being used in production.
Determine if multiple servers are used. If so, verify that the above procedures are in place for each server on the network.
What NetWare options/defaults have been selected by the installation?
Who is responsible for deciding what NetWare options to implement or modify?
Has the Intruder Detection option been turned on? (In NetWare 4 it is set per container on the Organization or Organizational Unit object, so check each container rather than assuming a tree-wide setting.)
Has disk space allotted to each user been limited?
Who, besides the network administrator, can execute the NetWare administrative utilities to implement and modify NetWare's system-wide options?
Who is responsible for reviewing changes to system-wide options for accuracy, completeness, and propriety?
Does anyone regularly review the system-wide options/defaults in effect?
Who is responsible for system auditing?
Is AUDITCON turned on? (NetWare 4 auditing is enabled separately for each volume and for each container, with an auditor password independent of Admin's; determine who holds these passwords.)
What are the basic AUDITCON templates that have been implemented?
Controlling system access is the best way to provide security for the network environment. The following sections provide information on auditing the system to keep your system access as secure as possible.
Control of Administrator Access
It should be stressed that the NetWare operating system is only as secure as the system or security administrator makes it - and maintains it. The auditor needs to obtain a list of "privileged" users and determine their working needs and relationships.
Obtain a list of users that have Admin rights: either being security equivalent to Admin, having the Supervisor object right to [Root], or having the Supervisor object right to the O or OU under review. (Appendix C on NetWare 4 commands provides information on how to accomplish this.)
Review password and connection settings of all Admin equivalent User objects to ensure that these objects are appropriately secure.
Determine the installation's procedures for assigning Admin equivalence to users, and determine if the proper level of approval is obtained.
Determine if an adequate audit trail of activities is maintained for actions performed in the SYS:SYSTEM directory.
Who is the security administrator (Admin)?
Is there more than one security administrator/Admin equivalent user?
How often is the password for Admin (or Admin equivalent) changed?
Are different passwords used on different servers? Do servers have different security administrators?
Are emergency passwords available?
Do administrators (including the security administrator) have a login ID and a password different from that of the Admin account?
Are the activities of administrative users monitored by an appropriate individual separate from the system group?
Deleting the Admin Object
Upon installation of the first server in a tree, NetWare 4 automatically creates a login ID (User object) named "Admin". By default, Admin is initially granted the Supervisor object right to [Root], which gives Admin all rights to every object and property in the Directory tree. Logging in as Admin enables the installer to create the rest of the Directory tree. Once the necessary organizational structures are in place, container administrators can be created to control specific portions of the tree. Once these "local" administrators are set up, the original Admin object can be deleted. As a safety precaution, however, first create a backup global administrator User object and grant it an explicit assignment of all object rights to [Root]. Do not rely on security equivalence to Admin for this: equivalence only borrows the rights of the object it names, so it grants nothing once Admin is deleted. There should be at least one administrator for each container in the tree (including [Root]).
In NetWare 4, an Inherited Rights Filter (IRF) on any container below [Root] can block the rights Admin inherits from its [Root] assignment; in NDS, unlike the NetWare file system, the IRF can block even the Supervisor right. Explicit NDS rights assignments made at a container, however, are not affected by that container's IRF. For each new Organizational Unit created in the tree, the container administrator User object should therefore be explicitly assigned all object rights to the OU. Failure to create such an administrator, or deleting the only User object with an explicit Supervisor assignment at a container whose IRF blocks Supervisor, leads to a scenario where no one can control access to all or part of the tree.
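To make the inheritance and IRF rules above concrete, the following is an added example written for this chapter, not Novell code: a small model of NDS object-rights evaluation. The tree layout ([Root] > O=ACME > OU=SALES), the user names and the IRF settings are constructed; the rules follow the text (an explicit assignment ignores the container's own IRF, inherited rights are filtered, Supervisor implies all rights, and security equivalence to a deleted object yields nothing).

```python
# Added example: a toy model of NetWare 4 NDS object-rights inheritance.
# Not Novell's code; tree layout, names and IRF values are assumptions.
from dataclasses import dataclass, field
from typing import Optional

S, B, C, D, R = "S", "B", "C", "D", "R"   # Supervisor, Browse, Create, Delete, Rename
ALL = frozenset({S, B, C, D, R})


def expand(rights):
    """In NDS the Supervisor object right implies every other object right."""
    rights = frozenset(rights)
    return ALL if S in rights else rights


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    irf: frozenset = ALL                              # rights the IRF lets through
    trustees: dict = field(default_factory=dict)      # trustee name -> explicit rights


@dataclass
class Tree:
    containers: dict                                  # name -> Container
    users: set                                        # User objects that still exist
    equivalences: dict = field(default_factory=dict)  # user -> users it is equivalent to


def direct_rights(tree, user, obj):
    """Rights a trustee holds at obj in its own name: the explicit assignment if
    one exists (the IRF does not apply to it), otherwise the rights inherited
    from the parent filtered through obj's IRF."""
    if user in obj.trustees:
        return expand(obj.trustees[user])
    if obj.parent is None:
        return frozenset()
    return direct_rights(tree, user, obj.parent) & obj.irf


def effective_rights(tree, user, obj):
    """Own rights plus those of any object the user is security-equivalent to.
    A deleted User object contributes nothing, which is why a backup admin
    needs explicit rights rather than equivalence to Admin."""
    if user not in tree.users:
        return frozenset()
    rights = set(direct_rights(tree, user, obj))
    for other in tree.equivalences.get(user, ()):
        if other in tree.users:
            rights |= direct_rights(tree, other, obj)
    return expand(rights)


def delete_user(tree, user):
    """Delete a User object: its trustee assignments disappear with it."""
    tree.users.discard(user)
    for c in tree.containers.values():
        c.trustees.pop(user, None)
    tree.equivalences.pop(user, None)


def unsupervised_containers(tree):
    """Containers where no remaining User object has the Supervisor right:
    the lockout scenario the text warns about."""
    return sorted(c.name for c in tree.containers.values()
                  if not any(S in effective_rights(tree, u, c) for u in tree.users))


def build_scenario():
    """Constructed tree: [Root] > O=ACME > OU=SALES, with the SALES IRF set to
    Browse only, so rights inherited from [Root] are cut off there."""
    root = Container("[Root]")
    acme = Container("O=ACME", parent=root)
    sales = Container("OU=SALES", parent=acme, irf=frozenset({B}))
    root.trustees["Admin"] = {S}                       # created by installation
    root.trustees["BackupAdmin"] = {S, B, C, D, R}     # explicit, as the text advises
    sales.trustees["SalesAdmin"] = {S}                 # explicit at the OU, survives the IRF
    users = {"Admin", "BackupAdmin", "SalesAdmin", "EquivAdmin"}
    return Tree({c.name: c for c in (root, acme, sales)}, users,
                {"EquivAdmin": {"Admin"}})             # the pattern the text says not to use


if __name__ == "__main__":
    tree = build_scenario()
    sales = tree.containers["OU=SALES"]
    for u in sorted(tree.users):
        print(f"{u:12s} at OU=SALES: {''.join(sorted(effective_rights(tree, u, sales)))}")
    delete_user(tree, "Admin")
    print("EquivAdmin at [Root] after Admin is deleted:",
          sorted(effective_rights(tree, "EquivAdmin", tree.containers["[Root]"])))
    delete_user(tree, "SalesAdmin")
    print("containers with no supervisor:", unsupervised_containers(tree))
```

Run as written, the model shows Admin and BackupAdmin reduced to Browse at OU=SALES by the IRF while SalesAdmin keeps full rights from its explicit assignment, EquivAdmin losing everything once Admin is deleted, and OU=SALES becoming a container nobody supervises once SalesAdmin is also deleted. An auditor can reproduce the same check against a real tree by listing each container's IRF and explicit trustees.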
Audit Procedures and Questions:
List users that have Supervisor object rights and/or all object rights to [Root] and to the Organizational Unit being audited.
Has the network administrator created backup administrator login IDs?
Before establishing IRFs, are precautions taken to assure that the proper User object has Supervisor object rights for that container?
Is establishment of IRFs limited to restricted personnel (such as properly trained administrators)?
The NetWare Directory Services database contains access control information about user logins/password security, trustee security, Directory Services security, and file attributes security. This database is distributed on servers across the network. Unauthorized access to this database, as well as to other system files, could compromise security.
Normal user access to the system is provided through the login process. A login is associated with a valid user ID and password. The administration of these logins, user IDs, and passwords ensures that only authorized users can access the system.
Review the information obtained from the AUDITCON utility for every known volume. Be careful of hidden volumes.
Evaluate the appropriateness of the password length, change frequency, concurrent connections and number of users with supervisory privileges.
Evaluate the effectiveness of passwords selected.
Review the users for unused logins.
What are the department's procedures for defining new users, for modifying user Account Restrictions or deleting users from the system? Determine that appropriate approvals are obtained.
Are user access request forms used to obtain approval from management for access to the system?
What users have the ability to enter the system without providing a password?
Are users using easy to guess or ineffective passwords?
Are passwords required for all users?
Is password aging used?
Are users restricted as to the times they can use the system?
Are users restricted as to the stations they can access the system from?
Has NetWare's Accounting feature been installed?
Are system access security violations monitored? How often, and by whom, is the review performed?
User Account and Password Policies
User accounts and passwords are one step toward ensuring network resources are secured. The policies and procedures pertaining to the administration of user accounts and passwords play an important part in providing confidentiality, integrity and availability of the data and resources contained on the network.
Assigning private passwords to users will authenticate the user to the network and provide user accountability. As a general rule, users of data and resources should be uniquely identified. Group login IDs and passwords do not allow specific identification of users.
Audit Procedures and Questions:
Ascertain what the department's procedures are for defining new users, for modifying user account restrictions, and for deleting users from the network.
Determine whether user account policies address the following:
- Generation and assignment of passwords to new users
- Appropriateness of selected passwords
- Sharing or disclosure of passwords
- Timeliness of removing or disabling users
- Temporary user accounts
Are user access request forms used to obtain approval from management for obtaining access to the network? Determine that appropriate approvals are obtained.
Who is responsible for determining which NetWare options to implement or modify?
Is the AUDITCON utility configured to record security violations?
Are system access security violations monitored?
How often and by whom are security violation reviews performed?
User Templates for Account and Password Defaults
NetWare 4 allows the use of User Templates as the form used to enter default user information. A user template can be set up within an Organization or Organizational Unit. Each time a new user is created, the administrator will be asked if the User Template should be applied to the new User objects. The User Template contains many user properties, such as password settings, account settings and departmental information.
Audit Procedures and Questions:
Determine if User Templates are used. If not, determine what default settings are used for new users added to NDS.
Evaluate the appropriateness of the default settings in the User Template (or of the settings used for new users if a User Template is not used). Each setting should be evaluated against baseline parameters appropriate for the organization:
- Minimum password length
- Periodic password changes
- Password change frequency
- Grace logins allowed
- Unique password required setting
- Password required setting
- Account enabled/disabled
- Account expiration date
- Login time restrictions
- Station restrictions
- Concurrent connections
Review the organization's procedures for initiating and approving changes to the NetWare user account and password defaults.
Review the organization's procedures for periodically reviewing the NetWare user account and password defaults.
Determine whether the NetWare user account and password defaults are reviewed on a periodic basis and by the appropriate personnel.
Determine who can access the NETADMIN utility to change user account and password defaults.
User Account and Password Analysis
Although NetWare contains many user account and password level features, it is very important that these features be implemented to support a secure environment. Correctly implementing NetWare security features will help to ensure the following:
Only authorized users can gain access to the network.
Unauthorized users will not gain access by guessing an authorized user's password.
Authorized users can access the network only at certain times of the day (as authorized).
Temporary login IDs will be disabled on a timely basis.
Audit Procedures and Questions:
Determine the following regarding each User object in the organization under review. Evaluate each question to determine if the security setting is appropriate based on the functions or responsibilities performed by the user.
Are passwords required?
Are users using passwords that are easy to guess or ineffective?
What is the minimum password length?
Are passwords required to be changed on a periodic basis?
Are unique passwords required?
Are users restricted as to the times they can use the network?
Are users restricted as to the stations they can use?
Are users allowed grace logins? If so, how many grace logins are allowed?
Are temporary accounts assigned an account expiration date?
Are any users able to enter the network without providing a password?
By default, passwords are encrypted when transmitted over the wire. However, setting the "SET Allow Unencrypted Passwords" command to ON allows use of unencrypted passwords. Typically, there will be an entry in the AUTOEXEC.NCF file setting this parameter to ON.
The following are the recommended settings:
If any NetWare servers on an internetwork are running NetWare 3.1x, use OFF.
If the internetwork has NetWare servers running NetWare 2.12 and above, the NetWare 3.1x utilities can be copied to these servers and this parameter set to OFF.
If the NetWare 3.1x utilities are not copied to the NetWare 2.x servers, set this parameter ON. (If NetWare servers on the internetwork are running versions of NetWare below NetWare v3.0 and you leave the default to OFF, users may have problems logging in.)
Obtain a listing of the AUTOEXEC.NCF file.
Determine if the "SET Allow Unencrypted Passwords" command is contained in the AUTOEXEC.NCF file.
Evaluate the use of the SET Allow Unencrypted Passwords command based on the versions of NetWare in use on the internetwork under review.
NetWare provides various options that, when activated, help to detect unsuccessful login attempts. The intruder detection/lockout feature can be set to detect when an unauthorized user may be trying to gain access. Based on how this feature is implemented, the User object could be locked out from the system. The User object could only be used again to access the network after it is enabled by an administrator. This feature is administered at the Organization and Organizational Unit level.
Audit Procedures and Questions:
Determine if the intruder detection/lockout feature has been implemented in each Organization and Organizational Unit under review.
At each O or OU level, evaluate the following to determine if the parameter settings are appropriate based on the organization under review:
- Are intruders being detected?
- What is the Incorrect Login Attempts setting?
- What is the Bad Login Count Retention Time setting?
- What is the Length of Account Lockout setting?
Is AUDITCON configured to record intruder detection lockouts?
Are procedures in place to ensure that AUDITCON reports are reviewed to determine if User objects are locked out by the intruder detection feature?
Do the same User objects consistently get locked out by the intruder detection feature?
Is there a reporting mechanism in place to track User objects that are consistently locked out by the intruder detection feature?
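To evaluate how the three intruder detection parameters interact, the following Python model (an added example, not part of the original chapter or of NetWare itself) replays a constructed timeline of failed logins against two candidate settings; the parameter values are chosen for the example, not quoted as NetWare defaults, and the assumption that each failure restarts the retention window is marked in the code.

```python
"""Model NetWare 4 intruder detection/lockout so an auditor can see how the
Incorrect Login Attempts, Bad Login Count Retention Time and Length of
Account Lockout settings interact. Added example; the failed-login timeline
is constructed and the reset-on-each-failure rule is a modelling assumption."""
from dataclasses import dataclass, field


@dataclass
class IntruderSettings:
    detect_intruders: bool = True
    incorrect_login_attempts: int = 7   # failures that trigger a lockout
    retention_minutes: int = 30         # Bad Login Count Retention Time
    lockout_minutes: int = 15           # Length of Account Lockout


@dataclass
class AccountState:
    bad_count: int = 0
    count_reset_at: float = 0.0         # minute at which the bad count is forgotten
    locked_until: float = 0.0           # minute at which the current lockout ends
    lockouts: list = field(default_factory=list)


def record_failed_login(state, settings, minute):
    """Apply one failed login at `minute` (minutes since the start of the
    sample). Returns True if this attempt locked the User object."""
    if not settings.detect_intruders:
        return False
    if minute < state.locked_until:
        return False                    # already locked: the attempt is refused
    if minute >= state.count_reset_at:
        state.bad_count = 0             # retention window expired: old failures forgotten
    state.bad_count += 1
    # Assumption: every failure restarts the retention window.
    state.count_reset_at = minute + settings.retention_minutes
    if state.bad_count >= settings.incorrect_login_attempts:
        state.locked_until = minute + settings.lockout_minutes
        state.lockouts.append(minute)
        state.bad_count = 0
        return True
    return False


def replay(failures, settings):
    """Replay a list of failure times (minutes) and return the minutes at
    which the account was locked."""
    state = AccountState()
    for minute in failures:
        record_failed_login(state, settings, minute)
    return state.lockouts


# Constructed sample: a burst of failures followed by slower, spaced failures.
SAMPLE_FAILURES = [0, 2, 4, 6, 8, 10, 12, 40, 50, 60, 70, 80]

# Two candidate O/OU configurations to compare (values chosen for the example).
TIGHT = IntruderSettings(incorrect_login_attempts=3, retention_minutes=30, lockout_minutes=30)
LOOSE = IntruderSettings(incorrect_login_attempts=7, retention_minutes=5, lockout_minutes=15)

if __name__ == "__main__":
    for name, settings in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, "lockouts at minutes:", replay(SAMPLE_FAILURES, settings))
```

The short retention window in LOOSE only catches the initial burst; TIGHT also locks the account during the slower second series, which is the kind of difference the auditor should weigh when judging the settings for an organization.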
Server Console Security
The server console is most secure when the server is located in a protected location where no one can reboot it. The SECURE CONSOLE command adds an additional level of security. This console command allows authorized operators to use the console while preventing the following from occurring:
NLMs loading from any directory other than SYS:SYSTEM. This prevents someone from loading an invasive NLM from a server's floppy drive.
Keyboard entry into the operating system debugger. This restricts the ability to directly access data on the server.
Anyone other than the console operator from changing the date and time. Some security and accounting features depend on date and time stamps for their enforcement.
Another feature to secure the server console is to use the "Lock Server Console" option in the MONITOR utility. When used, this command prevents keyboard entry to the server console until the Admin password is entered.
Audit Procedures and Questions:
Obtain a listing of the AUTOEXEC.NCF file.
Determine if the SECURE CONSOLE command is contained in the AUTOEXEC.NCF file.
Evaluate the use of the SECURE CONSOLE command based on the environment under review.
Determine if the "Lock Server Console" option is used within the MONITOR utility.
Remote Access to Server Console
NetWare allows administrators to manage a server remotely, either from a workstation on the network or from a PC using a modem. The following tasks can be performed using a remote console:
Invoke console commands as you would at the server console.
Scan directories and edit text files in both NetWare and DOS partitions on a server.
Transfer files to a server.
Bring down or reboot the server.
Install or upgrade NetWare on a remote server.
A remote console can provide greater server security, because the server keyboards and monitors can be removed and the server locked in a secure location. However, security can also be compromised if appropriate controls are not in place to ensure that only appropriate individuals can gain access to a remote console.
Audit Procedures and Questions:
Determine whether the LOAD REMOTE command is included in the AUTOEXEC.NCF file.
Is the "-E" option included in the LOAD REMOTE command and an encrypted key used in the AUTOEXEC.NCF file in place of the plain text password?
If remote console sessions are available from a PC with a modem, determine if the call-back parameter is used when loading the asynchronous connection NLM (RS-232).
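The AUTOEXEC.NCF checks from the three sections above (SET Allow Unencrypted Passwords, SECURE CONSOLE, and LOAD REMOTE with -E) can be applied to a file listing with the following Python script, an added example that is not part of the chapter; both listings are constructed, lines beginning with # are treated as comments, and the encrypted key is a placeholder.

```python
"""Audit an AUTOEXEC.NCF listing for the console-related settings the chapter
reviews. Added example; the two listings below are constructed."""
import re

# Constructed listing with the weak settings (not from a real server).
WEAK_AUTOEXEC_NCF = """\
FILE SERVER NAME FS1
IPX INTERNAL NET 1A2B3C4D
# allow the old 2.x clients to log in
SET ALLOW UNENCRYPTED PASSWORDS = ON
LOAD NE2000 PORT=300 INT=3 FRAME=ETHERNET_802.2
BIND IPX TO NE2000 NET=100
LOAD REMOTE letmein
LOAD RSPX
"""

# The same listing with the settings the chapter recommends.
HARDENED_AUTOEXEC_NCF = """\
FILE SERVER NAME FS1
IPX INTERNAL NET 1A2B3C4D
SET ALLOW UNENCRYPTED PASSWORDS = OFF
LOAD NE2000 PORT=300 INT=3 FRAME=ETHERNET_802.2
BIND IPX TO NE2000 NET=100
LOAD REMOTE -E <encrypted-key-placeholder>
LOAD RSPX
SECURE CONSOLE
"""


def parse_ncf(text):
    """Return (set_params, commands): set_params maps upper-cased SET names
    to upper-cased values; commands is a list of (VERB, [ARGS]) for the
    remaining lines. Lines starting with # are treated as comments here."""
    set_params, commands = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"SET\s+(.+?)\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            set_params[m.group(1).upper()] = m.group(2).upper()
            continue
        verb, _, rest = line.partition(" ")
        commands.append((verb.upper(), rest.upper().split()))
    return set_params, commands


def audit_ncf(text, pre_30_servers_without_31x_utils=False):
    """Return a list of findings. The flag records the one case in which the
    chapter allows Allow Unencrypted Passwords = ON: pre-3.0 servers remain
    on the internetwork and were not given the NetWare 3.1x utilities."""
    set_params, commands = parse_ncf(text)
    findings = []
    # The parameter defaults to OFF when the file does not set it.
    unencrypted = set_params.get("ALLOW UNENCRYPTED PASSWORDS", "OFF")
    if unencrypted == "ON" and not pre_30_servers_without_31x_utils:
        findings.append("Allow Unencrypted Passwords is ON; set it to OFF")
    if ("SECURE", ["CONSOLE"]) not in commands:
        findings.append("SECURE CONSOLE is not issued at startup")
    for verb, args in commands:
        if verb == "LOAD" and args[:1] == ["REMOTE"]:
            options = args[1:]
            # A bare password argument is stored in plain text in the file.
            if options and "-E" not in options:
                findings.append("LOAD REMOTE carries a plain-text password; "
                                "use -E with an encrypted key instead")
    return findings


if __name__ == "__main__":
    for name, listing in (("weak", WEAK_AUTOEXEC_NCF), ("hardened", HARDENED_AUTOEXEC_NCF)):
        print(name, audit_ncf(listing) or ["no findings"])
```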
Access to Critical System Files
The file system directory structure contains the "locks" to the information in files; trustee rights are the "keys." Trustee rights flow down within the directory structure. To have an effective right to information, the directory must allow that right and the trustee must also have the right. Too many rights for users can result in an uncontrollable environment.
Determine which file system directories contain sensitive and mission-critical files, applications, or data.
Review users with excessive rights in critical system directories such as SYS, SYS:SYSTEM, SYS:PUBLIC, and SYS:LOGIN.
Locate the NET$ACCT.DAT file and ensure that it is protected from unauthorized access.
Examine Directory Rights Masks using the NETADMIN utility and determine if the maximum rights are set appropriately.
Examine group and trustee assignments specified within each critical or sensitive file system directory. Discuss any discrepancies with the system administrator.
Investigate users that have greater access than R,F to files in directories other than their own home directory.
Check to ensure that users in a container have only R,F rights in the servers' public directories.
Are all critical files that could cause system disruptions stored in the SYS:SYSTEM directory?
Are all trustee rights assignments removed from the SYS:LOGIN directory for all users?
Is the protection scheme for the directory and files adequate to restrict use of critical/sensitive files?
Do any users have excessive rights in critical directories?
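The rule stated above (rights flow down, the directory mask filters what is inherited, and an explicit trustee assignment replaces inheritance) can be turned into a check for users holding more than R,F outside their home directory. The Python below is an added example with constructed trustee data, not code from the chapter; it assumes Supervisor passes through the mask and ignores container trustees and security equivalences.

```python
"""Compute NetWare 4 file system effective rights as the chapter describes and
flag users with more than R,F outside their home directory. Added example;
all directories, trustees and assignments are constructed."""
ALL_RIGHTS = set("SRWCEMFA")   # Supervisor Read Write Create Erase Modify File scan Access control
READ_ONLY = set("RF")


def parent(path):
    """SYS:APPS\\PAYROLL -> SYS:APPS, SYS:APPS -> SYS:, SYS: -> None."""
    if path.endswith(":"):
        return None
    head, sep, _ = path.rpartition("\\")
    return head if sep else path.split(":")[0] + ":"


def effective_rights(trustee, path, assignments, masks):
    """Rights one trustee (user or group) effectively holds at `path`."""
    key = (path, trustee)
    if key in assignments:                    # an explicit assignment here replaces inheritance
        rights = set(assignments[key])
    else:
        up = parent(path)
        if up is None:
            return set()
        inherited = effective_rights(trustee, up, assignments, masks)
        rights = inherited & set(masks.get(path, ALL_RIGHTS))
        if "S" in inherited:                  # assumption: the mask cannot remove Supervisor
            rights.add("S")
    return ALL_RIGHTS if "S" in rights else rights


def user_effective_rights(user, path, memberships, assignments, masks):
    """Rights of a user are the union over the user and its groups."""
    rights = set()
    for trustee in [user] + memberships.get(user, []):
        rights |= effective_rights(trustee, path, assignments, masks)
    return rights


def excessive_rights(users, directories, memberships, assignments, masks, home_dirs):
    """Return (user, path, extra rights) for every directory outside the
    user's home where the user holds anything beyond R,F."""
    findings = []
    for user in users:
        home = home_dirs.get(user, "")
        for path in directories:
            if home and (path == home or path.startswith(home + "\\")):
                continue
            extra = user_effective_rights(user, path, memberships, assignments, masks) - READ_ONLY
            if extra:
                findings.append((user, path, "".join(sorted(extra))))
    return findings


# Constructed sample data (not from a real server).
DIRECTORIES = ["SYS:", "SYS:SYSTEM", "SYS:PUBLIC", "SYS:LOGIN",
               "SYS:APPS", "SYS:APPS\\PAYROLL", "SYS:USERS\\JDOE"]
MEMBERSHIPS = {"JDOE": ["EVERYONE", "FINANCE"], "ASMITH": ["EVERYONE"]}
ASSIGNMENTS = {
    ("SYS:PUBLIC", "EVERYONE"): "RF",
    ("SYS:APPS", "EVERYONE"): "RF",
    ("SYS:APPS\\PAYROLL", "FINANCE"): "RWCEMF",
    ("SYS:USERS\\JDOE", "JDOE"): "RWCEMFA",
    ("SYS:", "ASMITH"): "S",                  # volume-level Supervisor flows everywhere
}
MASKS = {"SYS:SYSTEM": "S"}                   # nothing inherited into SYSTEM except Supervisor
HOME_DIRS = {"JDOE": "SYS:USERS\\JDOE"}

if __name__ == "__main__":
    for finding in excessive_rights(["JDOE", "ASMITH"], DIRECTORIES,
                                    MEMBERSHIPS, ASSIGNMENTS, MASKS, HOME_DIRS):
        print("%-7s %-20s extra rights: %s" % finding)
```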
Secure Access to Files and Directories
An insecure network contains inappropriate or insufficient trustee assignments to files, subdirectories, programs, and so on. Lack of adequate restrictions allows unauthorized users to modify files, replace programs, and rename directories. It also allows for unintentional damage from mistakes made by authorized users. In general, the most restrictive permissions should be placed on all files and directories.
Obtain and review a listing of all file system directories and their contents.
Using the above listing, find and investigate duplicate commands.
Review the installation's procedures for testing assignment of trustee rights to directories and files. Determine who is in charge of reviewing the logic prior to adding them into production.
Review users' path statements to ensure that system directories are checked before local directories.
Use the FILER command to review directories for *.EXE and *.COM programs to determine that the organization is not at risk of any copyright violations. Also consider reviewing *.BAT files for rename commands.
How are trustee rights assigned to a user tested?
Are changes to trustee rights monitored and reviewed? Who is performing this review and how often?
What are the installation's procedures for maintaining and defining trustee rights?
Who has the ability to assign, modify, or delete trustee rights? Ensure that appropriate approvals are obtained.
NetWare Directory Services Rights
In addition to securing access to directories and files, it is important that security over NDS be administered appropriately. In previous versions of NetWare, trustee assignments to files and directories could only be made to users or groups. In NetWare 4, both NDS and file system rights are granted to trustees, and trustees can be any NDS object, not just users or groups. To have a secure network environment, the assignments of object and property rights must be effectively managed.
Audit Procedures and Questions:
For each object class, determine which objects are critical to the operation of the network or sensitive in nature.
For each critical or sensitive object, determine the object rights assigned to all trustees.
Are the object rights to critical or sensitive objects assigned to trustees appropriate based on the job function or purpose of the trustee?
For all objects, list the trustees that have supervisor rights. Are these assignments appropriate?
Determine which trustees have Write rights to the Server objects contained in the current context.
For each critical or sensitive object, determine the property rights assigned to each trustee. Is the assignment of property rights appropriate?
Are the object property rights Write, Add or Delete Self, and Supervisor assigned to object properties appropriate?
Access Control Lists (ACLs)
All NDS objects have a property known as the Access Control List (ACL). The ACL property warrants special examination because it controls access to both the object and its properties. For both the object and its properties, it lists who has rights (trustees) and what those rights are (rights assignments). The ACL lists who has access to the particular object or properties; it does not list what the object might have rights to.
Audit Procedures and Questions:
For sensitive or critical objects, determine if any trustees have the Write right to the ACL of the object.
System Operations, Maintenance and Troubleshooting
Good system operation, maintenance and troubleshooting controls ensure that appropriate standards, procedures, and practices are followed to control the implementation of a new or changed network operating system. They ensure the authorized use of the software. They also monitor changes to system software parameters so that the information processing environment continues to support information confidentiality, integrity, and availability.
Network Documentation and Schematics
Administrators should maintain documentation and schematics describing how the network was designed and implemented. Documentation facilitates timely, effective maintenance and troubleshooting. The network documentation should be easily accessible and should include:
Server settings (INSTALL and SET selections; use installation worksheet)
Server startup file (AUTOEXEC.NCF and STARTUP.NCF) listings
Server name, network address, NetWare version and serial number
Login/profile script listings
Workstation configurations (NET.CFG file listings)
Drivers installed at the server and workstations
Hardware models, including computers and peripherals
NDS Directory tree listings
NDS partitions and their locations
In addition, a list of significant applications supported by each server and their server volume location should be included in the documentation.
Audit Procedures and Questions:
Is network documentation (including schematics) maintained?
Is the network documentation reviewed periodically and kept up-to-date?
Startup File Usage and Documentation
When the server is booted, SERVER.EXE runs two files:
STARTUP.NCF loads the server's disk drivers and some SET parameters. This file is usually located on the disk from which the NetWare operating system is loaded. For example, if you load NetWare from the C:\NETWARE.40 directory, the STARTUP.NCF file will be found there.
AUTOEXEC.NCF stores the server name and internal IPX network number, loads the network drivers and settings for the network boards, binds the protocol to the installed drivers, and loads other NLMs. It also loads time synchronization elements unless a separate TIMESYNC.CFG file has been created. The AUTOEXEC.NCF file is found in the servername_SYS:\SYSTEM directory.
Administrators should use the startup files to select server settings and to install drivers and NLMs. They should avoid performing these functions at the console command line. Including setup commands in the startup files improves consistency between server loads. Server settings (SET command) not set during startup or at the command line will assume their default values.
Discuss or observe the server load process with administrators.
Verify that administrators do not manually set options or install programs at the command line.
Workstation Configuration and Documentation (NET.CFG)
The NET.CFG file is used to configure workstation drivers, select VLMs to load, and establish a preferred server/tree connection. If the DOS Requester installation program is used, the NET.CFG file resides in the C:\NWCLIENT directory at the workstation.
The NET.CFG file contains a number of headers where specific configuration information is stored. These headers include:
Link Driver drivername Contains configuration settings for the network interface board.
Link Support Includes non-default settings for the LSL.COM file (only necessary when running TCP/IP or NetWare/IP protocols).
Protocol TCPIP (or NWIP) Only used when running TCP/IP or NetWare/IP protocols.
NetWare DOS Requester Should include preferences such as the preferred NDS tree and preferred context to simplify user login.
WSUPDATE.EXE updates files on multiple drives and subdirectories from files on the server. Using this program assures that NetWare workstation programs are properly updated when multiple copies exist. This program can be run from the command line or from the login script. WSUPDATE compares date and time stamps of the source and destination files. If the destination files are older than the source files, WSUPDATE will update the destination files. You can also create a log file to verify that changes are made.
WSUPGRD.EXE is a program used to upgrade dedicated-IPX LAN drivers to corresponding ODI drivers. This program can be run from the command line or from the login script.
Determine that administrators establish user preferences in the NET.CFG file.
Determine whether administrators use WSUPDATE or a similar utility to update workstation software.
Login/Profile Script Organization, Documentation, and Use
Login scripts automatically set up a user's workstation environment whenever the user logs in to the network. NetWare 4 offers three types of login scripts. The system login script is executed first. It applies to all users in the container in which it resides. The profile script, executed next, can be shared by users across containers. User login scripts, executed last, are unique to the user.
With NetWare 4, network drive mappings can be set up at the Organization or Organizational Unit level, at the Profile object level, at the Group object level, or at the personal login script level. The level depends on how global the mappings are for applications and common directories. Directory Map objects can make applications easier to access and require fewer changes when applications are moved to another server, volume, or subdirectory.
The INCLUDE login script command executes a subscript as part of the login script that is being processed. The subscript can be a separate text file that contains valid login script commands, or it can be a login script that belongs to a different object. Use INCLUDE sparingly to simplify problem resolution.
Maintaining many individual user login scripts can be time consuming. Therefore, include as much customizing information as possible in the system login scripts, which are fewer in number and easier to maintain. To facilitate maintenance, avoid using user login scripts. To prevent unauthorized modification of login scripts, only administrators should have rights to the Login Script property.
Documentation within a login script makes problem resolution easier and reduces maintenance time. Use comment statements to provide explanatory notes in the login script.
Review system, profile, and user login scripts with the administrator.
Verify that login script design promotes the use of system and profile scripts to facilitate maintenance and troubleshooting.
Verify that only administrators have property rights to maintain login scripts.
Determine whether the user login script is well documented.
By default, the NetWare 4 installation program generates random network addresses for new servers and verifies they are unique within your network. However, in a large network, it will be easier to manage if there is a system for assigning network addresses. Divisions or departments within the organization can be assigned ranges of addresses, so network administrators do not have to contact a corporate IS Department every time they have to bring up a new server.
Determine whether network addresses are pre-allocated for large networks.
Use of NetWare Help Facilities
NetWare 4 supports several types of on-line help facilities:
Type HELP [console command]
Context-sensitive help via the <F1> key
Command line help; for example, RIGHTS /?
General help, plus the ElectroText utility for viewing on-line documentation
Administrators and users should be familiar with the help facilities and encouraged to use help facilities.
Audit Procedures and Questions:
Verify that help facilities are properly installed by attempting to use them.
Discuss the use of help facilities with administrators and selected users.
File System Organization
Administrators should design and implement the file system to facilitate security maintenance, troubleshooting, and file backups. The NetWare 4 server installation automatically creates three subdirectories under the servername_SYS volume: LOGIN, PUBLIC, and SYSTEM.
The installation process also makes language subdirectories (such as NLS\ENGLISH) under these directories. The NLS directory contains all the UNICODE tables used for languages. The actual subdirectory created under NLS depends on which language you have installed. These language subdirectories are important for NetWare utility access, because they contain the help and message files for the utilities.
Since all users have access to the SYS:LOGIN directory, it should contain only programs used for logging into the network. We recommend removing any programs from the LOGIN directory that are not used for logging in.
All users also have access to the SYS:PUBLIC directory. It should contain only programs for general use. Remove any programs from the PUBLIC directory that are not NetWare utilities intended for use by general network users.
Audit Procedures and Questions:
List the file system directory structure for volumes being audited.
Determine that the directory structure properly segregates files:
- programs and data
- operating system and user application programs
- static programs and customizable tables/programs
Determine that files requiring similar trustee access are generally grouped together.
If files have different data migration or backup frequencies, verify that they are grouped together.
Does the LOGIN directory contain any programs other than what is necessary for logging into the network?
Does the NetWare PUBLIC directory contain any programs other than NetWare utilities and programs used by general network users?
Data Migration and Archiving
Available disk space should be monitored regularly and a log kept to track disk usage over time. Available space on a NetWare volume can be viewed using the FILER, NETADMIN, and NWAdmin utilities. This information helps when deciding how to best use various disk space management options, such as adding a new hard disk, compressing files, and migrating data to an off-line archival system.
NetWare 4's data migration feature enables servers to automatically transfer infrequently-used data to an off-line storage device such as an optical disk or tape drive. After the data is migrated, it still appears to users to reside on the volume from which it was migrated. Administrators can initially set up the percentage of disk space they want to always have free on the server. When this capacity threshold is reached, data is moved to the storage device on a file-by-file basis using a Least Recently Used (LRU) algorithm. Migrated files can be retrieved if needed.
One implementation of data migration is the High Capacity Storage System (HCSS). HCSS allows you to place an optical disk library into the NetWare file system so that files are automatically moved when the capacity threshold is reached.
Audit Procedures and Questions:
List statistics for selected volumes. Are volumes over- or under-utilized? Do administrators track this information daily or weekly to determine usage trends?
Determine whether the site uses data migration to archive files. If so, for which volumes? What are the thresholds?
List volumes supported by High Capacity Storage Systems (HCSS).
List HCSS thresholds and determine their reasonableness.
Remote Console Management
A remote console allows administrators to manage servers from a workstation on the network or from a standalone PC that has a modem. Administrators can thus perform critical and sensitive functions on the server without physically being in the same location as the server. This allows for timely response for troubleshooting or maintenance.
In a secure environment, all servers should keep their consoles locked to avoid unauthorized access either remotely or directly.
Audit Procedures and Questions:
List server NLMs. Is REMOTE.NLM loaded?
Do administrators use RCONSOLE to maintain the server from a network workstation or from a standalone computer via a modem?
Are the server consoles locked at all times?
Assigning users to a Group object allows them to share trustee assignments of the Group object, regardless of where those users exist in the Directory tree. Administrators should use groups to simplify security maintenance when users exist in separate containers but require similar trustee assignments.
Review the membership list of each group to determine if it is appropriate.
Review trustee assignments for objects in the audit scope. Be alert for situations where trustee assignments could be consolidated using the Group object.
Multiple NDS Trees
In most cases, a company should have only one NDS tree rather than several separate trees. Since each NDS tree has its own database of objects that is not visible from any other tree, NDS data cannot be shared across trees. Multiple trees may also require redundancies (such as defining the same user on each tree) that complicate maintenance activities.
Audit Procedures and Questions:
Determine whether the company uses multiple NDS trees.
Does the company need to share data (resources) across trees?
Have administrators of different NDS trees coordinated their tree structure to facilitate potential future consolidation?
NDS Tree Design
When designing NDS trees, each level added to the tree can increase the length of a user's context. The shorter the users' contexts are, the fewer problems users will have remembering them. Five or fewer levels should be sufficient for most trees.
Administrators should design an NDS tree that will not change frequently. This will reduce administrative tasks on the tree.
Having duplicate User objects for the same person will cause problems with network administration, rights, and contexts. An Alias object can be used to represent a resource that most users in the tree need to access. By placing an Alias for the object at the top of the tree, the Alias can provide a short name that is easy for all the users to remember.
Naming objects and their properties in a standard, consistent manner will make browsing and searching in NDS easier and more precise.
Audit Procedures and Questions:
Determine the number of levels in the NDS tree.
Has the tree been designed to be fairly static?
Do users have User objects defined in more than one location?
Do administrators assign Aliases to simplify object naming?
Do objects and properties follow a standardized naming convention?
Object Property Completeness
NDS objects have properties that contain information about that object. For example, for a User object this information may include the user's telephone number and physical address. For a printer, it could include the physical location of the printer and the fonts it supports. The NDS schema defines mandatory properties for each object class. Administrators should maintain property information to support troubleshooting and maintenance activities.
Review significant object properties and determine if the information is up to date.
Review significant object properties that have no values.
Directory Services Change Logs
In addition to file modifications, trustee modifications, and requests to manipulate queues, the AUDITCON utility will record modifications to Directory Services objects. Since network problems often relate to recent changes in the system, administrators - in conjunction with the auditor - can use these change records to facilitate problem resolution.
Audit Procedures and Questions:
Determine that AUDITCON's audit tracking capability is turned on and recording events necessary for troubleshooting.
Verify that administrators have read access to audit data and audit history files.
Discuss how administrators use audit records to support problem resolution activities.
Network Availability, Response Time, and Problem Reporting
Measuring network availability and response time allows administrators to more easily identify problem areas. Following are some of the standard network statistics available at the server console via the MONITOR utility:
CPU Utilization. Utilization above 80% for a single process is excessive.
Cache Utilization. If the percentage of cache "hits" falls below 90% over a long term, add more RAM to the server.
Network Driver statistics. Statistics regarding the number of packets received/sent, the number of packets discarded, and so on can be useful in network analysis and troubleshooting. Refer to the network driver statistics section in the NetWare 4 Utilities Reference for more information.
Administrators should track statistics such as these daily or weekly to help them predict the need for additional resources before performance degradation occurs or the server becomes unavailable. Tracking network performance statistics is a distinguishing aspect of successful network maintenance.
Inspecting network hardware components and performing maintenance procedures on a periodic basis will help ensure that information services are not interrupted.
Network administrators should keep a log of network problems and how they are resolved. These logs should be reviewed periodically to assure that problems are properly resolved. Problem tracking allows administrators to share experiences and identify problem trends that may indicate a larger root cause.
Defining a process whereby users can contact a central point to report all network problems can decrease the time for problem resolution and minimize lost productivity. This process should include positive feedback upon resolution.
Audit Procedures and Questions:
Is the network unavailable on a regular basis?
Are administrators analyzing and reporting network availability and response time?
Are performance statistics maintained and reviewed? Do these statistics meet the corporate "percentage of availability" standards or guidelines?
Are all information services problems logged, assigned to specific persons, and tracked to resolution?
Do administrators review problem logs periodically?
Review of Server Logs and Disk Errors
NetWare's system message logs are contained in DOS text files stored in the server's SYS_servername:SYSTEM directory:
The SYS$LOG.ERR file records security violations, system messages, and alerts that appear on the server console.
The VOL$LOG.ERR file records volume errors.
The TTS$LOG.ERR file stores data backed out by TTS.
These files should be reviewed periodically to identify and resolve problems on a timely basis. The default log file state setting of "1" causes the log files to be deleted when they reach the overflow size limit (default is 4 MB). Changing the state setting to "2" will rename the log files rather than deleting them. Error logs should be archived and cleared on a periodic basis.
Another area to monitor closely is disk errors. When a media error or disk channel hardware problem prevents NetWare from reliably writing a block of data to the disk, the Hot Fix feature marks the block "bad" and rewrites the data to the Hot Fix Redirection Area. If the number of "Redirected blocks" is increasing over time, or if the number of "Redirected blocks" is more than half of the number of "Redirection blocks" available, it can indicate potential disk drive problems. These and any other disk errors should be investigated immediately, since such errors can lead to a failed file system and loss of data. By checking regularly for disk errors, administrators can replace a disk before it causes data loss.
Audit Procedures and Questions:
Review the current error logs with the administrator.
Discuss the extent and timeliness of the error log review with the administrator. Assess the administrator's ability to understand and respond to error messages.
Review server, volume, and TTS log file state settings. Are they set to "2" so that log files will be renamed rather than deleted when they reach the overflow size limit? Review the log file overflow size for reasonableness.
Verify that error logs are archived and cleared on a periodic basis.
Review the number of "Redirection Blocks" available and the number of "Redirected Blocks." Is the number of Redirected Blocks increasing over time? Is the number of Redirected Blocks more than half of the number of Redirection Blocks?
Does the administrator periodically perform disk drive surface tests, or at least perform the test prior to installing NetWare volumes?
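The two Hot Fix conditions described above (Redirected blocks growing over time, or exceeding half of the Redirection blocks) can be checked mechanically from periodic readings. The following script is an added example, not part of the original article; the readings are constructed, and the days-until-full projection is a simple linear estimate added here for the auditor's convenience.

```python
"""Trend check for NetWare Hot Fix redirection counters (added example).

Given periodic readings of the "Redirected blocks" and "Redirection blocks"
counters, flag the two conditions the audit text describes and estimate when
the Hot Fix Redirection Area would be exhausted at the observed rate.
"""
from datetime import date

# Constructed sample readings: (date, redirected_blocks, redirection_blocks)
SAMPLE_READINGS = [
    (date(1994, 1, 3), 12, 1024),
    (date(1994, 2, 1), 12, 1024),
    (date(1994, 3, 1), 40, 1024),
    (date(1994, 4, 4), 610, 1024),
]


def check_hot_fix(readings):
    """Return a dict of findings for a series of Hot Fix readings.

    readings: list of (date, redirected, redirection_total); any order.
    """
    if not readings:
        raise ValueError("at least one reading is required")
    readings = sorted(readings)
    first_date, first_redirected, _ = readings[0]
    last_date, last_redirected, last_total = readings[-1]

    # Condition 1: the number of redirected blocks grew between any two readings.
    increasing = any(b[1] > a[1] for a, b in zip(readings, readings[1:]))
    # Condition 2: redirected blocks exceed half of the redirection area.
    over_half = last_redirected > last_total / 2

    # Linear projection (an assumption of this example, not from the article):
    # at the average growth rate seen so far, when does the area fill up?
    days = (last_date - first_date).days
    growth = last_redirected - first_redirected
    if growth > 0 and days > 0:
        rate = growth / days                      # blocks per day
        days_until_full = (last_total - last_redirected) / rate
    else:
        rate, days_until_full = 0.0, None

    return {
        "increasing": increasing,
        "over_half": over_half,
        "blocks_per_day": rate,
        "days_until_full": days_until_full,
        "investigate": increasing or over_half,
    }


if __name__ == "__main__":
    result = check_hot_fix(SAMPLE_READINGS)
    for key, value in result.items():
        print(f"{key}: {value}")
```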
Displaying Alert Messages
A number of NetWare SET parameters control the display of alert messages on the server console. Below are the server console SET commands and their defaults:
Display Spurious Interrupt Alerts = ON. These alerts indicate that a network board or disk controller is not communicating correctly with the operating system. However, this usually does not mean the system will not work.
Display Lost Interrupt Alert = ON. These alerts indicate that the system board has detected a lost hardware interrupt.
Display Disk Device Alerts = OFF. These alerts display information such as when a disk device is added, deleted, mounted, activated, and so on.
Display Relinquish Control Alerts = OFF. These alerts indicate NLM processes that are not relinquishing control frequently enough.
Display Old API Names = OFF. These alerts display the names of outdated API routines that an NLM is using (displayed as the NLM is loading).
All of the SET commands described above can be placed in the STARTUP.NCF file or set through the SERVMAN utility at the server console.
A number of other SET commands can be set through the SERVMAN utility. These include:
Minimum File Cache Buffer Report Threshold = 20. Shows how few cache buffers the server needs before issuing a warning that they are low (settable between 0 and 1000).
Volume Low Warn All Users = ON. Sends a warning to all users when volume space is low.
Volume Low Warning Threshold = 256. Sets the number of available disk blocks before the volume triggers a low disk space warning (settable between 0 and 1000).
Volume Low Warning Reset Threshold = 256. Sets the number of disk blocks available before the volume's warning trigger is reset (settable between 0 and 1000).
Review the message alert settings. Determine whether the following recommended settings are in place:
Display Spurious Interrupt Alerts = ON
Display Lost Interrupt Alert = ON
Display Disk Device Alerts = ON
Display Relinquish Control Alerts = ON
Display Old API Names = ON
Minimum File Cache Buffer Report Threshold = 100
Volume Low Warning Threshold = 512
Volume Low Warning Reset Threshold = 512
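The comparison of configured SET parameters against the recommended values above can be done from a copy of STARTUP.NCF or a listing taken from SERVMAN. The script below is an added example, not from the article or from Novell; the NCF excerpt is constructed, and parameters that are not set are evaluated at the defaults the text gives.

```python
"""Audit NetWare 4 alert-related SET parameters (added example).

Parses "SET <parameter> = <value>" lines as they appear in STARTUP.NCF or
AUTOEXEC.NCF and reports deviations from the recommended values. Numeric
thresholds pass when at least the recommended value; ON/OFF must match.
"""
import re

# (default, recommended) per parameter, as listed in the audit text.
ALERT_SETTINGS = {
    "Display Spurious Interrupt Alerts": ("ON", "ON"),
    "Display Lost Interrupt Alert": ("ON", "ON"),
    "Display Disk Device Alerts": ("OFF", "ON"),
    "Display Relinquish Control Alerts": ("OFF", "ON"),
    "Display Old API Names": ("OFF", "ON"),
    "Minimum File Cache Buffer Report Threshold": (20, 100),
    "Volume Low Warning Threshold": (256, 512),
    "Volume Low Warning Reset Threshold": (256, 512),
}

SET_LINE = re.compile(r"^\s*SET\s+(.+?)\s*=\s*(\S+)", re.IGNORECASE)

# Constructed STARTUP.NCF excerpt for the example (not a real server's file).
SAMPLE_STARTUP_NCF = """\
; constructed example file
SET Display Spurious Interrupt Alerts = ON
set display lost interrupt alert = on
SET Display Relinquish Control Alerts = OFF
SET Minimum File Cache Buffer Report Threshold = 100
SET Volume Low Warning Threshold = 512
"""


def parse_set_lines(text):
    """Return {parameter name in lower case: value in upper case}."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if not m:
            continue  # comments, blank lines, LOAD commands, etc.
        settings[m.group(1).strip().lower()] = m.group(2).upper()
    return settings


def audit_alert_settings(text):
    """Return a list of (parameter, effective value, recommended, source)."""
    configured = parse_set_lines(text)
    findings = []
    for name, (default, recommended) in ALERT_SETTINGS.items():
        raw = configured.get(name.lower())
        if raw is None:
            effective, source = default, "default (not set)"
        elif isinstance(default, int):
            try:
                effective = int(raw)
            except ValueError:
                findings.append((name, raw, recommended, "unparseable value"))
                continue
            source = "configured"
        else:
            effective, source = raw, "configured"
        ok = (effective >= recommended) if isinstance(recommended, int) \
            else (effective == recommended)
        if not ok:
            findings.append((name, effective, recommended, source))
    return findings


if __name__ == "__main__":
    for name, eff, rec, src in audit_alert_settings(SAMPLE_STARTUP_NCF):
        print(f"{name}: {eff} ({src}); recommended {rec}")
```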
Administrators should inform users of scheduled and unscheduled maintenance in a timely fashion. Downing the server while users are logged in will disrupt those users' work and can cause them to lose data.
Determine whether administrators notify users via memos, voicemail, E-mail, or NetWare BROADCAST messages when scheduled or unscheduled maintenance is to be performed.
Assess the timeliness of these notifications.
Clearing Workstation Connections
Clearing a workstation connection while the user is active on the network can disrupt the user's work and can cause the user to lose data. Users should be encouraged to log out when they leave the office.
Determine whether administrators obtain user authorization prior to clearing workstation connections.
Determine whether administrators automatically clear logins extending overnight.
Note: This can be a dangerous practice. For example, clearing the Chief Financial Officer's connection at midnight as he or she finalizes the merger plan may not be wise.
The objective of resource utilization is to ensure that procedures and practices are followed to control and monitor the efficiency, effectiveness, and utilization of network services.
For many people, performance is not the most important aspect of a network service. When forced to prioritize the different functions of a network server, most of Novell's customers will rank reliability and security as the two most important, with performance coming in a close third. Of course, each of these areas is important, and no one likes to prioritize them or wants to exclude one for the other. But it's important that tuning for the sake of performance not be allowed to compromise reliability and security.
Server Memory Capacity
The more RAM available for disk caching in a NetWare server, the faster the response time. RAM access is many times faster than even the fastest hard disks, so the more data buffered in the RAM cache, the faster each workstation will receive data.
We recommend having at least 16 megabytes of RAM on each server. If you have 1 gigabyte of hard disk space, or 25 or more workstations, consider installing up to 32 megabytes of RAM.
Name Space support for non-DOS volumes (OS/2 HPFS, Macintosh, or UNIX/NFS) requires additional RAM according to the following formula:
0.032 × volume size (in MB) / block size
Upgrading the server to a 486 or above will increase network speed. When upgrading, also consider configuring the server with at least 16 megabytes of RAM, an EISA bus architecture, and a SCSI hard disk controller.
Audit Procedures and Questions:
Determine how much RAM is installed in each server. Review the memory needs of the installation.
Identify any servers with 386 or less powerful processors. Discuss the feasibility of upgrading these servers to a 486 or above.
NetWare 4's file compression feature can help extend the amount of disk space available on a volume. It allows NetWare to compress files as they are saved to the hard disk or after inactivity for a preset period of time. NetWare automatically decompresses the files when they are retrieved. Enabling file compression reduces disk space usage by compressing rarely-used files (up to one-third of their original size). Frequently-used files should not be compressed since compressing files has a slight impact on file access speed.
NetWare 4's disk compression algorithm is set up to compress data as a low-priority background process. This occurs when the server is not busy performing anything else, or at the time of day specified by the administrator. Thus, compression speed is not critical, but compression integrity and decompression speed are high factors.
The SET parameters dealing with disk compression (along with their defaults) are as follows:
Compression Daily Check Starting Hour = 0. Shows what time during the day the disk compression algorithm begins its search for any files that match the number of days set in the Days Untouched Before Compression parameter.
Compression Daily Check Stop Hour = 6. Shows what time during the day the disk compression algorithm ends its search for any files that match the number of days set in the Days Untouched Before Compression parameter.
Minimum Compression Percentage Gain = 2. Defaults to 5%, but can be set up to 50%.
Enable File Compression = ON. Enables compression. The server will need 32 KB of cache memory available to be used as overhead for the actual file compression process. When set to OFF, this volume will not compress the files and any files marked to be compressed will be queued until compression is turned back on again.
Maximum Concurrent Compressions = 2. If the server has multiple volumes, this command allows them to compress at the same time (this can affect performance, however).
Convert Compressed To Uncompressed Option = 1. Allows control over compressed/uncompressed files on the server (0=compressed only, 1=leaves compressed if accessed once during the "untouched" phase, and 2=always leaves files uncompressed).
Decompress Percent Disk Space Free To Allow Commit = 10. Allows you to set how much disk space needs to be free in order to change compressed files to a decompressed state (defaults to 10%). If the percentage exceeds this number, new files marked for compression will not be compressed.
Decompress Free Space Warning Interval = 31 min 18.5 sec. Sets how long the server waits between successive free-space warning alerts.
Deleted Files Compression Option = 1. Allows you to set how files will be compressed (0=do not compress files, 1=compress files on the next day, and 2=compress files immediately).
Days Untouched Before Compression = 7. Allows you to set how many days you want files to wait before compressing them.
Audit Procedures and Questions:
Review server compression settings for reasonableness. Verify whether compression is enabled at server level (default is ON).
List volume information. Has the administrator enabled file compression for the appropriate volumes?
Are files and directories appropriately flagged for compression?
Display file compression results sorted by file size and also by date last accessed.
Are files grouped to allow compression options to be maintained at the directory level?
Note: It is not necessary to separate application files from data files for compression, because the "SET Days Untouched Before Compression" parameter eliminates the compression of regularly-used applications or data.
Block Suballocation has been implemented in NetWare 4 to prevent wasted disk space due to setting a large disk block size and having parts of the last allocated block remaining unused. Block suballocation allows small files, or that part of a file which exceeds the volume's default block size, to share a disk block with other files. Thus, NetWare can store more files in a smaller space on a NetWare volume. The installation process enables block suballocation by default.
Suballocation allows multiple file endings to share a disk block. The unit of allocation within a suballocated block is a single sector (512 bytes), which means that up to 128 files can share a single 64KB block. By using suballocation, the maximum loss of data space per file is 511 bytes, which would only occur when a file had one more byte than could be allocated to a full 512-byte sector. Suballocation nearly eliminates the penalty of using larger disk allocation units and allows much larger disk channel transactions. This helps optimize the disk channel and cache around the 64KB disk allocation unit.
From a performance standpoint, suballocation enhances the performance of write operations within the operating system by allowing the ends of multiple files to be consolidated within a single write operation. But this minor improvement is counterbalanced by the overhead of managing the suballocation process.
Audit Procedures and Questions:
List volume information. Has the administrator enabled block suballocation for the appropriate volumes?
NetWare saves deleted files on the volume until they are purged. Users can salvage their own unpurged, deleted files. Purging can occur two ways:
When a user uses a utility to force purging of files.
If the disk runs out of free space, NetWare automatically purges the files that were deleted first.
The second method is preferred because it provides extended access to accidentally deleted files. However, if the user requiring free space has no delete rights to the deleted files occupying free space, NetWare will not allow them to use the space and they will receive a volume full message even though free space exists.
The SERVMAN utility can be used to set the file delete wait time to a time exceeding the tape backup interval. This assures that deleted files will be backed up before purging and automatic purging will occur regularly to free space.
Audit Procedures and Questions:
Review the server console settings. Determine that the following purge/salvage settings are in place:
SET Immediate Purge Of Deleted Files=ON
SET File Delete Wait Time=backup interval
Improving Disk Performance
Overall disk performance depends on the type of hard disk drives and controllers being used. SCSI hard disk controllers are much faster than the IDE controllers and drivers used on many servers. Adding a SCSI controller can significantly decrease data access times.
A number of NetWare parameters can affect disk performance. However, proper tuning of these parameters should be done only by knowledgeable administrators or network technicians. More information can be found in the Novell Application Notes' ongoing series of articles on NetWare 4 server tuning and optimization.
Audit Procedures and Questions:
Does the server use SCSI hard disk controllers?
Review file cache and read/write settings. Are the settings reasonable based upon NetWare server usage?
Dismounting Rarely-Used Volumes
Each volume that is mounted takes up memory and reduces the memory available to file caching. Consider leaving test volumes or rarely used volumes dismounted to reduce server overhead.
Audit Procedures and Questions:
Are there any test volumes or other volumes that are rarely used?
Do administrators dismount rarely used volumes during periods of non-use?
NDS Partition Placement
Administrators can replicate NDS partitions (distinct portions of the Directory tree) on different servers across the network. If users currently use a WAN link to access particular NDS information, access time and WAN traffic can be decreased by placing a replica containing the needed information on a server that users can access locally. Distributing replicas among servers on the network allows quick and reliable access, as information will be retrieved from the nearest available server containing the specified information.
Compare the network configuration to partition location.
Determine that the portions of NDS that users often access are located on an NDS partition on a local server.
Time Synchronization Issues
By default, non-Secondary time servers use NetWare's Service Advertising Protocol (SAP) to announce their presence on the network. The SAP method allows for quick installation and changes to time servers without regard to the network layout. The SAP method also generates additional network traffic. The larger the network, the more network traffic is generated by the time server SAP broadcasts.
Alternatively, the administrator can assign specific time source servers that a particular server should contact for time information or polling. This custom configuration method eliminates nonessential network SAP traffic, as well as errors associated with accidental reconfiguration.
Additionally, when using the SAP method, accidentally setting a new time source server's time to a future time can disrupt network time. You should set new time source servers a minute or two behind the network synchronized time. If a new time source server is set to a time in the future, no NDS updates will be accepted.
Gross changes to time will also create an audit record. When you boot the server, TIMESYNC may set the time and then place in the audit record an indication that the time is set.
Audit Procedures and Questions:
Review the organization and placement of time servers. Have time servers been organized to minimize network time synchronization traffic?
Is this a large network where servers come and go? If so, and time servers are using the SAP method, discuss the benefits of using the custom configuration method for configuring time servers.
If using the SAP method, do change control procedures require new time source servers to be set several minutes behind the network synchronized time?
Packet Burst and LIP
Support for Novell's Packet Burst protocol is built into the VLM client software and the NetWare 4 operating system. Use of Packet Burst improves transfer of messages over an internetwork by converting packets to multipacket messages.
The Large Internet Packet (LIP) feature allows increased throughput over network bridges or routers by increasing packet size when Ethernet or Token Ring architectures allow larger packets to be sent over the network. Increasing packet size can increase server performance. If the network boards in your server can transmit more than 512 bytes of data per packet, you can increase the Maximum Physical Receive Packet Size to the largest packet size supported by your network board.
Determine whether the workstation NET.CFG files are configured to enable the Packet Burst protocol.
If Packet Burst is not enabled and users communicate across wide area networks or slow, long-distance links, verify that administrators have considered using the Packet Burst protocol.
If users communicate across intermediate routers, verify that administrators have considered using LIP.
Network Interface Cards
The network interface card (NIC) settings for a workstation must match the settings you place under the Link Driver heading in the NET.CFG file. For servers, the NIC settings are placed in the AUTOEXEC.NCF file.
The type of NIC used can affect the overall performance of a network. Network board considerations include the type of network board (8-, 16-, or 32-bit), as well as the board driver. 8-bit NICs were designed for XT-class computers, but will still function in newer 386 and 486 workstations. 386 or higher workstations are so fast that they will wait for data from slower 8-bit NICs. This is particularly noticeable if you are using data-intensive network applications.
Changing from 8-bit to 16-bit NICs in 386 or higher workstations will result in speed improvements and could enhance user productivity. EISA (Extended Industry Standard Architecture) based servers can accommodate 32-bit network cards and disk controllers, as opposed to ISA (Industry Standard Architecture) based servers, which can accommodate 16-bit cards. Adding an EISA server with 32-bit NICs and disk controllers will increase network speed by 10 to 25 percent. We recommend considering an EISA-based server.
Audit Procedures and Questions:
Do any 386 or 486 workstations connected to the network use 8-bit network interface cards (NICs)?
Determine the type of servers installed and discuss their appropriateness for handling the network workload.
One of the biggest items of concern when dealing with networks is the physical layer, which includes cabling. Considerations regarding cabling include attenuation, bandwidth, impedance, and crosstalk. The major cabling types in use today include unshielded twisted pair (UTP), shielded twisted pair (STP), coax, and fiber optic.
Depending on the type of cabling currently in use, installing new cabling can provide more bandwidth for transferring data. For example, upgrading to 10Base-T from older 2 Mbps Arcnet cable provides 10 Mbps of bandwidth. The speed increase will be very noticeable to the users.
Determine whether the network is wired with older cabling. Discuss the feasibility of upgrading to newer cable.
Backup, Recovery and Contingency Planning
The objective here is to ensure that adequate plans exist for backing up critical network resources and for the timely and logical recovery of information services after unanticipated interruptions. The following items should be considered for proper backup and recovery of microcomputer environments.
Obtain and review a copy of the backup and recovery procedures and/or the contingency plan.
Evaluate the procedures used to back up the network to ensure the proper information is being backed up as needed.
Consider whether backups are performed when data is changed, such as every work day.
Review retention of backups.
Review evidence of successful recovery testing.
Review the installation's procedures for recovering a lost disk on the server.
Determine the network availability/criticality needs if there is an uninterruptible power supply (UPS) attached. Consider brownouts and power fluctuations.
Identify and evaluate the propriety of information being sent to an off-site location.
Determine if networks are included in the master disaster recovery plan and if the plan is periodically and successfully tested.
Evaluate the provisions for restoring operations after a disaster. Consider restoration of equipment and service, including files.
Who is responsible for backup and recovery of network system files, application programs, and data files?
Are business applications and sensitive or mission-critical data (memos, spreadsheets, and so on) stored on the network?
How often is the data stored on the network backed up?
If users accidentally delete a file from the network, would the administrators know how to recover that file using the SALVAGE command?
Has any of the data stored on the network ever been lost, not recovered on a timely basis, or not recovered at all?
Would users be inconvenienced or unable to respond to customers if the company's data was lost since the last backup?
Is regular and systematic backup of files required of sensitive and/or crucial applications and data?
Who determines the methods and frequency of backups of critical information stored?
What type of media is being used for backups?
Are backup tapes and software stored in an area physically apart from the server?
Is off-site storage used to maintain backups of critical information required for processing operations to continue?
Does the company's backup software allow one to back up the bindery (NetWare 2 and 3) and/or Directory Services (NetWare 4)?
Does the frequency of backups provide the ability to restore data that is sufficiently current for your business needs?
Does the network administrator maintain multiple generations of backup files?
Are copies of important application programs, data files, and supporting documentation stored at a remote location?
Are backup logs maintained that track backup media, the files backed up on the media, the date and time of the backups, and where the backup media is stored?
Are backup media properly labeled?
Are copies of backup logs sent off-site with the backup media?
Are important business applications such as accounting systems processed on the network?
Is there a reporting or regulatory requirement to maintain copies of important business application data files at specific points during the year such as quarter end and year end?
Are the data files for important business applications backed up at specific times during the year such as quarter end and year end?
Are periodic partial restores from back-up media performed?
Does the company or department have written, organization-specific, procedures that document the process of restoring data files?
Are critical database application files processed on the server? If so, have these files been flagged as transactional (T) to invoke NetWare's TTS?
Are the server and critical network hardware connected to an uninterruptible power supply (UPS)?
Is the uninterruptible power supply (UPS) inspected on a regular basis to help ensure that it is functioning properly?
Are the server and uninterruptible power supply (UPS) configured to automatically power down the network in a reasonable time period after power is lost?
In the event of equipment failure, are sufficient resources available for continued operations, either on- or off-site?
Are user needs prioritized so that hardware can be redistributed when units are out for repair?
Is there sufficient documentation, describing files and recovery method, to perform a recovery in case of disaster or loss of software, data, or key personnel?
Who is responsible for developing, maintaining, or reviewing the contingency plan for this network?
Has a network contingency plan been developed?
Is the network contingency plan reviewed and tested periodically to ensure that it reflects the current environment?
Has the network contingency plan been communicated to all users involved in the plan and all users who use the network?
Other Audit Considerations
As described in earlier chapters, certain security features within the NetWare operating system afford the system administrator a means of building a trusted network system. This includes effectively recording system-wide activities. System administrators can select and adjust these features to secure and control the network, as well as monitor and analyze critical aspects. Also, the condition of these features can be readily checked during the data gathering phase of the audit.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.