Auditing NDS Objects with AuditWare for NDS
Articles and Tips: article
Network Technical Services
01 Apr 1996
This AppNote discusses Preferred Systems' AuditWare for NDS tool version 1.0 and describes how to use it to analyze and report on NetWare Directory Services (NDS) objects. AuditWare performs these tasks offline, using a database that mirrors the "live" network. AuditWare for NDS is unique in that it performs object comparisons, determines the flow of effective rights, and generates lists of objects that fulfill user-defined criteria.
RELATED APPNOTES Feb 96 "Using DS Standard to Migrate Networks to NetWare 4.1"
Preferred Systems' AuditWare for NDS version 1.0 is an advanced, Windows-based object reporting utility with an emphasis on security analysis. It is designed to work in conjunction with DS Standard, Preferred Systems' NDS management tool, but will also function as a standalone product. (We introduced DS Standard in the February 1996 issue of AppNotes.)
Like DS Standard, AuditWare obtains its NDS object information by performing what's called a "discover." AuditWare will take a snapshot of your current NDS tree, store the information in its database, then allow you to analyze that data. Both products also benefit from a licensing agreement with Novell to use the same icons and naming conventions as the NetWare utilities.
Licensing of AuditWare is per server. This means that you can only discover each NDS object's properties pertaining to a licensed server. For example, although you can discover all user objects in the tree, you will only be able to view and analyze rights to a volume on the server with an AuditWare license.
The difference between DS Standard and AuditWare is that AuditWare generates reports but does not allow you to manipulate objects--change properties, add or delete objects, and so on. DS Standard, on the other hand, cannot list which objects have no required password, for example, but can do a search and replace to give objects a default password.
Ideally you would have both products so that after determining needed security enhancements with AuditWare, you can then implement them using DS Standard. However, as mentioned earlier, you can run either product without the other.
AuditWare also differs from DS Standard in that it can discover much more information from NDS and NetWare. This includes the NLMs, *.DSK and *.LAN drivers that are loaded on NetWare 4 servers, as well as full details of every object's Access Control List (ACL). Such information broadens AuditWare's ability to detect any possible security hole.
Note that AuditWare for NDS cannot discover information from NetWare 3 servers. (It doesn't have the capability to translate bindery objects into NDS ones.) For administrators with a mixed NetWare 3 and 4 environment, you can use Preferred Systems' AuditWare for Binderies which handles NetWare 2.x and 3.x servers. Or you can perform a discover of NetWare 3.x servers using DS Standard to translate 3.x objects to 4.x ones. You can then export the information to AuditWare to perform analysis on those objects.
Note too that AuditWare performs its discovers based on the rights of the user object running the application. That is, its database reflects the perspective of the user account that populated the database by doing the discover. For example, if you are an administrator for a particular container or context but have no rights to the ROOT, your view of the NDS tree will include only the objects you have rights to in that container or context below the ROOT. For a complete audit, run the discover from an account with Browse rights to the whole tree: anything that account cannot see is simply absent from the database.
AuditWare's key functions include:
Detect "stealth" objects (those with the Browse privilege filtered using the ACL inherited rights filter)
Compare one or more objects to a known secure object to determine any variations in properties or rights
Analyze who has rights to a particular object and determine how those rights came about
Compare how particular objects have changed over time both in rights and in properties
Generate lists of objects meeting any property criteria
Generate lists of objects which present potential security risks
Export object information in DBF format for use with other products such as report writers, database managers, etc.
It can also do a census of your tree to show the number of each type of object in the tree and in what container they appear. This allows you to analyze object distribution amongst containers.
Offline versus Online
Preferred Systems purposely chose to have AuditWare populate its database online, and then go offline to perform its reporting tasks. While real-time analysis does provide the most timely information, offline analysis does offer some advantages:
The load added to the network for each report generated "live" might discourage administrators from fully analyzing their tree.
Once discovered, the information in the AuditWare database provides a snapshot of the entire NDS structure at a particular moment. In this way, a report generated regarding access rights, for example, need not suffer from latency problems which might occur with reports run on a "live" network.
The AuditWare data can be sent offsite for analysis or stored for backup purposes.
The AuditWare view can also provide you with an audit trail for your NDS tree, so you can examine how the tree and the objects in it change over time.
We should note that the discover process may take a substantial amount of time in its own right (approximately 70 seconds per 100 objects on a 486/66 computer). The speed depends on the level of complexity of your objects' relationships and whether there's a WAN link involved to transfer data across. Once completed, however, you can then generate any number of reports from that information. Also, you can choose to only discover portions of the NDS tree by defining the context you want.
Individual reports take anywhere from seconds to tens of minutes to run, but you can queue them and have AuditWare store the results as files for later review.
NetWare's Utilities Compared
Consider some common questions often asked while managing NDS:
Who has rights to this container?
Do any NDS objects have excessive rights?
Which user objects fail to have long enough passwords?
How many objects of each type do I have in my tree?
The task of answering these questions is a tough one if you are limited to NetWare's native utilities. These utilities--principally NWADMIN and AUDITCON--have extremely limited reporting capabilities regarding the nature of objects. NWADMIN has a focus on individual objects. It works well to create or modify a single object at a time. While you can determine all properties for objects using NWADMIN, it becomes extremely difficult the more objects you have in your tree.
AUDITCON provides NDS event tracking and reporting to tell you, for example, what users are doing. AUDITCON's reports primarily cover specific activities, including:
File events such as reads, writes, deletions or creations.
QMS events such as creation or deletion of print queues.
Server events such as mounting or dismounting volumes.
User events such as logins, logouts, and trustee assignment changes.
AUDITCON does allow you to filter this information by date, time, or user. However, you cannot perform comparisons between objects or event activities unless you import AUDITCON's report into a third-party database program.
AuditWare's filters allow you to view or select any subset of your NDS objects. You can base these filters on object type and/or condition of one or more properties. At that point, you can then generate a report on that subset.
You can also do an object property comparison using what Preferred Systems calls "The Enforcer." In essence, you choose any object to serve as a model or standard against which one or several other objects of the same type are compared. For example, you can define one user (the "Enforcer") with the security restrictions you want, then run an Object Compare report to see how the properties of a selected set of users compare with those of the "Enforcer." Any differences are noted in the report, which you can then use to bring those users into compliance with DS Standard.
Determining what rights a particular object has, or which objects have rights to some other object, is a difficult task. AuditWare provides an Object Rights Expert to analyze rights in either direction. The Expert reports not only the rights themselves but also how those rights flow to the object, that is, which of them were assigned explicitly and which were inherited.
The Expert includes predefined criteria for examining objects for excessive object rights (Supervisor, Browse, Create, Delete, Rename) and excessive all-property rights (Supervisor, Compare, Read, Write, Add Self). You can customize a report for any combination of rights whether they have been granted or restricted.
If you cannot "see" an object in the tree, you obviously can't monitor it as you would other objects. AuditWare includes a Stealth Object Analysis report which detects any objects in the tree for which the account running the analysis lacks the Browse right. This covers not just User objects but objects of any class. An unauthorized user therefore cannot simply create an object and hide it from the administrator by filtering out the Browse right.
AuditWare's reporting capability includes several hundred pre-generated forms as well as the option to create customized versions. For example, it can generate lists of objects for a container such as:
volume disk space usage per user
each user's effective login script
Note that AuditWare also has a number of calculated fields that it can report on. For example, it can list users who have no login script.
To run AuditWare for NDS, you need a networked workstation with the following requirements:
386 or faster processor
Windows 3.1 or later
It also needs 26 to 27MB of free disk space for the application itself. In addition, plan on approximately 1MB for each 100 objects in your tree. (This amount will vary based on how complex the relationships are between objects. The more complex the ACL, for example, the larger the database.) Finally, each report you save takes about 150KB.
AuditWare also includes a License Manager program to certify each server you want to analyze. (DS Standard's License Manager can also do this. We discussed the licensing process in our previous AppNote.)
In the previous AppNote on DS Standard, we outlined how Preferred Systems' software handles a discovery. The process is similar in AuditWare for NDS. The results of your discovery will be a view of your NDS tree similar to the one shown in Figure 1.
Figure 1: Once AuditWare performs a discovery of your NDS tree, you can log out of the network and analyze it offline.
Stealth User Analysis
While you are still online, you can perform a stealth user analysis. This option appears in the File menu as Live Stealth Object Analysis (it needs the live tree, since by definition a stealth object will not have made it into the database). Choose this option, and AuditWare will generate a report similar to that shown in Figure 2.
Figure 2: AuditWare can detect and report any objects in your NDS tree that have the Browse right turned off.
In the report, AuditWare points out the name of the stealth object in the first column. In the second, it gives you the name of another object which has a reference to the stealth one. In the third, it points out which property of that other object references the stealth one. Using this reference, you can then use NWADMIN to locate and verify the existence of this stealth object.
Dangerous User Analysis
One function of AuditWare is to report on objects which are potential security problems (similar to the NetWare 3 SECURITY.EXE utility which provided some of the same kind of information). This report is of a Pass/Fail variety and includes:
Account restrictions (concurrent logins, station limits)
Login time restrictions (Hour, day)
Password restrictions (required, length, unique)
Object security (can change other object's properties)
Excessive object rights (Supervisor right to a container)
Excessive all property rights (Supervisor rights to all properties of the ROOT)
Excessive volume rights (Supervisor rights)
Although AuditWare ships with a default configuration for a "dangerous" user, you can modify any of the restrictions to pinpoint the ones you need to monitor.
Using View Filters
At this point you may well want to limit what appears onscreen in your view. For example, you might only want to look at User, Group, or Print Server objects in the tree. AuditWare has user-defined filters to narrow what objects appear onscreen.
Note: Defining and using a filter does not remove the objects from the database. A filter is simply a mask to temporarily hide the other objects from appearing onscreen.
To set the view's filter:
Choose the View menu.
Select Set View Filter. AuditWare asks you to define the filter (see Figure 3).
Figure 3: The View Filter dialog allows you to precisely define which objects you want to appear in your view.
The View Filter dialog offers you three choices:
Object type(s) you want
Property condition formula
Save this filter for later reuse
Object types include all those defined by NetWare. (However, it does not include third-party objects such as those created by backup utilities.) You can choose one, several, or all the types.
The property condition formula allows you to define which instances of the type or types you chose that will appear onscreen. For example, if you chose GROUP as the object type, you can now select from a list of the Group properties to narrow the focus (see Figure 4).
Figure 4: You can define one or more properties to narrow the number of objects displayed in the view.
You can choose the Number of Members property (shown as # of Members in the figure) to have AuditWare display only those groups that currently have no members.
If you choose more than one type of object, AuditWare combines the per-type conditions into a logical AND type of statement, so you can have a unique query for each object type included in the filter. For example, one AuditWare filter can express "Show me all users who do not require passwords" AND "All groups with no user members" at the same time.
Note too that the property condition is a formula. You can ask AuditWare to show you all users whose accounts have unlimited connections and that also have no limit to their grace logins. You could make the condition "unlimited connections or unlimited grace logins" as well.
Your formula can be arbitrarily large. AuditWare includes a Check function to ensure that a complex formula is written correctly before you execute it (see Figure 5).
Figure 5: AuditWare allows you to define a formula for narrowing the view even further.
If you do create a complex formula for your filter, you have the option of saving that filter for later reuse.
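The property condition formula and the pass/fail checks of the Dangerous User Analysis earlier are the same kind of thing: a boolean condition over object properties. As an added example (not AuditWare's own code, and written without access to its file formats), the following Python implements a small formula language of that shape over a constructed, in-memory view: a recursive-descent parser turns a formula such as `max_conns = 0 or grace_logins = 0` into a predicate, `select` applies it to objects of the chosen types (with calculated fields such as member count), and `dangerous_user_report` expresses default dangerous-user criteria as formulas an administrator can edit. The sample objects, the property names, and the convention that a limit of 0 means "unlimited" are assumptions of the example.

```python
# Property-condition filters and a pass/fail "dangerous user" report (added example, not AuditWare's code).
import operator
import re

# Constructed sample view keyed by FDN; property names and "0 means unlimited" are assumptions.
VIEW = {
    "CN=Admin.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 8,
                        "max_conns": 1, "grace_logins": 6, "login_script": "MAP S1:=SYS:PUBLIC"},
    "CN=Guest.O=ACME": {"type": "User", "pw_required": False, "min_pw_len": 0,
                        "max_conns": 0, "grace_logins": 0, "login_script": ""},
    "CN=BackupOp.OU=Ops.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 5,
                                  "max_conns": 0, "grace_logins": 6, "login_script": ""},
    "CN=Everyone.O=ACME": {"type": "Group", "members": ["CN=Admin.O=ACME", "CN=Guest.O=ACME"]},
    "CN=OldTeam.OU=Ops.O=ACME": {"type": "Group", "members": []},
}
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
_TOKEN = re.compile(r'\s*(?:(?P<par>[()])|(?P<op><=|>=|!=|=|<|>)|(?P<str>"[^"]*")'
                    r'|(?P<num>-?\d+)|(?P<name>[A-Za-z_]\w*)|(?P<bad>\S))')

def tokenize(formula):
    matches = list(_TOKEN.finditer(formula))
    for m in matches:
        if m.lastgroup == "bad":
            raise SyntaxError(f"unexpected character {m.group().strip()!r}")
    return [m.group().strip() for m in matches]

def literal(tok):                  # right-hand side of a comparison: "string", integer, true/false
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.lower() in ("true", "false"):
        return tok.lower() == "true"
    if tok.lstrip("-").isdigit():
        return int(tok)
    raise SyntaxError(f"bad value {tok!r}")

def compile_filter(formula):
    """Compile 'expr := term (or term)*; term := factor (and factor)*; factor := ( expr ) |
    property op value' into a predicate.  A SyntaxError is the Check button saying no."""
    toks = tokenize(formula)
    def take(expected=None):
        if not toks or (expected and toks[0] != expected):
            raise SyntaxError(f"expected {expected or 'more input'} near {toks[:1]}")
        return toks.pop(0)
    def expr():
        pred = term()
        while toks and toks[0].lower() == "or":
            take()
            pred = (lambda a, b: lambda o: a(o) or b(o))(pred, term())
        return pred
    def term():
        pred = factor()
        while toks and toks[0].lower() == "and":
            take()
            pred = (lambda a, b: lambda o: a(o) and b(o))(pred, factor())
        return pred
    def factor():
        tok = take()
        if tok == "(":
            inner = expr()
            take(")")
            return inner
        op = take()
        if not re.fullmatch(r"[A-Za-z_]\w*", tok) or op not in OPS:
            raise SyntaxError(f"expected 'property op value' near {tok!r}")
        value = literal(take())
        def compare(obj):          # a missing property or a type mismatch never matches
            try:
                return tok in obj and OPS[op](obj[tok], value)
            except TypeError:
                return False
        return compare
    pred = expr()
    if toks:
        raise SyntaxError(f"unexpected token {toks[0]!r}")
    return pred

def with_calculated_fields(obj):   # derived properties, like the "# of Members" field
    calc = {"member_count": len(obj["members"])} if "members" in obj else {}
    calc |= {"has_login_script": bool(obj["login_script"])} if "login_script" in obj else {}
    return {**obj, **calc}

def select(view, object_types, formula):   # FDNs of the chosen type(s) satisfying the formula
    pred = compile_filter(formula)
    return sorted(fdn for fdn, obj in view.items()
                  if obj["type"] in object_types and pred(with_calculated_fields(obj)))

# Default "dangerous user" criteria; each is a formula, so the definition is editable data.
DANGEROUS_USER = {
    "password not required": "pw_required = false",
    "password shorter than 8 characters": "min_pw_len < 8",
    "unlimited concurrent connections": "max_conns = 0",
    "unlimited grace logins": "grace_logins = 0",
}

def dangerous_user_report(view, criteria=DANGEROUS_USER):
    """Per user, the criteria it trips; an empty list is a PASS."""
    checks = {name: compile_filter(f) for name, f in criteria.items()}
    return {fdn: [name for name, pred in checks.items() if pred(with_calculated_fields(obj))]
            for fdn, obj in view.items() if obj["type"] == "User"}
```

A malformed formula (unbalanced parentheses, a stray token, an unknown operator) raises SyntaxError when it is compiled, before anything is evaluated against the view; that is the job the dialog's Check function does. Keeping the dangerous-user criteria as formulas rather than code is what lets one engine serve both the view filter and a customised "dangerous" profile.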
Choose OK to activate the filter on the view.
Note: Once you display the view using a particular filter, that filter stays in place even if you close the view and reopen it. AuditWare tells you if the view has a filter in place in two ways:
All filtered views have the suffix [Filtered] appearing in the view dialog's header.
If you filtered the view using a filter that you saved, then you can also see that filter's name using the View menu's View Info option. The dialog that appears shows you the name of the filter you applied to this view. Note that this only works for filters that you defined and saved with a filter name.
You can now run any of the View reports. However, if you filtered your view and then select a report for objects which do not appear in that view, AuditWare will alert you with a dialog.
Using Select Filters
What if you don't want to limit the view? What if you want to simply select certain objects in the tree to report on? That's where the View menu's Set Select Filter option comes in. The option pulls up a dialog identical to the View Filter's; only this time when you activate, it simply highlights the appropriate objects in the NDS tree.
You then use the Object Reports menu to generate information about the selected objects. As you might imagine, you can perform many of the same reports as you could by filtering the view. In addition, using a Select Filter gives you three unique capabilities:
Object Comparisons. You can compare objects in two ways: you can compare an object to a specified "Enforcer" object (as mentioned earlier), or you can compare a single object to itself in two different views.
To use the Enforcer comparison:
Select one or more objects in your view. You can manually select them by point-and-click, or you can use a Select Filter.
Note: You can only choose one type of object to do an Enforcer comparison.
Choose the Object Reports menu.
Select the Object Compare option.
Choose the Enforcer option.
AuditWare now shows you a dialog in which you can specify which object will serve as the Enforcer (see Figure 6).
Figure 6: You can perform an object comparison between several objects and a known standard "Enforcer" object.
Note that this Enforcer object need not be in your current view. It can appear in another view you have discovered. This gives you flexibility, since that other view can be of a different context in your tree or from another NDS tree entirely.
You can specify which properties of the Enforcer object you want to compare. For example, you can ask AuditWare to compare the Enforcer object's Inherited Rights Mask with those of the selected objects. The resulting report will show you how the masks differ, if they do.
You can also perform a "Fully Distinguished Name" (FDN) comparison. This requires that you have two views containing the same object (as shown by its FDN). In this way you can do regular discovers of your NDS tree, then make periodic comparisons to see if anything has changed over time to this object.
AuditWare does a detailed comparison between the two views, down to the attribute level of each object. In one pass, it will alert you to all added, modified, or deleted attributes from one view to the other.
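As an added example of both comparisons just described (not code from AuditWare), the following Python implements an Enforcer comparison and an FDN comparison over two constructed views of the same context, discovered on two dates. The views `JAN` and `FEB`, the object names and their properties are assumptions of the example; the Inherited Rights Filter appears as the `irf` property.

```python
# Object comparisons over offline views (added example, not AuditWare's code): an
# Enforcer comparison against a model object, and an FDN comparison of the same
# object, or a whole view, across two discovers.

# Constructed views of one context discovered in January and again in February.
# Object names, property names and values are assumptions made for this example.
JAN = {
    "CN=Template.OU=Staff.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 8,
                                    "max_conns": 1, "irf": "SBCDR"},
    "CN=Alice.OU=Staff.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 8,
                                 "max_conns": 1, "irf": "SBCDR"},
    "CN=Bob.OU=Staff.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 5,
                               "max_conns": 3, "irf": "B"},
    "CN=Staff.OU=Staff.O=ACME": {"type": "Group", "members": ["CN=Alice.OU=Staff.O=ACME"]},
}
FEB = {   # the Staff group is gone, Carol is new, and Bob has changed
    "CN=Template.OU=Staff.O=ACME": JAN["CN=Template.OU=Staff.O=ACME"],
    "CN=Alice.OU=Staff.O=ACME": JAN["CN=Alice.OU=Staff.O=ACME"],
    "CN=Bob.OU=Staff.O=ACME": {"type": "User", "pw_required": False, "min_pw_len": 5,
                               "irf": "B", "home_dir": "SYS:\\HOME\\BOB"},   # max_conns removed
    "CN=Carol.OU=Staff.O=ACME": {"type": "User", "pw_required": True, "min_pw_len": 8,
                                 "max_conns": 1, "irf": "SBCDR"},
}

def enforcer_compare(view, enforcer_fdn, selected, properties=None, enforcer_view=None):
    """Properties on which each selected object differs from the Enforcer, as
    {fdn: {property: (enforcer_value, object_value)}}.  The Enforcer may live in
    another view; every object compared must be of the Enforcer's type."""
    model = (enforcer_view or view)[enforcer_fdn]
    props = properties or [p for p in model if p != "type"]
    report = {}
    for fdn in selected:
        obj = view[fdn]
        if obj["type"] != model["type"]:
            raise ValueError(f"{fdn} is a {obj['type']}, the Enforcer is a {model['type']}")
        report[fdn] = {p: (model.get(p), obj.get(p)) for p in props if obj.get(p) != model.get(p)}
    return report

def attribute_diff(old, new):
    """Attribute-level differences between two copies of one object."""
    return {"added": {k: new[k] for k in new.keys() - old.keys()},
            "deleted": {k: old[k] for k in old.keys() - new.keys()},
            "modified": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}}

def fdn_compare(old_view, new_view, fdn):
    """The same object (by FDN) in two discovers: added/deleted/modified attributes,
    or a status if the object itself appeared or vanished between the two."""
    if fdn not in old_view and fdn not in new_view:
        raise KeyError(fdn)
    if fdn not in old_view or fdn not in new_view:
        return {"status": "added" if fdn in new_view else "deleted"}
    return attribute_diff(old_view[fdn], new_view[fdn])

def view_compare(old_view, new_view):
    """Whole-view change summary between two discovers: objects that appeared or
    vanished, plus per-object attribute changes for those present in both."""
    changed = {}
    for fdn in old_view.keys() & new_view.keys():
        diff = fdn_compare(old_view, new_view, fdn)
        if any(diff.values()):
            changed[fdn] = diff
    return {"added": sorted(new_view.keys() - old_view.keys()),
            "deleted": sorted(old_view.keys() - new_view.keys()),
            "changed": changed}
```

Restricting the Enforcer comparison to a property list (for example only `irf`) is how you ask "whose Inherited Rights Filter differs from the standard?" without wading through every other attribute, and `view_compare` is the periodic-discover workflow: keep each view, diff the newest against the baseline, and only the objects that changed need a second look.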
Object Profiles. An object profile is essentially a list of all of a selected type of object in a tree. The list also shows the condition of the properties pertaining to that object. What type of object is profiled depends on what you have highlighted in the view. You can profile more than one type of object at a time.
You can do a similar operation by filtering your view to show only those objects you want, then run an Object Profile report from the View Reports Catalog.
If you want a quick summary listing the quantity of each type of object in your tree, you can use the View Reports menu option View Profile (see Figure 7).
Figure 7: AuditWare can also generate a summary of the objects in your NDS tree.
Object profiles can help you track where growth is occurring in your tree, how objects are distributed amongst the various containers, and the quantity of specific objects in each context.
The Object Rights Expert. A main feature of AuditWare is the Object Rights Expert. This Expert is a series of dialogs in which you specify the type of report you want regarding object rights (naturally). These dialogs cover:
What type of report you want
Which direction do you want to run the report
Which objects you want to examine
Which rights you want to report on
Which components of the effective rights formula to include
Figure 8 shows the various kinds of reports that you can generate using the Expert.
Figure 8: You can select any of five kinds of rights summary reports to generate.
The next step is to select in which direction you want to run the report (see Figure 9).
Figure 9: AuditWare will report on rights to a given object or from that object.
Selecting direction is particularly useful when you want to have a list of all those objects which have rights to a specific container, volume, or other restricted resource. It is also useful for finding out if a user object has acquired rights it shouldn't have (such as might be gained inadvertently through inherited rights).
Next, you can choose to report on one, several, or all the objects in your view (see Figure 10).
Figure 10: You can have AuditWare report on rights for one or more objects in your tree.
After you choose which objects to include, you get to the heart of the matter: which rights are you going to examine (see Figure 11).
Figure 11: AuditWare simplifies the task of specifying what rights you want to examine.
The upper half of the dialog allows you to choose one of four predefined reports. If you choose the fifth option, Custom Rights Query, the bottom half of the dialog becomes active. You can then ask AuditWare to report if a particular right is active or not active. (The Star icon tells AuditWare to ignore the right.)
Finally, you can ask AuditWare to include all or part of the formula used to calculate effective rights (see Figure 12).
Figure 12: AuditWare can also display the various components to effective rights.
By default AuditWare will display the effective rights for the object you've selected.
At this point you can run your report. Depending on the complexity of the rights structure in your tree and the number of objects you requested AuditWare to report on, this could take some time. By comparison, however, consider how long it would take you to calculate these rights using NWADMIN.
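The Stealth Object Analysis and the Object Rights Expert both reduce to one calculation: what rights does a given account end up with on a given object, and where did they come from. As an added example (not AuditWare's code), the following Python works that calculation over a constructed tree using a simplified model of NDS object rights: explicit trustee assignments, inheritance down the tree, the Inherited Rights Filter on each object, and security equivalence to the user's containers, its groups and [Public]. It reports in both directions (rights to an object, rights from a user), exposes the components of the effective-rights formula, flags Supervisor on containers, and lists the objects a viewer cannot Browse together with visible objects that still reference them. The object names, the ACLs and the hidden container are assumptions of the example, and real NDS has more rules (property rights, explicit security equivalence lists, the restriction on removing Supervisor from an IRF) than this model.

```python
# Effective NDS object rights and stealth-object detection over an offline view
# (added example, not AuditWare's code).  Simplified model of NDS: a trustee's rights
# on an object are its explicit assignment there if one exists, otherwise the rights
# inherited from the parent minus those the object's Inherited Rights Filter (IRF)
# blocks; a user's effective rights are the union over the user, its containers,
# [Public] and the groups it belongs to.
OBJECT_RIGHTS = "SBCDR"          # Supervisor, Browse, Create, Delete, Rename
CONTAINERS = {"Tree Root", "Organization", "Organizational Unit"}

# Constructed tree keyed by FDN.  "acl" maps trustee FDN -> granted object rights;
# "irf" lists the rights the object lets through from its parent.  Names, rights and
# the hidden OU (an IRF that blocks everything, kept manageable only by its own
# explicit Supervisor trustee) are assumptions made for this example.
TREE = {
    "[Root]": {"type": "Tree Root", "acl": {"[Public]": "B", "CN=Admin.O=ACME": "S"}, "irf": "SBCDR"},
    "O=ACME": {"type": "Organization", "acl": {}, "irf": "SBCDR"},
    "OU=Ops.O=ACME": {"type": "Organizational Unit", "irf": "SBCDR",
                      "acl": {"CN=OpsAdmins.OU=Ops.O=ACME": "BCDR"}},
    "OU=Hidden.O=ACME": {"type": "Organizational Unit", "irf": "",
                         "acl": {"CN=Mallory.OU=Hidden.O=ACME": "S"}},
    "CN=Admin.O=ACME": {"type": "User", "acl": {}, "irf": "SBCDR"},
    "CN=Alice.OU=Ops.O=ACME": {"type": "User", "acl": {}, "irf": "SBCDR"},
    "CN=Mallory.OU=Hidden.O=ACME": {"type": "User", "acl": {}, "irf": "SBCDR"},
    "CN=OpsAdmins.OU=Ops.O=ACME": {"type": "Group", "acl": {}, "irf": "SBCDR",
                                   "members": ["CN=Alice.OU=Ops.O=ACME"]},
    "CN=Everyone.O=ACME": {"type": "Group", "acl": {}, "irf": "SBCDR",
                           "members": ["CN=Admin.O=ACME", "CN=Alice.OU=Ops.O=ACME",
                                       "CN=Mallory.OU=Hidden.O=ACME"]},
}

def ancestry(fdn):
    """[Root] down to fdn, inclusive, by stripping one name component at a time."""
    chain = []
    while fdn != "[Root]":
        chain.append(fdn)
        fdn = fdn.partition(".")[2] or "[Root]"
    return ["[Root]"] + chain[::-1]

def trustee_rights(view, trustee, target):
    """One trustee's rights on target, with the components of the calculation at the
    target itself: inherited (from the parent), filtered (blocked by the IRF),
    explicit (assigned on target) and the resulting effective set."""
    rights = set()
    for fdn in ancestry(target):
        obj = view[fdn]
        inherited, passed = rights, rights & set(obj["irf"])
        explicit = set(obj["acl"].get(trustee, ""))
        rights = explicit if trustee in obj["acl"] else passed
    return {"inherited": inherited, "filtered": inherited - passed,
            "explicit": explicit, "effective": rights}

def equivalences(view, user):
    """Objects whose rights the user also holds (this example's model of security
    equivalence): itself, its containers, [Public] and the groups it belongs to."""
    groups = {fdn for fdn, obj in view.items() if user in obj.get("members", [])}
    return set(ancestry(user)) | {"[Public]"} | groups

def effective_rights(view, user, target):
    """Union over the user's equivalences, in SBCDR order; Supervisor implies all."""
    rights = set()
    for trustee in equivalences(view, user):
        rights |= trustee_rights(view, trustee, target)["effective"]
    if "S" in rights:
        rights = set(OBJECT_RIGHTS)
    return "".join(r for r in OBJECT_RIGHTS if r in rights)

def rights_to(view, target):
    """Direction 'to': which users hold rights on this object, and which rights."""
    users = (fdn for fdn, obj in view.items() if obj["type"] == "User")
    return {u: r for u in users if (r := effective_rights(view, u, target))}

def rights_from(view, user):
    """Direction 'from': everything this user holds rights on."""
    return {fdn: r for fdn in view if (r := effective_rights(view, user, fdn))}

def excessive_supervisor(view):
    """Predefined check: users holding Supervisor on a container."""
    return {u: [fdn for fdn, r in rights_from(view, u).items()
                if view[fdn]["type"] in CONTAINERS and "S" in r]
            for u, obj in view.items() if obj["type"] == "User"}

def stealth_objects(view, viewer):
    """Objects the viewer cannot Browse, each with the visible objects (and the
    property) that still reference it, so it can be tracked down in NWADMIN."""
    visible = {fdn for fdn in view if "B" in effective_rights(view, viewer, fdn)}
    report = []
    for fdn in view:
        if fdn in visible:
            continue
        refs = sorted((other, prop) for other in visible for prop in ("members", "acl")
                      if fdn in view[other].get(prop, ()))
        report.append((fdn, refs))
    return report
```

On the constructed tree, the administrator with Supervisor at [Root] ends up with no rights at all on `OU=Hidden.O=ACME` because that container's IRF filters everything inherited from above; `trustee_rights` shows the Supervisor right arriving from the parent and being filtered there, which is the "components of the effective rights formula" breakdown. The stealth report then finds the hidden user only because a visible group still lists it as a member, which is exactly the reference the live analysis relies on.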
AuditWare will allow you to generate any of the reports to a file, so you don't have to be present during the entire run. Instead, you can make requests for the various reports then leave the workstation to create the reports.
Once generated, you can always refer back to a saved report for future reference. Also, you can distribute reports electronically to key executives (AuditWare can also include a cover page with each report which explains the contents of that report).
With both the view and the reports for a given instance of your tree, you are able to document and track your network. These can serve as baselines for later study and comparison.
In addition, you can export object information in DBF format for processing by a third-party database.
An automated tool such as AuditWare can significantly reduce the time needed to analyze NDS objects. For several tasks, such as object comparisons, AuditWare is unique among NetWare tools. This reporting capability becomes even more essential as the number of objects increases. In addition, AuditWare's ability to store and share views of an NDS tree allows offsite administrators to generate any number of reports or to track tree development over time.
For further information on AuditWare for NDS, contact:
Preferred Systems, Inc. 250 Captain Thomas Boulevard West Haven, CT 06516
203-937-3000 or 800-222-7638 (U.S. only)
GO NVENB then select Preferred Systems
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.