Putting Trust in Your Server with the SECURE.NCF File
01 Sep 1996
NetWare 4.11 (formerly known as Green River) is designed to meet the U.S. Class C2 security criteria as well as the European Class F-C2/E2 security criteria. In conjunction with the NetWare 4.11 release, Novell is providing enhanced security options in a configuration file called SECURE.NCF. This file sets various server options that are required to run NetWare 4.11 servers in a secure or "trusted" configuration. This NetNote introduces the SECURE.NCF file and explains what the options are.
If you're not first in line to upgrade to NetWare 4.11, don't feel left out. This NCF file will also run with the currently distributed version of NetWare 4.1. Enhanced security is thus available to any NetWare 4.x customer interested in improving or consolidating security options at the server.
Setting the Security Options
To set up your server for these enhanced security options, follow the steps below:
1. Ensure that the SECURE.NCF file is appropriately edited and placed in the server's SYS:SYSTEM directory. NCF files are simply ASCII text files that contain a sequence of commands you want to run all at once, similar to a batch file in DOS. You can create or modify the SECURE.NCF file by using EDIT.NLM or any ASCII text editor.
2. Add the line "Enable SECURE.NCF=ON" in the server's AUTOEXEC.NCF file.
3. Execute the parameters in the script file by typing SECURE <Enter> at the server console prompt.
Note that each of the SET parameters in the SECURE.NCF file can be set individually from the NetWare console command line. With the exception of the Audit Passwords parameter (which you may want set to ON), all of the SET parameters in the SECURE.NCF file can be changed from the SERVMAN console utility (from the Server parameters/Miscellaneous menu), which will place the parameters in either the AUTOEXEC.NCF or the STARTUP.NCF file.
A sample SECURE.NCF file listing is given below:

    SET Allow Unencrypted Passwords = OFF
    SET Allow Audit Passwords = OFF
    SET Automatically Repair Bad Volumes = ON
    SET Reject NCP Packets with bad lengths = ON
    SET Reject NCP Packets with bad components = ON
    # SET Check Equivalent to Me = ON
    # SET NCP Packet Signature Option = 3
    # SECURE CONSOLE
The parameters that are commented out with a pound sign (#) are enhanced security options that are present in the SECURE.NCF file but are not required for the Trusted NetWare configuration (that is, they are not required by C2 and European Class F-C2/E2 standards).
We'll start by providing a brief description of the parameters that are required for the trusted configuration. The trusted configuration value is shown for each one, along with the default value. The NetWare 4.11 Utilities Reference manual provides more detailed information about each of these SET parameters.
SET Allow Unencrypted Passwords=OFF (Default=OFF)
This parameter was originally designed to allow older NetWare 2.x clients and print servers to be compatible with the utilities for NetWare 3.x and above. Setting this parameter to OFF requires the use of encrypted passwords for all access to the server.
SET Allow Audit Passwords = OFF (Default=OFF)
This parameter configures the server to disallow the use of passwords to identify auditors.
SET Automatically Repair Bad Volumes = ON (Default=ON)
This parameter configures the server to automatically run VREPAIR when a volume fails to mount.
SET Reject NCP Packets with bad lengths = ON (Default=OFF)
This parameter configures the server to reject NCP packets that fail boundary checking. Older client utilities may fail if this SET parameter is set to ON.
SET Reject NCP Packets with bad components = ON (Default=OFF)
This parameter configures the server to reject NCP packets that fail component checking. Again, older client utilities may fail if this SET parameter is set to ON.
Again, the parameters discussed above are designed to meet the Class C2 criteria and the Class F-C2/E2 criteria and are required in order for your server to be in the trusted configuration. Of course, it may take some time after the delivery of NetWare 4.11 for NetWare administrators to transform their security to these levels. Still, it's important to note the changes and the administrative requirements that will be imposed on those systems which do require the increased security offered in the NetWare 4.11 release.
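The following Python script is an added example, not part of the original AppNote or any Novell tooling: it checks a copy of a SECURE.NCF file against the five trusted-configuration values described above and reports any that are wrong, missing, or commented out. The function names and the sample file contents are constructed for illustration.

```python
import re

# Trusted-configuration values as listed in this article (parameter -> value).
REQUIRED = {
    "allow unencrypted passwords": "OFF",
    "allow audit passwords": "OFF",
    "automatically repair bad volumes": "ON",
    "reject ncp packets with bad lengths": "ON",
    "reject ncp packets with bad components": "ON",
}

SET_LINE = re.compile(r"^\s*SET\s+(.+?)\s*=\s*(\S+)\s*$", re.IGNORECASE)

def parse_ncf(text):
    """Return {parameter: value} for active SET lines; '#' lines are comments."""
    active = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out option: not in effect
        m = SET_LINE.match(line)
        if m:
            name = " ".join(m.group(1).lower().split())  # normalise case and spacing
            active[name] = m.group(2).upper()  # commands run in order, so the last SET wins
    return active

def audit(text):
    """List (parameter, expected, found) for every required setting that is off-spec."""
    active = parse_ncf(text)
    return [(name, want, active.get(name, "MISSING"))
            for name, want in REQUIRED.items()
            if active.get(name) != want]

# Constructed sample: one required option set wrongly, one commented out.
SAMPLE = """\
SET Allow Unencrypted Passwords = ON
SET Allow Audit Passwords = OFF
SET Automatically Repair Bad Volumes = ON
# SET Reject NCP Packets with bad lengths = ON
SET Reject NCP Packets with bad components = ON
# SET NCP Packet Signature Option = 3
"""

if __name__ == "__main__":
    for name, want, found in audit(SAMPLE):
        print(f"{name}: expected {want}, found {found}")
```

The script inspects only the file's contents; values changed afterwards at the console or through SERVMAN are not reflected in it.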
The following SECURE.NCF parameters also enhance the security of the server. However, they are not required to meet the Class C2 criteria and the Class F-C2/E2 criteria. These parameters are commented out in the supplied SECURE.NCF file, but you can enable them by removing the pound sign (#) from the beginning of the line. Again, you can use EDIT.NLM or any ASCII text editor to edit this file.
SET Check Equivalent to Me = ON (Default=OFF)
This parameter configures NetWare Directory Services to enforce the checking of the "Equivalent to me" attribute during authentication.
SET NCP Packet Signature Option = 3 (Default=1)
This parameter configures the server to reject NCP packets that are not signed and to sign all reply packets. The default value of 1 instructs the server to sign NCP packets only if required by the client. Setting this parameter to 3 enhances security by not allowing workstations that are not set to require packet signatures to log in to the server until their client-side setting is changed. Setting packet signing to this level will result in a slightly higher percentage of server utilization (486 servers are impacted more than 586 servers).
SECURE CONSOLE
This command secures the NetWare server console in the following ways:
Removes DOS paths from the search path
Allows only NLMs from the search path to be loaded
Disallows the setting of certain SET parameters
Prevents the server date and time from being changed
Prevents keyboard entry into the operating system debugger
Note that this command does not relieve the requirement that the server console itself be physically secured.
By default, the SECURE.NCF file does not invoke this command. If your site needs the extra security this provides, you can invoke this command anytime by typing SECURE CONSOLE <Enter> at the server console prompt. Alternatively, you could uncomment the command in the SECURE.NCF file.
There are other commands which you might include in a customized SECURE.NCF file, such as:
Display NCP Bad Component Warnings
Display NCP Bad Length Warnings
These commands are designed to alert you to abnormalities in NCP packets, which could indicate a break-in attempt. However, a routine check of the server error logs may prove more effective.
For additional information on any of these parameters, refer to the Utilities Reference manual that comes with NetWare 4.11.
* Originally published in Novell AppNotes