Securing Your NDS Tree from Hackers
15 Nov 2000
To ensure that your NDS tree is secure from hackers, follow these steps:
Remove the ability for anyone to read the NDS tree (check the rights for [Root]; they shouldn't be public).
Isolate servers on one Ethernet segment, put the network administrators on one segment and end users on another segment, or go to switched Ethernet.
Use Packet Signature at the highest settings on servers and workstations at all times.
The SET PACKET SIGNATURE line should be in the STARTUP.NCF file, not in the AUTOEXEC.NCF file.
Use the latest patches on servers and workstations. Novell is continually releasing security fixes in maintenance patches, so keep up on the patches.
Create an NDS account named SUPERVISOR, give it no rights, and then disable it.
Give the bindery Supervisor account a huge password that no one could ever guess.
Make sure the Server object is not in the same container as the Admin account.
Turn on Intruder Detection in every container.
Minimum password length should be 8 characters for most users; administrators should have even longer passwords.
Never use RConsole. Walk to the server, or use an out-of-band method for access if it is truly in a remote location.
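The Packet Signature step can be checked offline against copies of a server's two NCF files. The script below is an added example, not part of the original tip or Novell code: it assumes the setting appears as SET NCP PACKET SIGNATURE OPTION = n (or the shorthand used above), that 3 is the highest level, and that lines starting with #, ; or REM are comments; the function names and sample files are constructed for illustration.

```python
import re

HIGHEST = 3  # assumed top value of the NCP Packet Signature Option (range 0-3)

# Accepts the full console syntax and the tip's shorthand "SET PACKET SIGNATURE".
SIG_RE = re.compile(
    r"^\s*SET\s+(?:NCP\s+)?PACKET\s+SIGNATURE(?:\s+OPTION)?\s*=\s*(\d+)\s*$",
    re.IGNORECASE,
)
# Assumed NCF comment markers: "#", ";" and "REM".
COMMENT_RE = re.compile(r"^\s*(?:#|;|REM\b)", re.IGNORECASE)


def signature_levels(ncf_text):
    """Return every packet-signature level an NCF file sets, in file order."""
    levels = []
    for line in ncf_text.splitlines():
        if COMMENT_RE.match(line):
            continue  # a commented-out SET line has no effect
        match = SIG_RE.match(line)
        if match:
            levels.append(int(match.group(1)))
    return levels


def audit(startup_text, autoexec_text):
    """Return findings; an empty list means the Packet Signature tip is followed."""
    findings = []
    startup = signature_levels(startup_text)
    if not startup:
        findings.append("STARTUP.NCF does not set packet signature")
    elif startup[-1] != HIGHEST:
        findings.append(f"STARTUP.NCF sets level {startup[-1]}, expected {HIGHEST}")
    if signature_levels(autoexec_text):
        findings.append("AUTOEXEC.NCF sets packet signature; move it to STARTUP.NCF")
    return findings


# Constructed sample files, not taken from a real server.
BAD_STARTUP = "SET MINIMUM PACKET RECEIVE BUFFERS = 500\n# SET NCP PACKET SIGNATURE OPTION = 3\n"
BAD_AUTOEXEC = "FILE SERVER NAME FS1\nSET NCP PACKET SIGNATURE OPTION = 2\n"
GOOD_STARTUP = "SET NCP PACKET SIGNATURE OPTION = 3\n"
GOOD_AUTOEXEC = "FILE SERVER NAME FS1\n"

if __name__ == "__main__":
    for finding in audit(BAD_STARTUP, BAD_AUTOEXEC):
        print("FINDING:", finding)
```
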
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.