NOVELL TECHNICAL INFORMATION DOCUMENT

DISCLAIMER

The origin of this information may be internal or external to Novell. Novell makes every effort within its means to verify this information. However, the information provided in this document is FOR YOUR INFORMATION only. Novell makes no explicit or implied claims to the validity of this information.

TITLE:                      SECDOC.ZIP Documentation for 3.11 Security Enhancement
DOCUMENT ID:                TID002536
DOCUMENT REVISION:          A
REVISION DATE:              4-29-93
ALERT STATUS:               Yellow
NOVELL PRODUCT CATEGORY:    NetWare OS
NOVELL PRODUCT and VERSION: NetWare v3.11
                            NetWare v2.2
CLASSIFICATION:             Security
README FOR:                 SECDOC.EXE

ABSTRACT:

This file contains SECDOC.TXT which explains the seven security files: SECUT1.EXE, SECUT2.EXE, SECPRN.EXE, SECDOS.EXE, SECUT3.EXE, SECSYS.EXE, & SECOS2.EXE

_______________________________________________________________________________

NCP Packet Signature for NetWare
PATENT PENDING - Novell, Inc.
---------------------------------------------------------------------

The software files enclosed in these "zip" files are fixes or patches to legally licensed Novell software and are protected by the copyright laws of the United States and international copyright treaties. This zip file contains software which is designed to replace Novell client software and software which run as NetWare Loadable Modules under the NetWare operating system.

You may without charge, reproduce, distribute and use copies of the software for its intended purposes to replace legally obtained Novell software, provided you do not receive any direct payment, commercial benefit, or other consideration for the reproduction, distribution or use, or change or omit any proprietary rights notice appearing on or in the software. This is a personal right. You may not duplicate, distribute or authorize use outside of the legal entity you represent.

THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE AND FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT YOU USE SOFTWARE, YOU DO SO AT YOUR OWN RISK. IN NO EVENT WILL NOVELL BE LIABLE TO YOU FOR ANY DAMAGES ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE SOFTWARE.

Security Enhancement
--------------------

Novell has verified the existence of a threat to NetWare security. The mechanism for intrusion was discovered and documented by students and professors of Leiden University in the Netherlands. After responding to the initial threat with a NetWire release, Novell established an aggressive two-phase strategy to analyze, develop and verify solutions to the broader issues surrounding this threat.

The following security enhancement for NetWare represents the first phase of Novell's aggressive strategy to analyze and develop solutions that enhance network security. This enhancement consists of NetWare loadable modules, new shells and various utilities.

This SECURITY.DOC file defines the capabilities of the enhancement, the configuration options, the installation of the server and client portions and provides other useful guidelines and tips.

This enhancement contains seven self-extracting ZIP files:

   SECSYS.EXE   On diskette SIGNATURE_1
   SECDOS.EXE
   SECOS2.EXE
   SECUT1.EXE   On diskette SIGNATURE_2
   SECUT2.EXE
   SECUT3.EXE   On diskette SIGNATURE_3 (Optional: *)
   SECPRN.EXE

   * The set of utilities found in SECUT3.EXE are not specifically required for the security enhancement, but contain various fixes and updates.

Before installing this enhancement, customers should read through the SECURITY.DOC file to determine if installation of the security enhancement is needed. Particular attention should be given to the section on when to use NCP packet signature.

Customers in need of additional support and service should contact their local reseller.
The enhancement is being made available free of charge on NetWire and NetWare Express (minimal connection charges apply on NetWire and NetWare Express) or by calling 1 (800) NetWare.

How NCP Packet Signature Works
------------------------------

NCP packet signature is an enhanced security feature that protects servers and clients using the NetWare Core Protocol by preventing packet forgery.

Without the NCP packet signature installed, it is possible for a network client posing as a more privileged client to send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder could gain SUPERVISOR rights and access to all network resources.

NCP packet signature prevents packet forgery by requiring the server and the client to "sign" each NCP packet. The packet signature changes with every packet.

NCP packets with incorrect signatures are discarded without breaking the client's connection with the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the server console. The alert message contains the LOGIN name and the station address of the affected client.

A two-part process between the client and the NetWare server determines the NCP packet signature:

* At LOGIN, the server and the client determine a shared, secret key known as the session key.

* For each request or response packet, the server and the client calculate a signature based on the session key, a "fingerprint" algorithm, and the previous packet's signature. The unique signature is appended to the NCP packet.

If NCP packet signature is installed correctly on the server and all of its clients, it is virtually impossible to forge a valid NCP packet.

Packet Signature Options
------------------------

Because the packet signature process consumes CPU resources and slows performance, both for the client and the NetWare server, NCP packet signature is optional.
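
The per-packet signing described under "How NCP Packet Signature Works" above, sketched as an added example that is not Novell's code: it shows a forged packet and a replayed packet being discarded while the legitimate session carries on. HMAC-SHA-256 stands in for the "fingerprint" algorithm, which this document does not specify; the class name, the 8-byte signature length, the all-zero starting value and the sample payloads are assumptions.

```python
import hashlib
import hmac

SIG_LEN = 8  # assumption: truncated tag length, not Novell's wire format


class SignedChannel:
    """One end of a connection. Both ends hold the same session key."""

    def __init__(self, session_key):
        self.key = session_key
        self.prev_sig = bytes(SIG_LEN)  # assumption: agreed starting value

    def _tag(self, payload):
        # Stand-in for the "fingerprint" algorithm: a keyed hash over the
        # previous packet's signature followed by this packet's payload.
        mac = hmac.new(self.key, self.prev_sig + payload, hashlib.sha256)
        return mac.digest()[:SIG_LEN]

    def sign(self, payload):
        """Append the signature and advance the chain."""
        sig = self._tag(payload)
        self.prev_sig = sig
        return payload + sig

    def verify(self, packet):
        """Return the payload, or None if the packet must be discarded."""
        if len(packet) < SIG_LEN:
            return None
        payload, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
        if not hmac.compare_digest(sig, self._tag(payload)):
            # Discarded: the chain state is untouched, so the connection
            # stays up and the next genuine packet still verifies.
            return None
        self.prev_sig = sig
        return payload


def demo():
    key = bytes(range(16))  # constructed session key, fixed for the demo
    client, server = SignedChannel(key), SignedChannel(key)
    seen = []

    req1 = client.sign(b"open file")
    seen.append(server.verify(req1))                      # accepted
    seen.append(client.verify(server.sign(b"handle 7")))  # signed response

    # A sender without the session key can only guess the signature.
    forged = b"forged request" + bytes(SIG_LEN)
    seen.append(server.verify(forged))                    # discarded

    # A captured packet sent again fails: the chain has moved on.
    seen.append(server.verify(req1))                      # discarded

    req2 = client.sign(b"read handle 7")
    seen.append(server.verify(req2))                      # still accepted
    return seen


if __name__ == "__main__":
    for result in demo():
        print("discarded" if result is None else result.decode())
```
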

Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers have four settable signature levels, and network clients also have four signature levels.

The signature options for servers and clients combine to determine the level of NCP packet signature on the network.

NOTE: Some combinations of server and client packet signature levels may slow performance. However, low CPU-demand systems may not show any performance degradation. Network supervisors can choose the packet signature level that meets both their performance needs and their security requirements.

Server Levels
-------------

Server packet signature levels are assigned by a new SET parameter:

   SET NCP Packet Signature Option = [number]

Replace [number] with 0, 1, 2, or 3. The default is 2.

Number   Explanation
---------------------
0        Server does not sign packets (regardless of the client level)
1        Server signs packets only if the client requests it (client level is 2 or higher)
2        Server signs packets if the client is capable of signing (client level is 1 or higher)
3        Server signs packets and requires all clients to sign packets (or logging in will fail)

Client Levels
-------------

Client signature levels are assigned by a new NET.CFG parameter:

   signature level = [number]

Replace [number] with 0, 1, 2, or 3. The default is 1.

Number   Explanation
---------------------
0        Client does not sign packets
1        Client signs packets only if the server requests it (server option is 2 or higher)
2        Client signs packets if the server is capable of signing (server option is 1 or higher)
3        Client signs packets and requires the server to sign packets (or logging in will fail)

Effective Packet Signature
--------------------------

The packet signature levels for the server and the client interact to create the "effective" packet signature. Some combinations of server and client levels do not allow logging in.

The table below shows the interactive relationship between the server packet signature levels and the client signature levels.

Effective Packet Signature of Server and Client
-----------------------------------------------
IF          Server=0    Server=1    Server=2    Server=3
Client=0    No sign     No sign     No sign     No login
Client=1    No sign     No sign     Sign        Sign
Client=2    No sign     Sign        Sign        Sign
Client=3    No login    Sign        Sign        Sign

When to Use NCP Packet Signature
--------------------------------

NCP packet signature is not required for every installation. Some network supervisors may choose not to use NCP packet signature because they can tolerate certain security risks.

Security Risks
--------------

The following situations are examples of tolerable risks that may not need NCP packet signature:

* Only executable programs reside on the server.
* All workstation users on the network are known and trusted by the supervisor.
* Data on the NetWare server is not sensitive; loss or corruption of this data will not impact operations.

NCP packet signature is recommended for security risks such as:

* An untrustworthy user at a workstation on the network.
* Easy physical access to the network cabling system.
* An unattended, publicly accessible workstation.

Signature Level Examples
------------------------

The default NCP packet signature level is 1 for clients and 2 for servers. In most installations, this setting provides the most flexibility while still offering protection from forged packets. Below are some examples of using different signature levels.

All Information on the Server Is Sensitive
------------------------------------------

If an intruder gained access to any information on the NetWare server, it could damage the company. The network supervisor sets the server to level 3 and all clients to level 3 for maximum protection.
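
The Effective Packet Signature table above, as an added example that is not part of Novell's software: it reads the server level from AUTOEXEC.NCF text and each client's level from NET.CFG text, then reports which sessions end up unsigned or cannot log in. The file contents and station names are constructed, and treating the last setting found in a file as the one in force is an assumption.

```python
import re

# Effective packet signature, copied from the table in this document.
# Row index = client level 0-3, column index = server level 0-3.
EFFECTIVE = (
    ("No sign",  "No sign", "No sign", "No login"),
    ("No sign",  "No sign", "Sign",    "Sign"),
    ("No sign",  "Sign",    "Sign",    "Sign"),
    ("No login", "Sign",    "Sign",    "Sign"),
)
SERVER_DEFAULT = 2  # documented default when no SET line is present
CLIENT_DEFAULT = 1  # documented default when NET.CFG has no setting

_SERVER_RE = re.compile(
    r"SET\s+NCP\s+Packet\s+Signature\s+Option\s*=\s*(\S+)", re.IGNORECASE)
# The "=" is optional because the OS/2 form in this document omits it.
_CLIENT_RE = re.compile(r"signature\s+level\s*=?\s*(\S+)", re.IGNORECASE)


def _find_level(pattern, text, default):
    level = default
    for line in text.splitlines():          # handles DOS CRLF line ends
        match = pattern.fullmatch(line.strip())
        if match:
            level = int(match.group(1))     # assumption: last setting wins
    if level not in range(4):
        raise ValueError("signature level must be 0, 1, 2, or 3")
    return level


def server_level(autoexec_ncf):
    return _find_level(_SERVER_RE, autoexec_ncf, SERVER_DEFAULT)


def client_level(net_cfg):
    return _find_level(_CLIENT_RE, net_cfg, CLIENT_DEFAULT)


def effective(server, client):
    return EFFECTIVE[client][server]


def audit(autoexec_ncf, net_cfgs):
    """Return (station, client level, effective result) for each client."""
    server = server_level(autoexec_ncf)
    return [(station, client_level(cfg), effective(server, client_level(cfg)))
            for station, cfg in net_cfgs.items()]


# Constructed sample files (not taken from a real installation).
SAMPLE_AUTOEXEC = "LOAD PBURST\r\nSET NCP Packet Signature Option = 2\r\n"
SAMPLE_NET_CFGS = {
    "ACCT-01": "LINK DRIVER NE2000\r\n    FRAME ETHERNET_802.3\r\n"
               "signature level = 3\r\n",
    "CLERK-07": "LINK DRIVER NE2000\r\n    FRAME ETHERNET_802.3\r\n",
    "OS2-02": "NETWARE REQUESTER\r\n    signature level 2\r\n",
    "KIOSK": "signature level = 0\r\n",
}

if __name__ == "__main__":
    for station, level, result in audit(SAMPLE_AUTOEXEC, SAMPLE_NET_CFGS):
        flag = "" if result == "Sign" else "   <-- review"
        print(f"{station:<10} client={level}  {result}{flag}")
```

With the sample server at level 2, the level 0 station is admitted with an unsigned session; raising the server to level 3 turns that row into "No login".
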

Sensitive and Non-sensitive Information Reside on the Same Server
-----------------------------------------------------------------

The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as accounts receivable). The network supervisor sets the server to level 2, and the clients that need access to accounts receivable to level 3. All other clients remain at the default, level 1.

Users Often Change Locations and Workstations
---------------------------------------------

The network supervisor is uncertain which employees will be using which workstations, and the NetWare server contains some sensitive data. The network supervisor sets the server to level 3. Clients remain at the default, level 1.

Workstation is Publicly Accessible
----------------------------------

An unattended workstation is set up for public access to non-sensitive information, but another server on the network contains sensitive information. The network supervisor sets the sensitive server to level 3 and the unattended client to level 0.

Installing NCP Packet Signature on the v3.11 Server
---------------------------------------------------

NCP packet signature is installed at the server and at each workstation. This section describes the procedures for the server. To ensure secure connections, NCP packet signature should be installed on all servers on the network.

Before installing any new software, make sure you have a complete backup of current SYS:SYSTEM, SYS:PUBLIC and SYS:LOGIN files.

Perform these steps on all servers on your network.

1a. Flag *.NLM files in the SYS:SYSTEM directory Shareable, Read Write.
1b. Flag ?CONSOLE.* files in the SYS:SYSTEM directory Shareable, Read Write.
1c. Flag *.* files in the SYS:PUBLIC directory Shareable, Read Write.
1d. Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Write.

2.  Copy the self-extracting ZIP files to the appropriate directory.

    File          Copy to this directory
    -------------------------------------
    SECSYS.EXE    SYS:SYSTEM
    SECUT1.EXE    SYS:PUBLIC
    SECUT2.EXE    SYS:PUBLIC
    SECUT3.EXE    SYS:PUBLIC
    SECPRN.EXE    SYS:PUBLIC

    Note: SECUT3.EXE is optional, but recommended.

3.  For each file listed above, change to the appropriate directory and execute the new files. For example, change to the SYSTEM directory and type SECSYS. This unZIPs the files into the current directory.

4.  Copy LOGIN.EXE file from the SYS:PUBLIC directory to the SYS:LOGIN directory.

5a. Flag *.NLM files in the SYS:SYSTEM directory Shareable, Read Only.
5b. Flag ?CONSOLE.* files in the SYS:SYSTEM directory Shareable, Read Only.
5c. Flag *.* files in the SYS:PUBLIC directory Shareable, Read Only.
5d. Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Only.

6.  You may want to delete the self-extracting ZIP files from SYS:SYSTEM and SYS:PUBLIC at this time.

Load PBURST.NLM
---------------

Use this procedure to load the PBURST NLM and add the new SET parameters to the NetWare v3.11 server.

1.  At the server console, type

       LOAD PBURST

2.  To automatically load PBURST.NLM the next time the server boots, insert the "LOAD PBURST" command at the beginning of the AUTOEXEC.NCF file.

Assign the Server Packet Signature Option
-----------------------------------------

Insert the following SET command in the AUTOEXEC.NCF file immediately below the "LOAD PBURST" command:

   SET NCP Packet Signature Option = [number]

Replace [number] with 0, 1, 2, or 3. The default is 2.

Installing NCP Packet Signature on a NetWare v2.2 or v2.15c Server
------------------------------------------------------------------

NCP packet signature is installed at the server and at each workstation. This section describes the procedure for installing NCP packet signature on a NetWare v2.2 or v2.15c server. Workstation installation procedures described later are identical for NetWare v3.11, v2.2 and v2.15c environments.

1.  Flag *.* files in the SYS:PUBLIC directory Shareable, Read Write.

2.  Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Write.

3.  Copy the self-extracting ZIP files to the appropriate directory.

    File          Copy to this directory
    -------------------------------------
    SECSYS.EXE    SYS:SYSTEM
    SECUT1.EXE    SYS:PUBLIC
    SECUT2.EXE    SYS:PUBLIC
    SECUT3.EXE    SYS:PUBLIC
    SECPRN.EXE    SYS:PUBLIC

    Note: SECUT3.EXE is optional, but recommended.

3.  For each file listed above, change to the appropriate directory and execute the new files. For example, change to the SYSTEM directory and type SECSYS. This unZIPs the files into the current directory.

4.  Copy LOGIN.EXE file from the SYS:PUBLIC directory to the SYS:LOGIN directory.

5.  Delete the *.NLM files, RCONSOLE.*, and ACONSOLE.* files in the SYS:SYSTEM directory. (These files are not needed for NetWare v2.2 or v2.15c.)

6.  Flag the SECUREFX.VAP file as Shareable, Read Only by typing

       FLAG SECUREFX.VAP SRO

7.  Flag *.* files in the SYS:PUBLIC directory Shareable, Read Only.

8.  Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Only.

9.  You may want to delete the self-extracting ZIP files from SYS:SYSTEM and SYS:PUBLIC at this time.

10. Before completing step 11, you should make sure that you have loaded NCP packet signature on the workstations by following the installation procedures described later.

    Note: Workstation installation procedures described later are identical for NetWare v3.11, v2.2 and v2.15c environments.

11. Reboot the server. The following prompt appears:

       "Value added processes have been defined. Do you wish to load them?"

12. Type Y

Assigning the Server Signature Level
------------------------------------

The default signature level for the server is 2. To change the level, use the following console command:

   SIGNATURE LEVEL = number

Replace "number" with 1, 2, or 3. The default is 2.

For signature level 0, either do not put the SECUREFX VAP in SYS:SYSTEM, or reboot the server and answer "no" to the value added processes prompt.

NOTE: This last option will not load ANY VAPS.

Utilizing SECUREFX VAP with other VAPs
--------------------------------------

In NetWare v2.2 and v2.15c environments, all VAPs must be loaded on another server for NCP packet signature to work.

Installing NCP Packet Signature on a Server running NNS
-------------------------------------------------------

NCP packet signature is installed at the server and at each workstation. This section describes the procedures for the server. To ensure secure connections, NCP packet signature should be installed on all servers on the network.

Before installing any new software, make sure you have a complete backup of current SYS:SYSTEM, SYS:PUBLIC and SYS:LOGIN files.

Perform these steps on all servers on your network.

1a. Flag NSINSTALL.EXE file in the SYS:SYSTEM directory Shareable, Read Write.
1b. Flag *.* files in the SYS:PUBLIC directory Shareable, Read Write.
1c. Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Write.

2.  Copy the self-extracting ZIP file SECNNS.EXE to the PUBLIC directory.

3.  Change to the PUBLIC directory and execute SECNNS. This unZIPs the files into the current directory.

4.  Copy LOGIN.EXE file from the SYS:PUBLIC directory to the SYS:LOGIN directory.

5.  Move NSINSTALL.EXE file from the SYS:PUBLIC directory to the SYS:SYSTEM directory.

6a. Flag NSINSTALL.EXE file in the SYS:SYSTEM directory Shareable, Read Only.
6b. Flag *.* files in the SYS:PUBLIC directory Shareable, Read Only.
6c. Flag LOGIN.EXE file in the SYS:LOGIN directory Shareable, Read Only.

7.  You may want to delete the self-extracting ZIP file SECNNS.EXE from SYS:PUBLIC directory at this time.

Installing NCP Packet Signature on the DOS and WINDOWS workstations.
--------------------------------------------------------------------

The following procedures for DOS and Windows workstations can be used for NetWare v3.11, v2.2 and v2.15c environments.

Copy the SECDOS.EXE self-extracting ZIP file to a work directory on the network or your hard drive.
Go to the work directory and type

   SECDOS [:]

This unZIPs the files.

New drivers included:
---------------------

Some updated ODI drivers have been included. They use Ethernet frame type 802.2 by default. These are:

   NE1000.COM
   NE2000.COM
   NE2.COM
   NE2_32.COM (NOTE: This driver name replaces the old NE2-32.COM).

To configure these drivers to run Ethernet frame type 802.3, make the following changes to the NET.CFG file: Add the line

   FRAME ETHERNET_802.3

into the LINK DRIVER section.

DOS Workstations
----------------

Copy the appropriate file to each workstation's boot disk from the work diskette.

If the workstation uses    Copy this file
--------------------------------------------
Conventional memory        NETX.EXE
Expanded memory            EMSNETX.EXE
Extended memory            XMSNETX.EXE
Packet burst               BNETX.EXE

NOTE: If *NETX.COM files reside in the same directory as *NETX.EXE files, rename or remove the *.COM files to make the *.EXE files effective.

Add the following parameter to the NET.CFG file of each workstation:

   signature level = [number]

Replace [number] with 0, 1, 2, or 3. The default is 1.

To automatically update the NETX.EXE file for all workstations, copy the NETX.EXE file to SYS:PUBLIC and add the following line to the system login script:

   #WSUPDATE SYS:PUBLIC\NETX.EXE ALL_LOCAL:NETX.EXE

For more information on using WSUPDATE, see pages 515-519 in "NetWare Version 3.11 Utilities Reference."

Windows Workstations
--------------------

Copy the files listed below to the WINDOWS/SYSTEM directory of each workstation's boot disk:

   NETWARE.DRV
   VNETWARE.386
   NWPOPUP.EXE
   VIPX.386

You can use WSUPDATE to automatically copy the new files to several workstations. For more information on using WSUPDATE, see pages 515-519 in "NetWare Version 3.11 Utilities Reference."

Add the following parameter to the NET.CFG file of each workstation:

   signature level = [number]

Replace [number] with 0, 1, 2, or 3. The default is 1.

New Parameter for Windows on the Network
----------------------------------------

A new NET.CFG parameter for packet signing is available for workstations that load Windows from the network and run in enhanced (386) mode:

   sign 386 mode = [number]

Replace [number] with 0, 1, or 2. The default is 1, which disables interrupts and preserves the 386 32-bit registers. Choose 0 to enable interrupts at this workstation. Choose 2 to force 16-bit signing at this workstation.

NOTE: The new NETX shell can detect workstation type (16- or 32-bit) and automatically adjust to 16- or 32-bit code.

Installing NCP Packet Signature on the OS/2 Workstations.
---------------------------------------------------------

The following procedures for OS/2 workstations can be used for NetWare v3.11, v2.2 and v2.15c environments. NCP packet signature requires OS/2 version 2.0.

Copy the file SECOS2.EXE (self-extracting ZIP file) to a directory on the network or your local hard drive. Change to that drive and make the directory containing SECOS2.EXE your current directory.

Format a high-density 5-1/4" or 3-1/2" diskette and give it a volume name of REQUESTER by using LABEL (provided with the client operating system).

Run SECOS2.EXE as follows (where X: is the drive letter of the formatted REQUESTER diskette).

   "SECOS2 -D X:"

This procedure unZIPs the update files onto the floppy diskette in the correct directory structure.

Run the INSTALL program from the REQUESTER diskette and follow the instructions.

Add the following parameter to the NetWare Requester area of the NET.CFG file for each workstation:

   signature level [number]

Replace [number] with 0, 1, 2, or 3. The default is 1.

Enabling Packet Burst (optional)
--------------------------------

The packet burst loadable module, PBURST.NLM, must be loaded on NetWare v3.11 servers in order for NCP packet signature to work. However, using the packet burst protocol to transfer data between servers and clients is optional.

Packet burst is a protocol built on top of IPX that speeds the transfer of multiple-packet NCP reads and writes. The packet burst protocol eliminates the need to sequence and acknowledge each packet. With packet burst, the server or client sends a whole set (or burst) of packets before it requires an acknowledgment.

By allowing multiple packets to be acknowledged, the packet burst protocol reduces network traffic. The packet burst protocol also monitors dropped packets and retransmits only the missing packets.

The NetWare server requires the PBURST.NLM to be loaded in order to transfer data in packet bursts. For a workstation to send and receive packet burst data, it requires the BNETX.EXE file and a new parameter in its NET.CFG file.

NOTE: The packet burst protocol is not supported by expanded memory or extended memory workstation shells, or by OS/2 workstations.

Use this procedure to enable DOS workstations to send and receive packet burst data.

1.  Replace the existing workstation shell with the BNETX.EXE file.

2.  Edit the NET.CFG file to include the following parameter:

       PB BUFFERS=x

    Replace x with the number of packet burst buffers. The faster the CPU, the higher the number should be. The limits are 0 to 10. Novell recommends a setting of 2. The packet burst protocol adjusts the buffers automatically for optimum performance.

To disable packet burst on a workstation, omit the PB Buffers parameter from its NET.CFG file, or set the PB Buffers to 0.

Changing the Signature Level for CLIB NLMs
------------------------------------------

If you are running NLMs that require access to remote servers, you will need to concern yourself with the signature level for CLIB and/or specific NLMs. The signature level for NLMs can be viewed in a similar light to the signature level in the DOS shell -- it deals with the client-side of the NCP connection. The NLM security level correlates to the "Client Level" in the tables shown earlier in this document.

NLMs that use CLIB are assigned a default NCP packet signature level of 1. The NCP signature only applies to NLMs that make NCP requests to remote servers; NLMs that make NCP requests to the local server, the server the NLM was loaded on, are not affected.

For example, if you load a Print Server on a server, and this print server services print jobs residing on queues on remote file servers, and the remote file servers require packet signing, you'll need to make sure your print server is loaded with the correct signature level set. See the section titled "Packet Signature for All CLIB NLMs" below to learn how to change the default signature level, and why you'd want to.

Caveats in Using CLIB v3.11d
----------------------------

The version of CLIB.NLM that is included in this release is 3.11d.

Do not use CLIB v3.11d on a server running Novell's global messaging software if the NGM is version 1.0a or 1.0b. Contact Novell for a later version of NGM.

If you are using NetWare for NFS version 1.2 Rev A, install patch PTF-F113 before you load CLIB. This patch is available in the NOVLIB area on NetWire, library 8, and it is called NFS113.EXE. If this error message appears when you load the patch, the patch is unnecessary:

   Inverted file found, no update can be done

If you are using DAL Server (DALSVR), install patch PTF-A-131 before you load CLIB. This patch is available in the NOVLIB area on NetWire, library 7, and it is called SQL30.EXE.

PATCH311.NLM
------------

You no longer need to load PATCH311.NLM if you are using CLIB v3.11d. If you are using an NLM that autoloads PATCH311.NLM, we have included a dummy version of the file. You installed it into SYS:SYSTEM when the SECSYS.EXE file was extracted.

Packet Signature for All CLIB NLMs
----------------------------------

To change the packet signature level for all NLMs that use CLIB, use the following command format when you load CLIB:

   LOAD CLIB /L

Replace with 0, 1, 2, or 3. The default is 1.

NOTE: To make sure CLIB uses the correct signature level when it is automatically loaded by other NLMs, put the above command in the AUTOEXEC.NCF file.

Packet Signature for One NLM
----------------------------

To change the packet signature level for a single NLM, use the following command format when you load the NLM:

   LOAD loadable_module [optional module parameters] (CLIB_OPT)/L

Replace with 0, 1, 2, or 3. The default is 1. For example,

   LOAD PSERVER MYPRINTSERVERNAME (CLIB_OPT)/L3

CLIB NLM Warning
----------------

Warning: If you are using the API NWSendNCPExtensionRequest() to send to a remote server and packet level security is being used (i.e., when the packet level is being signed), the server may ABEND. If you need to use this API in development, or if an application on your server uses this API, you will need to obtain the next revision of CLIB which will eliminate this problem.

Large Internet Packet parameters:
---------------------------------

The security release also includes a Large Internet Packet feature which allows the server and the client to negotiate for the largest packet size across a wide area network. This service may be turned off by adding the following parameter to the NET.CFG file at the workstation:

   LI PACKETS=OFF

This service may also be turned off at the server by using the settable parameter:

   SET ALLOW LIP = OFF

(the default is ON).

NOTE: When using SNA links, LIP should be turned off both at the client and the server.

Packet Signature Considerations for Job Servers
-----------------------------------------------

Network supervisors should be aware that some job servers do not support NCP packet signature. A job server may produce unsigned sessions if:

* It does not operate on top of DOS
* It does not use standard NetWare shells
* It is not an NLM
* It uses its own implementation of the NCP engine (such as embedded print servers in printers).

Minimizing Risks
----------------

To minimize security risks associated with job servers:

* Install queues only on servers with signature level 3.
* Do not allow privileged users to put jobs in queues on servers with signature levels below 3.
* Make sure the job server's account is unprivileged.
* Disable the job server's ability to change to client rights.

Disabling Change to Client Rights
---------------------------------

To prevent a job server from assuming the rights of a client, put the following new SET command in the server's AUTOEXEC.NCF file:

   SET Allow Change to Client Rights = OFF

The default is ON, because certain job servers and third-party applications cannot function without changing to client rights.

Troubleshooting Tips
--------------------

This section describes some solutions to problems that may be associated with using NCP packet signatures.

Clients Cannot Log In
---------------------

Make sure the old *.COM shells are renamed or removed from the directory where the new *.EXE shells reside.

Make sure the packet signature levels on the server and the client are correct. The following situations do not allow logging in:

* Server packet signature = 3, client signature = 0
* Server packet signature = 0, client signature = 3
* Utilities are old and do not support packet signature
* Shells or requesters are old and do not support packet signature

"Error Receiving From the NetWork" Appears
------------------------------------------

The client is using an old utility, such as LOGIN.EXE file that does not include NCP packet signature. Make sure the new LOGIN.EXE and other new utilities are installed on all servers on the network.

Third-party NLMs Do Not Work
----------------------------

If the SET parameter Allow Change to Client Rights is turned OFF, some third-party NLMs may not function. Turn this parameter ON.

Unsecure Clients Log In to Secure Server
----------------------------------------

The clients are using an old LOGIN.EXE file that does not include NCP packet signature. Set the server security level to 3 and make sure the new LOGIN.EXE and other new utilities are installed on all servers on the network.

Add a preferred server statement to the NET.CFG file for all clients that have access to secure servers (level 3).

Network Security Guidelines
---------------------------

In addition to installing NCP packet signature, network supervisors can use other NetWare security features and protective measures to keep their network data secure. The following security guidelines are suggested:

* Use only the most current versions of system software, client software, and patches.
* Regularly check for viruses.
* Use the SECURITY utility to detect vulnerable access points to the server.
* Lock NetWare servers in a secure room.
* Issue the SECURE CONSOLE command from the NetWare console. The system will only load NLMs from SYS:SYSTEM.
* Select "Lock File Server Console" from the MONITOR main menu when the NetWare console is not in use.
* Always use a password different from the SUPERVISOR password for RCONSOLE.
* Limit the number of users with SUPERVISOR rights.
* Log in as SUPERVISOR as little as possible.
* Use access control features in NetWare to limit users to necessary applications and data.
* Enable intruder detection and lockout.
* Advise users to log out when their workstations are unattended.
* Secure unattended workstations.
* Require passwords of at least five characters on all accounts.
* Force password changes at least every three months.
* Require unique passwords.
* Limit the number of grace logins.
* Limit concurrent connections.
* Enforce LOGIN time restrictions and station restrictions.
* Train users and administrators on the use of NetWare security features.