##########################################################
#
# Version: 1.01
# Date:	  May 14, 1997
#
# This NetWare script file, SECURE.NCF, is the enhanced
# security options configuration file.  It chooses the
# options that are required to run NetWare in the trusted
# configuration, which is designed to meet the US Class
# C2 security criteria and the European Class F-C2/E2
# security criteria.
# 
# Enhanced security options not required for the trusted
# configuration (not required by C2 and European Class
# F-C2/E2 standards) are also included in this file but are
# commented out. More information regarding enhanced
# security options may be found in the Enhanced Security
# Server Administration manual.
# 
# The server may be configured to automatically execute
# this configuration file during server boot after the
# execution of AUTOEXEC.NCF.  This can be done by setting
# the set parameter "Enable SECURE.NCF" to ON.  This can
# be done from SERVMAN (Server parameters/Miscellaneous
# menu) or in either AUTOEXEC.NCF or STARTUP.NCF.  This
# configuration file can also be executed from the NetWare
# Console command line.
#
# Each of the SET parameters in this file (SECURE.NCF) can
# be set individually from the NetWare console command line,
# from SERVMAN, or in AUTOEXEC.NCF.
#
# SECURE.NCF may be modified using EDIT.NLM or another
# ASCII editor.  The file is stored in the SYS:/SYSTEM
# directory.
#
# The following commands are required for the trusted
# configuration.  Refer to the Utilities Reference manual
# for more information about each of these commands.
#
# The following command configures the server to disallow
# the use of unencrypted passwords.  The default value is
# OFF. The trusted configuration value is also OFF.
# 
      SET Allow Unencrypted Passwords = OFF
# 
# The following command configures the server to disallow
# the use of passwords to identify auditors.  The default
# value is OFF.  The trusted configuration value is also
# OFF.
# 
      SET Allow Audit Passwords = OFF
# 
# The following command configures the server to
# automatically run VREPAIR when a volume fails to mount. 
# The default value is ON. The trusted configuration
# value is also ON.
# 
      SET Automatically Repair Bad Volumes = ON
# 
# The following command configures the server to reject
# NCP packets that fail boundary checking.  Older client
# utilities may fail if this SET parameter is set to ON. 
# The default value is OFF. The trusted configuration
# value is ON.
# 
      SET Reject NCP Packets with bad lengths = ON
# 
# The following command configures the server to disallow
# replication of NetBIOS broadcast packets. The default
# value is 2. The trusted configuration value is 0.
# 
      SET IPX NetBIOS Replication Option = 0
# 
# The following command configures the server to reject
# NCP packets that fail component checking.  Older client
# utilities may fail if this set parameter is set to ON. 
# The default value is OFF.  The trusted configuration
# value is ON.
# 
      SET Reject NCP Packets with bad components = ON
# 
# The following command configures NetWare Directory
# Services to perform access control checks which are
# not backwards compatible with previous versions of 
# NetWare Directory Services.  The default value is OFF.
# The trusted configuration value is ON.
# 
      SET Additional Security Checks = ON
# 
# The above commands are required for your server to be
# in the trusted configuration, designed to meet the
# Class C2 criteria and the Class F-C2/E2 criteria.
# 
#########################################################

  
######################################################### 
# 
# The following commands provide additional enhanced
# security options that are not required to meet the
# Class C2 criteria and the Class F-C2/E2 criteria.
# These have been commented out but may be enabled by
# removing the comment symbol (# ) from the beginning of
# the line.  EDIT.NLM or another ASCII editor may be used
# to edit this file.  For more information about each of
# these commands refer to the Utilities Reference manual.
# 
# The following command configures NetWare Directory
# Services to enforce the checking of the Equivalent To
# Me attribute during authentication.  DSREPAIR must be
# used to synchronize the Equivalence attribute and the
# Equivalent To Me attribute if the Check Equivalent to
# Me parameter is set to ON.  Setting this parameter to
# ON will also adversely affect the authentication
# performance.  The default value is OFF. For enhanced
# security the value may be set to ON. 
# 
#      SET Check Equivalent to Me = ON
# 
# The following command configures the server to reject
# NCP packets that are not signed and to sign all reply
# packets.  Setting this parameter to 3 will adversely
# affect the communication performance of the server. 
# The default value is 1, which signs NCP packets only if
# required by the client.  For enhanced security the
# value may be set to 3. 
# 
#      SET NCP Packet Signature Option = 3
# 
# The following command secures the NetWare server
# console in the following ways: it removes DOS paths
# from the search path; it allows only NLMs from the
# search path to be loaded; it disallows the setting of
# certain SET parameters; it prevents the server date and
# time from being changed; and it prevents keyboard entry
# into the operating system debugger.  This command does NOT
# remove the requirement that the server console be
# physically secured.  By default, SECURE CONSOLE is not
# invoked. For enhanced security SECURE CONSOLE may be
# invoked.
# 
#      SECURE CONSOLE
# 
# The above commands provide enhanced security options
# that are NOT required for your server to be in the
# trusted configuration -- to meet the Class C2
# criteria and the Class F-C2/E2 criteria.
#
###########################################################
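
An added example, not part of the original SECURE.NCF or any Novell tooling: a small auditor that reads the text of an NCF file and reports which of the seven settings required above deviate from the trusted configuration. It assumes that SET names are matched case-insensitively, that the last uncommented SET line wins, and that a missing SET line leaves the default stated in the comments above; the function names and the sample input are constructed for illustration.

```python
import re

# name -> (server default, trusted-configuration value), as stated in SECURE.NCF
SETTINGS = {
    "allow unencrypted passwords": ("OFF", "OFF"),
    "allow audit passwords": ("OFF", "OFF"),
    "automatically repair bad volumes": ("ON", "ON"),
    "reject ncp packets with bad lengths": ("OFF", "ON"),
    "ipx netbios replication option": ("2", "0"),
    "reject ncp packets with bad components": ("OFF", "ON"),
    "additional security checks": ("OFF", "ON"),
}

SET_LINE = re.compile(r"^\s*SET\s+(.+?)\s*=\s*(\S+)\s*$", re.IGNORECASE)

def active_settings(text):
    """Return {name: value} for uncommented SET lines (assumption: last wins)."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out options are not in effect
        m = SET_LINE.match(line)
        if m:
            name = " ".join(m.group(1).lower().split())  # normalise case and spacing
            found[name] = m.group(2).upper()
    return found

def audit(text):
    """List (name, effective value, required value) for each deviation."""
    found = active_settings(text)
    findings = []
    for name, (default, required) in SETTINGS.items():
        effective = found.get(name, default)  # assumption: absent means default
        if effective != required:
            findings.append((name, effective, required))
    return findings

# Constructed sample: one required line commented out, one set to its default.
SAMPLE = """\
      SET Allow Unencrypted Passwords = OFF
#     SET Reject NCP Packets with bad lengths = ON
      SET IPX NetBIOS Replication Option = 2
      SET Reject NCP Packets with bad components = ON
      SET Additional Security Checks = ON
"""
```

The result only reflects the file that was read; the comments above note that the same parameters can also be set from the console, SERVMAN or AUTOEXEC.NCF, so the running server still has to be checked separately.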