Bugtraq mailing list archives

Re: NMRC Advisory - Default NDS Rights


From: randy () INTER-CORPORATE COM (Randy Richardson)
Date: Sun, 20 Sep 1998 01:26:23 -0800


> First of all, simply displaying login IDs or their context is not
> necessarily a security risk (millions disagree, I know, but it's not the
> real risk), provided all other aspects of the security system are intact.
> What IS a risk is faulty passwords (ie blank, easily guessed, never expire,
> etc).  In this case, the real risk is the carelessness of the administrator,
> not a flaw with the system.

Using the "Intruder Lockout" functionality will reveal when someone tries to
hack into an account.

> What you're suggesting here is not really a fix, rather it is a removal of
> necessary functionality needed by "trusted" users of a Novell network.  In
> fact, Novell has said that it is widely known that, if the presence of CX or
> NLIST poses some paranoia in your environment, you should delete these
> utilities from SYS:LOGIN, not modify the rights structure of the NDS tree.
> (I happened to learn this in training but others will more than likely
> concur).  A non-logged in connection NEEDS read access to containers in
> order to set their starting context as well as walk the tree if the default
> context is not correct.  By virtue of READ being on the container, all
> objects in that container can be displayed.  It's a judgement call whether
> or not this poses any *real* threat.

Anybody can easily get a copy of CX and NLIST, so removing the Browse right in
the NDS tree is a more effective solution.  Removing CX and NLIST is only going
to stop novice hackers who will probably try the brute force method of attack
(guessing passwords) anyway (which "Intruder Lockout" will handle very
effectively).

> Besides, just to get access to the SYS:LOGIN directory itself is quite a
> tough trick.  Unless *all* routers along a given path are running IPX or the
> site is running Netware IP, it would take some pretty nifty talent to even
> get to the LOGIN directory.  Of course, you can never prevent the internal
> threat.

If a network administrator logs into FTP or uses some other internet service
that utilizes clear-text passwords, someone viewing packets in between will
have instant access to SYS:LOGIN if an FTP server NLM (NetWare Loadable Module)
is running on the server, and that same user is authorized to use FTP.

> -- dcc --
> --------------
> [NDS for NT Project Manager at Novell]: "We've got some good news and some
> bad news for you:  The good news is, we don't mess with NT security.  The
> bad news is....We don't mess with NT security..."
> [Snip]

Randy Richardson - randy () inter-corporate com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
http://www.inter-corporate.com/

Attend the Pacific Coast Computer Fair - http://www.pccfa.org/
