Novell FAQ -- Section D -- D. NOVELL Security, passwords, etc.

Novell Security, passwords, etc.

The first rule of security is to physically secure the file server. Without physical security, there is no security - no OS in the world will fix this.
Another important principle is to keep up to date on patches/service packs for your server, client OS, and NW client s/w. Often these patches contain important security fixes.
RCONSOLE sends all information, including passwords, in clear text. Don't use RCONSOLE over the network, you're at the mercy of anyone with a packet sniffer.
Many would recommend that all passwords be written down, sealed in an envelope, and put in a safety deposit box or vault, etc. for emergencies. This provides insurance against you forgetting a password, and also protects your employer in the case that you suddenly aren't available. (i.e. win the lotto, get run over by a cement truck, etc etc.) Obviously this is only useful if the passwords are kept up to date.
In a similar vein, every NDS tree should have a backup admin account. Create a new account with a strong password, and give it full rights to the [ROOT] of the tree. Don't just make this account security equivalent to admin - if admin is deleted, then your backup account would lose it's rights.
Simple Nomad maintains an excellent NetWare Hack FAQ at http://www.nmrc.org. His step by step instructions on breaking into a NW server provide the administrator with a convenient checklist of holes to plug. This same page also includes information about "Pandora", an NDS reverse engineering effort. Very educational, for the admin as well as the cracker.

D.2 What to do if you've lost your SUPERVISOR password. (NW 2.x & 3.x)

Panic. :-) In fact there are several options you can try.

SETSPASS.NLM, available via anonymous ftp from netlab2.usu.edu in misc or:

ftp://ftp.zennet.com/pub/netware/

[Thx S.R.#2]

allows you to change the SUPERVISOR password from the server console, as long as you know the serial number of your copy of Netware.

SETPWD.NLM, which doesn't require that you have the serial number, is located in the same directory.

LASTHOPE.NLM renames the 3 files NET$*.OLD to NET$*.TMP, and it renames the live bindery files NET$*.SYS to NET$*.OLD.

	ftp://netlab2.usu.edu/sys/anonftp/apps/lasthope.zip

This effectively deletes the bindery, so you can log on to the server next time as SUPERVISOR with no password. This is truly a LAST HOPE if the bindery is irredeemable, as the bindery will have to be rebuilt manually, unless something can be done with the .OLD or .TMP files, or a backup.

[Thx Michael Salem]

If you have some unallocated disk space on the server you could create a new SYS: volume on that. This will create a new bindery as well as LOGIN, SYSTEM, PUBLIC and MAIL directories. However it is a bit drastic.

Alternatively, *FOR NETWARE 2.X SERVERS ONLY*, you can try the following:

  1.  Bring the server down.
  2.  With some disk sector editing software (Norton Disk Edit for
      example) find the directory tables.
  3.  Change the name of files NET$VAL.SYS, NET$PROP.SYS, NET$OBJ.SYS
      to something else (preferably NET$VAL.OLD etc.)
      After that all user definitions will be deleted.
  4.  Bring the file server back up.
  5.  Login as supervisor (at that time you will need no password)
  6.  Find changed files in SYSTEM directory (they have attributes
      hidden, system), change their attributes to normal and
      be sure that they have extension ".OLD"
  7.  Run BINDREST program to get your original user definitions back.
      Now, you will have all your users including supervisor with
      their old definitions and passwords, but you are already in as
      supervisor and so you can change your password to anything you like.

Note: It appears that in NetWare 2.x there are only two bindery files. For more information on this see the Hacking Netware FAQ at:

http://www.nmrc.org/faqs/netware/index.html

[Thx S.M.D. and Simple Nomad]

You can also try to use your sector editor to edit the names used for the bindery files in SERVER.EXE. Unlike the previous NETWARE 2.X ONLY method, this has the advantage of not damaging the directory tables if things go wrong. Try the following steps:

  1.  Bring the server down.
  2.  Make a backup copy of SERVER.EXE.
  3.  With some disk sector editing software (Norton Disk Edit for
      example) change the name of files NET$VAL.SYS, NET$PROP.SYS,
      NET$OBJ.SYS where they occur in SERVER.EXE to something else
      (preferably TMP$VAL.SYS etc.)
  4.  Bring the file server back up.
  5.  Login as supervisor (at that time you will need no password)
  6.  Find changed files in SYSTEM directory (they have attributes
      hidden, system), change their attributes to normal and
      be sure that they have extension ".OLD"
  7.  Bring the server down again.
  8.  Restore your backed-up SERVER.EXE and reboot.
  9.  Run BINDREST program to get your original user definitions back.
      Now, you will have all your users including supervisor with
      their old definitions and passwords, but you are already in as
      supervisor and so you can change your password to anything you like.

There is a program called BURGLAR that is designed to break passwords at:

ftp://ftp.rhij.nl/cyco/burglar.nlm

Note: BURGLAR creates a tempory user that is incomplete. Log in under this users name (and remove the account after use). BURGLAR was written by Bart Mellink from Cyco.

http://www.cyco.nl

There is additional information in the Hacking Netware FAQ at:

http://www.nmrc.org/faqs/netware/index.html

[Thx S.M.D. and Simple Nomad]

D.3 What to do if you've deleted your ADMIN account. (NW 4.x & 5.x)

As far as I know you have 4 choices...

You can just live with it. Probably not a good choice, but it IS cheap.
You can recreate the server from the last backup. A bad choice since data changed since the last backup will be lost. And it will cost a lot of downtime, or overtime, or both.
You can call Novell, and for $200 they will help you create a new Admin account. What they help you do will work once, right then. If your admin does it again, you're out another $200.
You can surf over to http://www.dreamlan.com and look for their makesu utility. It will let you create a new admin account, or elevate an existing account to admin status. It costs $100, you will have to prove you have the right to do work on the LAN in question, and it will only work in the tree you tell them you are working on. Moreover, the NLM will only run from a floppy. But... it will work again and again. A cool utility.

[Thx Mike Avery]

D.4 What to do if you've locked yourself out of the console (NW 3.x & 4.x)

For NetWare 3.x, you can use the SUPERVISOR password to unlock the screen saver.

If you're running NW4.x the hidden SUPERVISOR account's password will unlock the screen saver. The SUPERVISOR password will be whatever password was originally given to NDS when the server was installed into the tree.

If (like most of use) you don't know this password, get yourself a copy of SYSCON, and use it to reset the SUPERVISOR password on the server, and then use that password to disable the screen saver.