Last-modified: Sat Jul 22 1995
Version: 0.3 DRAFT
Frequently Asked Questions
This is a draft FAQ list for the comp.os.netware.security newsgroup.
It's intent is to provide answers to questions asked by those who are
merely interested in Novell NetWare, and also to provide help for
those who are concerned about security of their network.
I am not affiliated with Novell in any way, and I have taken it upon
myself to produce this FAQ. My experience with Novell NetWare is that
of a programmer and administrator, with a keen interest in computer
security. I don't hold any Novell qualifications.
At the moment, this FAQ is oriented towards Novell NetWare 2/3.
Please send any comments, contributions, or notification of errors to
Thanks to the following people for improvements or additions:
Fons Botman <firstname.lastname@example.org>
Bob Janacek <email@example.com>
Brian Flynn <BFLYNN.UNCSON@mhs.unc.edu>
Subject: TABLE OF CONTENTS
Section 1: Basic Information
1.01 - Where are passwords stored?
1.02 - Is the execute-only flag secure?
1.03 - Can a packet-sniffer capture passwords?
1.04 - Can the server be infected with a computer virus?
1.05 - What auditing functions does Accounting provide?
1.06 - What are trustees and trustee rights?
1.07 - What are groups?
Section 2: Software
2.01 - What is HACK.EXE?
2.02 - What is NOVELBFH.EXE?
2.03 - How do I use SECURITY?
2.04 - Vendor security addons
Section 3: Help
3.01 - How do I secure the server?
3.02 - I've lost the Supervisor password.
3.03 - I've deleted the user Admin.
3.04 - I've revoked my own rights from this subdirectory.
3.05 - Supervisor has been locked out.
Subject: Section 1: Basic Information
This section gives information on how Novell NetWare operates,
and explains some basic security concepts.
Subject: 1.01 - Where are passwords stored?
Passwords are stored in encrypted form in the NET$VAL.SYS bindery
file. It is not possible to decrypt passwords although brute force
crackers have been written which operate on the bindery.
The bindery files are stored in the SYS:SYSTEM directory, and
should not be accessible by any non-Supervisor user. The SECURITY
utility will detect excessive rights in SYS:SYSTEM.
Subject: 1.02 - Is the execute-only flag secure?
No. It is sufficient to prevent casual copying of executables, but
software exists which will allow any user to copy X flagged files.
The X flag cannot be removed from files, so it is is a good measure
against computer viruses. However, virus scanners cannot read X
flagged files, so infected X flagged files will be difficult to
Wolfgang Schreiber wrote a utility called X-AWAY, available from
ftp.novell.de, which enables a Supervisor equivalent user to copy
X flagged files. X-AWAY is deliberately crippled to prevent
non-Supervisor users from copying programs.
Subject: 1.03 - Can a packet-sniffer capture passwords?
Since Novell NetWare 3, passwords are sent to the server encrypted
using a hashing function. The three password functions (Login,
Change password, Verify password) have a pretty secure protocol,
such that the information gathered by packet sniffers cannot be
used to reconstruct the event or determine the password.
Some very old software use the NetWare 2 unencrypted password calls.
These can be captured and used, since these passwords are sent in
Packet sniffers can capture just about all other information that
is transmitted on the LAN. This includes telnet/ftp passwords, etc.
Subject: 1.04 - Can the server be infected with a computer virus?
Since the server does not run DOS, it is immune from file viruses.
They are vunerable to boot viruses, however, and these can be
avoided by not booting the server from floppy disks.
The server can be used to spread viruses, since workstations may
execute infected software from the server and thus infect local
hard disks, floppy disks, and so on.
If possible, do not allow users to have write access to the
executables on the server.
A number of anti-virus utilities exist for Novell NetWare, including
Dr Solomon's Anti Virus Toolkit, McAfee Associates's NETSCAN, and
Data Fellows Ltd's F-PROT Professional.
Subject: 1.05 - What auditing functions does Accounting provide?
Accounting is used to track logins and can be used to track (and
put limits on) use of server resources.
By default, accounting is not active. The supervisor must switch
it on using the SYSCON utility.
Subject: 1.06 - What are trustees and trustee rights?
A trustee is any user or group that has been granted access rights
in a directory.
The access rights in Novell NetWare 2 are slightly different from
the ones in NetWare 3.
The following is a summary of access rights for NetWare 3.
S - Supervisory. Any user with supervisory rights in a directory
will automatically inherit all other rights, regardless of
whether they have been explicitly granted or not. Supervisor
equivalent accounts will hold this access right in every
R - Read. Enables users to read files.
C - Create. Enables users to create files and directories. Unless
they also have write access, they will not be able to edit
files which have been created.
W - Write. Enables users to make changes to files. Unless they also
have create access, they may not be able to edit files, since
the write operation can only be used to extend files (not
truncate them, which file editors need to do).
E - Erase. Enable users to erase files and remove directories.
M - Modify. Enable users to modify file attributes.
F - File scan. Enables users to see file and directory information.
If a user does not have file scan rights, they will not see any
evidence of such files existing.
A - Access control. Enable user to change trustee rights. They
will be able to add other users as trustees, remove trustees,
and grant/revoke specific rights from users. The only caveat
of access control is that it is possible for users to remove
themselves (as trustees) from directories, thus losing all
In addition to trustees and access rights, there is a concept of
inherited rights which means that users inherit rights from parent
directories. For example, if user ALICE has rights [CWEM] in a
directory, and she has [RF] rights in the parent directory then
she will have [RCWEMF] rights as a result of the inherited rights.
This will only work if one of the rights that ALICE has in the two
directories is granted to a group; if both are granted to her, she
will lose the rights of the parent.
Subject: 1.07 - What are groups?
Groups are a object type which allows users to be grouped together
for various purposes. The main interest in this is to maintain
security, by granting access rights to groups instead of individual
By default, all users are in a group called EVERYONE. If you grant
[RF] to group EVERYONE in a directory, then every user in that group
will hold those rights in that directory.
Some software also makes use of groups (for example, Pegasus Mail
does not run if the user is in group NOMAIL).
Subject: Section 2: Software
This section describes the purpose and use of some software.
Subject: 2.01 - What is HACK.EXE?
HACK is a program, written at Leiden University in the Netherlands,
which exploits the lack of packet authentication in early versions
of NetWare 3. It enabled a user to pose as a more privileged client
by sending requests to the server with fake source addresses.
If SUPERVISOR is logged on, it attempts to send a single packet to
the server requesting it to add Supervisor-equivalency to the
account it is being run from.
Novell released updated versions of the server and client software
which would add packet authentication (using a feature called NCP
packet signatures). The software is available from ftp.novell.com.
NetWare 3.12 includes the updated software, but the administrator
still has to set the correct packet signature level on both server
With NCP packet signatures active, any attempt to forge packets
to the server will result in a message on the server console, in
the error log, and sent to the affected client.
Subject: 2.02 - What is NOVELBFH.EXE?
NOVELBFH, Novell Brute Force Hacker, is a program written by
DGE Alofs in Holland. It is a menu driven program that attempts
to crack accounts by using the verify password function and
trying various guesses for password.
The password checking is done using the unencrypted password call,
so this program can be rendered useless on NetWare 3 by disabling
the unencrypted password call at the server (this is the default).
Subject: 2.03 - How do I use SECURITY?
SECURITY is the standard security auditing utility, supplied with
NetWare. It is found in the SYS:SYSTEM directory, and needs to be
run by a Supervisor-equivalent user.
Subject: 2.04 - Vendor security addons
Administrators may be interested in products which are available
to improve network security. This section will eventually be a
list of such products. Please submit your product descriptions to
the FAQ maintainer.
STOPLIGHT LAN - StopLight LAN integrates with Netware to provide
network and workstation security enhancements. It provides
workstation access control, keyboard lock, trustee assignments
for local and network drives, file encryption, local drive
disable during network use, floppy drive disable, software
piracy prevention, central installation and management from
the network, Windows administration. 13K memory overhead
required. Download from http://www.safe.net/safety or
Subject: Section 3: Help
This section gives solutions to common problems.
Subject: 3.01 - How do I secure the server?
The most important rule is to lock the server console.
At least one method has been posted a couple of times which
explains how to switch off password verification using the
server internal debugger.
Anyone with console access can obtain supervisor access.
Place any useful NLMs in SYS:SYSTEM and then add the following
line to AUTOEXEC.NCF:
Disable use of unencrypted passwords. Either type the following,
or add it to the AUTOEXEC.NCF:
SET ALLOW UNENCRYPTED PASSWORDS OFF
If you have NCP packet signatures installed, add the following
line to AUTOEXEC.NCF:
SET NCP PACKET SIGNATURE OPTION = 3
Use a password different from the Supervisor password for RCONSOLE.
Load the MONITOR NLM and lock the console.
Remember that access to the backups is just as bad as access
to the server. Keep the backups secure too.
Some other suggestions:
Limit number of Supervisor accounts (not too many, but keep at
least one, unless using the SUPER utility described below).
Enable intruder detection and lockout.
Require unique passwords on all accounts.
Login as Supervisor as little as possible.
Use the SUPER.EXE program, written by Wolfgang Schreiber, which
will toggle instant supervisor-equivalency to a user. This isn't
a loophole, since some preparation has to be done on the accounts
which should be able to gain supervisor-equivalency, and those
accounts will be reported by the SECURITY utility.
SUPER is available from netwire (Look on ftp.novell.de or
Subject: 3.02 - I've lost the supervisor password.
The following method is used to obtain the supervisor account on
NetWare 2. It will work on NetWare 3, but there is an easier way
The following is fairly complicated, and is not recommended for
1. Reboot the server and load DOS.
2. Use a disk editor to examine the Novell partition and locate
the directory entries for the bindery files (NET$BIND.SYS and
3. Check for backup copies of the bindery with extension OLD (ie,
NET$BIND.OLD and NET$BVAL.OLD). If you find them, change their
extension to XXZ.
4. Change the SYS extension to OLD.
5. Restart the server. It will create a new bindery with SUPERVISOR
and GUEST accounts; both without passwords.
6. Login as SUPERVISOR and run BINDREST to restore the old bindery.
7. Change the SUPERVISOR password.
On NetWare 3, there are a number of NLMs which will reset the
supervisor password (SETPWD and SETSPASS) or create supervisor
equivalent accounts (BURGLAR). SETPWD is available by anonymous
ftp from netlab2.usu.edu.
In general, you should have at least one supervisor equivalent
account (see section 3.01).
Subject: 3.03 - I've deleted the user Admin.
This answer was provided by Mattman (firstname.lastname@example.org) in an
article posted on comp.os.netware.security.
If you don't have a backup, you can do two things:
1. Reinstall Directory Services. I would recommend this option only
if you don't have a lot of NDS objects and rights set up.
2. If you have another user with Admin or equivalent rights, it's
easy to recreate the Admin user object and give him the rights
he had before. Those rights would be:
Make him a trustee of [Root] and give him supervisory object and
Subject: 3.04 - I've revoked my own rights from this subdirectory.
A common mistake is to revoke your own access control rights in a
directory. If you have access control rights in a parent directory,
you can regain the access rights that you lost.
Example: If user ALICE has [RCWEMFA] in USR:ALICE/ but accidentally
revoked access control in the subdirectory PROJECTS (let's just
say she now has [RF] in USR:ALICE/PROJECTS/), she would not be
able to simply use grant to get the rights back because she has
To recover access control:
1. Check which groups you are in (or equivalent to).
2. Pick a group and grant access rights to that group in the parent.
GRANT A TO EVERYONE FOR USR:ALICE
3. You should now have access control in the subdirectory.
4. Remove the trustee which caused the problem.
REMOVE ALICE FROM USR:ALICE/PROJECTS
5. Remove the rights of the group from the parent directory.
REMOVE EVERYONE FROM USR:ALICE
Subject: 3.05 - Supervisor has been locked out.
If the Supervisor account cannot login due to intruder detection,
you can restore login status by entering ENABLE LOGIN at the server
console. This will only work for the SUPERVISOR account.
(end of FAQ)
Fauzan Mirza Dept of Computer Science DOS/NetWare/Linux
F.U.Mirza@shef.ac.uk University of Sheffield Programming/Security
[ Usenet FAQs | Web FAQs | Documents | RFC Index ]
Send corrections/additions to the FAQ Maintainer:
F.U.Mirza@sheffield.ac.uk (Fauzan Mirza)
Last Update March 27 2014 @ 02:11 PM