The following subsections provide a summary of security-related recommendations for NetStorage:
Access control to the registry is enforced by the operating system.
On Windows (any version), each key in the registry can carry its own ACL (access control list). Windows checks whether the calling thread's access token grants the requested rights (read, write, or modify) on the key being accessed and returns success or an access-denied status accordingly.
On NetWare, local access to the registry is a trusted operation: any NLM™ running on the server is allowed access. The registry on NetWare is therefore only as well protected as the server's control over which NLMs get loaded.
On Linux, XTier implements its own registry based on XFLAIM, and the database is reached through UNIX domain sockets. Only XTier's registry user (novlxregd) and group (novlxtier) have access to those sockets; the control is the ordinary file system permission on the socket files. For a process to reach the registry, the user it runs as must be a member of the novlxtier group. Adding a user to a group is a privileged operation that only an administrator can perform.
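The Linux control described above is nothing more than file system permissions on the socket files, so it can be audited like any other file permission. The following Python is an added example (it is not NetStorage or XTier code): it creates a throwaway UNIX domain socket, checks its owner, group and mode bits the way you would check the real registry sockets, and shows a world-accessible setting, an owner-only setting that locks the group out, and the hardened owner-plus-group setting side by side. The socket file name used in demo() is an assumption; the user and group names come from the text above, and demo() substitutes the current account's names so that it runs without root.

```python
"""Audit the file-system permissions that guard XTier's registry sockets on Linux.

Added example, not part of NetStorage or XTier.  The socket file name used in
demo() and the exact permission bits are assumptions; the user and group names
come from the documentation."""
import grp
import os
import pwd
import socket
import stat
import tempfile

REGISTRY_USER = "novlxregd"    # per the documentation
REGISTRY_GROUP = "novlxtier"   # per the documentation


def user_name_of(path):
    st = os.stat(path)
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def group_name_of(path):
    st = os.stat(path)
    try:
        return grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_gid)


def audit_socket(path, expected_user=REGISTRY_USER, expected_group=REGISTRY_GROUP):
    """Return a list of findings for one registry socket; an empty list means OK.

    Connecting to a UNIX domain socket needs write permission on the socket
    file, so the registry group must have write access and nobody else may."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a UNIX domain socket")
    if user_name_of(path) != expected_user:
        findings.append("owned by user %s, expected %s" % (user_name_of(path), expected_user))
    if group_name_of(path) != expected_group:
        findings.append("owned by group %s, expected %s" % (group_name_of(path), expected_group))
    if mode & stat.S_IRWXO:
        findings.append("world-accessible (mode %04o): any local user can reach the registry" % mode)
    if not mode & stat.S_IWGRP:
        findings.append("group %s cannot connect (mode %04o)" % (expected_group, mode))
    return findings


def user_in_group(username, groupname):
    """True if username has groupname as its primary or a supplementary group."""
    try:
        pw = pwd.getpwnam(username)
        gr = grp.getgrnam(groupname)
    except KeyError:
        return False
    return pw.pw_gid == gr.gr_gid or username in gr.gr_mem


def demo():
    """Create a throwaway socket and audit it under three permission settings."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "xregd.sock")   # assumed name, not XTier's real path
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    try:
        me, my_group = user_name_of(path), group_name_of(path)
        results = {}
        for label, bits in (("weak", 0o666), ("owner_only", 0o600), ("hardened", 0o660)):
            os.chmod(path, bits)
            results[label] = audit_socket(path, expected_user=me, expected_group=my_group)
        return results
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

On a real server, call audit_socket() on each registry socket with the defaults, and use user_in_group() to confirm that only the accounts that are supposed to talk to the registry are in novlxtier; any extra member of that group has the same access to the registry as XTier itself.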
WARNING: Do not store security-sensitive information in the registry. In particular, passwords and other secrets must not be stored there unless they are protected by strong encryption.
NMAS™ login is designed to be more secure than NDS4. You should enable NMAS login for eDirectory users and enable the corresponding setting in NetStorage.
Without SSL, all traffic between the client (browser or WebDAV client) and the Web server is in the clear. Anyone who can observe the traffic can read all of the data, including the authentication data. This matters most when the Basic authentication scheme is used: Basic only base64-encodes the user name and password, so an observer recovers the credentials directly. Using SSL provides confidentiality for all data traffic between the workstation/client and the Web server.
Session cookies are valid only for the duration of the browser/client session. After all browser windows are closed, the browser discards them, and a new instance of the browser has no knowledge of previously set session cookies.
Persistent cookies carry an expiration date/time (an Expires or Max-Age attribute) and remain valid until then. They are written to persistent storage (usually the file system), so later instances of the browser pick them up. A persistent cookie that carries an authentication token therefore outlives the session in which it was issued.
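The two points above (what an observer sees in cleartext Basic authentication, and how a session cookie differs from a persistent one) can both be checked on a captured exchange. The following Python is an added example, not NetStorage code: it recovers the Basic credentials from a constructed plain-HTTP WebDAV request, then classifies each Set-Cookie header in a constructed response as session, persistent, or expired (a server deleting a cookie), applying the rule that Max-Age takes precedence over Expires, and reports whether each cookie carries the Secure attribute. The request, response, host name, cookie names, and credentials are all constructed for the demonstration.

```python
"""Inspect a captured cleartext HTTP exchange with a NetStorage server.

Added example, not NetStorage code.  The request, response, cookie names and
credentials below are constructed for the demonstration."""
import base64
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: a WebDAV client authenticating with Basic over plain HTTP.
CAPTURED_REQUEST = (
    "PROPFIND /NetStorage/ HTTP/1.1\r\n"
    "Host: netstorage.example.com\r\n"
    "Authorization: Basic YWxpY2U6UEBzc3cwcmQ=\r\n"
    "\r\n"
)

# Constructed capture: the server's reply, setting three kinds of cookie.
CAPTURED_RESPONSE = (
    "HTTP/1.1 207 Multi-Status\r\n"
    "Set-Cookie: xtier-session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: xtier-prefs=compact; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/\r\n"
    "Set-Cookie: xtier-old=; Max-Age=0; Path=/\r\n"
    "\r\n"
)


def headers(raw):
    """Yield (name, value) pairs from the header block of a raw HTTP message."""
    for line in raw.split("\r\n")[1:]:      # skip the request/status line
        if not line:
            break                           # blank line ends the headers
        name, _, value = line.partition(":")
        yield name.strip().lower(), value.strip()


def recover_basic_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None.

    Basic only base64-encodes 'user:password'; anyone who sees the bytes on
    the wire reverses this without any key."""
    for name, value in headers(raw_request):
        if name == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
                return user, password
    return None


def classify_cookie(set_cookie_value, now=None):
    """Classify one Set-Cookie value as session, persistent or expired.

    Max-Age takes precedence over Expires (RFC 6265 section 4.1.2.2); a cookie
    with neither attribute lives only until the browser session ends."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    expires = None
    if "max-age" in attrs:
        try:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass                            # malformed Max-Age is ignored, as browsers do
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            expires = None                  # unparsable date: treat as a session cookie
        if expires is not None and expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)

    if expires is None:
        kind = "session"
    elif expires <= now:
        kind = "expired"                    # the server is telling the browser to delete it
    else:
        kind = "persistent"
    return {"name": name, "kind": kind, "expires": expires, "secure": "secure" in attrs}


def classify_response_cookies(raw_response, now=None):
    return [classify_cookie(v, now) for n, v in headers(raw_response) if n == "set-cookie"]


if __name__ == "__main__":
    print("credentials on the wire:", recover_basic_credentials(CAPTURED_REQUEST))
    for c in classify_response_cookies(CAPTURED_RESPONSE):
        print(c["name"], c["kind"], "Secure" if c["secure"] else "also sent over plain HTTP")
```

Run against a real capture, the credential function either returns the password (the server is exposed over plain HTTP with Basic) or None; the cookie classification tells you which tokens survive a browser restart and which would be transmitted in the clear because they lack the Secure attribute.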
For more information about cookies, see Persistent Client State HTTP Cookies.
You should check the Web server logs frequently for security-related information, for example repeated authentication failures from one client address, or request methods and paths you do not expect.
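One concrete thing to look for in those logs is a client that fails authentication repeatedly and then succeeds, which is what password guessing against Basic authentication looks like from the server side. The following Python is an added example, not part of NetStorage or XTier: it parses Apache common/combined-format access-log lines, groups them per client address, reports any client with at least a threshold number of 401 responses inside a time window, and notes whether a 2xx response from the same client followed the burst. The log lines are constructed, and the threshold and window are assumptions to tune for your site.

```python
"""Scan Web server access-log lines for authentication-guessing activity.

Added example, not part of NetStorage or XTier.  The log lines are
constructed in Apache common format; the threshold and window are
assumptions to tune for your site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client fails five times in ten seconds and then
# succeeds; another client mistypes once and then succeeds (normal use).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "GET /NetStorage/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /NetStorage/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /NetStorage/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Mar/2024:10:01:07 +0000] "GET /NetStorage/ HTTP/1.1" 401 381
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /NetStorage/ HTTP/1.1" 401 381
203.0.113.7 - admin [12/Mar/2024:10:01:11 +0000] "GET /NetStorage/ HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "PROPFIND /NetStorage/ HTTP/1.1" 401 381
192.0.2.10 - bob [12/Mar/2024:10:02:04 +0000] "PROPFIND /NetStorage/ HTTP/1.1" 207 2048
"""

# Common log format; trailing referer/user-agent fields (combined format) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line; return a dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def find_auth_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Report clients with at least `threshold` 401 responses inside `window`,
    and whether a 2xx from the same client followed the burst (a guess that
    may have succeeded, with the user name the server logged for it)."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["status"] == 401]
        for i in range(len(failures)):
            j = i                                   # widen the window from failure i
            while j + 1 < len(failures) and failures[j + 1]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                end = failures[j]["ts"]
                later_ok = [e for e in events if e["ts"] > end and 200 <= e["status"] < 300]
                findings.append({
                    "ip": ip,
                    "failures": j - i + 1,
                    "first": failures[i]["ts"],
                    "last": end,
                    "success_after": bool(later_ok),
                    "user": later_ok[0]["user"] if later_ok else None,
                })
                break                               # one finding per client is enough
    return findings


if __name__ == "__main__":
    for f in find_auth_bursts(SAMPLE_LOG.splitlines()):
        print("%(ip)s: %(failures)d failures %(first)s..%(last)s, "
              "success afterwards: %(success_after)s (user %(user)s)" % f)
```

Feed the function the lines of the Apache (or IIS, after converting the format) access log, for example with open(path) as f: find_auth_bursts(f). A burst followed by a success for a privileged account is the case to treat as an incident rather than as noise.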
See Enable Debug Logging in IDM 6.5 and 7 for information on how and when to use XTLog.
Although the information refers to the ZENworks® Middle Tier Server, it also applies to other XTier applications such as NetStorage.
Application developers should be aware of the possibility of denial-of-service attacks; this is true of any Web-based application. For example, if a DoS attack can be mounted against Apache or IIS, every XTier-web application is affected, because XTier-web runs as a module (or extension) of Apache and IIS.
For instructions on setting up trusted roots in CAPI, see Trusted Root Certification Authority Policy.
The NetIdentity client places a registry setting on the client workstation that allows a connection to be made without certificate validation. If you are using NetIdentity, do not use that setting: without validation the client accepts a certificate from any server, so anyone who can intercept the connection can impersonate the NetStorage server. For more information, see Setting Up NetIdentity Authentication in the Novell ZENworks 7 Desktop Management Installation Guide.