A.3 Security Recommendations

A.3.1 Securing NetStorage Installed Files From Unauthorized Access

Problem: Using a browser, it is possible to read the content of some of the installed NetStorage files (scripts, XML and XSL templates, configuration and certificate files) simply by requesting them directly.

Solution: Modify the Apache configuration for NetStorage so that those files are served only to requests that originate from the NetStorage pages themselves. The .html files are left viewable, since exposing them is not a security vulnerability.

Edit the Apache configuration file on the server where NetStorage is running:

On OES: Edit the /etc/opt/novell/netstorage/netstorage.conf file.

On NetWare: Edit the SYS:/NetStorage/xsrv.conf file.

Copy the following lines to the end of the file.

IMPORTANT: Replace 127.0.0.1 with the IP address of the server and localhost with the fully qualified DNS name that users use to access the server, then restart Apache. SetEnvIf patterns are regular expressions, so escape the dots in the name (for example nstore\.example\.com). Keep in mind that the Referer header is supplied by the client and can be set to any value: these rules stop casual browsing and automated crawling of the files, not a deliberate attacker who knows to forge the header. The Order/Deny/Allow directives are Apache 2.2 syntax; on Apache 2.4 the three lines inside each Location block become "Require env linked_local".

# Anchor the patterns so that a Referer such as http://localhost.example.net/ does not
# match, and accept the https:// form as well; otherwise the restriction blocks
# NetStorage's own scripts and stylesheets once SSL is enforced (see A.3.4).
SetEnvIf Referer "^https?://localhost/" linked_local
SetEnvIf Referer "^https?://127\.0\.0\.1/" linked_local

<Location "/NetStorage/*.js*">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>

<Location "/NetStorage/*.xml">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>

<Location "/NetStorage/*.xsl">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>

<Location "/NetStorage/*.cfg">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>

<Location "/NetStorage/*.css">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>

<Location "/NetStorage/*.cer">
    Order deny,allow
    Deny from all
    Allow from env=linked_local
</Location>
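As an added check, not part of this documentation or of the NetStorage product, the following script requests each file you name twice, once with no Referer and once with a Referer that should satisfy the rules above, and reports whether the restriction holds. The base URL and the file paths are supplied on the command line (take them from the NetStorage install directory); the host name in the usage line is a placeholder, and no real NetStorage file name is assumed. If the server has been switched to https as in A.3.4 but the SetEnvIf patterns still only match http://, every file shows up as over-blocked, which is the symptom of a broken NetStorage page.

```shell
#!/bin/sh
# Verify the Referer-gated restriction from A.3.1 (added example, not from the product).
# Usage: sh check_restricted.sh https://nstore.example.com /NetStorage/a.js /NetStorage/b.xml
#   first argument:      scheme and host users reach NetStorage on (placeholder name)
#   remaining arguments: paths of files the Location rules should protect (you supply
#                        them from the install directory; none are hard-coded here)

# probe URL [REFERER] -> HTTP status code, "000" if no answer. The server certificate is
# verified; point CURL_CA_BUNDLE at the CA if the server uses a private one.
probe() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' -H "Referer: $2" "$1" 2>/dev/null || true
    else
        curl -s -o /dev/null -w '%{http_code}' "$1" 2>/dev/null || true
    fi
}

# classify DIRECT_STATUS REFERER_STATUS -> one-word verdict.
# Correct rules answer 403 to a bare request and 200 when the Referer matches.
classify() {
    case "$1:$2" in
        403:200) echo "blocked" ;;        # restriction works as intended
        403:403) echo "over-blocked" ;;   # Referer pattern does not match the site name; pages break
        200:*)   echo "exposed" ;;        # still readable by a direct request
        404:*)   echo "missing" ;;        # no such file, nothing learned
        000:*)   echo "no-answer" ;;      # could not connect
        *)       echo "unexpected($1/$2)" ;;
    esac
}

if [ $# -ge 2 ]; then
    base="$1"; shift
    rc=0
    for path in "$@"; do
        direct=$(probe "$base$path")
        linked=$(probe "$base$path" "$base/NetStorage/")
        verdict=$(classify "$direct" "$linked")
        printf '%-14s %s (direct=%s, with Referer=%s)\n' "$verdict" "$path" "$direct" "$linked"
        if [ "$verdict" = "exposed" ] || [ "$verdict" = "over-blocked" ]; then rc=1; fi
    done
    exit "$rc"
else
    echo "usage: $0 BASE_URL PATH..." >&2
fi
```

The script exits non-zero if any file is still exposed or if the rules are so tight that the application's own pages cannot load their scripts, so it can run from cron after every Apache change.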

A.3.2 Registry Access Control

Access control to the registry is enforced by the operating system.

On Windows (any version), each branch of the registry can have its own ACL (access control list). Windows checks whether the calling thread has permission to read, write, or modify the registry entry being accessed, and returns an access-denied status if it does not.

On NetWare, local access to the registry is a trusted operation, and any NLM running on the server is allowed access.

On Linux, XTier has implemented its own registry based on XFLAIM, and access to this database is via UNIX domain sockets. Only XTier’s registry user (novlxregd) and group (novlxtier) have access to these domain sockets, and access control is enforced via file system permissions. For any process to access the registry, the user associated with the process must be a member of the novlxtier group. Adding a user to a group is a privileged operation, and can be done only by an administrator.

WARNING: Do not store security-sensitive information in the registry. Sensitive information such as passwords should not be stored in the registry unless it is protected by strong encryption.

A.3.3 Use NMAS

NMAS login is designed to be more secure than NDS4. You should enable NMAS login for eDirectory users and enable the corresponding setting in NetStorage.

A.3.4 Use SSL with Your Web Server

Without SSL, all traffic between the client (browser or WebDAV client) and the Web server is in the clear. Anyone on the network path can capture it and read all the data, including the authentication exchange: with the Basic authentication scheme the user name and password travel in every request, only Base64-encoded, which is trivially reversed. Using SSL provides confidentiality for all data traffic between the workstation/client and the Web server.

To force NetStorage clients onto SSL (the Apache SSL virtual host itself must already be configured and working), follow the steps given below:

  1. Create a new file /etc/apache2/httpd.conf.local and include the following contents:

    BrowserMatch "MSIE" nokeepalive downgrade-1.0 force-response-1.0
    # Send every plain-HTTP request for NetStorage to https on the same host name.
    # A RewriteCond applies only to the RewriteRule that follows it, so one
    # case-insensitive rule covers both /NetStorage and /netstorage; the capture
    # group keeps the rest of the requested path (without it $1 would be empty).
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(netstorage.*) https://%{SERVER_NAME}/$1 [NC,L,R=permanent]
    # For a clustered NetStorage volume, redirect to the cluster resource address
    # instead. This matches every request, so it must be placed only in the
    # plain-HTTP virtual host, or https requests are redirected to themselves in a loop:
    # RedirectMatch permanent /.* https://Your-Clustered-volume's-IP-Address/NetStorage
    
  2. Edit /etc/sysconfig/apache2 and add the following line to include /etc/apache2/httpd.conf.local:

    APACHE_CONF_INCLUDE_FILES="/etc/apache2/httpd.conf.local"
    
  3. Restart Apache by executing the following command:

    rcapache2 restart

  4. Log in to NetStorage over http and verify that the browser is redirected to https.

NOTE: If the above procedure does not work, restart XTier by executing the following command:

rcnovell-xsrvd restart
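The following script, added here as an example rather than taken from the NetStorage documentation, performs step 4 without a browser: it sends cleartext requests for the NetStorage paths with redirects disabled and checks that the answer is a redirect whose target is an https:// URL. The host name on the command line is a placeholder for whatever name your users type.

```shell
#!/bin/sh
# Confirm that plain-HTTP requests for NetStorage are redirected to https (added
# example, not part of NetStorage). Usage: sh check_https_redirect.sh nstore.example.com
# The host name is a placeholder; use the name clients actually connect to.

# probe HOST PATH -> "STATUS LOCATION" for one http:// request, redirects not followed
probe() {
    curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1$2" 2>/dev/null || true
}

# verdict STATUS LOCATION -> one word describing what the server did with the cleartext request
verdict() {
    case "$1" in
        301|302|307|308)
            case "$2" in
                https://*) echo "ok" ;;           # redirected to TLS
                http://*)  echo "still-http" ;;   # redirected, but not to TLS
                *)         echo "no-location" ;;  # redirect without a usable target
            esac ;;
        200) echo "served-in-clear" ;;  # the page, and any login, went over cleartext
        000) echo "no-answer" ;;        # port 80 closed, which is also acceptable
        *)   echo "unexpected($1)" ;;
    esac
}

if [ -n "$1" ]; then
    host="$1"
    rc=0
    for path in /NetStorage /NetStorage/ /netstorage/; do
        result=$(probe "$host" "$path")
        status=${result%% *}
        location=${result#* }
        v=$(verdict "$status" "$location")
        printf '%-16s http://%s%s -> %s %s\n' "$v" "$host" "$path" "$status" "$location"
        if [ "$v" != "ok" ] && [ "$v" != "no-answer" ]; then rc=1; fi
    done
    exit "$rc"
else
    echo "usage: $0 HOSTNAME" >&2
fi
```

Both the mixed-case and the lower-case path are probed because the rewrite rules have to cover both; a "served-in-clear" verdict on either one means the RewriteCond/RewriteRule pair is not being applied to it.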

A.3.5 Persistent and Session Cookies

Session cookies are valid only for the duration of the browser/client session. After all browser windows are closed, the browser discards these cookies, and a new instance of the browser has no knowledge of previously set session cookies.

Persistent cookies carry an expiration date/time and remain valid until then. They are kept in persistent storage (usually the file system), so that later instances of the browser can pick them up. Because a persistent cookie outlives the browser session and the user who started it, a cookie that carries authentication state should be a session cookie.

For more information about cookies, see “Persistent Client State HTTP Cookies”.

A.3.6 Use Web Server Logs

You should check Web server logs frequently for security-related information, such as repeated failed logins, requests for the restricted NetStorage files that were answered successfully, and unexpected clients or user agents.
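As an added example, not part of the NetStorage documentation, the following script shows the kind of review meant here. It scans an Apache access log in combined format for direct fetches of the file types that A.3.1 restricts: a request for such a file that was answered 200 with no Referer, or with a Referer from another site, is exactly what those rules should have denied, so any hit means the restriction is missing or misconfigured, and a run of hits from one address is a scan. The embedded log lines are constructed for the example; the file names, addresses and the site name https://nstore.example.com in them are placeholders.

```shell
#!/bin/sh
# Review an Apache combined-format access log for direct fetches of NetStorage's
# restricted file types (added example, not part of NetStorage).
# Usage: sh review_netstorage_log.sh /var/log/apache2/access_log https://nstore.example.com
# (log path and site name are placeholders). With no arguments it runs on a built-in
# sample log, constructed for this example.

# flag_direct_fetches LOGFILE [SITE] -> prints each offending log line.
# Combined format fields: $7 = request path, $9 = status, $11 = quoted Referer.
# SITE is the scheme and host users reach NetStorage on; a Referer that starts with
# it is trusted, anything else (or "-", meaning no Referer) counts as a direct fetch.
flag_direct_fetches() {
    awk -v site="$2" '
        {
            path = $7; status = $9; referer = $11
            gsub(/"/, "", referer)
            if (path ~ /^\/NetStorage\/.*\.(js|xml|xsl|cfg|css|cer)([?].*)?$/ &&
                status == "200" &&
                (referer == "-" || (site != "" && index(referer, site) != 1)))
                print
        }' "$1"
}

# count_direct_fetches LOGFILE [SITE] -> number of offending lines
count_direct_fetches() {
    flag_direct_fetches "$1" "$2" | wc -l | tr -d ' '
}

# top_sources LOGFILE [SITE] -> "count client" per offending client, busiest first
top_sources() {
    flag_direct_fetches "$1" "$2" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Constructed sample log (not real traffic): one normal session, one scanner pulling
# configuration files, and one request referred from a foreign site.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [12/Mar/2007:10:01:02 +0100] "GET /NetStorage/ HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Mar/2007:10:01:03 +0100] "GET /NetStorage/main.js HTTP/1.1" 200 8812 "https://nstore.example.com/NetStorage/" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2007:10:05:44 +0100] "GET /NetStorage/config.xml HTTP/1.1" 200 2210 "-" "curl/7.15"
198.51.100.7 - - [12/Mar/2007:10:05:45 +0100] "GET /NetStorage/server.cfg HTTP/1.1" 200 640 "-" "curl/7.15"
198.51.100.7 - - [12/Mar/2007:10:05:46 +0100] "GET /NetStorage/style.xsl HTTP/1.1" 403 231 "-" "curl/7.15"
203.0.113.9 - - [12/Mar/2007:10:07:10 +0100] "GET /NetStorage/main.js HTTP/1.1" 200 8812 "http://evil.example.net/" "Mozilla/5.0"
EOF

if [ -n "$1" ]; then
    flag_direct_fetches "$1" "$2"
    top_sources "$1" "$2"
else
    echo "sample log: $(count_direct_fetches "$SAMPLE_LOG" https://nstore.example.com) direct fetches flagged"
    top_sources "$SAMPLE_LOG" https://nstore.example.com
fi
```

On the sample, the two 200 answers to the scanner and the foreign-referred script fetch are flagged (three lines), the 403 is correctly ignored, and the same file requested from within the NetStorage site is not reported; without a site name only the Referer-less requests count.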

A.3.7 Use XTLog

See “Enable Debug Logging in ZDM 6.5 and 7” for information on how and when to use XTLog.

Although the information refers to the ZENworks Middle Tier Server, it also applies to other XTier applications such as NetStorage.

A.3.8 Denial of Service Attacks

Application developers should be aware of the possibility of denial of service attacks. This is true for any Web-based application. For example, if a DoS attack can be mounted on Apache or IIS, any XTier-web application is affected, because XTier-web runs as a module (or extension) of Apache and IIS.

A.3.9 Trusted Roots in CAPI

For instructions on setting up trusted roots in CAPI, see “Trusted Root Certification Authority Policy”.

A.3.10 Certificate Validation Registry Setting

If you are using NetIdentity, do not use the registry setting that allows a connection without certificate validation. The NetIdentity client creates this setting in the registry of the client workstation; leaving certificate validation enabled is what protects the client from connecting to an impostor server. For more information, see "Setting Up NetIdentity Authentication" in the Novell ZENworks 7 Desktop Management Installation Guide.