XVII
Security Policies
Chapter 84, “Securing GroupWise Data,” on page 1205
Chapter 85, “Securing GroupWise Agents,” on page 1207
Chapter 86, “Securing GroupWise System Access,” on page 1211
Chapter 87, “Secure Migrations,” on page 1213
Chapter 88, “Undocumented Diagnostic Tools,” on page 1215
novdocx (en) 22 June 2009
XVI
Security Policies
1203
novdocx (en) 22 June 2009
1204 GroupWise 8 Administration Guide
84
Securing GroupWise Data
Section 84.1, “Limiting Physical Access to GroupWise Servers,” on page 1205
Section 84.2, “Securing File System Access,” on page 1205
Section 84.3, “Securing Domains and Post Offices,” on page 1205
84.1 Limiting Physical Access to GroupWise Servers
Servers where GroupWise® data resides should be kept physically secure, where unauthorized
persons cannot gain access to the server consoles.
84.2 Securing File System Access
In ConsoleOne®, Server objects for servers where GroupWise domains, post offices, and agents
reside should be assigned appropriate trustees and rights to prevent access from unauthorized
persons.
novdocx (en) 22 June 2009
84
For additional data security, encrypted file systems should be used on servers where GroupWise
domains, post offices, and agents reside. Only GroupWise administrators should have direct access
to GroupWise data.
84.3 Securing Domains and Post Offices
In ConsoleOne, administrators in addition to the Admin user should be given rights judiciously, as
described in Chapter 79, “GroupWise Administrator Rights,” on page 1177.
The POA should be configured for client/server access, so that GroupWise users do not require any
direct access to any databases in the post office. For more information, see Section 36.2.1, “Using
Client/Server Access to the Post Office,” on page 498.
Securing GroupWise Data
1205
novdocx (en) 22 June 2009
1206 GroupWise 8 Administration Guide
85
Securing GroupWise Agents
Section 85.1, “Setting Up SSL Connections,” on page 1207
Section 85.2, “Protecting Agent Web Consoles,” on page 1207
Section 85.3, “Protecting Agent Startup and Configuration Files,” on page 1207
Section 85.4, “Protecting Agent Log Files,” on page 1208
Section 85.5, “Protecting Agent Processes on Linux,” on page 1209
Section 85.6, “Protecting Trusted Applications,” on page 1209
85.1 Setting Up SSL Connections
All of the GroupWise® agents should be configured to use SSL connections, as described in:
“Securing the Post Office with SSL Connections to the POA” on page 511
“Securing the Domain with SSL Connections to the MTA” on page 643
“Securing Internet Agent Connections with SSL” on page 788
novdocx (en) 22 June 2009
85
“Securing WebAccess Agent Connections with SSL” on page 897
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on
page 1023
85.2 Protecting Agent Web Consoles
If you do not provide passwords on the GroupWise agent Web consoles, unauthorized persons can
access them by simply knowing the IP address or hostname of the machine where the agent runs,
along with the HTTP port the agent is using. Set up GroupWise agent Web consoles with passwords
as described in:
“Using the POA Web Console” on page 544
“Using the MTA Web Console” on page 673
“Using the Internet Agent Web Console” on page 805
“Using the WebAccess Agent Web Console” on page 949
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on
page 1023
85.3 Protecting Agent Startup and Configuration Files
The startup and configuration files for all GroupWise agents should be protected from tampering.
Agent startup files are found in the following default locations:
Securing GroupWise Agents
1207
Table 85-1 Locations of GroupWise Agent Startup and Configuration Files
Platform Directory Startup Files
novdocx (en) 22 June 2009
NetWare
Linux
Windows
sys:\system post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
/opt/novell/groupwise/agents/share post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
monitor.xml
c:\Program Files\Novell\GroupWise Server\Agents
c:\Program Files\Novell\GroupWise Server\Agents
c:\Program Files\Novell\GroupWise Server\GWIA
c:\Program Files\Novell\GroupWise Server\WebAccess
c:\Program Files\Novell\GroupWise Server\Monitor
post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
monitor.xml
85.4 Protecting Agent Log Files
The log files for all GroupWise agents should be protected against access by unauthorized persons.
Some contain very detailed information about your GroupWise system and GroupWise users. Agent
log files are found in the following default locations:
Table 85-2 Locations of GroupWise Agent Log Files
Platform Directory Startup Files
NetWare
Linux
vol:\post_office\wpcsout\ofs
vol:\domain\mslocal
vol:\domain\wpgate\gwia\000.prc
vol:\domain\wpgate\webac80a\000.prc
sys:\system\gwdav.dir\log
/var/log/novell/groupwise/post_office.poa
/var/log/novell/groupwise/domain.mta
/var/log/novell/groupwise/domain.gwia
/var/log/novell/groupwise/domain.webac80a
/var/log/novell/groupwise/gwdva
/var/log/novell/groupwise/gwmon
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmnnmon.nnn
mmnnhist.nnn
1208 GroupWise 8 Administration Guide
Platform Directory Startup Files
novdocx (en) 22 June 2009
Windows
\post_offce\wpcsout\ofs
\domain\mslocal
\domain\wpgate\gwia\000.prc
\domain\wpgate\webac80a\000.prc
c:\Program Files\Novell\GroupWise Server\
WebAccess\gwdva.dir\log
c:\Program Files\Novell\GroupWise Server\Monitor
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmnnmon.nnn
mmnnhist.nnn
85.5 Protecting Agent Processes on Linux
On Linux, the GroupWise agents are installed to run as the
configuration. Immediately after installation, you should set up a nonas, as described in “Running the Linux GroupWise Agents As a Non-root User” in “Installing
GroupWise Agents” in the GroupWise 8 Installation Guide.
root
user by default. This is not a secure
root
user for the agents to run
85.6 Protecting Trusted Applications
Trusted applications are third-party programs that can log in to POAs and Internet Agents in order to
access GroupWise mailboxes. For background information, see Section 4.12, “Trusted
Applications,” on page 74.
Trusted applications log in to GroupWise agents by using trusted application keys that are created
when the trusted application is created. It is essential that these keys are protected and not allowed to
become public. Steps you can take to protect trusted application keys include:
Associating the trusted application key with a single IP address whenever possible
Reviewing third-party log files for sensitive data such as the key before sharing them with
others
Not sharing trusted application keys with others for any reason
Removing old keys that are no longer needed
Securing GroupWise Agents 1209
novdocx (en) 22 June 2009
1210 GroupWise 8 Administration Guide
86
Securing GroupWise System
novdocx (en) 22 June 2009
Access
Section 86.1, “Using a Proxy Server with Client/Server Access,” on page 1211
Section 86.2, “Using LDAP Authentication for GroupWise Users,” on page 1211
Section 86.3, “Managing Mailbox Passwords,” on page 1211
Section 86.4, “Enabling Intruder Detection,” on page 1212
86.1 Using a Proxy Server with Client/Server Access
POAs in your GroupWise® system should be located behind your firewall. If GroupWise client
users want to access their GroupWise mailboxes from outside your firewall using the Windows
client or the Linux/Mac client, you should set up a proxy server outside your firewall to provide
access, as described in Section 36.3.1, “Securing Client/Server Access through an External Proxy
Server,” on page 509. WebAccess client users access their GroupWise mailboxes through their Web
browsers, so your Web server handles the access issues for such users.
86.2 Using LDAP Authentication for GroupWise Users
86
LDAP authentication provides a more secure method of mailbox access than standard GroupWise
authentication, which is the default when you set up your GroupWise system. Therefore, you should
implement LDAP authentication, as described in Section 36.3.4, “Providing LDAP Authentication
for GroupWise Users,” on page 514.
On the Post Office object, the LDAP username that you provide on the Security property page
should be granted only browser rights in the eDirectory tree. The password for the LDAP user
should be long and randomly generated.
On the LDAP Server object, Require TLS for All Operations should be selected on the SSL/TLS
Configuration property page. On the LDAP Group object, Require TLS for Simple Binds with
Password should be selected.
On your LDAP servers, the trusted root certificate file should be write protected so that it cannot be
tampered with.
86.3 Managing Mailbox Passwords
GroupWise offers varying levels of password security, as described in Section 74.1, “Mailbox
Passwords,” on page 1151. Make sure that you understand the options available to you and that you
select the level of password security that is appropriate to your GroupWise system.
Securing GroupWise System Access
1211
86.4 Enabling Intruder Detection
You can configure the POA to lock out a user that provides the wrong mailbox password too many
times, as described in Section 36.3.5, “Enabling Intruder Detection,” on page 519.
novdocx (en) 22 June 2009
1212 GroupWise 8 Administration Guide
87
Secure Migrations
Section 87.1, “GroupWise Server Migration Utility,” on page 1213
87.1 GroupWise Server Migration Utility
During its operation, the GroupWise Server Migration Utility prompts for some restricted-access
information. It also modifies critical GroupWise agent startup files. This section explains why.
87.1.1 Source Server Credentials
The Server Migration Utility prompts for a user ID and password that provides read/write access to
the NetWare or Windows server so that the Linux server can mount the source server with read/write
access.
In addition, the Server Migration Utility needs read/write access to the domain or post office
directory that is being migrated. Read/write access enables the Server Migration Utility to copy the
contents of the post office directory or domain directory, including the post office database and
domain database, so that file locking is respected while the data is being copied. File locking
prevents database damage.
novdocx (en) 22 June 2009
87
87.1.2 Destination Server root Password
The Server Migration Utility prompts for the
volume or the Windows share to the Linux file system. It also needs the
communicate with the SSH (secure shell) daemon on the Linux server. The SSH daemon allows
root
access for the utility to install the GroupWise RPMs, to run the programs required for
migration locally on the Linux server, and to create and save the Linux agent startup files.
root
In addition,
server, depending on where the user decided to locate the post office or domain. After the migration,
the user can configure the GroupWise agents to run as a nondescribed in “Running the Linux GroupWise Agents As a Non-root User” in “Installing GroupWise
Agents” in the GroupWise 8 Installation Guide.
permissions might be required to write the post office or domain data to the Linux
root
password so that it can mount the NetWare
root
password in order to
root
user for improved security, as
87.1.3 Agent Startup Files
When the Server Migration Utility migrates an agent, the only change it makes to its startup file is to
modify the --home switch to point to the new location of the post office or domain on the Linux
server. Existing switch settings are retained, except for paths and IP addresses that would be invalid
in the new Linux environment.
Secure Migrations
1213
novdocx (en) 22 June 2009
1214 GroupWise 8 Administration Guide
88
Undocumented Diagnostic Tools
In ConsoleOne, under Tools > GroupWise Diagnostics, a set of tools is available for use by Novell
support engineers when attempting to diagnose or correct problems in a customer’s GroupWise
system. These tools are not intended for use by GroupWise customers without supervision. These
tools are not documented.
novdocx (en) 22 June 2009
88
Undocumented Diagnostic Tools
1215
novdocx (en) 22 June 2009
1216 GroupWise 8 Administration Guide
Loading...