XVII Security Policies
Chapter 84, “Securing GroupWise Data,” on page 1205
Chapter 85, “Securing GroupWise Agents,” on page 1207
Chapter 86, “Securing GroupWise System Access,” on page 1211
Chapter 87, “Secure Migrations,” on page 1213
Chapter 88, “Undocumented Diagnostic Tools,” on page 1215
novdocx (en) 22 June 2009
1204 GroupWise 8 Administration Guide
84 Securing GroupWise Data
Section 84.1, “Limiting Physical Access to GroupWise Servers,” on page 1205
Section 84.2, “Securing File System Access,” on page 1205
Section 84.3, “Securing Domains and Post Offices,” on page 1205
84.1 Limiting Physical Access to GroupWise Servers
Servers where GroupWise® data resides should be kept physically secure, in a location where
unauthorized persons cannot gain access to the server consoles.
84.2 Securing File System Access
In ConsoleOne®, Server objects for servers where GroupWise domains, post offices, and agents
reside should be assigned appropriate trustees and rights to prevent access from unauthorized
persons.
For additional data security, encrypted file systems should be used on servers where GroupWise
domains, post offices, and agents reside. Only GroupWise administrators should have direct access
to GroupWise data.
84.3 Securing Domains and Post Offices
In ConsoleOne, administrators in addition to the Admin user should be given rights judiciously, as
described in Chapter 79, “GroupWise Administrator Rights,” on page 1177.
The POA should be configured for client/server access, so that GroupWise users do not require any
direct access to any databases in the post office. For more information, see Section 36.2.1, “Using
Client/Server Access to the Post Office,” on page 498.
85 Securing GroupWise Agents
Section 85.1, “Setting Up SSL Connections,” on page 1207
Section 85.2, “Protecting Agent Web Consoles,” on page 1207
Section 85.3, “Protecting Agent Startup and Configuration Files,” on page 1207
Section 85.4, “Protecting Agent Log Files,” on page 1208
Section 85.5, “Protecting Agent Processes on Linux,” on page 1209
Section 85.6, “Protecting Trusted Applications,” on page 1209
85.1 Setting Up SSL Connections
All of the GroupWise® agents should be configured to use SSL connections, as described in:
“Securing the Post Office with SSL Connections to the POA” on page 511
“Securing the Domain with SSL Connections to the MTA” on page 643
“Securing Internet Agent Connections with SSL” on page 788
“Securing WebAccess Agent Connections with SSL” on page 897
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on page 1023
85.2 Protecting Agent Web Consoles
If you do not provide passwords on the GroupWise agent Web consoles, unauthorized persons can
access them by simply knowing the IP address or hostname of the machine where the agent runs,
along with the HTTP port the agent is using. Set up GroupWise agent Web consoles with passwords
as described in:
“Using the POA Web Console” on page 544
“Using the MTA Web Console” on page 673
“Using the Internet Agent Web Console” on page 805
“Using the WebAccess Agent Web Console” on page 949
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on page 1023
85.3 Protecting Agent Startup and Configuration Files
The startup and configuration files for all GroupWise agents should be protected from tampering.
Agent startup files are found in the following default locations: