Novell GROUPWISE 8 Security Policies

XVII
Security Policies
Chapter 84, “Securing GroupWise Data,” on page 1205
Chapter 85, “Securing GroupWise Agents,” on page 1207
Chapter 87, “Secure Migrations,” on page 1213
Chapter 88, “Undocumented Diagnostic Tools,” on page 1215
novdocx (en) 22 June 2009
XVI
Security Policies
1203
novdocx (en) 22 June 2009
1204 GroupWise 8 Administration Guide
84

Securing GroupWise Data

Section 84.1, “Limiting Physical Access to GroupWise Servers,” on page 1205
Section 84.2, “Securing File System Access,” on page 1205
Section 84.3, “Securing Domains and Post Offices,” on page 1205

84.1 Limiting Physical Access to GroupWise Servers

Servers where GroupWise® data resides should be kept physically secure, where unauthorized persons cannot gain access to the server consoles.

84.2 Securing File System Access

In ConsoleOne®, Server objects for servers where GroupWise domains, post offices, and agents reside should be assigned appropriate trustees and rights to prevent access from unauthorized persons.
novdocx (en) 22 June 2009
84
For additional data security, encrypted file systems should be used on servers where GroupWise domains, post offices, and agents reside. Only GroupWise administrators should have direct access to GroupWise data.

84.3 Securing Domains and Post Offices

In ConsoleOne, administrators in addition to the Admin user should be given rights judiciously, as described in Chapter 79, “GroupWise Administrator Rights,” on page 1177.
The POA should be configured for client/server access, so that GroupWise users do not require any direct access to any databases in the post office. For more information, see Section 36.2.1, “Using
Client/Server Access to the Post Office,” on page 498.
Securing GroupWise Data
1205
novdocx (en) 22 June 2009
1206 GroupWise 8 Administration Guide
85

Securing GroupWise Agents

Section 85.1, “Setting Up SSL Connections,” on page 1207
Section 85.2, “Protecting Agent Web Consoles,” on page 1207
Section 85.3, “Protecting Agent Startup and Configuration Files,” on page 1207
Section 85.4, “Protecting Agent Log Files,” on page 1208
Section 85.5, “Protecting Agent Processes on Linux,” on page 1209
Section 85.6, “Protecting Trusted Applications,” on page 1209

85.1 Setting Up SSL Connections

All of the GroupWise® agents should be configured to use SSL connections, as described in:
“Securing the Post Office with SSL Connections to the POA” on page 511
“Securing the Domain with SSL Connections to the MTA” on page 643
“Securing Internet Agent Connections with SSL” on page 788
novdocx (en) 22 June 2009
85
“Securing WebAccess Agent Connections with SSL” on page 897
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on
page 1023

85.2 Protecting Agent Web Consoles

If you do not provide passwords on the GroupWise agent Web consoles, unauthorized persons can access them by simply knowing the IP address or hostname of the machine where the agent runs, along with the HTTP port the agent is using. Set up GroupWise agent Web consoles with passwords as described in:
“Using the POA Web Console” on page 544
“Using the MTA Web Console” on page 673
“Using the Internet Agent Web Console” on page 805
“Using the WebAccess Agent Web Console” on page 949
“Configuring Authentication and Intruder Lockout for the Monitor Web Console” on
page 1023

85.3 Protecting Agent Startup and Configuration Files

The startup and configuration files for all GroupWise agents should be protected from tampering. Agent startup files are found in the following default locations:
Securing GroupWise Agents
1207
Table 85-1 Locations of GroupWise Agent Startup and Configuration Files
Platform Directory Startup Files
novdocx (en) 22 June 2009
NetWare
Linux
Windows
sys:\system post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
/opt/novell/groupwise/agents/share post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
monitor.xml
c:\Program Files\Novell\GroupWise Server\Agents
c:\Program Files\Novell\GroupWise Server\Agents
c:\Program Files\Novell\GroupWise Server\GWIA
c:\Program Files\Novell\GroupWise Server\WebAccess
c:\Program Files\Novell\GroupWise Server\Monitor
post_office.poa
domain.mta
gwia.cfg
webac80a.waa
gwdva.dva
monitor.xml

85.4 Protecting Agent Log Files

The log files for all GroupWise agents should be protected against access by unauthorized persons. Some contain very detailed information about your GroupWise system and GroupWise users. Agent log files are found in the following default locations:
Table 85-2 Locations of GroupWise Agent Log Files
Platform Directory Startup Files
NetWare
Linux
vol:\post_office\wpcsout\ofs
vol:\domain\mslocal
vol:\domain\wpgate\gwia\000.prc
vol:\domain\wpgate\webac80a\000.prc
sys:\system\gwdav.dir\log
/var/log/novell/groupwise/post_office.poa
/var/log/novell/groupwise/domain.mta
/var/log/novell/groupwise/domain.gwia
/var/log/novell/groupwise/domain.webac80a
/var/log/novell/groupwise/gwdva
/var/log/novell/groupwise/gwmon
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmnnmon.nnn
mmnnhist.nnn
1208 GroupWise 8 Administration Guide
Platform Directory Startup Files
novdocx (en) 22 June 2009
Windows
\post_offce\wpcsout\ofs
\domain\mslocal
\domain\wpgate\gwia\000.prc
\domain\wpgate\webac80a\000.prc
c:\Program Files\Novell\GroupWise Server\
WebAccess\gwdva.dir\log
c:\Program Files\Novell\GroupWise Server\Monitor
mmddpoa.nnn
mmddmta.nnn
mmddgwia.nnn
mmddweb.nnn
mmdddva.nnn
mmnnmon.nnn
mmnnhist.nnn

85.5 Protecting Agent Processes on Linux

On Linux, the GroupWise agents are installed to run as the configuration. Immediately after installation, you should set up a non­as, as described in “Running the Linux GroupWise Agents As a Non-root User” in “Installing
GroupWise Agents” in the GroupWise 8 Installation Guide.
root
user by default. This is not a secure
root
user for the agents to run

85.6 Protecting Trusted Applications

Trusted applications are third-party programs that can log in to POAs and Internet Agents in order to access GroupWise mailboxes. For background information, see Section 4.12, “Trusted
Applications,” on page 74.
Trusted applications log in to GroupWise agents by using trusted application keys that are created when the trusted application is created. It is essential that these keys are protected and not allowed to become public. Steps you can take to protect trusted application keys include:
Associating the trusted application key with a single IP address whenever possible
Reviewing third-party log files for sensitive data such as the key before sharing them with
others
Not sharing trusted application keys with others for any reason
Removing old keys that are no longer needed
Securing GroupWise Agents 1209
novdocx (en) 22 June 2009
1210 GroupWise 8 Administration Guide
86
Securing GroupWise System
novdocx (en) 22 June 2009
Access
Section 86.1, “Using a Proxy Server with Client/Server Access,” on page 1211
Section 86.2, “Using LDAP Authentication for GroupWise Users,” on page 1211
Section 86.3, “Managing Mailbox Passwords,” on page 1211
Section 86.4, “Enabling Intruder Detection,” on page 1212

86.1 Using a Proxy Server with Client/Server Access

POAs in your GroupWise® system should be located behind your firewall. If GroupWise client users want to access their GroupWise mailboxes from outside your firewall using the Windows client or the Linux/Mac client, you should set up a proxy server outside your firewall to provide access, as described in Section 36.3.1, “Securing Client/Server Access through an External Proxy
Server,” on page 509. WebAccess client users access their GroupWise mailboxes through their Web
browsers, so your Web server handles the access issues for such users.

86.2 Using LDAP Authentication for GroupWise Users

86
LDAP authentication provides a more secure method of mailbox access than standard GroupWise authentication, which is the default when you set up your GroupWise system. Therefore, you should implement LDAP authentication, as described in Section 36.3.4, “Providing LDAP Authentication
for GroupWise Users,” on page 514.
On the Post Office object, the LDAP username that you provide on the Security property page should be granted only browser rights in the eDirectory tree. The password for the LDAP user should be long and randomly generated.
On the LDAP Server object, Require TLS for All Operations should be selected on the SSL/TLS Configuration property page. On the LDAP Group object, Require TLS for Simple Binds with Password should be selected.
On your LDAP servers, the trusted root certificate file should be write protected so that it cannot be tampered with.

86.3 Managing Mailbox Passwords

GroupWise offers varying levels of password security, as described in Section 74.1, “Mailbox
Passwords,” on page 1151. Make sure that you understand the options available to you and that you
select the level of password security that is appropriate to your GroupWise system.

Securing GroupWise System Access

1211

86.4 Enabling Intruder Detection

You can configure the POA to lock out a user that provides the wrong mailbox password too many times, as described in Section 36.3.5, “Enabling Intruder Detection,” on page 519.
novdocx (en) 22 June 2009
1212 GroupWise 8 Administration Guide
87

Secure Migrations

Section 87.1, “GroupWise Server Migration Utility,” on page 1213

87.1 GroupWise Server Migration Utility

During its operation, the GroupWise Server Migration Utility prompts for some restricted-access information. It also modifies critical GroupWise agent startup files. This section explains why.

87.1.1 Source Server Credentials

The Server Migration Utility prompts for a user ID and password that provides read/write access to the NetWare or Windows server so that the Linux server can mount the source server with read/write access.
In addition, the Server Migration Utility needs read/write access to the domain or post office directory that is being migrated. Read/write access enables the Server Migration Utility to copy the contents of the post office directory or domain directory, including the post office database and domain database, so that file locking is respected while the data is being copied. File locking prevents database damage.
novdocx (en) 22 June 2009
87

87.1.2 Destination Server root Password

The Server Migration Utility prompts for the volume or the Windows share to the Linux file system. It also needs the communicate with the SSH (secure shell) daemon on the Linux server. The SSH daemon allows
root
access for the utility to install the GroupWise RPMs, to run the programs required for
migration locally on the Linux server, and to create and save the Linux agent startup files.
root
In addition, server, depending on where the user decided to locate the post office or domain. After the migration, the user can configure the GroupWise agents to run as a non­described in “Running the Linux GroupWise Agents As a Non-root User” in “Installing GroupWise
Agents” in the GroupWise 8 Installation Guide.
permissions might be required to write the post office or domain data to the Linux
root
password so that it can mount the NetWare
root
password in order to
root
user for improved security, as

87.1.3 Agent Startup Files

When the Server Migration Utility migrates an agent, the only change it makes to its startup file is to modify the --home switch to point to the new location of the post office or domain on the Linux server. Existing switch settings are retained, except for paths and IP addresses that would be invalid in the new Linux environment.
Secure Migrations
1213
novdocx (en) 22 June 2009
1214 GroupWise 8 Administration Guide
88

Undocumented Diagnostic Tools

In ConsoleOne, under Tools > GroupWise Diagnostics, a set of tools is available for use by Novell support engineers when attempting to diagnose or correct problems in a customer’s GroupWise system. These tools are not intended for use by GroupWise customers without supervision. These tools are not documented.
novdocx (en) 22 June 2009
88
Undocumented Diagnostic Tools
1215
novdocx (en) 22 June 2009
1216 GroupWise 8 Administration Guide
Loading...