GroupWise Lockdown

Michael Bell, Ulrich Neumann


About your Presenters…

  • Michael Bell

    • GWAVA Lead Developer

    • Novell Volunteer SysOp for 8 years

    • Creator of Guinevere

    • Director of QA at GWAVA

  • Favorite Hobby

    • Science Fiction

    • Filing bugs on other devs’ products.


About your Presenters…

  • Ulrich Neumann

    • GWAVA Lead Developer

    • Novell Virtual Software Engineer

    • Novell Developer Services Volunteer SysOp

    • Open Source Software Engineer

  • Favorite Hobby

    • Karate


Agenda

Securing your Infrastructure

Securing your Server

Securing your GroupWise Agents


Infrastructure

Firewall

Implement a Firewall.

Be careful opening IP Ports.

Use Proxies whenever possible.

Keep logs, and consider backing them up.


Infrastructure

Backup

Create functional backups.

Test your Backups on a regular basis and keep tapes offsite.

Use GWTSA/TSAFS compliant Backup Software to obtain complete and consistent backups.

Don't forget to include /home switches for each Agent Directory to GWTSA.

Consider GWAVA Reload as an option!


Infrastructure

Antivirus

Implement Antivirus Agents at all points of entry.

Make sure Virus Signature Files are up to date on a regular basis.

Consider adopting AV software which has a high speed response rate to virus outbreaks.

Create and enforce an e-mail policy that blocks potentially malicious items. (Fingerprinting)


Server

Make sure you have the latest security patches installed.

Do not use CIFS to access files on a Mail Server.

Set Disk Space Limits.

Do not use the SYS Volume to store user data such as Post Offices.

Don’t use root on Linux for services.

Don't store data on a server outside the Firewall.


GroupWise General

Don't grant file system rights to any user.

Set all log files to “Verbose” and keep at least 30 days of logs.

Don't use “public” as your SNMP Community string. Disable SNMP if not used.

Use SSL whenever possible.

Place gateway servers (GWIA, WebAccess) in DMZ when possible. Never place them on the same server as a Post Office.

Avoid Windows if possible (too many attacks aimed at such servers).


GroupWise General

Use isolated parent domains to avoid granting excess rights and increase reliability.

Don't scan GroupWise database files for viruses. Do scan the rest!

Turn off Web Consoles if not used by Redline or GWMonitor.

Use a comprehensive monitoring solution such as Redline or GroupWise Monitor to watch for changes in the health and configuration of your system.


GroupWise Domains

Be very paranoid about allowing ANY direct access to your domain files.

Malicious attackers can (with admin rights) see and alter your entire system.

Malicious attackers can mint a Trusted Application. From then on, they don’t need direct access to do horrible things (steal mail, alter or delete mail) via IMAP or Object API, and soon SOAP.

Check your Trusted Application list regularly to make sure no programs have been added.


GroupWise Internet Agent

Upgrade from GroupWise 5.x – too many compromises and DoS attacks are possible.

Turn off all SMTP relay and use NO relay exceptions except when absolutely necessary, in which case use static IP address exceptions.

Mailbomb protection – consider enabling, but don't expect miracles.

Country code RBLs – bad, but possibly effective.

Limitation of GWIA RBL – only looks at last hop.


GroupWise Internet Agent

DNS Reverse lookup – fairly effective, but consider the possible loss of communications, especially with specific ISPs or dynamic IP configurations. No exceptions are allowed!

Disable all services not needed (POP3, IMAP, LDAP, HTTP).

If POP3 or IMAP is enabled, require SSL on these services.

Run in protected memory.


GroupWise Post Office

Enable Intruder Detection.

Disable SOAP and IMAP if not needed.

Force Clients to use Client/Server mode.

Use high security authentication methods (LDAP or eDirectory authentication).

LDAP authentication has many benefits:

  • Uses the eDirectory password.

  • Uses eDirectory password expiration and other policies.

  • Allows auditing by eDirectory auditing tools.


GroupWise Web Access

Use SSL to access WebAccess.

Redirect the insecure (Port 80) webpage to the secure webpage (Port 443).

Use Apache2 as the preferred web server.

Lock down your http server directories, and do not permit any “bare” directories to be browsed.

Disable unneeded Apache modules.

Remove sample scripts, and http pages.

Run in protected memory.
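
The web server items on this slide as a configuration sketch, added here as an example and not taken from the presentation. It assumes Apache 2.4 syntax; the hostname, certificate paths, document root and the choice of modules to unload are placeholders and assumptions, not GroupWise defaults.

```apache
# Constructed example: webmail.example.com and all /path/to/... values are placeholders.

# Port 80 serves no content; every request is sent to the SSL site.
<VirtualHost *:80>
    ServerName webmail.example.com
    Redirect permanent / https://webmail.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName webmail.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>

# Deny by default, then open only the directories that must be served.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/path/to/docroot">
    # Weak setting: a directory without an index file is listed to the client.
    #   Options Indexes FollowSymLinks
    # Corrected: no listings, and no per-directory .htaccess overrides.
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Unneeded modules stay unloaded (assumed not required by this site):
# directory listings, server status and info pages, per-user directories.
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module    modules/mod_status.so
#LoadModule info_module      modules/mod_info.so
#LoadModule userdir_module   modules/mod_userdir.so
```

After a change like this, `apachectl configtest` checks the syntax before the server is restarted.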

