GroupWise Lockdown
Michael Bell, Ulrich Neumann

About your Presenters
Michael Bell
GWAVA Lead Developer
Novell Volunteer SysOp for 8 years
Creator of Guinevere
Director of QA at GWAVA
Favorite Hobby: Science Fiction
Filing bugs on other devs’ products.
Securing your Infrastructure
Securing your Server
Securing your GroupWise Agents
Implement a Firewall.
Be careful when opening IP ports.
Use Proxies whenever possible.
Keep logs, and consider backing them up.
Create functional backups.
Test your Backups on a regular basis and keep tapes offsite.
Use GWTSA/TSAFS compliant Backup Software to obtain complete and consistent backups.
Don't forget to pass a /home switch for each agent directory to GWTSA.
Consider GWAVA Reload as an option!
Implement Antivirus Agents at all points of entry.
Make sure Virus Signature Files are up to date on a regular basis.
Consider adopting AV software which has a high speed response rate to virus outbreaks.
Create and enforce e-mail policy which blocks potentially malicious items. (Fingerprinting)
Make sure you have the latest security patches installed.
Do not use CIFS to access files on a Mail Server.
Set Disk Space Limits.
Do not use the SYS Volume to store user data such as Post Offices.
Don’t use root on Linux for services.
Don't store data on a server outside the Firewall.
Don't grant file system rights to any user.
Set all log files to “Verbose” and allow at least 30 days of logs to keep.
Don't use “public” as your SNMP Community string. Disable SNMP if not used.
Use SSL whenever possible.
Place gateway servers (GWIA, WebAccess) in DMZ when possible. Never place them on the same server as a Post Office.
Avoid Windows if possible (too many attacks aimed at such servers)
Use isolated parent domains to avoid granting excess rights and increase reliability.
Don't scan GroupWise database files for viruses. Do scan the rest!
Turn off Web Consoles if not used by Redline or GWMonitor.
Use a comprehensive monitoring solution such as Redline or GroupWise Monitor to watch for changes in the health and configuration of your system.
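Added example, not from the presentation: a small POSIX shell audit that checks three of the server points above (no "public" SNMP community string, Verbose logging kept for at least 30 days, no GroupWise agent running as root) against constructed sample inputs embedded in the script. It assumes the net-snmp rocommunity/rwcommunity syntax for snmpd.conf, the /loglevel and /logdays switches in the agent startup file, and the Linux agent process names gwpoa, gwmta, gwia and gwinter; verify the switch names against your GroupWise version before pointing it at real files.

```shell
#!/bin/sh
# Added example, not from the presentation: audit three of the server points
# above (no default SNMP community string, verbose logs kept 30 days, no
# GroupWise agent running as root) against constructed sample inputs.
# Assumptions: snmpd.conf uses the net-snmp rocommunity/rwcommunity syntax,
# and the agent startup file uses the /loglevel and /logdays switches
# (check the switch names against your GroupWise version).

# ---- Constructed sample inputs (not real files from any server) ----------
SNMPD_CONF='rocommunity public
rwcommunity public 127.0.0.1
sysLocation Server room'

POA_STARTUP='/home-/mail/po1
/loglevel-Normal
/logdays-7
/httpport-7181'

# Shaped like "ps -eo user,comm" output
PS_LISTING='root     gwpoa
gwagent  gwmta
root     gwia
gwagent  httpd'

# Returns 0 when no community string is the well-known "public" or "private".
snmp_community_ok() {
    if printf '%s\n' "$1" | grep -Eiq '^(ro|rw)community[[:space:]]+(public|private)([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Returns 0 when the startup file asks for Verbose logging kept at least 30 days.
agent_logging_ok() {
    level=$(printf '%s\n' "$1" | grep -i '^/loglevel-' | cut -d- -f2 | tr '[:upper:]' '[:lower:]')
    days=$(printf '%s\n' "$1" | grep -i '^/logdays-' | cut -d- -f2)
    [ "$level" = "verbose" ] || return 1
    [ -n "$days" ] && [ "$days" -ge 30 ] 2>/dev/null || return 1
    return 0
}

# Prints the GroupWise agents (gwpoa, gwmta, gwia, gwinter) running as root.
agents_running_as_root() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 ~ /^(gwpoa|gwmta|gwia|gwinter)$/ { print $2 }'
}

# Stand-alone report over the constructed samples.
audit_server() {
    if snmp_community_ok "$SNMPD_CONF"; then echo "SNMP: ok"; else echo "SNMP: default community string in use"; fi
    if agent_logging_ok "$POA_STARTUP"; then echo "POA logging: ok"; else echo "POA logging: not Verbose, or fewer than 30 days kept"; fi
    roots=$(agents_running_as_root "$PS_LISTING")
    if [ -z "$roots" ]; then echo "Agents as root: none"; else echo "Agents as root:"; echo "$roots"; fi
}
audit_server
```

To use it on a real server, replace the three constructed strings with `$(cat /etc/snmp/snmpd.conf)`, the contents of the agent's startup file, and `$(ps -eo user,comm)`; each check is a function that returns 0 or 1, so the script can be dropped into a cron job or a monitoring probe as-is.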
Be very paranoid about allowing ANY direct access to your domain files.
Malicious attackers can (with admin rights) see and alter your entire system.
Malicious attackers can mint a Trusted Application. From then on, they don’t need direct access to do horrible things via IMAP or Object API, and soon SOAP (steal mail, alter/delete mail).
Check your Trusted Application list regularly to make sure no programs have been added.
Upgrade from GroupWise 5.x – too many compromises and DoS attacks are possible.
Turn off all SMTP relay and use NO relay exceptions except when absolutely necessary, in which case use static IP address exceptions.
Mailbomb protection – consider enabling, but don't expect miracles.
Country code RBLs – bad, but possibly effective.
Limitation of GWIA RBL checks – only the last hop is looked at.
DNS Reverse lookup – fairly effective, but consider the possible loss of communications, especially with specific ISPs or dynamic IP configurations. No exceptions are allowed!
Disable all services not needed (POP3, IMAP, LDAP, HTTP).
If POP3 or IMAP is enabled, require SSL on these services.
Run in protected memory.
Enable Intruder Detection.
Disable SOAP and IMAP if not needed.
Force Clients to use Client/Server mode.
Use high security authentication methods (LDAP or eDirectory authentication).
LDAP authentication has many benefits:
Uses the eDirectory password.
Uses eDirectory password expiration and other policies.
Allows auditing by eDirectory auditing tools.
Use SSL to access WebAccess.
Redirect the insecure (Port 80) webpage to the secure webpage (Port 443).
Use Apache2 as the preferred web server.
Lock down your HTTP server directories, and do not permit any “bare” directories to be browsed.
Disable unneeded Apache modules.
Remove sample scripts, and http pages.
Run in protected memory.
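Added example, not from the presentation: the WebAccess web server points above (SSL only, port 80 redirected to 443, no browsable bare directories, unneeded modules not loaded) shown as a weak Apache2 vhost beside a hardened one, with a POSIX shell checker that tells them apart. The host name, certificate paths, document root and the list of "unneeded" modules are constructed assumptions; which modules WebAccess actually needs depends on your version and connector, so adjust that list before relying on the check.

```shell
#!/bin/sh
# Added example, not from the presentation. Two constructed Apache2 vhost
# fragments (weak and hardened) plus functions that check the hardening
# points from the slides. Host name, paths and the UNNEEDED_MODULES list
# are assumptions, not values from any real WebAccess install.

# Modules this example treats as unneeded on a WebAccess front end (assumption).
UNNEEDED_MODULES='autoindex_module status_module info_module userdir_module cgi_module'

# ---- Weak: plain HTTP, browsable directories, extra modules loaded --------
WEAK_VHOST='LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<VirtualHost *:80>
    ServerName webaccess.example.com
    DocumentRoot /srv/www/htdocs
    <Directory /srv/www/htdocs>
        Options Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>'

# ---- Hardened: port 80 only redirects, SSL site, no indexes, no CGI --------
HARDENED_VHOST='LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:80>
    ServerName webaccess.example.com
    # Every plain-HTTP request is sent to the SSL site
    Redirect permanent / https://webaccess.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName webaccess.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/webaccess.crt
    SSLCertificateKeyFile /etc/apache2/ssl/webaccess.key
    DocumentRoot /srv/www/htdocs
    <Directory /srv/www/htdocs>
        Options -Indexes -ExecCGI
        AllowOverride None
    </Directory>
</VirtualHost>'

# 0 when no Options line turns on Indexes (a leading "-" disables it).
directory_listing_disabled() {
    ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?Indexes([[:space:]]|$)'
}

# 0 when a Redirect or RewriteRule sends requests to an https:// URL.
http_redirects_to_https() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*(Redirect|RewriteRule)[[:space:]].*https://'
}

# 0 when SSLEngine is switched on somewhere in the fragment.
ssl_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on'
}

# Prints every LoadModule name that is on the unneeded list.
loaded_unneeded_modules() {
    printf '%s\n' "$1" | awk -v list="$UNNEEDED_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        $1 == "LoadModule" && ($2 in bad) { print $2 }'
}

# 0 only when all four checks pass.
vhost_hardened() {
    directory_listing_disabled "$1" && http_redirects_to_https "$1" && ssl_enabled "$1" \
        && [ -z "$(loaded_unneeded_modules "$1")" ]
}

# Stand-alone report over the two constructed fragments.
report_vhost() {
    if vhost_hardened "$2"; then echo "$1: passes all checks"; else echo "$1: fails at least one check"; fi
}
report_vhost "weak vhost" "$WEAK_VHOST"
report_vhost "hardened vhost" "$HARDENED_VHOST"
```

Run against a real install with `vhost_hardened "$(cat /etc/apache2/vhosts.d/webaccess.conf)"` (path is an assumption); the regexes are deliberately simple and look at the fragment as text, so a directive set in an included file will not be seen, which is one more reason to keep the WebAccess vhost self-contained.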