groupwise lockdown
Download
Skip this Video
Download Presentation
GroupWise Lockdown

Loading in 2 Seconds...

play fullscreen
1 / 15

GroupWise Lockdown - PowerPoint PPT Presentation


  • 203 Views
  • Uploaded on

GroupWise Lockdown. Michael Bell, Ulrich Neumann [email protected], [email protected] About your Presenters…. Michael Bell GWAVA Lead Developer Novell Volunteer SysOp for 8 years Creator of Guinevere Director of QA at GWAVA Favorite Hobby Science Fiction Filing bugs on other devs’ products. .

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' GroupWise Lockdown ' - amity


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
about your presenters
About your Presenters…

Michael Bell

GWAVA Lead Developer

Novell Volunteer SysOp for 8 years

Creator of Guinevere

Director of QA at GWAVA

Favorite Hobby

Science Fiction

Filing bugs on other devs’ products. 

about your presenters1
About your Presenters…
  • Ulrich Neumann
    • GWAVA Lead Developer
    • Novell Virtual Software Engineer
    • Novell Developer Services Volunteer SysOp
    • Open Source Software Engineer
  • Favorite Hobby
    • Karate
agenda
Agenda

Securing your Infrastructure

Securing your Server

Securing your GroupWise Agents

infrastructure
Infrastructure

Firewall

Implement a Firewall.

Be careful opening IP Ports.

Use Proxies whenever possible.

Keep logs, and consider backing them up.

infrastructure1
Infrastructure

Backup

Create functional backups.

Test your Backups on a regular basis and keep tapes offsite.

Use GWTSA/TSAFS compliant Backup Software to obtain complete and consistent backups.

Don\'t forget to include /home switches for each Agent Directory to GWTSA.

Consider GWAVA Reload as an option!

infrastructure2
Infrastructure

Antivirus

Implement Antivirus Agents at all points of entry.

Make sure Virus Signature Files are up to date on a regular basis.

Consider adopting AV software which has a high speed response rate to virus outbreaks.

Create and enforce e-mail policy which blocks potentially malicious items. (Fingerprinting)

server
Server

Make sure you have the latest security patches installed.

Do not use CIFS to access files on a Mail Server.

Set Disk Space Limits.

Do not use the SYS Volume to store user data such as Post Offices.

Don’t use root on Linux for services.

Don\'t store data on a server outside the Firewall.

groupwise general
GroupWise General

Don\'t grant file system rights to any user.

Set all log files to “Verbose” and allow at least 30 days of logs to keep.

Don\'t use “public” as your SNMP Community string. Disable SNMP if not used.

Use SSL whenever possible

Place gateway servers (GWIA, WebAccess) in DMZ when possible. Never place them on the same server as a Post Office.

Avoid Windows if possible (too many attacks aimed at such servers)

groupwise general1
GroupWise General

Use isolated parent domains to avoid granting excess rights and increase reliability.

Don\'t scan GroupWise database files for viruses. Do scan the rest!

Turn off Web Consoles if not used by Redline or GWMonitor.

Use a comprehensive monitoring solution such as Redline or GroupWise Monitor to watch for changes in the health and configuration of your system.

groupwise domains
GroupWise Domains

Be very paranoid about allowing ANY direct access to your domain files.

Malicious attackers can (with admin rights) see and alter your entire system.

Malicious attackers can mint a Trusted Application. From then on, they don’t need direct access to do horrible things via IMAP or Object API, and soon SOAP (steal mail, alter/delete mail)

Check your Trusted Application list regularly to make sure no programs have been added.

groupwise internet agent
GroupWise Internet Agent

Upgrade from GroupWise 5.x – too many compromises and DOS attacks are possible.

Turn off all SMTP relay and use NO relay exceptions except when absolutely necessary, in which case use static ip address exceptions.

Mailbomb protection – consider enabling, but don\'t expect miracles.

Country code RBLS – bad, but possibly effective.

Limitation of GWIA RBL – only looks at last hop.

groupwise internet agent1
GroupWise Internet Agent

DNS Reverse lookup – fairly effective, but consider the possible loss of communications, especially with specific ISPs or dynamic IP configurations. No exceptions are allowed!

Disable all services not needed (POP3, IMAP, LDAP, HTTP).

If POP3 or IMAP is enabled, require SSL on these services.

Run in protected memory.

groupwise post office
GroupWise Post Office

Enable Intruder Detection.

Disable SOAP, IMAP if not needed

Force Clients to use Client/Server mode.

Use high security authentication methods (LDAP or eDirectory authentication).

LDAP authentication has many benefits

uses eDirectory password

uses eDirectory password expiration and other policies.

Allows auditing by eDirectory auditing tools.

groupwise web access
GroupWise Web Access

Use SSL to access WebAccess.

Redirect the insecure (Port 80) webpage to the secure webpage (Port 443).

Use Apache2 as the preferred web server.

Lock down your http server directories, and do not permit any “bare” directories to be browse.

Disable unneeded Apache modules.

Remove sample scripts, and http pages.

Run in protected memory.

ad