GroupWise Lockdown - PowerPoint PPT Presentation

1
GroupWise Lockdown
Michael Bell, Ulrich Neumann mjb_at_gwava.com,
un_at_gwava.com
2
About your Presenters
  • Michael Bell
  • GWAVA Lead Developer
  • Novell Volunteer SysOp for 8 years
  • Creator of Guinevere
  • Director of QA at GWAVA
  • Favorite Hobby
  • Science Fiction
  • Filing bugs on other devs' products.

3
About your Presenters
  • Ulrich Neumann
  • GWAVA Lead Developer
  • Novell Virtual Software Engineer
  • Novell Developer Services Volunteer SysOp
  • Open Source Software Engineer
  • Favorite Hobby
  • Karate

4
Agenda
  • Securing your Infrastructure
  • Securing your Server
  • Securing your GroupWise Agents

5
Infrastructure
  • Firewall
  • Implement a Firewall.
  • Be careful opening IP Ports.
  • Use Proxies whenever possible.
  • Keep logs, and consider backing them up.

6
Infrastructure
  • Backup
  • Create functional backups.
  • Test your Backups on a regular basis and keep
    tapes offsite.
  • Use GWTSA/TSAFS compliant Backup Software to
    obtain complete and consistent backups.
  • Don't forget to include /home switches for each
    Agent Directory to GWTSA.
  • Consider GWAVA Reload as an option!

7
Infrastructure
  • Antivirus
  • Implement Antivirus Agents at all points of
    entry.
  • Make sure Virus Signature Files are up to date on
    a regular basis.
  • Consider adopting AV software which has a high
    speed response rate to virus outbreaks.
  • Create and enforce e-mail policy which blocks
    potentially malicious items. (Fingerprinting)

8
Server
  • Make sure you have the latest security patches
    installed.
  • Do not use CIFS to access files on a Mail Server.
  • Set Disk Space Limits.
  • Do not use the SYS Volume to store user data such
    as Post Offices.
  • Don't use root on Linux for services.
  • Don't store data on a server outside the Firewall.

9
GroupWise General
  • Don't grant file system rights to any user.
  • Set all log files to Verbose and keep at least
    30 days of logs.
  • Don't use "public" as your SNMP Community string.
    Disable SNMP if not used.
  • Use SSL whenever possible
  • Place gateway servers (GWIA, WebAccess) in DMZ
    when possible. Never place them on the same
    server as a Post Office.
  • Avoid Windows if possible (too many attacks aimed
    at such servers)

10
GroupWise General
  • Use isolated parent domains to avoid granting
    excess rights and increase reliability.
  • Don't scan GroupWise database files for viruses.
    Do scan the rest!
  • Turn off Web Consoles if not used by Redline or
    GWMonitor.
  • Use a comprehensive monitoring solution such as
    Redline or GroupWise Monitor to watch for changes
    in the health and configuration of your system.

11
GroupWise Domains
  • Be very paranoid about allowing ANY direct access
    to your domain files.
  • Malicious attackers can (with admin rights) see
    and alter your entire system.
  • Malicious attackers can mint a Trusted
    Application. From then on, they don't need direct
    access to do horrible things via IMAP or Object
    API, and soon SOAP (steal mail, alter/delete
    mail).
  • Check your Trusted Application list regularly to
    make sure no programs have been added.

12
GroupWise Internet Agent
  • Upgrade from GroupWise 5.x: too many compromises
    and DoS attacks are possible.
  • Turn off all SMTP relay and use NO relay
    exceptions except when absolutely necessary, in
    which case use static ip address exceptions.
  • Mailbomb protection: consider enabling, but
    don't expect miracles.
  • Country code RBLs: bad, but possibly effective.
  • Limitation of GWIA RBL: it only looks at the last hop.
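
The last-hop limitation noted above, as an added example that is not part of the original slides: for a constructed message it builds the DNS names an RBL lookup would query, once for the connecting host only and once for every relay in the Received chain. The zone dnsbl.example.org, the sample message and all function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the slides). Received headers are newest first.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.25])
\tby gwia.example.com; Mon, 1 Jan 2024 10:00:02 +0000
Received: from pc-17 (unknown [203.0.113.77])
\tby relay.example.net; Mon, 1 Jan 2024 10:00:01 +0000
From: sender@example.net
Subject: constructed sample

body
"""

RBL_ZONE = "dnsbl.example.org"  # placeholder zone (assumption)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_addresses(raw_message):
    """Return the bracketed IPv4 address of each Received hop, newest first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        if match is None:
            continue
        try:
            hops.append(str(ipaddress.IPv4Address(match.group(1))))
        except ValueError:
            continue  # bracketed text was not a valid IPv4 address
    return hops


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the name a DNSBL lookup resolves: reversed octets plus the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def last_hop_only(raw_message):
    """Names queried when only the connecting host (last hop) is checked."""
    return [rbl_query_name(ip) for ip in hop_addresses(raw_message)[:1]]


def all_hops(raw_message):
    """Names queried if every relay in the Received chain were checked."""
    return [rbl_query_name(ip) for ip in hop_addresses(raw_message)]
```

Received lines below the first hop you operate are supplied by the sending side, so lookups on deeper hops are advisory rather than authoritative.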

13
GroupWise Internet Agent
  • DNS Reverse lookup: fairly effective, but
    consider the possible loss of communications,
    especially with specific ISPs or dynamic IP
    configurations. No exceptions are allowed!
  • Disable all services not needed (POP3, IMAP,
    LDAP, HTTP).
  • If POP3 or IMAP is enabled, require SSL on these
    services.
  • Run in protected memory.

14
GroupWise Post Office
  • Enable Intruder Detection.
  • Disable SOAP, IMAP if not needed
  • Force Clients to use Client/Server mode.
  • Use high security authentication methods (LDAP or
    eDirectory authentication).
  • LDAP authentication has many benefits:
  • Uses eDirectory password.
  • Uses eDirectory password expiration and other
    policies.
  • Allows auditing by eDirectory auditing tools.

15
GroupWise Web Access
  • Use SSL to access WebAccess.
  • Redirect the insecure (Port 80) webpage to the
    secure webpage (Port 443).
  • Use Apache2 as the preferred web server.
  • Lock down your HTTP server directories, and do
    not permit any bare directories to be browsed.
  • Disable unneeded Apache modules.
  • Remove sample scripts and HTTP pages.
  • Run in protected memory.
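
A check for two of the items above (the port 80 redirect and directory browsing), as an added example that is not part of the original slides: it scans Apache configuration text for a port 80 virtual host with no redirect to https and for Directory blocks that leave listings enabled. The sample configuration, host name, paths and function names are constructed assumptions.

```python
import re

# Constructed sample configuration (not from the slides).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName webaccess.example.com
    DocumentRoot /srv/www/htdocs
</VirtualHost>
<Directory "/srv/www/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/srv/www/htdocs/gw">
    Options -Indexes
</Directory>
"""

TO_HTTPS = re.compile(
    r"^[ \t]*(?:Redirect|RedirectMatch|RewriteRule)\b.*https://", re.I | re.M)
OPTIONS = re.compile(r"^[ \t]*Options[ \t]+(.*)$", re.I | re.M)


def blocks(conf, tag):
    """Return (argument, body) for every <tag ...>...</tag> section."""
    pattern = rf"<{tag}\s+([^>]+)>(.*?)</{tag}>"
    found = re.findall(pattern, conf, re.S | re.I)
    return [(arg.strip().strip('"'), body) for arg, body in found]


def audit(conf):
    """Return (section, argument, problem) tuples for the two checks."""
    findings = []
    for arg, body in blocks(conf, "VirtualHost"):
        if arg.endswith(":80") and not TO_HTTPS.search(body):
            findings.append(("VirtualHost", arg, "no redirect to https"))
    for arg, body in blocks(conf, "Directory"):
        for opts in OPTIONS.findall(body):
            # "All" switches on every option except MultiViews, Indexes included.
            if {"Indexes", "+Indexes", "All"} & set(opts.split()):
                findings.append(("Directory", arg, "directory listing enabled"))
    return findings
```

On the sample, replacing the DocumentRoot line with `Redirect permanent / https://webaccess.example.com/` and the first Options line with `Options -Indexes +FollowSymLinks` clears both findings.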