In almost every company I've ever worked with, I have
found that some of the most basic security concepts
and precautions are often overlooked. Since the topic
of security is undoubtedly very complex, the focus
of this article is basic and deals only with passwords.
The following are general guidelines for protecting
passwords on a Novell NetWare system. If you've already
got these guidelines covered, great, you're on the
right track. Look for the next issue of REDJUJU for
additional security tips and guidelines.
Passwords too short

Passwords should be a minimum of 8 characters and include non-alphabetic characters (digits and punctuation, not just letters). Length and a larger character set both make a password harder to guess or crack: every extra character multiplies the number of possibilities by the size of the character set. How long a crack takes depends on the attacker's guessing rate, but in general terms a short, letters-only password falls almost instantly, while a long password drawn from letters, digits and punctuation can take years. Note that a classic NetWare password (without NMAS) is not case sensitive, so mixing upper and lower case adds nothing; digits and punctuation do.
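The arithmetic behind that advice, as an added worked example that is not part of the original article: the search space is the character-set size raised to the password length, and the worst-case time to crack is that divided by the attacker's guessing rate. The guessing rate used for the printout and the uppercase-only character sets (26, 36 and 69 symbols, on the assumption that the NetWare login uppercases the password) are this example's assumptions; measure your own attacker's rate before quoting a number.

```python
"""Search space of a password policy and the time to guess it exhaustively."""

SECONDS_PER_YEAR = 365.25 * 86400

# Character sets available on a classic NetWare login. Assumption for this
# example: the password is uppercased before hashing (no NMAS Universal
# Password), so lower-case letters add nothing to the search space.
CHARSETS = {
    "letters only": 26,                 # A-Z
    "letters + digits": 36,             # A-Z, 0-9
    "letters + digits + symbols": 69,   # 95 printable ASCII minus 26 lower-case
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def work_factor(short_length: int, long_length: int, short_alphabet: int, long_alphabet: int) -> int:
    """How many times more work the longer, wider policy costs the attacker."""
    return keyspace(long_alphabet, long_length) // keyspace(short_alphabet, short_length)


def policy_table(lengths=(6, 8, 10, 12), guesses_per_second: float = 1_000_000.0) -> dict:
    """Return {(charset name, length): years to exhaust} for every combination."""
    return {
        (name, n): years_to_exhaust(size, n, guesses_per_second)
        for name, size in CHARSETS.items()
        for n in lengths
    }


if __name__ == "__main__":
    rate = 1_000_000.0  # assumed guessing rate, one million guesses per second
    for (name, n), years in policy_table(guesses_per_second=rate).items():
        print(f"{name:28s} {n:2d} chars: {years:14.2e} years at {rate:.0e} guesses/s")
    print("8 mixed chars vs 6 letters: %dx the work" % work_factor(6, 8, 26, 69))
```

The table makes the point of the section concrete: going from 6 letters to 8 characters drawn from letters, digits and punctuation multiplies the attacker's work by more than a million, and each further character multiplies it again by the alphabet size.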
Passwords not being changed

Users should never be allowed to keep the same password for an extended period of time. If a malicious user or intruder does obtain someone's password, regular changes limit how long that password stays useful.
Passwords not unique

Some users have figured out that they can rotate back and forth between two different passwords each time they are required to make a change. This is almost as bad as not changing the passwords at all. NetWare can stop this: the "Require unique passwords" restriction makes the server remember a user's previous passwords (the last eight) and refuse any of them.
Passwords and Sticky Notes

Under no circumstances whatsoever should an employee write their user ID and password on a sticky note and tack it to the monitor. Don't make it so easy for a bystander, the janitor, or a malicious coworker to gain unauthorized access. All employees should be instructed to keep their user IDs and passwords private.
Administrator Passwords

Password guidelines for administrators should be even stricter than for regular users: longer, more complex, and changed regularly. Furthermore, use a different password for each privileged interface, because a single shared secret turns one leak into full control of the server. For example, if you have an "Admin" account, make its password different from the remote console password and from the SNMP community strings.
HOW TO ENFORCE RESTRICTIONS

Out of the box, there are no password restrictions in place on a Novell NetWare system. You must take additional steps to enforce restrictions on the user accounts. The screen shot of ConsoleOne below shows the settings that I recommend. Depending on the needs of your company, you may want to select a longer time period between forced password changes.
Password restrictions are stored on each individual user object; there is no server-wide switch. Use ConsoleOne to select a user, right-click, and select Properties. Click on the Restrictions tab and check each box to enforce the restrictions. Note: you can change the restrictions for many users at once by highlighting multiple users and then going through the same process.

CLARIFICATIONS OF OPTIONS

In the "Date and time password expires" field: when you first check the "Force periodic password changes" box, the current date/time is automatically entered. This causes the current password to expire and will require the user to change their password the next time they log in.
The purpose of the "Limit grace logins" box is to force users to change their password to comply with the new restrictions. If they don't change it within the specified number of logins after it expires, the account can no longer log in and an administrator must reset the remaining grace logins. Because of this, give the users a little room to breathe, but not too much. I generally recommend setting it to 3.
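Because the restrictions are per-user attributes, the check a practitioner wants after setting them is an audit of the whole tree for users that still fall short. The script below is an added example, not from the original article or from Novell: it parses a constructed LDIF export of user objects and reports every user missing one of the recommended restrictions (password required, minimum length, unique passwords, forced periodic change, limited grace logins). The LDAP attribute names it reads (passwordRequired, passwordMinimumLength, passwordUniqueRequired, passwordExpirationInterval in seconds, loginGraceLimit) are the eDirectory names this example assumes; confirm them against your tree's schema. The thresholds and the sample entries are likewise constructed for the example.

```python
"""Audit NetWare/eDirectory user objects for missing password restrictions.

Reads an LDIF export (constructed sample below) and reports every user whose
restrictions fall short of the policy. Attribute names are the eDirectory LDAP
names assumed by this example: passwordRequired, passwordMinimumLength,
passwordUniqueRequired, passwordExpirationInterval (seconds), loginGraceLimit.
"""

# Policy thresholds (assumed for this example; set them to your company's rules)
MIN_LENGTH = 8
MAX_EXPIRATION_DAYS = 90
MAX_GRACE_LOGINS = 3

# Constructed sample export, not data from a real tree.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=acme
objectClass: inetOrgPerson
cn: jsmith
passwordRequired: TRUE
passwordMinimumLength: 8
passwordUniqueRequired: TRUE
passwordExpirationInterval: 7776000
loginGraceLimit: 3

dn: cn=bjones,ou=users,o=acme
objectClass: inetOrgPerson
cn: bjones
passwordRequired: TRUE
passwordMinimumLength: 5

dn: cn=admin,o=acme
objectClass: inetOrgPerson
cn: admin
passwordRequired: TRUE
passwordMinimumLength: 12
passwordUniqueRequired: TRUE
passwordExpirationInterval: 31536000
loginGraceLimit: 10
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, and folded continuation lines that start with a single space."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:     # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    """First value of a multi-valued attribute, or None when absent."""
    values = entry.get(attr)
    return values[0] if values else None


def audit_user(entry):
    """Return the list of policy violations for one user entry."""
    problems = []
    if first(entry, "passwordRequired") != "TRUE":
        problems.append("password not required")
    min_len = first(entry, "passwordMinimumLength")
    if min_len is None or int(min_len) < MIN_LENGTH:
        problems.append(f"minimum length {min_len or 'unset'} < {MIN_LENGTH}")
    if first(entry, "passwordUniqueRequired") != "TRUE":
        problems.append("unique passwords not required")
    interval = first(entry, "passwordExpirationInterval")
    if interval is None:
        problems.append("periodic password change not forced")
    elif int(interval) > MAX_EXPIRATION_DAYS * 86400:
        problems.append(f"expires every {int(interval) // 86400} days > {MAX_EXPIRATION_DAYS}")
    grace = first(entry, "loginGraceLimit")
    if grace is None or int(grace) > MAX_GRACE_LOGINS:
        problems.append(f"grace logins {grace or 'unlimited'} > {MAX_GRACE_LOGINS}")
    return problems


def audit_ldif(text):
    """Map each non-compliant DN to its list of violations."""
    report = {}
    for entry in parse_ldif(text):
        problems = audit_user(entry)
        if problems:
            report[first(entry, "dn")] = problems
    return report


if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for p in problems:
            print("  -", p)
```

On the sample, jsmith passes, bjones is flagged for a 5-character minimum and for never being forced to change or rotate passwords, and the admin account is flagged for a one-year expiry and ten grace logins, which is exactly the "administrators stricter than users" rule turned into a check. To run it against a real tree, replace SAMPLE_LDIF with the output of an ldapsearch for your user objects requesting those five attributes.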
HOT TIP!

Create and use a template for creating new users. Configure the template with the appropriate password restrictions. This will enforce consistency, and it is a painless process.