Date: Tue, 18 May 1999 23:24:23 +0200
From: THC CTheis@happycom.lu
X-Mailer: Mozilla 4.5 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Vern@Graner.com
Subject: I could not agree more

Dear Vernon,

I read your "research document" THE FACTS, and actually found myself glad and convinced that there remain reasonable people on this planet earth. As a CNE (that means Convinced Novell E.. to me) I have to fight every day against this NT-Mania (my bosses want to migrate to a business-critical application on NT 4.0, and on the fly they want to replace the existing Netware SFTIII File and Print Server (a real beauty!!) with some NT Cluster solution). I hope your document will shake them all over!

Thanks anyway,
Christian Theis
From: Mike Glynn mikeg@netpro.com
To: "'vern@graner.net'" vern@graner.net
Subject: Thank you
Date: Thu, 3 Jun 1999 14:46:57 -0700

Vern,

Thank you for such an informative site. You have addressed many of the issues that either I deal with on a daily basis or am asked all the time. My company (NetPro) has products that monitor and alert on NDS, monitor and alert on Groupwise and also troubleshoot and optimize NDS. Day in and day out I am faced with companies (and many school districts) who are trying to decide whether to stay with Novell or go to NT. In my opinion, the only reason they are even considering NT comes down to one word... Microsoft. I find that the people in the trenches all love Netware, but Microsoft has gotten to the upper level management and sold the "Microsoft hype." I think your site will help bring many issues to light.

Just so you don't think I am a total Big Red Fanatic, my company too will benefit from a raw product, Windows 2000. We have a solution that monitors, alerts and optimizes the directory for Windows 2000. Due to all the faults you pointed out, we expect to do a HUGE business playing in the NT world. So, we push people to keep Novell simply because we believe it is in their best interest. Either way, my company wins. We sell product no matter which way they go. Since we are making money either way, we have no true alliances with either direction (ok, maybe slightly towards Novell since they invested 2 mill into us). We just firmly believe that Novell is the smartest route.

Thank you again for all the information and insight this site gives.

Michael P. Glynn
NETPRO Sales
Regional Account Manager, Midwest Territory
800.998.9010
mikeg@netpro.com
http://www.netpro.com/

"Tell a man that there are 400 billion stars and he'll believe you. Tell him a bench has wet paint and he has to touch it." - Steven Wright
From: "Henry P. Segalas" hsega@aidb.state.al.us
To: "'Vernon Graner'" Vern@Graner.com
Subject: Webpage
Date: Mon, 26 Apr 1999 14:42:22 -0500
Organization: Alabama Industries for the Blind

Vernon,

I was directed to your site by one of my vendors. I found it an interesting read and wish you luck in your efforts to stave off the NT madness which seems to have taken over the planet.

I had a similar experience to the one you depict three years ago. I had a small LAN that was primarily anchored by a single Novell 3.12 server, and an NT 3.15 server that served as a window to the internet and ran our MS Mail service. Prior to my encountering NT, I had been a CNE for several years - my first Novell install was a 2.11 network. I was pretty comfortable with Novell and felt it would last forever, but I was proven wrong.

I somewhat blame Novell for their predicament. Some years ago I went to a networking conference hosted by BNUG (Boston Novell Users Group) and listened to Mr. Burton (a former Novell exec) outline what he felt would be Novell's demise. He threw up a slide that depicted the very state of affairs we have now. This speech was given by him a full year before NT was released. The writing was on the wall for Novell, and they let it happen. Of course, the media blitz that Microsoft could afford took a lot of people away. And we're still flowing down the river without a paddle.

In my case, I lost my fight to retain a network anchored in Novell. What would have required two, possibly three Novell servers quickly grew to a 9 NT server network. The cost of this was astronomical, but once committed, money kept stubbornly being spent to reach the objective. Once you step down that path, there is no end... Just promises of the next service pack or upgrade. And when it gets there, instead of the pain going away, you have to relearn everything all over again. I changed jobs and now I am totally surrounded by NT, and I whine like mad about it.
I miss the days when a network was stable and your server could be trusted. And all of my vendors know how I feel.... 'Cus they feel the pain too!

Great site. Did I say that? Good luck Vernon.

Henry P. Segalas
Manager, Information Systems
Alabama Industries for the Blind
PH: 800-348-4242 / (256) 761-3502
Fax: (256) 761-3505
hsega@aidb.state.al.us
A CNE since January 1990
From: "Jarrod Scott" jarrod_scott@dragonbbs.com
To: Vern@Graner.com
Subject: Netware vs. NT
Date: Sat, 24 Apr 1999 05:24:45 -0400
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3155.0

Vern,

I don't think you have researched your subject thoroughly enough. Any of those so-called security loopholes that you have mentioned in NT can also be exploited in Netware. I personally know of a utility that will provide a regular user with supervisor rights using NDS. I know of several utilities that will provide admin rights to just about anybody on the network and coming in from the internet (providing no firewall software). I will be the first to admit that the ideal world is an environment with NT and Netware running on the same network. But I think that you have overstated the facts.

Sincerely,
Jarrod Scott, MCSE, MCP+I
Jarrod,
Thank you for taking the time to make your opinions known. I would like to respond to your mail topic by topic.
At 05:24 AM 4/24/99 -0400, you wrote:

> Vern,
> I don't think you have researched your subject thoroughly enough.
I used both NT Server and Novell NDS platforms in a High School environment on 2 campuses for 2 years (4 net years?). In this environment, despite our applying every service pack and hotfix to our NT server, the students regularly exploited the progression of security holes I pointed out in my article. I have spent 2 years researching, verifying, updating and refining the article you refer to. I would like to know what would meet your criterion of "thoroughly enough"?
> Any of those so called security loopholes that you have mentioned in NT can also be exploited in Netware.
This statement is patently false. For starters, Novell doesn't use SMB for password traffic, so it is not subject to the L0PHTcrack utility. OGRE exploits SMB as well and consequently does not function against Novell NDS. The other security holes I mention also exploit vulnerabilities in NT that are not available under Novell due to wholesale architectural differences in the platforms. I will admit that certain kinds of attacks will function against both Novell and NT in certain circumstances (i.e. OOB or DoS), but in both these cases Novell would have to be intentionally misconfigured to fall prey to these, as the default settings defend against these styles of attack. Also, if you were using the Novell native IPX as the *only* protocol, even these attacks fail as they rely on TCP/IP to work.
> I personally know of a utility that will provide a regular user with supervisor rights using NDS.
Most of the utilities that function as you describe require access to the Novell Console. As Novell doesn't require console access for general administrative functions, there is far less chance of these exploits working. I also notice you don't give the name or source for the utility you mention, consequently making it impossible for an interested party to verify your claim.
> I know of several utilities that will provide admin rights to just about anybody on the network and coming in from the internet (providing no firewall software).
Again you do not give specifics on programs, sources or procedures. Without references to back up your statement, I cannot concede your point. Playing Devil's Advocate however, I can point out that the behavior your statement refers to can be found in a set of utilities from Simple Nomad called Pandora's box (http://www.nmrc.org/pandora/). The hack tools and procedures available there are defeated by 2 simple expedients: (1) Secure the Novell Console from physical and remote access; (2) Set NCP packet signature option = 3.
By NOT setting up RCONSOLE (the utility that allows remote access to the console) and by placing the server in a locked room, you deny hackers the ability to use console based hacks. All the password crack tools fail without this access. By signing each packet, the packet signature option defeats any of the packet "spoofing" that would allow impersonation of the administrator. In practice, the only change that must be made to the Novell server is the single line that raises the signature level to 3. Type this line once in the startup.ncf script, then lock the door to the server room and you're secure. A far cry from the pack after pack of patches you must download, unpack and install to attempt to make NT secure. And in the end my experience has shown that NT is STILL not secure.
This is not an opinion simply based on reading articles from pundits or listening to peers, this is first hand experience with 2 High School campuses full of ingenious little hackers that delight in bringing the network down. When we had NT, the network went down repeatedly. With Novell it hasn't gone down once.
> I will be the first to admit that the ideal world is an environment with NT and Netware running on the same network.
Actually, in the ideal system, NT would be stable and hack free in its own right. We have to compromise and use NT servers managed by NDS for NT. This allows NT with its vast array of sought-after capability (Back Office, IIS etc.) to be made available without subjecting either the NT box or the Network to security flaws gleefully exploited by our sub-adult hackers.
> But I think that you have overstated the facts.
I take issue with this concluding statement as the sources I present are simply used to underscore my opinion that NT is poorly suited to our particular environment. It might be possible to overuse facts or to misquote them, but in the practice of providing evidence to reinforce a conclusion, I don't think it is possible to "overstate" them. I can only assume that you imply exaggeration or alteration of the original source (facts) themselves. Since I have provided comprehensive footnotes allowing the reader to examine my sources, I don't see how this would be possible. I think it is paramount that any conclusions I draw be borne out by the supporting material. The sources I present are there so the reader may review the evidence that brought *me* to *my* conclusions. As these references are linked to the original source, how would it be possible for me to alter them?
When you provide facts to support your rebuttal, I will be happy to look at them and maybe become enriched by the experience. I enjoy debating issues if the participants are earnestly endeavoring to enlighten the person holding a contrary position. A *good* debate enriches both parties. A *flame war* is an exercise in passionate emotions and is of little value apart from dubious entertainment. I will gladly welcome the former and ignore the latter.
I am not yet MCSE although I have taken a number of the courses and expect I will have the certification (to join my MCP, my Novell CNA and my Novell CNE certs) soon. If, through your MCSE experience, you have reason to take issue with the accuracy of any of the points I have made, I would enjoy discussing your point of view. But please, make sure you provide me with Facts :)
Sincerely,
Vern Graner
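As an added example (not part of the correspondence above), here is a small Python audit of the two expedients Vern names: it reads a NetWare NCF startup script and flags a packet signature level below 3, and any LOAD REMOTE / LOAD RSPX line that would make RCONSOLE reachable. The NCF syntax (SET parameter = value, LOAD nlm, '#' comments), the sample scripts and the password placeholder are assumptions constructed for this example.

```python
"""Audit NetWare NCF startup scripts for the two hardening points in the reply.

Added example, not from the original mail thread. Assumed NCF syntax:
'SET <parameter> = <value>' and 'LOAD <nlm> [args]' lines, '#' comments.
"""
import re

# 'SET NCP Packet Signature Option = <0-3>'; case-insensitive, as NCF is.
SIG_RE = re.compile(r"^\s*SET\s+NCP\s+PACKET\s+SIGNATURE\s+OPTION\s*=\s*(\d)", re.I)
# 'LOAD REMOTE <password>' and 'LOAD RSPX' enable RCONSOLE; allow a path prefix.
LOAD_RE = re.compile(r"^\s*LOAD\s+(?:[\w:\\.]+[\\/])?(REMOTE|RSPX)\b", re.I)

def audit_ncf(text):
    """Return a list of findings for one NCF script; an empty list means it passes."""
    findings = []
    level = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SIG_RE.match(line)
        if m:
            level = int(m.group(1))           # last SET wins, like the server
            continue
        m = LOAD_RE.match(line)
        if m:
            findings.append(f"{m.group(1).upper()} loaded: remote console (RCONSOLE) reachable")
    if level is None:
        findings.append("NCP Packet Signature Option not set; the default is not 3")
    elif level < 3:
        findings.append(f"NCP Packet Signature Option = {level}; signing is not mandatory")
    return findings

# Constructed sample scripts (not real server files).
WEAK_NCF = """
# constructed: signing left at level 1, remote console enabled
SET NCP Packet Signature Option = 1
LOAD REMOTE placeholder_password
LOAD RSPX
"""

HARDENED_NCF = """
# constructed: the single line Vern describes, and no RCONSOLE modules
SET NCP Packet Signature Option = 3
"""

if __name__ == "__main__":
    for name, script in (("weak", WEAK_NCF), ("hardened", HARDENED_NCF)):
        print(name, audit_ncf(script) or ["OK"])
```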