T 3.50 Improper configuration of Novell eDirectory
A faulty software configuration is one of the most common reasons for the success of an attack. The high level of complexity and the large number of parameters available with eDirectory may lead to additional security problems due to overlooked side-effects.
Possible misconfigurations may concern, amongst other things:
- the creation and definition of the tree structure itself,
- the configuration of the certificate server,
- the configuration of the objects to be represented,
- the configuration of the access mechanisms,
- the granting of the access rights (see T 3.51 Errors in the assignment of access rights in Novell eDirectory),
- the configuration of the intranet client access to the directory service (see T 3.29 Lack of, or unsuitable segmentation),
- the LDAP access to eDirectory (see T 3.53 Errors in the configuration of LDAP access to Novell eDirectory),
- the configuration of the partitions of the directory database,
- the configuration of the replication of the eDirectory,
- the configuration of the eDirectory events to be logged,
- the configuration of the real-time alert mechanism,
- the configuration of the iMonitor tool for web-based remote monitoring, and
- the configuration of an automated backup mechanism.
The configuration of the system must fundamentally be in accordance with the security policy. Misconfigurations entail the risk that this policy is implemented inconsistently, which means that the objectives of the security policy cannot be achieved.
eDirectory allows role-based administration of the directory system to be configured and administrative rights to be delegated. A misconfiguration of these functionalities may lead to significant problems due to unauthorised system accesses. Furthermore, there is a risk that proper administration will be impossible if these functionalities are configured incorrectly.
The following list provides an overview of the security-relevant potential consequences of a misconfiguration of Novell eDirectory:
- selection of authentication mechanisms that are too weak,
- incorrectly assigned rights granting access to the objects of the directory service,
- unauthorised system accesses using the administration interface,
- inadequate protection against attacks on the system,
- blocking of the administration capabilities of the system,
- erroneous or slow replication of the data between the directory databases, as well as
- discrepancies in the implementation of the security policy.