LDAP and Apache security issues detected by network scan on Netware 6 servers

My network has been scanned and my Netware 6.0 servers were found to have numerous issues regarding LDAP and Apache.  I have searched and have not been able to find anything that works.  Security alerts are as follows:

HttpTraceEnabled
ApacheServerTokenNotSet
LDAP Nullbind
LDAP NullSubtree
LDAP Schema

Any help will be appreciated.
clpease Asked:

PsiCop Commented:
Ah, network scans. Great way to make money for the consultants. Never mind you pay them for what you could easily do yourself.

NetWare v6.0 loads an LDAP server by default. Kinda stupid, but everyone got into the habit of emulating Micro$oft and turning on most services in default installs.

You certainly don't need more than one or two LDAP servers in any network, and if you don't use LDAP-enabled services, then you don't need the LDAP server component at all. You can disable it on each NetWare server by unloading NLDAP.NLM. You can make the change permanent by commenting out (or deleting) the "LOAD NLDAP.NLM" statement in AUTOEXEC.NCF.

Similarly, the Apache webserver was a default component of NetWare v6.0. There may be two instances of Apache - a "user" instance for typical web pages, and an "admin" instance for iManager, Novell's web-based management interface for the eDirectory/NetWare environment. Look for lines like "ADMSRVUP" and "APWEBUP" in AUTOEXEC.NCF.
ShineOn Commented:
Note that if you rem out ADMSRVUP (or NVXADMUP on NW6) then you won't have iManager access.

If they explain the "TokenNotSet" alert, perhaps you can address that, without crippling your administration capabilities.
ShineOn Commented:
Also note that Tomcat uses secure LDAP to authenticate, and tomcat is what is used for iManager, so it may be unwise to simply unload/rem out NLDAP too.  Maybe set up your LDAP group to only allow secure LDAP?
ShineOn Commented:
Also, it'd be nice to know what SP level your NW6 servers are at, because there may be security vulnerabilities in the SP you're running under.  There actually were a handful of security issues that have been addressed over the years, so applying the SP/patch may have closed one or more of the things found by the scan.
clpease Author Commented:
I was able to find a fix for the LDAP issues by going into Console1 under the LDAP Server object properties and then restrictions.  Under the bind restrictions you can set to disable anonymous etc.

Still have the others as they relate to apache and http.  And I have NetStorage, NDPS, FTP server, and iManager so I can't stop the web server etc.

I am running Netware 6 SP5 and edirectory 8.7.3.3
ShineOn Commented:
So what's left is the "HTTP TraceEnabled" and "ApacheServer TokenNotSet" ?

The TraceEnabled thing can be disabled using a Mod_rewrite method as per this CERT note: http://www.kb.cert.org/vuls/id/867593

I'd think you'd add it to sys:/apache/http.conf

The TokenNotSet thing is another directive, also set in the http.conf file, if I'm not mistaken.  Here's a link with info on that. http://www.bsi.bund.de/english/gshb/manual/s/s04194.html
ShineOn Commented:
Oops, miskey - that'd be httpd.conf, not http.conf... :P
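
Added example, not part of the original thread or of any poster's configuration: a small offline check that reads httpd.conf text and reports which of the two remaining scanner findings it would still trigger. The sample configs, the host name and the function names are constructed for illustration; the hardened sample uses the mod_rewrite TRACE block described in the CERT note plus `ServerTokens Prod`.

```python
import re

# Constructed sample configs for illustration (not from a real server).
WEAK_CONF = """\
ServerName nw6.example.com
# ServerTokens Prod
"""

HARDENED_CONF = """\
ServerName nw6.example.com
ServerTokens Prod
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
"""

def directives(conf_text):
    """Yield (lowercased name, argument string) for each active directive."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and container tags such as <VirtualHost>.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit(conf_text):
    """Return the scanner finding names this config would still trigger."""
    d = list(directives(conf_text))
    findings = []
    # TRACE counts as blocked only if the rewrite engine is on and a
    # REQUEST_METHOD/TRACE condition is directly followed by a rule with [F].
    engine_on = any(n == "rewriteengine" and a.lower() == "on" for n, a in d)
    trace_rule = any(
        n1 == "rewritecond" and re.search(r"%\{REQUEST_METHOD\}\s+\S*TRACE", a1, re.I)
        and n2 == "rewriterule" and re.search(r"\[[^\]]*\bF\b[^\]]*\]\s*$", a2)
        for (n1, a1), (n2, a2) in zip(d, d[1:])
    )
    if not (engine_on and trace_rule):
        findings.append("HttpTraceEnabled")
    # No ServerTokens line means Apache's default (Full) is in effect.
    # Assumption: the last occurrence in the file is the one that applies.
    tokens = [a.lower() for n, a in d if n == "servertokens"]
    if not tokens or not tokens[-1].startswith("prod"):
        findings.append("ApacheServerTokenNotSet")
    return findings
```

The check is flat: it ignores `<VirtualHost>` scoping, and mod_rewrite settings are not inherited by virtual hosts by default, so each virtual host's section needs the same review.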
