NOVELL TECHNICAL INFORMATION DOCUMENT

TITLE: Change Password Service Version 1.2d
AUTHOR: SM
DOCUMENT ID: TID101703
DOCUMENT REVISION: A
DATE: 1998/06/4 6:28 PM
ALERT STATUS: Yellow
INFORMATION TYPE: Issue
README FOR: CPS12D.EXE
NOVELL PRODUCT CLASS: NetWare API
NOVELL PRODUCT and VERSION: NetWare SDK
CATEGORY: none

ABSTRACT: An example program that demonstrates a simple proxy service that allows the creation of a 'password administrator' on NetWare 4.x networks.

DETAILED DESCRIPTION

-- Identification ---------------------------------------------------

Novell DeveloperNet Change Password Service Example Program
Version 1.2d
5 May 1998

-- Legal ------------------------------------------------------------

Copyright 1996 Novell, Inc. All Rights Reserved.

With respect to this file, Novell hereby grants to Developer a royalty-free, non-exclusive license to include this sample code and derivative binaries in its product. Novell grants to Developer worldwide distribution rights to market, distribute or sell this sample code file and derivative binaries as a component of Developer's product(s). Novell shall have no obligations to Developer or Developer's customers with respect to this code.

DISCLAIMER: Novell disclaims and excludes any and all express, implied, and statutory warranties, including, without limitation, warranties of good title, warranties against infringement, and the implied warranties of merchantability and fitness for a particular purpose. Novell does not warrant that the software will satisfy customer's requirements or that the licensed works are without defect or error or that the operation of the software will be uninterrupted. Novell makes no warranties respecting any technical services or support tools provided under the agreement, and disclaims all other warranties, including the implied warranties of merchantability and fitness for a particular purpose.
-- Overview --------------------------------------------------------

Change Password Service Version 1.2d (CPS) is an update of the program developed by Novell DeveloperNet services and published in the September 1998 edition of the Novell AppNotes journal.

CPS is an EXAMPLE PROGRAM. It was designed to be used as a learning tool for Novell developers. The program is released with all source code and, as the copyright notice indicates, anyone is free to further develop and sell programs based on this example. Someone could even put this program in a box and sell it together with support, as Novell DeveloperNet does not provide support for the operation of this program.

Having said we do not support the program, Version 1.2d addresses many of the problems that Version 1.0 has in real world networks. Here is a list of the key improvements that have been made:

- Unique Passwords - The NLM now creates a random password and then attempts to set the user's password to this new random word. If this is successful the password is displayed in the NetWare Administrator SnapIn.

- Better Use of NDS - CHPASSWD harnesses the power of object trustees to determine who can reset whose password. By leveraging the effective rights model, you can assign a group or organizational role the right to reset passwords, making the real world implementation far more elegant.

- No Admin Resets - CPS will not reset any user that has high level rights over themselves, or over the helpdesk user requesting the reset. This means that CPS cannot be used to gain control over high powered NDS accounts.

- Improved Client - The client now remembers the server hosting the CHPASSWD NLM, making the real world use of this service more effective. The helpdesk staff now do not select the password, so the system becomes more secure as common passwords are not used by the helpdesk.
- Secure, Automated Login Now Possible - Any program that relies on source code secrecy for security can become the target of an attack, as hackers love to reverse engineer things. This version of CPS, when combined with a console security package and physical server security, will provide a very high level of password safety together with the convenience of automatic startup.

- Country Aware - The client software is able to deal with NDS trees that have a country specifier. Previous versions were not able to do this. An interesting note is that the previous version, which is not country aware, works correctly with the new NetWare 5 client software.

- CW3220.DLL no longer required - The functions needed by the CHPASSWD.DLL have been directly linked in. This change has made the CHPASSWD.DLL 20Kb larger in size. Since the CW3220.DLL is around 230Kb in size this change saves space and makes the system easier to use, wins all round... The space saving occurs because the CW3220.DLL supplies many functions that are not used by the CHPASSWD.DLL. By statically linking these functions into the CHPASSWD.DLL, only the required functions are included.

-- Installation ---------------------------------------------------

There are 4 steps needed to install CPS: extend the schema, install the server, install the client and assign rights to helpdesk staff.

-- Extend the Schema --

Required Files: CPSCHEMA.EXE

CPS now uses an NDS Schema Extension to control who can reset passwords. The name of the extension is OZDEVNET:CanResetPW. The CPSCHEMA.EXE program is a Win32 console mode application that is used to extend the schema. The program needs to be executed once with the following command line:

    CPSCHEMA.EXE TreeName

This will add the OZDEVNET:CanResetPW attribute to the schema of the tree named on the command line. This attribute has not been added to any objects in the schema; it is technically a non-effective attribute. NDS allows you to grant trustees to attributes an object does not have.
This means that although OZDEVNET:CanResetPW is not part of any object in the schema, you can still grant rights to this attribute. The following step makes the assignment of these rights simpler with NWAdmin.

The NetWare 5 version of the NetWare Administrator program shows all the attributes in the schema on every object, negating the need to add the attributes to an object in order to see them in the Administrator program. Only follow the instructions in the following paragraphs if you want to make the current version of the NetWare Administrator program easier to use.

When you right click on an object in NWAdmin and select the trustees of this object, you only see the attributes that belong to the class. Since OZDEVNET:CanResetPW is a non-effective attribute, you will not see it in this list with the current version of the NetWare Administrator program. To assign rights to a non-effective attribute you need to work backwards, from the object you are giving the rights to, not the object getting an additional trustee. The "Rights to Other Objects..." command, also found by right clicking on the object, is used for this purpose.

To make assigning rights more natural, the CPSCHEMA.EXE program allows you to add the OZDEVNET:CanResetPW attribute to one or all of the user, organization and organizational unit object types:

    CPSCHEMA.EXE TreeName [/ExtendUser | /ExtendO | /ExtendOU | /Remove]

The reason the program does not add the extension by default is that you currently cannot remove schema extensions that have been added to base object types. You can however remove non-effective attributes. The remove option will only work if the extension has NOT been added to any other objects.

-- Install the Server Components --

Required Files: CHPASSWD.NLM CHPASSWD.LST

Once the schema extension has been added, you then need to load the server based components.
This is done by copying the CHPASSWD.NLM to the SYS:SYSTEM directory on the server and placing the CHPASSWD.LST file in the SYS:ETC directory. The command line options for CHPASSWD.NLM are:

    CHPASSWD.NLM ChangePasswordUserName [options]

A special object is no longer used by the change password service to login to the NDS Tree. You need to create a normal user object with NetWare Administrator for the program to use. You would then set the login address restrictions for the new user to just the internal address of the server, making it harder for people to use this account as a security loophole.

The NLM depends on another NLM called DSAPI which was not included in the autoload list. Should CHPASSWD not load, please load DSAPI.NLM before CHPASSWD.NLM.

The ChangePasswordUserName is the full NDS name of the object, without any leading or trailing periods. The name is NOT relative to the context of the server, so you need to specify the full name. Where the top container in your tree is a country, you must supply a qualified NDS name.

The CHPASSWD.LST file is a word list used by the NLM to generate passwords. Only the first 128 words are read from the file, with one word per line. The program then picks 2 words and combines them with a period to form the new password.

There are now a number of options available on the command line. Here is a list of each of the options and the effect they have on the program.

/Password UsersPassword

This option sets the password that belongs to the user specified on the command line. By setting the password here the service will start up automatically. See Q8 in the FAQ for methods of making the console secure.

/Log Volume:Path\File

This option will write the messages displayed on the screen by the service to the specified file. This file can be placed on any volume on the server.

/LogDetails

This option forces the program to show detailed log information on the screen by default.
By pressing any key when the program is running a menu is displayed which enables you to change the level of logging.

/NPC Number   Default = 2
/NPS Text     Default = ""
/NPJ Text     Default = "."
/NPE Text     Default = ""

There are four options here that control how the new password is generated. Earlier versions of the program picked two words from the file called chpasswd.lst and joined them together with a period. By using these options you can change the way the new password is generated. The NP in these commands stands for New Password, with the last character standing for (C)ount, (S)tart, (J)oin and (E)nd.

To generate the newpass string the program will start with the text specified by the /NPS command. A random word is then selected and added to the newpass string. If the /NPC is greater than 1, which by default it is, the join character is then added to the newpass string, followed by another random word. This procedure is followed the number of times specified by the /NPC parameter. Finally the /NPE text is added to the string, forming the new password.

An example of how the system works is presented here. We will assume the CHPASSWD.LST contains 3 words: DOG, CAT and RAT. If you do not specify any of these options, some of the possible passwords are:

    DOG.RAT, DOG.CAT, DOG.DOG, RAT.CAT, CAT.DOG etc...

If you load chpasswd with /NPC 3 /NPS "PasswordIs" /NPJ "-" you get:

    PasswordIsDOG-CAT-RAT, PasswordIsCAT-CAT-RAT etc...

A more likely example is /NPC 1 /NPE "BERT" giving:

    DOGBERT, CATBERT and RATBERT

/NoIRFCheck

Where your environment contains no Inherited Rights Filters this command instructs the program not to take them into account when calculating rights to the objects.

/NoAARCheck

This command can be used to speed up the checks done when a password is reset. This command prevents the program from checking what rights have been assigned to the [All Attributes Rights].
You do not need to do this if administrators are given [Entry Rights] to the object, as having [Entry Rights] means that you have [All Attributes Rights].

/MinTreeDepth Number

This command shifts the point where the search for rights is stopped. The program used to stop the search for rights at the [Root] object, meaning the program was always walking to the root of the tree. In large environments this can be a slow operation. This command shifts the point where the search is stopped down the tree. By doing this any rights assigned above the point where the search is stopped will not be taken into account. Here is an example of container depths; 0 is the default value for this parameter.

    0      1        2               3
    [Root].O=Novell.OU=Asia-Pacific.OU=Sydney

By specifying a depth larger than the depth of your tree, you can prevent the service from tree walking to find rights.

NDS on NetWare 5 has a new feature where an attribute level trustee can become inheritable, negating the need for the CPS program to search the tree for rights. If you are using NetWare 5 then load the NLM with /MinTreeDepth set to a large number and use the new attribute inherit system to grant access to the Change Password Service attribute OZDEVNET:CanResetPW.

-- Install the Client Components --

Required Files (NetWare 4): CHPASSWD.DLL SNAPIN32.DLL CHPASSWD.REG
Required Files (NetWare 5): CHPASSWD.DLL

Installing the client component involves placing the 3 DLL files somewhere in the workstation's path. You then need to run the .REG file; this can be done by right clicking on the file in the Windows Explorer, or simply executing the file from the command line by typing the full name of the file. Once this has been done you can then start NWAdmin. By selecting a user and looking at their details, a new page should have been added to the dialog.

Tip: You can re-arrange the order of the pages by right clicking in the dialog and selecting the page options menu item.
By doing this you can move the change password service page closer to the top, making the process faster for the helpdesk staff.

The first time you change a user's password the change password server will be blank, so you need to browse and find the server. Once this has been done the server name is stored in the user's local registry, so it does not need to be set again.

* A note for the NetWare 5 users. The new version of the NetWare Administrator does not require the registry extensions to operate. If you simply place the CHPASSWD.DLL into the directory SYS:PUBLIC\WIN32\SNAPIN\ NetWare Administrator will load the Snap-In automatically.

-- Grant Rights to Reset Passwords --

Once the above steps have been completed, you need to assign the rights to the service. In the previous version of CPS, there were two user lists maintained: those users who can use the service and those accounts that cannot be reset. CPS Version 1.2d uses the NDS concept of effective rights to an attribute, with a small twist, to control who can and cannot change passwords. Here are the steps followed by CHPASSWD.NLM to determine if one user can reset another user's password:

- Step 1 - Check the requesting user's effective rights to the target object's OZDEVNET:CanResetPW attribute. If the requesting user has supervisor rights over the attribute, goto Step 4, else goto Step 2.

- Step 2 - Since the requesting user does not have supervisor rights over the attribute, check to see if an Inherited Rights Filter is present that would stop rights assigned higher in the tree from flowing down. If an IRF is present, goto Step 5, else goto Step 3.

- Step 3 - The requesting user does not have supervisor rights over the attribute and there is not an IRF preventing rights assigned to a container from flowing down. This step changes what the target object is. If the target object is a user object, then change the target object to be the container holding the user, then goto Step 1.
If the target object is a container object and it is not contained by the root object, set the target object to be the container's container and goto Step 1. Otherwise the container must be directly below the root object, so goto Step 5.

- Step 4 - The requesting user has been granted permission to change the target object's password. Once the helpdesk user has been cleared to change the user's password, the NLM then checks to see if the user has special NDS rights. If the user has been assigned Write / AddSelf / Supervisor to AllProperties of themselves or of the helpdesk user then CPS will not reset the password. If the user has been assigned Delete / Create / Rename / Supervisor Entry rights over themselves or over the helpdesk user then CPS will not reset the password. The NLM also checks containers holding both the helpdesk and target users to ensure the target user has no special NDS rights. This means that CPS cannot be used to gain admin rights above either user in the NDS tree. These users must have their password reset manually.

- Step 5 - The requesting object has been denied the right to change the user's password.

What all this means is that the CHPASSWD.NLM pretends that rights assigned to an attribute in an object can be inherited. It means that by adding a single trustee you can grant a user, group or organizational role the right to reset passwords in an entire subtree. Step 4 adds a lot of value to the service by preventing the CPS program from resetting administrator accounts. Without this you would need to place an IRF on these users to prevent the helpdesk staff from resetting them.

-- FAQ -------------------------------------------------------------

There have also been some questions asked by various people, so here is a mini-FAQ about the change password service....

Q1. Is CPS required with NetWare 5?

NetWare 5 adds a new attribute called "Password Administrator" to the default NDS schema.
If User1 has the [W]rite right to this attribute on User2, then NDS will allow User1 to reset User2's password without having supervisor rights over the object. Combined with the new ability to make attribute trustee assignments on container objects inheritable, this allows the creation of "Password Administrators".

The Change Password Service adds a lot of value to the password resetting procedure, even in a NetWare 5 environment. Here are some reasons why you would want to run CPS even in a NetWare 5 environment.

* By using CPS all the password attempts are logged in one place. Without CPS you would need to turn NDS auditing on to capture these events.

* CPS will not reset a user who has administrator rights over themselves or the helpdesk user. This makes it simpler to implement an environment where "Password Administrators" are not allowed to reset "NDS Administrators" passwords.

* CPS selects a different password for every user, increasing the security of the password resetting process. Without CPS you would need to develop your own program or implement human procedures to do this.

* In a NetWare 4 environment, the user that the NLM logged into NDS with required supervisor rights to be able to reset the passwords. With NetWare 5 you are able to revoke the supervisor rights and grant "Password Administrator" rights to this object, making this user a less attractive account for hackers to attack.

Q2. What patches are needed on the server to run CPS?

The program was developed on a NetWare 4.11 machine with Service Pack 4. I know the program will not load on a native 4.11 server due to missing calls in the directory services NLM.

Q3. Why all the options on the CPSchema program?

You only need to use these options on NetWare 4. When you grant rights to an attribute in NetWare 5, all the attributes in the schema are displayed. The attributes the object has are black and the additional attributes are gray in color.
You would only use the other options in the CPSchema program if you are in a NetWare 4 environment and want to make the assigning of rights simpler. In my own network I would not bother running CPSchema with the additional parameters. For those who want to make life a little simpler, read on....

CPS only uses NDS to determine if one user can reset another user's password. It does this by checking the requesting user's effective rights to an attribute called OZDEVNET:CanResetPW. NDS allows you to assign rights to an attribute which the object does not actually have. Presented here are two examples: the first only adds the attribute, whereas the second also uses the /ExtendOU option.

This is what happens if you only run "CPSchema TreeName". The new attribute is created in the NDS database, but it is NOT associated with any object types. When you right click on an object in NWAdmin and select the "Trustees of this Object..." menu option, only attributes that belong to the object are shown in the "Property Rights" section, so the OZDEVNET:CanResetPW attribute will not be shown. To grant a group of users rights to reset passwords in a branch of your tree you will need to work backwards from the group. By right clicking on the group object and selecting the "Rights to other objects..." option you will need to tell NWAdmin where to start looking for assigned rights. You will need to select the container above the branch that you want to allow access to. The "Property Rights" in the dialog shown after the search will contain all attribute types in the schema, including the OZDEVNET:CanResetPW attribute. You can use the /Remove option to remove the OZDEVNET:CanResetPW attribute from the tree if you have not run any of the /Extend options.

If you run "CPSchema TreeName" and then "CPSchema TreeName /ExtendOU" you will find assigning rights simpler. Now when you select the "Trustees of this Object..."
you will find OZDEVNET:CanResetPW in the list of "Property Rights" of the Organizational Unit object. The down side of this method is that you cannot remove the OZDEVNET:CanResetPW attribute from the OU object. The current releases of NDS do not allow the removal of schema extensions made to base object types. So the reason behind all the options is to allow you to decide if you want to be able to remove the schema extension. It is conceivable that in the future NDS may allow the removal of schema extensions made to base object types.

Q4. How safe is the program? Is it likely to damage the NDS tree?

All the source code is published with the program, so you are able to see exactly what the program is doing. To reset the password the program uses NWDSChangeObjectPassword; it also uses NWDSModifyObject to set the "Reset By Intruder" attribute. Implementing any new program involves some risk, and as the account used by this program has high level rights the impact of a problem would be greater. You would have to weigh the risk of your current security exposure with lots of "administrators" against what the program could do if something goes wrong with the program. I would consider the risk to be low, but please read the program licence for the terms that you are accepting by using the program....

Q5. What rights does the user that the NLM logs in as need? How should I set up the account?

The best thing to do is create a new user and call it something like "PasswordAdmin" so you know what it is. You would then restrict the addresses that this user can login from to the internal address of the server. This address is XXXXXXXX:000000000001 where XXXXXXXX is the internal network address of the server that will be running the CHPASSWD.NLM. You will then need to set this user's password, and then set the options so that this password does not expire and cannot be changed.
CPS cannot be used to reset the password of this user: since it has rights over itself, CPS will not allow the change. You now need to assign the rights to this new user to be allowed to reset the NDS passwords. This can be done by placing the user in the groups that you currently use to assign your administrators rights to reset passwords. If you are running NetWare 5, you can grant the PasswordAdmin user rights to the "Password Management" attribute to restrict the rights assigned to the user.

Q6. How will the program perform with multiple helpdesk users requesting resets of users across a WAN?

Requests are handled one at a time. The server will hold requests for a maximum of 10 seconds before returning to the client with a timeout. At the client you can simply send the request again. 'Real World' testing has shown that resetting a password takes between 2-5 seconds so this should not be a problem.

Q7. What programs are available to protect the password on the command line in AUTOEXEC.NCF?

The only program I have seen is called SecureConsole. This program is developed by a company called Protocom Development Systems. This program was highlighted in the "Keeping Hackers Out of Your Network" session at BrainShare 98 in Salt Lake City. Their URL is: http://www.serversystems.com

If anyone else knows of products that could be used to make the Change Password Service more secure, please email me.

Q8. What rights have to be assigned for CPS to work?

There are two steps involved in assigning the NDS rights necessary for the Change Password Service to operate.

Step 1: Allow the CPS user to reset passwords.

Using CPS means that you can have helpdesk staff who can reset passwords without having supervisor rights. The user that does have the right to reset the password is controlled by the Change Password Service NLM. So the user that you create for CPS to use has to have enough NDS rights to reset the password on behalf of your helpdesk users.
In a NetWare 4 environment you will need to give the user supervisor rights over all the objects that you want the CPS program to manage. You can run the CHPASSWD NLM on more than one server so that the rights can be granted lower down in the tree. In any case this is a very high powered account and steps should be taken to protect the password that it uses, along with restricting the addresses that the user can login from.

In a NetWare 5 environment you can make this user an official Novell "Password Administrator". This is done by granting the user [W] rights to the "Password Management" attribute and making it inheritable. This user is not as powerful as it was in NetWare 4, but it still has the ability to reset other users' passwords. If the CPS user has the rights to change a REAL Administrator's password then I would suggest placing an IRF on the "Password Management" attribute, preventing the account from being used to manually gain control over real administrator accounts. CPS cannot be used to reset any user that has administrator rights over themselves or the helpdesk user requesting the reset.

Step 2: Allow users to use the Change Password Service.

Once you have completed step one, you then have to allow your helpdesk staff access to the Change Password Service. CPS checks the effective rights to the OZDEVNET:CanResetPW attribute to decide if one user can reset another user's password. If CPS is told by NDS that the requesting user has the [W] right to the OZDEVNET:CanResetPW attribute then it will move on to the next stage of the security checking.

There are a number of ways that a user can be assigned the rights necessary to satisfy CPS. If the requester has supervisor level object rights over the target user then by definition they will have [W] rights to the OZDEVNET:CanResetPW attribute; in fact they have supervisor access to all the user's attributes.
Normal helpdesk staff would not get their rights via this route as this defeats the whole purpose of CPS...

The best way to assign the necessary rights to your helpdesk staff is to create a group and place your "Password Administrators" into this group. You would then add an NDS rights assignment to the container in the tree where the end users reside. Because CPS supports attribute trustee inheritance in both NetWare 4 and NetWare 5, you can place this trustee on a high level container to allow the group to manage all the passwords from there down.

NOTE: The rights that you have assigned to the CPS user and the rights you grant to the users of CPS should match. A user can request that CPS reset any user in the tree. If the helpdesk user has not been assigned the rights to the OZDEVNET:CanResetPW attribute the password change will be denied by the CHPASSWD NLM. If you ask CPS to reset a user it does not have sufficient NDS rights to, then you will get a -672 error, which means insufficient NDS rights to reset the password.

-----------------------------------------------------------------
DISCLAIMER

THE ORIGIN OF THIS INFORMATION MAY BE INTERNAL OR EXTERNAL TO NOVELL. NOVELL MAKES EVERY EFFORT WITHIN ITS MEANS TO VERIFY THIS INFORMATION. HOWEVER, THE INFORMATION PROVIDED IN THIS DOCUMENT IS FOR YOUR INFORMATION ONLY. NOVELL MAKES NO EXPLICIT OR IMPLIED CLAIMS TO THE VALIDITY OF THIS INFORMATION.
-----------------------------------------------------------------
Self-Extracting File Name: CPS12D.EXE

Files Included:               Size   Date    Time
CPS12D.TXT (this file)
SNAPIN32.DLL                  23040  6-4-98  6:24 PM
SERVER.ZIP                    31887  6-4-98  6:24 PM
README.TXT                    29936  6-4-98  6:24 PM
CPSCHEMA.EXE                  45056  6-4-98  6:24 PM
CLIENT.ZIP                    42488  6-4-98  6:24 PM
CHPASSWD.REG                    332  6-4-98  6:24 PM
CHPASSWD.NLM                  26004  6-4-98  6:24 PM
CHPASSWD.DLL                  49152  6-4-98  6:24 PM
CHPASSWD.LST                    647  6-4-98  6:24 PM
CPS12D.TXT                    31838  6-4-98  6:24 PM
CPS12D.MSG                      141  6-4-98  6:24 PM

Installation Instructions:

CPS12D.EXE can be found on:
The DeveloperNet Support World Wide Web site (developer.novell.com/engsup/sample/new.htm)

-----------------------------------------------------------------
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
-----------------------------------------------------------------
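The new-password generation described under the /NPC, /NPS, /NPJ and /NPE options in "Install the Server Components", worked through as an added example (not code from CPS or Novell): it builds passwords from a constructed stand-in for CHPASSWD.LST and also computes the size of the resulting password space, which the text does not spell out. The CSPRNG selection and the sequence_picker helper are assumptions of this example.

```python
# Added example, not CPS source: how CHPASSWD.NLM builds a new password from
# CHPASSWD.LST under /NPC, /NPS, /NPJ and /NPE, and how large the space of
# possible passwords is. The word list and the random picker are constructed
# assumptions; the page does not document the NLM's own random selection.
import itertools
import math
import secrets

MAX_WORDS = 128          # the NLM reads only the first 128 words of CHPASSWD.LST

# Constructed stand-in for CHPASSWD.LST, matching the DOG/CAT/RAT example in the text.
SAMPLE_LST = "DOG\nCAT\nRAT\n"


def load_word_list(text, max_words=MAX_WORDS):
    """One word per line, blank lines ignored, only the first max_words are used."""
    words = [line.strip() for line in text.splitlines() if line.strip()]
    return words[:max_words]


def generate_password(words, npc=2, nps="", npj=".", npe="", pick=secrets.choice):
    """/NPS text, then /NPC randomly chosen words joined by /NPJ, then /NPE text.
    `pick` defaults to a CSPRNG choice (assumption) and is injectable for checking."""
    if npc < 1:
        raise ValueError("/NPC must be at least 1")
    if not words:
        raise ValueError("CHPASSWD.LST yielded no words")
    return nps + npj.join(pick(words) for _ in range(npc)) + npe


def all_passwords(words, npc=2, nps="", npj=".", npe=""):
    """Every password the options can produce (words may repeat, e.g. DOG.DOG)."""
    return sorted({nps + npj.join(combo) + npe
                   for combo in itertools.product(words, repeat=npc)})


def password_space_bits(word_count, npc=2):
    """Entropy of the random part: word_count ** npc choices. /NPS, /NPJ and /NPE
    are fixed text and add nothing, so the default 128 words x /NPC 2 is 14 bits;
    treat the result as a one-time credential the user must change at next login."""
    return npc * math.log2(word_count)


def sequence_picker(seq):
    """Deterministic picker that returns the given words in order (for checks/demos)."""
    it = iter(seq)
    return lambda words: next(it)


if __name__ == "__main__":
    words = load_word_list(SAMPLE_LST)
    print(generate_password(words))                                    # e.g. DOG.RAT
    print(generate_password(words, npc=3, nps="PasswordIs", npj="-"))  # e.g. PasswordIsDOG-CAT-RAT
    print(generate_password(words, npc=1, npe="BERT"))                 # e.g. DOGBERT
    print("%d combinations, %.1f bits" % (len(all_passwords(words)), password_space_bits(len(words))))
    print("default 128-word list, /NPC 2: %.0f bits" % password_space_bits(MAX_WORDS))
```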
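The Step 1 to Step 5 rights walk from "Grant Rights to Reset Passwords", together with the /NoIRFCheck, /NoAARCheck and /MinTreeDepth options, modelled as an added example (not the CHPASSWD.NLM source): the tree, object names, trustee assignments and the simplified effective-rights model (direct trustee entries plus group security equivalence) are constructed assumptions of this example.

```python
# Added example, not CHPASSWD.NLM source: a model of the Step 1-5 walk used to
# decide whether one user may reset another's password, with /NoIRFCheck,
# /NoAARCheck and /MinTreeDepth. Effective rights are simplified to direct
# trustee entries plus security equivalence (group membership); all names,
# tree layout and rights below are constructed.
from dataclasses import dataclass, field

ATTR = "OZDEVNET:CanResetPW"
AAR = "[All Attributes Rights]"
ROOT = "[Root]"


@dataclass
class Tree:
    parent: dict                                       # object -> parent container
    attr_rights: dict = field(default_factory=dict)    # (object, attribute) -> {trustee: rights}
    entry_rights: dict = field(default_factory=dict)   # object -> {trustee: rights}
    equiv: dict = field(default_factory=dict)          # identity -> groups it is equivalent to
    irf: set = field(default_factory=set)              # objects whose IRF blocks ATTR inheritance

    def depth(self, obj):
        """[Root]=0, O=1, OU=2, ... as in the /MinTreeDepth example."""
        d = 0
        while obj != ROOT:
            obj, d = self.parent[obj], d + 1
        return d

    def ancestors(self, obj):
        while obj != ROOT:
            obj = self.parent[obj]
            yield obj

    def _union(self, table, subject):
        ids = {subject} | self.equiv.get(subject, set())
        return set().union(*(table.get(i, set()) for i in ids))

    def entry_eff(self, obj, subject):
        return self._union(self.entry_rights.get(obj, {}), subject)

    def attr_eff(self, obj, attr, subject, no_aar_check=False):
        rights = self._union(self.attr_rights.get((obj, attr), {}), subject)
        if not no_aar_check:                           # skipped under /NoAARCheck
            rights |= self._union(self.attr_rights.get((obj, AAR), {}), subject)
        if "S" in self.entry_eff(obj, subject):        # [Entry Rights] S implies all attributes
            rights.add("S")
        return rights


def holds_admin_rights(tree, subject, over):
    """Step 4 test: W/AddSelf/S to all attributes, or D/C/R/S entry rights, over `over`."""
    attr = tree.attr_eff(over, AAR, subject)
    entry = tree.entry_eff(over, subject)
    return bool(attr & {"W", "A", "S"}) or bool(entry & {"D", "C", "R", "S"})


def can_reset(tree, requester, target, min_tree_depth=0, no_irf_check=False, no_aar_check=False):
    """Return (allowed, reason) following Steps 1-5 of the installation notes."""
    obj = target
    while True:
        # Step 1: supervisor right to the attribute on the current object?
        if "S" in tree.attr_eff(obj, ATTR, requester, no_aar_check):
            break
        # Step 2: an IRF here stops rights assigned higher in the tree flowing down
        if not no_irf_check and obj in tree.irf:
            return False, "Step 5: IRF on %s blocks inheritance" % obj
        # Step 3: move to the container, unless just below [Root] or at /MinTreeDepth
        if tree.parent[obj] == ROOT or tree.depth(obj) <= min_tree_depth:
            return False, "Step 5: no rights to %s found" % ATTR
        obj = tree.parent[obj]
    # Step 4: refuse if the target holds admin rights over itself, the requester,
    # or any container holding either of them (such accounts are reset manually)
    for o in [target, requester, *tree.ancestors(target), *tree.ancestors(requester)]:
        if holds_admin_rights(tree, target, o):
            return False, "Step 4: target has admin rights over %s" % o
    return True, "Step 4: allowed via trustee on %s" % obj


def demo_tree():
    """Constructed tree: one trustee on OU=Sydney lets group CN=pwadmins reset the subtree."""
    parent = {"O=Novell": ROOT, "OU=Sydney": "O=Novell"}
    for cn in ("CN=alice", "CN=bob", "CN=admin", "CN=helpdesk", "CN=pwadmins"):
        parent[cn] = "OU=Sydney"
    t = Tree(parent)
    t.attr_rights[("OU=Sydney", ATTR)] = {"CN=pwadmins": {"S"}}
    t.entry_rights["O=Novell"] = {"CN=admin": {"S"}}       # a real NDS administrator
    t.equiv["CN=helpdesk"] = {"CN=pwadmins"}               # helpdesk is a member of pwadmins
    return t


if __name__ == "__main__":
    t = demo_tree()
    for req, tgt in (("CN=helpdesk", "CN=alice"), ("CN=bob", "CN=alice"), ("CN=helpdesk", "CN=admin")):
        print(req, "->", tgt, can_reset(t, req, tgt))
```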