if you want to have a site specific system user and want
to 'disable' manager.sys, why do you not remove ia capability
from manager.sys.
woki
(these opinions are my own and not those of hewlett-packard.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Nice idea, but MPE/iX doesn't allow it:
>
> :altuser manager.sys;cap=AM,AL,GL,DI,OP,CV,UV,LG,PS,NA,NM,CS,ND,SF,BA,IA,PM,MR,DS,PH
> SM capability cannot be removed from MANAGER.SYS. Command rejected. (CIERR 784)
>
>
> Although enabling this "feature" can cause some heartburn for the system manager
> if the logon UDC's have run wild, and no one currently logged on can reset them,
> in larger companies that have mainframe security products, logon UDC based
> security isn't a very popular method anyway.
> <plug alert(s)>
> . SAFE/3000 from Monterey Software Group uses AIF:PE to authenticate the
> user before the logon (it actually replaces the existing MPE/iX
> user/account/group passwords) so this is no longer an issue.
> . Security/3000 from VeSoft can also make use of AIF:PE to do such things as
> have a Unix style logon map to the MPE/iX user.account structures among other
> things.
> <end plug(s)>
>
> Since HP doesn't allow you to remove MANAGER.SYS, or remove its SM capability,
> it is THE target for hackers. So unless you prevent PARM=-1 logons, or have a
> third party product protecting you, you are running a risk.
>
> Regards,
> Michael L Gueterman
> Easy Does It Technologies
> email: [log in to unmask]
> http://Editcorp.nwinfo.net
> voice: (509) 946-6179
> fax: (509) 946-1170
>
> ----------
> From: [log in to unmask][SMTP:[log in to unmask]]
> Sent: Tuesday, August 20, 1996 4:45 PM
> To: Editcorp
> Subject: Re: Re[3]: disable PARM=-1 signon
>
>
> Paul suggests:
> > If one is concerned about hackers coming through VT or Telnet trying to gain
> > access to the system and using the '-1' option to bypass any UDCs, why not
> > take away the SM capability from MANAGER.SYS and create a site specific sys
> > user with SM capability?
>
> Interesting idea...thanks, Paul!
>
> --
> Stan Sieler [log in to unmask]
> http://www.allegro.com/sieler.html