HP3000-L Archives

August 1996, Week 4

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Re[3]: disable PARM=-1 signon
From:
[log in to unmask][log in to unmask], 23 Aug 1996 02:40:44 -0400723_- --PART.BOUNDARY.0.508.emout19.mail.aol.com.840782443
Content-ID: <[log in to unmask]>
Content-type: text/plain

By 8:30, a great many more people began to arrive -- and things began to pick
up speed. None of us knew precisely how best to lay the paper down with a
high degree of alignment, so it was "on-the-job" training for everyone
involved.

In this picture are: Jon Diercks (the American flag shirt), Rich Trapp, and
Tony Shepard (both Rich and Tony are wearing blue shirts and facing away from
us). Also in this picture is Ken Sletten (at the far right), one of the
original co-conspirators on the poster project. I've included this [...]39_23Aug199602:40:[log in to unmask]
Reply To:
[log in to unmask]
Date:
Wed, 21 Aug 1996 10:08:16 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (78 lines) 
if you want to have a site specific system user and want
to 'disable' manager.sys, why do you not remove ia capability
from manager.sys.
 
woki
(these opinions are my own and not those of hewlett-packard.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
> Nice idea, but MPE/iX doesn't allow it:
>
> :altuser
manager.sys;cap=AM,AL,GL,DI,OP,CV,UV,LG,PS,NA,NM,CS,ND,SF,BA,IA,PM,MR,D
> S,PH
> SM capability cannot be removed from MANAGER.SYS.  Command rejected. (CIERR
784)
>
>
> Although enabling this "feature" can cause some heartburn for the system
manager
>
> if the logon UDC's have run wild, and noone currently logged on can reset them,
> in larger companies that have mainframe security products, logon UDC based
secur
> ity
> isn't a very popular method anyway.
> <plug alert(s)>
> . SAFE/3000 from Monterey Software Group uses AIF:PE to authenticate the
>   user before the logon (it actually replaces the existing MPE/iX
user/account/g
> roup
>   passwords) so this is no longer an issue.
> . Security/3000 from VeSoft can also make use of AIF:PE to do such things as
hav
> e
>   a Unix style logon map to the MPE/iX user.account structures among other
thing
> s.
> <end plug(s)>
>
> Since HP doesn't allow you to remove MANAGER.SYS, or remove its SM capability,
i
> t is
> THE target for hackers.  So unless you prevent PARM=-1 logons, or have a third
p
> arty
> product protecting you, you are running a risk.
>
> Regards,
> Michael L Gueterman
> Easy Does It Technologies
> email: [log in to unmask]
> http://Editcorp.nwinfo.net
> voice: (509) 946-6179
> fax:   (509) 946-1170
>
> ----------
> From:   [log in to unmask][SMTP:[log in to unmask]]
> Sent:   Tuesday, August 20, 1996 4:45 PM
> To:     Editcorp
> Subject:        Re: Re[3]: disable PARM=-1 signon
>
>
> Paul suggests:
> > If one is concerned about hackers coming through VT or Telnet trying to gain
> > access to the system and using the '-1' option to bypass any UDCs, why not
tak
> e
> > away the SM capability from MANAGER.SYS and create a site specific sys user
wi
> th
> > SM capability?
>
> Interesting idea...thanks, Paul!
>
> --
> Stan Sieler                                          [log in to unmask]
>                                      http://www.allegro.com/sieler.html

ATOM RSS1 RSS2