HP3000-L Archives

July 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Genute, Thomas" <[log in to unmask]>
Reply To: Genute, Thomas
Date: Fri, 17 Jul 1998 09:10:17 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (94 lines)

As a system administrator responsible for security, I was also concerned not only with the logon prompt but also the catalog messages like "EXPECTED HELLO" or "ACCOUNT EXISTS, USERNAME DOES NOT". VESOFT used to provide a job to modify CATALOG.PUB.SYS that replaced these messages with "** INVALID **". I went a step further and replaced all logon error messages in CATALOG.PUB.SYS with the bogus message "Unauthorized Access - Line tracer activated.......". I thought that might give a wannabe hacker some palpitations.

As for the logon prompt, I use HPSYSNAME#:, e.g., SYSPROD#:. The only reason I use a ":" at the end of the string is for compatibility with Reflection logon scripts that might wait for ":". Our welcome banners also display a legal warning. As for encrypted passwords, Security/3000 does the trick.

I also developed a Security/3000 menu system (for all but I.S. operations & programming support). The entire system is a bit too complex to fully explain here, but the concept was as follows:

1. The system was task oriented, i.e., the menu executed command files.
2. Each user could have a unique menu, or users with common functions could share a menu.
3. All users logged on to the same account, and CHLOGON or DSLINE was used as part of a task to bring them to the account or system desired.
4. Each user had an access file, executed at logon, that set variables, i.e., "SETVAR task-name TRUE" for tasks that they had authority to use. The access file could either be the same name as the user or the same name as the menu file in the security profile. A user could only execute tasks on a menu if the variable for the task-name existed and was set TRUE.
5. The NEWUSER set up consisted of a command file that created the security profile and built a menu based on an access file. (Note, the access files were kept in an ACCESS group & the menus were kept in a MENU group. Tasks, i.e., command files, were in the TASK group, etc., etc.)

-----Original Message-----
From: Patrick Santucci [mailto:[log in to unmask]]
Sent: Thursday, July 16, 1998 3:24 PM
To: [log in to unmask]
Subject: Re: Auditors.  Was Encrypting MPE Passwordss

Joseph Rosenblatt wrote:

> Our auditors never even got as far as passwords. They were upset that
> the Logon Prompt MPE XL: would inform potential hackers what system they
> were hacking into. I'm not sure Auditors take reality into
> consideration.

Our auditors consulted with our legal dept and made us replace the user-friendly welcome message: "Welcome to System x" with the following in a large tombstone (and yes, it's really all in caps): "THE SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR LEGITIMATE PURPOSES AND IS SUBJECT TO AUDIT. THE ACTUAL OR ATTEMPTED UNAUTHORIZED ACCESS, USE OR MODIFICATION OF COMPUTER SYSTEMS IS A VIOLATION OF APPLICABLE LAWS AND REGULATIONS. VIOLATORS WILL BE PROSECUTED." Friendly, no?

The same message actually appears *before* the login prompt on our HP-UX boxes, and the auditors were unhappy that we couldn't find a way to do the same on the HP3000 -- because users (or hackers) actually have to log in to receive this message. Personally, users hate it (I know because I was on the Help Desk when they made the change) and hackers will probably ignore it, IMO. To me this is like putting a "No Trespassing" sign inside your house: ugly and useless to those who live there, pointless to thieves who may break in.

One last FYI, it is possible to modify the login prompt on the system using SYSGEN, but you're limited to 255 characters.

Patrick
--
Patrick Santucci
Technical Services Systems Programmer
KVI, a division of Seabury & Smith
Visit our site! http://www.kvi-ins.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If they try to rush me, I always say, 'I've only got
one other speed -- and it's slower.'"    ~ Glenn Ford
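The task-gating scheme Thomas Genute outlines above (an access file run at logon sets a TRUE variable per authorised task; the menu runs a task only if that variable exists and is TRUE), re-created as an added example in POSIX shell rather than MPE CI. This is not code from the original post, from VESOFT's Security/3000 or from any MPE command file; it models the idea on a system where it can be run. The ACCESS/MENU/TASK directory layout, the TASK_<name> variable naming, the user JSMITH, the menu OPS and the task names are all constructed for the example, and MPE's SETVAR and BOUND() are stood in for by shell assignment and a default-expansion test.

```shell
#!/bin/sh
# Added example: POSIX-shell re-creation of the "variable per task" gate.
# Nothing here is MPE code; the directory names and variable scheme are
# assumptions made for the example.
#   ACCESS/<user>.sh  - sourced at "logon", sets TASK_<name>=TRUE per task
#   MENU/<menu>.txt   - one task name per line
#   TASK/<task>.sh    - the "command file" the menu runs

# Build a constructed sandbox: one user, one menu, three tasks.
setup_sandbox() {
  SANDBOX=$(mktemp -d)
  mkdir -p "$SANDBOX/ACCESS" "$SANDBOX/MENU" "$SANDBOX/TASK"
  # JSMITH's access file (constructed): authorised for PAYROLL,
  # explicitly denied SYSADMIN, and BACKUP is not mentioned at all.
  cat > "$SANDBOX/ACCESS/JSMITH.sh" <<'EOF'
TASK_PAYROLL=TRUE
TASK_SYSADMIN=FALSE
EOF
  # Menu OPS lists every task; the gate decides which ones actually run.
  printf 'PAYROLL\nSYSADMIN\nBACKUP\n' > "$SANDBOX/MENU/OPS.txt"
  # Task command files (constructed stand-ins).
  printf 'echo "payroll report"\n' > "$SANDBOX/TASK/PAYROLL.sh"
  printf 'echo "system admin"\n'   > "$SANDBOX/TASK/SYSADMIN.sh"
  printf 'echo "backup"\n'         > "$SANDBOX/TASK/BACKUP.sh"
}

# Only names made of A-Z and 0-9 are allowed to reach eval or a path,
# so a task or user name can never escape the ACCESS/TASK directories.
valid_name() {
  case "$1" in *[!A-Z0-9]*|"") return 1;; esac
  return 0
}

# Logon-time step: source the user's access file into this session.
load_access() {
  valid_name "$1" || return 1
  [ -f "$SANDBOX/ACCESS/$1.sh" ] || return 1
  . "$SANDBOX/ACCESS/$1.sh"
}

# The menu's gate: TASK_<name> must exist (BOUND() on MPE) and be TRUE.
# An unset variable expands to UNSET here, so "absent" and "FALSE" both deny.
task_allowed() {
  valid_name "$1" || return 1
  eval "v=\${TASK_$1:-UNSET}"
  [ "$v" = TRUE ]
}

# Entries of a menu that this session may run (what a per-user menu shows).
menu_tasks() {
  valid_name "$1" || return 1
  while read -r t; do
    task_allowed "$t" && printf '%s\n' "$t"
  done < "$SANDBOX/MENU/$1.txt"
  return 0
}

# Run a task through the gate; refuse anything the gate does not pass.
run_task() {
  if task_allowed "$1"; then
    sh "$SANDBOX/TASK/$1.sh"
  else
    echo "task $1 not authorised for this session" >&2
    return 1
  fi
}
```

The two deny cases are the ones the post's rule calls out: BACKUP has no variable at all, SYSADMIN has one set to FALSE, and neither passes the "existed and was set TRUE" test. The name whitelist matters because the gate feeds the task name into eval and into a path; the scheme only holds if the menu can never run anything outside the TASK group.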