HP3000-L Archives

July 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tom Madigan <[log in to unmask]>
Reply To: Tom Madigan <[log in to unmask]>
Date: Thu, 16 Jul 1998 10:43:35 -0400

Chris:

As an ex-system administrator for a State university in Virginia, the
word "auditors" brings up memories that immediately trigger certain
physiological responses in me:  1) highly elevated blood pressure; 2)
profuse sweating and 3) use of language (muttered under my breath, of
course!) that would make a merchant seaman blush ;)>!!

The problem is not that the auditors are our enemies -- we both want our
systems to be as secure as possible.  I found the real "enemy" was that
the auditors had to be educated as to what was and was not possible with
the operating system and any third-party software.  Some of their
requests were downright laughable considering the capabilities and
limitations of the MPE/iX OS (in reading their lists of questions, it
was obvious that the auditors were trained to audit IBM "Big Iron").

For example:

        Q:  When moving a program from a test environment to a
            production environment, how do you make sure that the
            source code is not lost?

        A:  (suppressed laughter) I hang on to the box of cards tightly!

Until auditors receive at least basic OS training that pertains to the
box that they intend to audit, it will be up to you to provide that
training for them.  It took me a long time to convince auditors that it
was not possible to prevent me as SM from viewing other users'
passwords.  Ultimately, someone has to be trusted with the "keys" to the
system.

Best of luck in your audit!!

Tom Madigan
System Administrator for Hire
Newport News, Virginia

P.S. We had the MPEX product from VESOFT, but not the SECURITY product.

Once Upon a Time, Christopher H. Boggs wrote:

        [Tracy Johnson's original message snipped]

> Our auditors were not satisfied by even limiting SM and AM
> capabilities to only two individuals (both in our department).
> Since we had VESOFT already, I changed our regular logonID's
> to use the VESOFT password which is encrypted.
>
> There are other features in VESOFT security which are handy when
> dealing with auditors such as password obsolescence, password
> "history", minimum password standards, inactivity logouts,
> day/time restrictions, automatic deactivation of logonID's
> after a certain number of failed logon attempts, and
> probably a few others.
>
> <plug> VESOFT - Highly Recommended! <end plug>
>
> Chris
>
> ***************************************************************
>
> Christopher H. Boggs         email:  [log in to unmask]
> Programmer/Analyst                   [log in to unmask]
>   & Systems Administrator    phone:  540/376-1041
> Clinch Valley College        fax #:  540/328-0115
> 1 College Ave.
> Wise, VA 24293            <http://www2.clinch.edu/cvc/c_boggs>
