HP3000-L Archives

September 2001, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Andreas Schmidt <[log in to unmask]>
Date: Fri, 14 Sep 2001 10:26:23 +0200
Content-Type: text/plain

Folks,

auditors are not our enemies ... their main purpose is to secure the
company's IT environment and the data there for the sake of the business.

We have been approached several times by auditors not knowing MPE ... but
when they found the complete SM logon string with ;parm=1 on an Operator's
Lotus Notes Database (which had some consequences ...) they tried to learn
MPE! And the 1st issue they had: we can see all passwords! This was
detected within the minute before they were kicked off. This led them to
ask some tough questions on MPE.

Some of the technical consequences:
* we activated the LOGON task within VESOFT's BACKG job, beside
HELLO,ALARM,CMDPROT,LOGOFF,OBSFILL,AUDITC.
* we stopped all unnecessary services in services.net.sys like time,
daytime.
* we check VESOFT's VEAUDIT report more seriously.

All the time we had VESOFT's Sec/3000 in place for ALL logons (;ASKPASS),
only a few wildcarded profiles like for people having SM cap (session-id,@.@)
or AM cap (session-id,@.account).

Now, on top of this, we use RSA's SecurID two-factor token authentication,
requiring a token's number, changing every minute, plus a personal PIN.
This is based purely on individuals identified with a unique session name,
checked as profile vs. Sec/3000, now with ;NOPASS. More details in an
article I wrote some time ago for the 3000 Newsletter.

Auditors may also check Apache/iX (port 80) and Samba wide open shares. You
need to have some answers why you allow this!

They didn't complain (so far) that MPE's Samba currently requires
un-encrypted passwords ... but this may be a matter of time ...

They also complained about the program banner strings for Sendmail/iX,
Samba/iX, Apache/iX, and FTP/iX because the version number displayed by
default may encourage a hacker to use this port for a known vulnerability
of this version. They do not recognise the fact that the underlying OS MPE
always is a bit different - all their "hacks" didn't come through! But they
didn't want to see this. For Sendmail and Samba it was easy to change, for
Apache and FTP not, because of the hard-coded banners.

That's all I can remember. If you have more questions, hints, additional
concerns, feel free to reply directly.

Best regards, Andreas Schmidt, CSC, Germany
