HP3000-L Archives

August 1996, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Reply To:
[log in to unmask][log in to unmask], 20 Aug 1996 22:09:57 -0700
Ken writes:
> the end of August (I think it was), HP's web site would
> provide an "Ask VP Dick Watts" feature. It's there; it
> works; *and* Dick Watts is answering questions.....

...

> http://www.hp.com:80/hpworld/watts.html

Oh oh...Ken's in trouble if Dick Watts ever discovers
that it was *Ken* that pointed me towards this
web page!

Stan (15 questions or so later) Sieler
Date:
Wed, 21 Aug 1996 10:08:16 +0200
if you want to have a site specific system user and want
to 'disable' manager.sys, why do you not remove ia capability
from manager.sys.
 
woki
(these opinions are my own and not those of hewlett-packard.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
> Nice idea, but MPE/iX doesn't allow it:
>
> :altuser manager.sys;cap=AM,AL,GL,DI,OP,CV,UV,LG,PS,NA,NM,CS,ND,SF,BA,IA,PM,MR,DS,PH
> SM capability cannot be removed from MANAGER.SYS.  Command rejected. (CIERR 784)
>
>
> Although enabling this "feature" can cause some heartburn for the system manager
> if the logon UDC's have run wild, and no one currently logged on can reset them,
> in larger companies that have mainframe security products, logon UDC based security
> isn't a very popular method anyway.
> <plug alert(s)>
> . SAFE/3000 from Monterey Software Group uses AIF:PE to authenticate the
>   user before the logon (it actually replaces the existing MPE/iX user/account/group
>   passwords) so this is no longer an issue.
> . Security/3000 from VeSoft can also make use of AIF:PE to do such things as have
>   a Unix style logon map to the MPE/iX user.account structures among other things.
> <end plug(s)>
>
> Since HP doesn't allow you to remove MANAGER.SYS, or remove its SM capability, it is
> THE target for hackers.  So unless you prevent PARM=-1 logons, or have a third party
> product protecting you, you are running a risk.
>
> Regards,
> Michael L Gueterman
> Easy Does It Technologies
> email: [log in to unmask]
> http://Editcorp.nwinfo.net
> voice: (509) 946-6179
> fax:   (509) 946-1170
>
> ----------
> From:   [log in to unmask][SMTP:[log in to unmask]]
> Sent:   Tuesday, August 20, 1996 4:45 PM
> To:     Editcorp
> Subject:        Re: Re[3]: disable PARM=-1 signon
>
>
> Paul suggests:
> > If one is concerned about hackers coming through VT or Telnet trying to gain
> > access to the system and using the '-1' option to bypass any UDCs, why not take
> > away the SM capability from MANAGER.SYS and create a site specific sys user with
> > SM capability?
>
> Interesting idea...thanks, Paul!
>
> --
> Stan Sieler                                          [log in to unmask]
>                                      http://www.allegro.com/sieler.html
