LJK/Security Reference Manual

* Higher value for privileges other than TMPMBX and NETMBX and levels above NORMAL.

Exemptions

Constraint	Value	Parameters
ABSOLUTLO	Category-None---Category-All	<node>, <username>
ABSOLUTHI	Category-None---Category-All	<node>, <username>
ACCESSMAX	Category-None---Category-All	<node>, <username>
ACCESSMIN	Category-None---Category-All	<node>, <username>

Practical considerations

These tests and the UAF_PRIVILEGE tests both detect excessive privilege, so when exemptions are granted for one they need to be granted for the other if both are in use.

PRIVLGILAT

Ensure ability for privileged users to login over LAT conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to log in over LAT terminals, their passwords can be read by any station on the Ethernet through the use of promiscuous mode. If privileged users are allowed to log in over LAT terminals, compromise of their password can threaten the security of the entire system.
These tests determine whether user authorization access masks, in combination with terminal DIALUP indications, prohibit privileged users from logging in over LAT terminals.
Such a scheme is only effective if one of the following conditions is true:

DECnet is not running on the node
NETMBX privilege is prohibited by these tests
Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGILAT
This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting of transmission of a password in the clear.
In addition to terminals served by the LAT terminal port driver supplied as part of VMS (devices named LTAn), this test also includes terminals served by older terminal drivers used by products from Pacer Software (devices named PCLn) and from Xyplex (devices named TTP).

Default policy

All privileges except for NETMBX and TMPMBX are prohibited to be either held by default or authorized

Customizing

If an Ethernet is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well terminal server serial lines are protected. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Thus, it can be set once for each possible privilege. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

Exemptions for individual usernames are not useful, since the exposure comes not from the authorized individual, but from an eavesdropper along the Ethernet.

For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.

PRIVLGINET

Ensure ability for privileged users to perform DECnet logins conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to perform DECnet logins, their passwords can be read by eavesdroppers, particularly on the Ethernet through the use of promiscuous mode. If privileged users are allowed to perform DECnet logins, compromise of their password can threaten the security of the entire system.
These tests determine whether user authorization access masks prohibit privileged users from performing DECnet logins.

Default policy

All privileges except for NETMBX and TMPMBX are prohibited to be either held by default or authorized

Customizing

If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well terminal server serial lines are protected. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

Exemptions for individual usernames are not useful, since the exposure comes not from the authorized individual, but from an eavesdropper on the network.

PRIVLGIPRX

Ensure ability for privileged users to perform proxy logins conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to perform proxy logins, their identity can be subverted by another DECnet node masquerading as the authorized proxy source. If privileged users are allowed to perform proxy logins, compromise of their identity can threaten the security of the entire system.
These tests determine whether user authorization access masks, in combination with the proxy database, prohibit privileged users from performing proxy logins.

Default policy

All privileges except for NETMBX and TMPMBX are prohibited to be either held by default or authorized

Customizing

If an Ethernet is entirely protected by encryption hardware (e.g., DESNC), and DECnet Phase V is not in use, setting these limits FALSE can be done with reduced hazard. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

Exemptions for individual usernames are not useful, since the exposure comes not from the authorized individual, but from an interloper on the DECnet network.

PRIVLGIREM

Ensure ability for privileged users to perform remote logins (SET HOST) conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to perform remote logins (SET HOST), their passwords can be read by eavesdroppers on the network, particularly on Ethernet through the use of promiscuous mode. If privileged users are allowed to perform remote logins (SET HOST), compromise of their password can threaten the security of the entire system.
These tests determine whether user authorization access masks prohibit privileged users from performing remote logins (SET HOST).

Default policy

All privileges except for NETMBX and TMPMBX are prohibited to be either held by default or authorized

Customizing

If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well serial lines are protected. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

Exemptions for individual usernames are not useful, since the exposure comes not from the authorized individual, but from an eavesdropper along the Ethernet.

PRIVLGITCP

Ensure ability for privileged users to perform TCP/IP logins conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to perform TCP/IP logins, their passwords can be read by eavesdroppers, particularly on the Ethernet through the use of promiscuous mode. If privileged users are allowed to perform TCP/IP logins, compromise of their password can threaten the security of the entire system.
These tests determine whether user authorization access masks prohibit privileged users from performing TCP/IP logins.
Such a scheme is only effective if one of the following conditions is true:

DECnet is not running on the node
NETMBX privilege is prohibited by these tests
Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGITCP
This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting of transmission of a password in the clear.
Terminal device names considered by LJK/Security to be coming from a TCP/IP network are:

NTAn - Process Software TCPware
NTYn - Wollongong WIN, Multinet

Default policy

All privileges except for NETMBX and TMPMBX are prohibited to be either held by default or authorized

Customizing

If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

Exemptions for individual usernames are not useful, since the exposure comes not from the authorized individual, but from an eavesdropper on the network.

For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.

PRIVLGIX29

Ensure ability for privileged users to perform logins via P.S.I. X29 software conforms to policy.

Violation reports

Constraint	Nature of the violation
PRIVPROHIB	Login with privilege permitted in violation of policy
ABSOLUTHI	Login with privilege permitted in violation of policy

Description

When users are allowed to perform logins via X29 connections, there is a possibility an attacker from an unknown remote location could break in. If such breakin were to a privileged account, the damage could be considerable.
These tests determine whether user authorization access masks prohibit privileged users from performing logins via X29 connections.
Such a scheme is only effective if one of the following conditions is true:

DECnet is not running on the node
NETMBX privilege is prohibited by these tests
Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGIX29
This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting of transmission of a password in the clear.
Terminal device names considered by LJK/Security to be coming from a X29 network are:

NVAn - P.S.I.

Default policy

All privileges except for TMPMBX are prohibited to be either held by default or authorized

Customizing

Exemptions can be added if required, at considerable reduction in security. selector Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name.

Limits

Constraint	Value	Default
PRIVPROHIB	FALSE or TRUE	FALSE
ABSOLUTHI	Category-None---Category-All	Category-Normal

Exemptions

Constraint	Value	Parameters
PRIVPROHIB	FALSE or TRUE	<node>,<filespec>
ABSOLUTHI	Category-None---Category-All	<node>, <username>

Practical considerations

NETMBX access is forbidden in the default policy because an attacker who gained access via a username which had NETMBX privilege could then make the next step of the attack as a network user rather than an X29-based attack.

For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.

PROXY

Ensure any proxy logins are established in accordance with policy.

Violation reports

Constraint	Nature of the violation
MULTIUSER	Shared proxy access from two users on a remote node
NOSUCHUSER	Proxy access to a non-existent username
PROHIBITED	Any proxy access
OTHERUSER	Proxy access from a different username
WILDNODE	Proxy access from a wildcard node
WILDTARGET	Proxy access to a wildcard user
WILDUSER	Proxy access from a wildcard user

Description

Test MULTIUSER prohibits more than a single username from the same remote node having proxy access to a single target username.
Test NOSUCHUSER prohibits proxy entries which point to usernames which do not exist.
Test PROHIBITED prohibits any proxy entries (except those covered by exemptions).
Test OTHERUSER prohibits proxy entries where the username on the remote node differs from the username on the target node. This is only of use for networks where there is considerable coordination of usernames across the network.
Test WILDNODE prohibits proxy entries which contain an asterisk for the remote node specification (the percent-sign wildcard character is not supported for proxy logins).
Test WILDTARGET prohibits proxy entries which contain an asterisk for the local user specification.
Test WILDUSER prohibits proxy entries which contain an asterisk for the remote user specification (the percent-sign wildcard character is not supported for proxy logins).

Default policy

All tests for this facility are set TRUE, except for OTHERUSER

Customizing

Customization of test OTHERUSER is only appropriate where a guarantee of uniform user naming is provided by the organization. Uniform username choice across a network is not particularly an aid to security, and in many cases runs contrary to the best security implementation.

There are two common circumstances under which test NOSUCHUSER may find violations:

proxy entries are left over for former usernames
proxy entries are common for a VAXcluster or VMScluster, but separate authorization files are used, so the proxy entries are valid for some other node

In the second case, an argument could be made that separate proxy database files should be used in cases where separate authorization files exist. Until such time as that is accomplished, exemptions for test NOSUCHUSER might be appropriate for the affected nodes

Selector

Limits

Constraint	Value	Default
MULTIUSER	FALSE or TRUE	TRUE
NOSUCHUSER	FALSE or TRUE	TRUE
PROHIBITED	FALSE or TRUE	FALSE
OTHERUSER	FALSE or TRUE	FALSE
WILDNODE	FALSE or TRUE	TRUE
WILDTARGET	FALSE or TRUE	TRUE
WILDUSER	FALSE or TRUE	TRUE

Exemptions

Constraint	Value	Parameters
MULTIUSER	FALSE or TRUE	<node>,<filespec>
NOSUCHUSER	FALSE or TRUE	<node>, <username>
PROHIBITED	FALSE or TRUE	<node>, <username>
OTHERUSER	FALSE or TRUE	<node>, <username>
WILDNODE	FALSE or TRUE	<node>, <username>
WILDTARGET	FALSE or TRUE	<node>, <username>
WILDUSER	FALSE or TRUE	<node>, <username>

Practical considerations

In most cases any of the three types of wildcard proxy entries are bad for security, but due to historical reasons in a particular organization it may be that at least temporarily exemptions are required for particular nodes. (Note that in the case of test WILDTARGET, there is no particular meaning to qualifying an exemption by username.)

Contents

Index