Three separate wild proxy tests are provided to increase the granularity with which exemptions can be granted in settings where that must be done.
One situation where a wildcard proxy entry may be good for security is when it is used as the method for getting rid of a default incoming DECnet account. Allowing unrestricted access from a particular node is more secure than allowing unrestricted access from all nodes!
Ensure that individual usernames have acceptable password ages.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTHI | Higher than maximum in the policy |
The system User Authorization File (SYSUAF) specifies for each username the date of the last password change for either the primary or secondary password (if any). The purpose of this test is to ensure that the password age of each user complies with organization-wide security policy. This test compares that value for each authorized username against each privilege-related limit set in the policy.
Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
A limit or exemption with a value of zero means there is no value which is considered unacceptable. Limits and exemptions for this test can take a selector consisting of a privilege name or a privilege-level name.
Thus, each can be set once for each possible privilege and once for each possible privilege level. If a username has a given privilege or is at a given privilege-level then that limit applies. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges and privilege levels.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTHI | 0---n | 0 |
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTHI | 0---n | <node>, <username> |
1 Usernames with just NETMBX and TMPMBX will be treated as non-privileged.
Determine whether password encryption algorithm conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| OLD | Password encryption algorithm is older than allowed by policy |
| NEW | Password encryption algorithm is newer than allowed by policy |
Password encryption algorithms are only changed when passwords are changed. If your system has any very old accounts from prior versions of VMS which have relaxed password lifetimes, then older, less-secure password encryption algorithms may be in use. If the user changes the password, the newer forms of encryption will be used. Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
| Constraint | Value | Default |
|---|---|---|
| OLD | AD_II, PURDY, PURDY_V, PURDY_S or CUSTOMER_n | PURDY_V |
| NEW | AD_II, PURDY, PURDY_V, PURDY_S or CUSTOMER_n | PURDY_S |
| Constraint | Value | Parameters |
|---|---|---|
| OLD | AD_II, PURDY, PURDY_V, PURDY_S or CUSTOMER_n | <node>, <username> |
| NEW | AD_II, PURDY, PURDY_V, PURDY_S or CUSTOMER_n | <node>, <username> |
Possible values for OLD and NEW are AD_II, PURDY, PURDY_V, PURDY_S and CUSTOMER_n, as listed in the tables above.
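As an added illustration, not LJK/Security's own code, the following Python ranks each username's recorded algorithm against the OLD and NEW limits and skips batch-only usernames as the test does. The relative ages of AD_II, PURDY, PURDY_V and PURDY_S follow VMS history; the record layout, the sample usernames and the decision to rank CUSTOMER_n after PURDY_S are assumptions made here.

```python
# Added example (not LJK/Security code): rank the password encryption
# algorithm recorded for a username against the OLD and NEW policy limits.
# DEC algorithms listed oldest first (historical order). CUSTOMER_n is a
# site-supplied algorithm; ranking it after PURDY_S is an assumption.
ALGORITHM_ORDER = ["AD_II", "PURDY", "PURDY_V", "PURDY_S"]


def rank(name):
    """Position of an algorithm in the age ordering (higher = newer)."""
    if name.startswith("CUSTOMER_"):
        return len(ALGORITHM_ORDER) + int(name.split("_", 1)[1])
    return ALGORITHM_ORDER.index(name)


def algorithm_violations(record, old_limit="PURDY_V", new_limit="PURDY_S"):
    """Return (constraint, which-password, algorithm) tuples for one record.

    record: dict with 'username', 'access' (set of access kinds) and
    'algorithms' (dict mapping 'primary'/'secondary' to an algorithm name).
    Defaults mirror the page's OLD=PURDY_V, NEW=PURDY_S."""
    if record["access"] == {"BATCH"}:
        return []  # passwords are not meaningful for batch-only usernames
    found = []
    for which, alg in record["algorithms"].items():
        if rank(alg) < rank(old_limit):
            found.append(("OLD", which, alg))
        if rank(alg) > rank(new_limit):
            found.append(("NEW", which, alg))
    return found


def audit_algorithms(records, old_limit="PURDY_V", new_limit="PURDY_S"):
    """Map every username to its list of violations (empty when compliant)."""
    return {r["username"]: algorithm_violations(r, old_limit, new_limit)
            for r in records}


# Constructed sample records; an old account whose password was never
# changed keeps the algorithm that was current when it was set.
SAMPLE = [
    {"username": "LEGACY", "access": {"LOCAL"},
     "algorithms": {"primary": "PURDY"}},
    {"username": "ALICE", "access": {"LOCAL", "NETWORK"},
     "algorithms": {"primary": "PURDY_S", "secondary": "PURDY_V"}},
    {"username": "NIGHTLY", "access": {"BATCH"},
     "algorithms": {"primary": "AD_II"}},
    {"username": "LOCALALG", "access": {"LOCAL"},
     "algorithms": {"primary": "CUSTOMER_1"}},
]

if __name__ == "__main__":
    for user, hits in audit_algorithms(SAMPLE).items():
        print(user, hits or "compliant")
```

The remedy for an OLD finding is a password change, not an edit of the record: the newer algorithm is applied only when the password is next set.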
Determine whether password expiration conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| NOTICED | Password has expired and been noticed by user |
| NOTNOTICED | Password has expired and not been noticed by user |
Expired passwords not yet noticed by users will be brought to the user's attention on their next login attempt. Those which have been noticed will require system administrator intervention to make the usernames useful again. Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
A limit or exemption with a value of zero means there is no value which is considered unacceptable.
| Constraint | Value | Default |
|---|---|---|
| NOTICED | 0---n (days) | 30 |
| NOTNOTICED | 0---n (days) | 30 |
| Constraint | Value | Parameters |
|---|---|---|
| NOTICED | 0---n (days) | <node>, <username> |
| NOTNOTICED | 0---n (days) | <node>, <username> |
Guess passwords to see if they are too simple.
| Constraint | Nature of the violation |
|---|---|
| TRIES | Guessed in fewer than specified number of tries |
If passwords are simple enough to be guessed by this program, they are simple enough to be guessed by an attacker. Of course the attacker will be hindered by the breakin evasion features of VMS, which deny access even with a correct password if it follows too many incorrect guesses. Since LJK/Security accesses the authorization file directly, its guesses are not hindered by VMS breakin evasion.

LJK/Security as a matter of policy does not display the password if a correct guess is made; it merely indicates approximately how many tries were required. The exact number of guesses required is not reported, in order to prevent the use of reverse-engineering to determine the password. This approach is taken to prevent LJK/Security from being used as a breakin tool, since learning the password of another user allows unauthorized accesses to be made as though they had come from that user.
Password guessing is still performed on usernames which are set to require generated passwords or make use of the password history and screening provided effective with VMS V5.4. These controls only affect passwords set up with the SET PASSWORD command and do not protect against the setting of a weak password by a privileged user with the AUTHORIZE program.
By adjusting the limit you can control how much guessing is done against each password.
By default, only 100 guesses will be made against privileged accounts, in order to minimize execution time.
For most situations, a larger number of tries for privileged accounts is appropriate.
Password guessing is at least partially dictionary-based. By editing the file LJK$SECURITY_POLICY_AREA:LJK$SECURITY_WORDS.DAT you can add site-specific terms which you suspect might be used in passwords. As supplied, this file is empty; the words provided by LJK Software are kept elsewhere. Limits for this test can take a selector consisting of a privilege name or a privilege-level name.
Thus each can be set once for each possible privilege and once for each possible privilege level. If a username has a given privilege or is at a given privilege-level then that limit applies. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| TRIES | 0---n | 10 or 100* |
* Higher value for levels above Category-Normal.
| Constraint | Value | Parameters |
|---|---|---|
| TRIES | 0---n | <node>, <username> |
You may want to have a special policy and assessment which has higher values for this test, and run that assessment only on weekends when the demand for CPU time is not so great.
If the fact that LJK/Security does not report the guessed password hinders your ability to get users to change their passwords, LJK Software suggests a disclosure meeting, where the user will reveal the password and then change it (use the VMS authorize utility to make sure it has not already been changed since the guessing was reported). If the user had a password which was not "easy to guess" in human terms, LJK Software would like to get a report of what it was.
1 Usernames with just NETMBX and TMPMBX will be treated as non-privileged.
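To show the reporting policy described above (an approximate try count, never the password or the exact number), here is an added Python example that is not part of LJK/Security: a proactive screener that runs a candidate password through a small dictionary-based guess order and reports only a bucket rounded up to a power of ten. The word lists, the guess order and the bucket rule are constructed assumptions; the tool's own word list and guessing strategy are not described on the page.

```python
# Added example, not LJK/Security code: estimate how many dictionary tries
# a candidate password would survive and report only a coarse bucket.
import itertools

# Constructed stand-ins: site words you might put in LJK$SECURITY_WORDS.DAT
# and a few generic words standing in for the vendor-supplied list.
SITE_WORDS = ["vax", "cluster", "payroll"]
COMMON_WORDS = ["password", "secret", "welcome", "system"]


def candidate_guesses(username):
    """Yield guesses in a plausible order: the username, each word, each
    word reversed, then word+digit and word+two-digit suffixes. Case
    variants are deliberately not generated in this toy (assumption)."""
    yield username.lower()
    words = [username.lower()] + SITE_WORDS + COMMON_WORDS
    for w in words:
        yield w
    for w in words:
        yield w[::-1]
    for w, d in itertools.product(words, range(10)):
        yield f"{w}{d}"
    for w, d in itertools.product(words, range(100)):
        yield f"{w}{d:02d}"


def tries_to_guess(username, password, limit):
    """Number of tries (1-based) needed to hit the password, stopping at
    `limit` like the TRIES constraint; None if not guessed in time."""
    for n, guess in enumerate(candidate_guesses(username), start=1):
        if n > limit:
            return None
        if guess == password:
            return n
    return None


def bucket(n):
    """Round a try count up to the next power of ten so the report gives
    only an approximate figure, mirroring the page's disclosure policy."""
    return 10 ** len(str(n))


def report(username, password, limit):
    """Human-readable result that never echoes the password itself."""
    n = tries_to_guess(username, password, limit)
    if n is None:
        return f"{username}: not guessed within {limit} tries"
    return f"{username}: TRIES violation, guessed in fewer than {bucket(n)} tries"


if __name__ == "__main__":
    for user, pwd in [("ALICE", "alice"), ("BOB", "secret7"), ("BOB", "Tr0ub4dor&3")]:
        print(report(user, pwd, limit=100))  # 100 matches the privileged default
```

Raising `limit` for a weekend run, as the text suggests, only costs time here; the report stays equally uninformative to anyone trying to reconstruct the password from it.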
Ensure that individual usernames have acceptable password lifetimes.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Lower than minimum in the policy |
| ABSOLUTHI | Higher than maximum in the policy |
The system User Authorization File (SYSUAF) specifies for each username the password lifetime for either the primary or secondary password (if any). The purpose of this test is to ensure that the password lifetime established for each user complies with organization-wide security policy. This test compares that value for each authorized username against each limit set in the policy.
VMS treats a password lifetime of 0 as meaning "without limit", so violation notices from LJK/Security may seem strange at times indicating that a value of 0 is higher than the limit of 90.
Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
A limit or exemption with a value of zero means there is no value which is considered unacceptable. Limits and exemptions for this test can take a selector consisting of a privilege name or a privilege-level name.
Thus, each can be set once for each possible privilege and once for each possible privilege level. If a username has a given privilege or is at a given privilege-level then that limit applies. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges and privilege levels.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 30 |
| ABSOLUTHI | 0---n | 90 or 30 or 0* |
* 30 for levels above Category-Normal, 0 for explicit privileges.
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node>, <username> |
| ABSOLUTHI | 0---n | <node>, <username> |
1 Usernames with just NETMBX and TMPMBX will be treated as non-privileged.
Ensure that individual usernames have acceptable minimum password lengths.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Lower than minimum in the policy |
| ABSOLUTHI | Higher than maximum in the policy |
If passwords are too short, they can be easily guessed. The system User Authorization File (SYSUAF) specifies for each username the minimum password length which can be used by that user for either the primary or secondary password (if any) using the SET PASSWORD command. The purpose of this test is to ensure that the minimum length established for each user complies with organization-wide security policy. This test compares that value for each authorized username against each privilege-related limit set in the policy. This test is not performed for usernames with null passwords.
Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
By default, the minimum password length cannot exceed 14. The reasoning is that very high minimum password lengths encourage users to write down passwords. Limits and exemptions for this test can take a selector consisting of a privilege name or a privilege-level name.
Thus, each can be set once for each possible privilege and once for each possible privilege level. If a username has a given privilege or is at a given privilege-level then that limit applies. When using the Command Interface if you do not specify a selector when changing the limit or exemptions your change applies to all privileges and privilege levels.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---31 | 6 or 8* |
| ABSOLUTHI | 0---31 | 14 |
* Higher value for levels above Category-Normal.
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---31 | <node>, <username> |
| ABSOLUTHI | 0---31 | <node>, <username> |
1 Usernames with just NETMBX and TMPMBX will be treated as non-privileged.
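The password age, password lifetime and minimum password length tests all share the same machinery: a limit chosen by selector (privilege name, privilege-level name, or none), a policy value of 0 meaning "nothing is unacceptable", batch-only usernames skipped, NETMBX/TMPMBX-only usernames treated as non-privileged, and, for lifetimes, the VMS convention that a stored 0 means "without limit" (which is why a notice can say 0 is higher than 90). The following Python is an added example covering those three tests together; it is not LJK/Security code. The record layout, the privilege-level names, the test names used as policy keys, the sample records and the precedence rule (an explicit privilege selector wins over a privilege-level selector, which wins over the limit set without a selector) are assumptions made here.

```python
"""Added example, not LJK/Security code: compare SYSUAF-derived values for
password age, password lifetime and minimum password length against
ABSOLUTLO/ABSOLUTHI limits chosen by selector."""
from dataclasses import dataclass

# Constructed level names; the page refers only to Category-Normal and the
# levels above it.
LEVELS = ["CATEGORY-NORMAL", "CATEGORY-OPERATOR", "CATEGORY-SYSTEM"]
NON_PRIV = {"NETMBX", "TMPMBX"}  # alone, these do not make a username privileged


@dataclass
class UafRecord:
    username: str
    access: set             # e.g. {"BATCH"} or {"LOCAL", "NETWORK"}
    privileges: set
    level: str              # one of LEVELS
    pwd_age_days: int       # days since the last password change
    pwd_lifetime_days: int  # VMS: 0 means "without limit"
    pwd_min_length: int
    has_password: bool = True


def is_privileged(rec):
    return bool(rec.privileges - NON_PRIV)


def resolve_limit(policy, test, constraint, rec):
    """Limit that applies to this record; 0 means no limit is set.
    Precedence (assumption): privilege selector > level selector > none."""
    limits = policy.get(test, {}).get(constraint, {})
    for priv in sorted(rec.privileges - NON_PRIV):
        if priv in limits:
            return limits[priv]
    if rec.level in limits:
        return limits[rec.level]
    return limits.get(None, 0)


def range_violations(value, lo, hi, unlimited_zero=False):
    """Compare a stored value with policy limits. A policy limit of 0 means
    nothing is unacceptable. With unlimited_zero, a stored 0 means "without
    limit" (the VMS lifetime case) and counts as larger than any maximum,
    which is why a notice can read "0 higher than maximum 90"."""
    effective = float("inf") if (unlimited_zero and value == 0) else value
    out = []
    if lo and effective < lo:
        out.append(("ABSOLUTLO", f"{value} lower than minimum {lo}"))
    if hi and effective > hi:
        out.append(("ABSOLUTHI", f"{value} higher than maximum {hi}"))
    return out


def audit(records, policy):
    """Return (username, test, constraint, reason) tuples."""
    findings = []
    for rec in records:
        if rec.access == {"BATCH"}:
            continue  # passwords are not meaningful for batch-only usernames
        checks = [
            ("PASSWORD_AGE", rec.pwd_age_days, False, True),
            ("PASSWORD_LIFETIME", rec.pwd_lifetime_days, True, True),
            ("PASSWORD_LENGTH", rec.pwd_min_length, False, rec.has_password),
        ]
        for test, value, zero_unlimited, applies in checks:
            if not applies:
                continue  # the minimum-length test skips null passwords
            lo = resolve_limit(policy, test, "ABSOLUTLO", rec)
            hi = resolve_limit(policy, test, "ABSOLUTHI", rec)
            for constraint, why in range_violations(value, lo, hi, zero_unlimited):
                findings.append((rec.username, test, constraint, why))
    return findings


# Constructed policy loosely following the page's defaults; None is the
# limit set without a selector, and SYSPRV: 0 lifts the lifetime maximum
# for that explicit privilege.
POLICY = {
    "PASSWORD_AGE": {"ABSOLUTHI": {None: 90, "CATEGORY-SYSTEM": 30}},
    "PASSWORD_LIFETIME": {
        "ABSOLUTLO": {None: 30},
        "ABSOLUTHI": {None: 90, "CATEGORY-SYSTEM": 30, "SYSPRV": 0},
    },
    "PASSWORD_LENGTH": {
        "ABSOLUTLO": {None: 6, "CATEGORY-SYSTEM": 8},
        "ABSOLUTHI": {None: 14},
    },
}

# Constructed sample records.
RECORDS = [
    UafRecord("ALICE", {"LOCAL", "NETWORK"}, {"NETMBX", "TMPMBX"}, "CATEGORY-NORMAL", 45, 60, 8),
    UafRecord("SYSTEM", {"LOCAL"}, {"NETMBX", "TMPMBX", "SYSPRV"}, "CATEGORY-SYSTEM", 120, 0, 15),
    UafRecord("NIGHTLY", {"BATCH"}, {"NETMBX", "TMPMBX"}, "CATEGORY-NORMAL", 400, 0, 0),
    UafRecord("OPER", {"LOCAL"}, {"NETMBX", "TMPMBX", "OPER"}, "CATEGORY-OPERATOR", 10, 0, 6),
    UafRecord("GUEST", {"NETWORK"}, {"NETMBX", "TMPMBX"}, "CATEGORY-NORMAL", 0, 0, 0, has_password=False),
]

if __name__ == "__main__":
    for finding in audit(RECORDS, POLICY):
        print(*finding)
```

In the sample run OPER and GUEST each draw the "0 higher than maximum 90" lifetime notice the text warns about, SYSTEM escapes it because the SYSPRV selector sets that maximum to 0 (no limit), and NIGHTLY is never examined.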
Determine whether the presence or absence of permission to use mixed case passwords conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | Mixed case passwords are enabled in violation of policy |
| REQUIRED | Mixed case passwords are disabled in violation of policy |
The tests for this element determine whether enabling of mixed case passwords for a user conforms to policy. Tests from this element are not conducted on Usernames allowed only Batch access, since passwords are not meaningful.
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| REQUIRED | FALSE, TRUE or TRY | <node>, <username> |