Ensure ability for privileged users to perform DECnet logins conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
These tests determine whether user authorization access masks prohibit privileged users from performing DECnet logins.

When users are allowed to perform DECnet logins, their passwords can be read by eavesdroppers, particularly on the Ethernet through the use of promiscuous mode. If privileged users are allowed to perform DECnet logins, compromise of their password can threaten the security of the entire system.

Default policy: All privileges except for NETMBX and TMPMBX are prohibited from being either held by default or authorized.

Customizing: If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well terminal server serial lines are protected.

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>, <username> |
Ensure ability for privileged users to perform proxy logins conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
These tests determine whether user authorization access masks, in combination with the proxy database, prohibit privileged users from performing proxy logins.

When users are allowed to perform proxy logins, their identity can be subverted by another DECnet node masquerading as the authorized proxy source. If privileged users are allowed to perform proxy logins, compromise of their identity can threaten the security of the entire system.

Default policy: All privileges except for NETMBX and TMPMBX are prohibited from being either held by default or authorized.

Customizing: If an Ethernet is entirely protected by encryption hardware (e.g., DESNC), and DECnet Phase V is not in use, setting these limits FALSE can be done with reduced hazard.

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>, <username> |
Ensure ability for privileged users to perform remote logins (SET HOST) conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
These tests determine whether user authorization access masks prohibit privileged users from performing remote logins (SET HOST).

When users are allowed to perform remote logins (SET HOST), their passwords can be read by eavesdroppers on the network, particularly on Ethernet through the use of promiscuous mode. If privileged users are allowed to perform remote logins (SET HOST), compromise of their password can threaten the security of the entire system.

Default policy: All privileges except for NETMBX and TMPMBX are prohibited from being either held by default or authorized.

Customizing: If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard, depending on how well serial lines are protected.

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>, <username> |
Ensure ability for privileged users to perform TCP/IP logins conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
These tests determine whether user authorization access masks prohibit privileged users from performing TCP/IP logins.

When users are allowed to perform TCP/IP logins, their passwords can be read by eavesdroppers, particularly on the Ethernet through the use of promiscuous mode. If privileged users are allowed to perform TCP/IP logins, compromise of their password can threaten the security of the entire system.

Such a scheme is only effective if one of the following conditions is true:
- DECnet is not running on the node
- NETMBX privilege is prohibited by these tests
- Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGITCP

This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting in transmission of a password in the clear.

Terminal device names considered by LJK/Security to be coming from a TCP/IP network are:

Default policy: All privileges except for NETMBX and TMPMBX are prohibited from being either held by default or authorized.

Customizing: If a network is entirely protected by encryption hardware (e.g., DESNC), setting these limits FALSE can be done with reduced hazard.

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>, <username> |
For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.
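The PRIVPROHIB check described in the DECnet, SET HOST and TCP/IP sections above, together with the "only effective if" caveat from the TCP/IP section, as an added illustration that is not LJK/Security's own code. The user records, the policy sets, the element-to-access-type mapping and the node name `LOCAL` are all constructed assumptions.

```python
# Added illustration, not LJK/Security's own code: the PRIVPROHIB check for
# DECnet, SET HOST and TCP/IP logins, plus the "only effective if" caveat
# from the TCP/IP section. Users, policy and mappings are constructed.

# Assumption: which SYSUAF access type each login path relies on. TCP/IP
# terminals are treated as dialup, per the UCB "dialup" bit note above.
PATH_ACCESS = {"PRIVLGINET": "NETWORK", "PRIVLGIREM": "REMOTE",
               "PRIVLGITCP": "DIALUP"}

# Constructed policy per element: the set of privileges prohibited for
# that login path. NETMBX and TMPMBX stay permitted, as in the defaults.
POLICY = {"PRIVLGINET": {"SYSPRV", "CMKRNL", "BYPASS"},
          "PRIVLGIREM": {"SYSPRV", "CMKRNL", "BYPASS"},
          "PRIVLGITCP": {"SYSPRV", "CMKRNL", "BYPASS", "OPER"}}

# Constructed UAF records: authorized/default privileges and access types.
USERS = {
    "OPERATOR": {"authpriv": {"SYSPRV", "NETMBX", "TMPMBX"},
                 "defpriv": {"NETMBX", "TMPMBX"},
                 "access": {"NETWORK", "REMOTE", "LOCAL"}},
    "BACKUP": {"authpriv": {"BYPASS", "TMPMBX"}, "defpriv": {"BYPASS", "TMPMBX"},
               "access": {"LOCAL"}},
    "GUEST": {"authpriv": {"NETMBX", "TMPMBX"}, "defpriv": {"NETMBX", "TMPMBX"},
              "access": {"NETWORK", "DIALUP"}},
}

def privprohib_violations(users, policy, element, exempt=frozenset()):
    """Return (username, privilege) pairs where a prohibited privilege is held
    by default or authorized and the UAF record still permits the access
    type that `element` covers. `exempt` holds (node, username) pairs; the
    node name 'LOCAL' is a constructed placeholder."""
    access = PATH_ACCESS[element]
    found = []
    for name, rec in sorted(users.items()):
        if ("LOCAL", name) in exempt or access not in rec["access"]:
            continue
        for priv in sorted(rec["authpriv"] | rec["defpriv"]):
            if priv in policy[element]:
                found.append((name, priv))
    return found

def tcpip_check_effective(policy, decnet_running):
    """The caveat from the TCP/IP section: prohibiting privileges for TCP/IP
    logins only helps if DECnet is off, NETMBX is itself prohibited, or the
    DECnet and SET HOST elements prohibit everything the TCP/IP one does."""
    tcp = policy["PRIVLGITCP"]
    return (not decnet_running or "NETMBX" in tcp
            or tcp <= (policy["PRIVLGINET"] & policy["PRIVLGIREM"]))
```

BACKUP holds BYPASS but has no network access, so it is never reported; OPERATOR is reported for DECnet and SET HOST because SYSPRV is authorized even though it is not a default privilege.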
Ensure ability for privileged users to perform logins via P.S.I. X29 software conforms to policy.
| Constraint | Nature of the violation |
|---|---|
| PRIVPROHIB | Login with privilege permitted in violation of policy |
| ABSOLUTHI | Login with privilege permitted in violation of policy |
These tests determine whether user authorization access masks prohibit privileged users from performing logins via X29 connections.

When users are allowed to perform logins via X29 connections, there is a possibility that an attacker from an unknown remote location could break in. If such a break-in were to a privileged account, the damage could be considerable.

Such a scheme is only effective if one of the following conditions is true:
- DECnet is not running on the node
- NETMBX privilege is prohibited by these tests
- Elements PRIVLGINET and PRIVLGIREM prohibit all privileges prohibited by element PRIVLGIX29

This is because once a process is logged in, it could be used to initiate a further DECnet connection, resulting in transmission of a password in the clear.

Terminal device names considered by LJK/Security to be coming from an X29 network are:

Default policy: All privileges except for TMPMBX are prohibited from being either held by default or authorized.

Customizing: Exemptions can be added if required, at considerable reduction in security.

Selector: Limits and exemptions for test PRIVPROHIB can take a selector consisting of a privilege name. Thus, it can be set once for each possible privilege. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges.
| Constraint | Value | Default |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | FALSE |
| ABSOLUTHI | Category-None---Category-All | Category-Normal |
| Constraint | Value | Parameters |
|---|---|---|
| PRIVPROHIB | FALSE or TRUE | <node>,<filespec> |
| ABSOLUTHI | Category-None---Category-All | <node>, <username> |
For information on controlling the UCB "dialup" bit, consult Section H.3, Changing Template Terminal UCB Characteristics.
Ensure any proxy logins are established in accordance with policy.
| Constraint | Nature of the violation |
|---|---|
| MULTIUSER | Shared proxy access from two users on a remote node |
| NOSUCHUSER | Proxy access to a non-existent username |
| PROHIBITED | Any proxy access |
| OTHERUSER | Proxy access from a different username |
| WILDNODE | Proxy access from a wildcard node |
| WILDTARGET | Proxy access to a wildcard user |
| WILDUSER | Proxy access from a wildcard user |
Test MULTIUSER prohibits more than a single username from the same remote node having proxy access to a single target username.

Test NOSUCHUSER prohibits proxy entries which point to usernames which do not exist.

Test PROHIBITED prohibits any proxy entries (except those covered by exemptions).

Test OTHERUSER prohibits proxy entries where the username on the remote node differs from the username on the target node. This is only of use for networks where there is considerable coordination of usernames across the network.

Test WILDNODE prohibits proxy entries which contain an asterisk for the remote node specification (the percent-sign wildcard character is not supported for proxy logins).

Test WILDTARGET prohibits proxy entries which contain an asterisk for the local user specification.

Test WILDUSER prohibits proxy entries which contain an asterisk for the remote user specification (the percent-sign wildcard character is not supported for proxy logins).

There are two common circumstances under which test NOSUCHUSER may find violations:

Default policy: All tests for this facility are set TRUE, except for OTHERUSER.

Customizing: Enabling test OTHERUSER is only appropriate where the organization guarantees uniform user naming across the network. Uniform username choice across a network is not particularly an aid to security, and in many cases runs contrary to the best security implementation.
| Constraint | Value | Default |
|---|---|---|
| MULTIUSER | FALSE or TRUE | TRUE |
| NOSUCHUSER | FALSE or TRUE | TRUE |
| PROHIBITED | FALSE or TRUE | FALSE |
| OTHERUSER | FALSE or TRUE | FALSE |
| WILDNODE | FALSE or TRUE | TRUE |
| WILDTARGET | FALSE or TRUE | TRUE |
| WILDUSER | FALSE or TRUE | TRUE |
| Constraint | Value | Parameters |
|---|---|---|
| MULTIUSER | FALSE or TRUE | <node>,<filespec> |
| NOSUCHUSER | FALSE or TRUE | <node>, <username> |
| PROHIBITED | FALSE or TRUE | <node>, <username> |
| OTHERUSER | FALSE or TRUE | <node>, <username> |
| WILDNODE | FALSE or TRUE | <node>, <username> |
| WILDTARGET | FALSE or TRUE | <node>, <username> |
| WILDUSER | FALSE or TRUE | <node>, <username> |
Three separate wild proxy tests are provided to increase the granularity with which exemptions can be granted in settings where that must be done.
One situation where a wildcard proxy entry may be good for security is when it is used as the method for getting rid of a default incoming DECnet account. Allowing unrestricted access from a particular node is more secure than allowing unrestricted access from all nodes!
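The seven proxy-database tests described above (MULTIUSER, NOSUCHUSER, PROHIBITED, OTHERUSER, WILDNODE, WILDTARGET, WILDUSER), as an added illustration that is not LJK/Security's own code. The proxy entries, the local username list and the exemption shape are constructed for the example.

```python
# Added illustration, not LJK/Security's own code: the proxy-database tests
# MULTIUSER, NOSUCHUSER, PROHIBITED, OTHERUSER, WILDNODE, WILDTARGET and
# WILDUSER run over constructed NETPROXY-style entries.
from collections import defaultdict

# Constructed proxy entries as (remote node, remote user, local user).
PROXIES = [
    ("HUB", "SMITH", "SMITH"),
    ("HUB", "JONES", "SMITH"),   # second remote user onto SMITH: MULTIUSER
    ("LAB", "ALICE", "ALICE"),
    ("LAB", "BOB", "NOBODY"),    # local username does not exist: NOSUCHUSER
    ("*", "FIELD", "FIELD"),     # WILDNODE
    ("HUB", "*", "GUEST"),       # WILDUSER
    ("HUB", "ROOT", "*"),        # WILDTARGET
]
LOCAL_USERS = {"SMITH", "ALICE", "FIELD", "GUEST", "ROOT"}  # constructed SYSUAF

# Documented defaults: every test TRUE except OTHERUSER and PROHIBITED.
POLICY = {"MULTIUSER": True, "NOSUCHUSER": True, "PROHIBITED": False,
          "OTHERUSER": False, "WILDNODE": True, "WILDTARGET": True,
          "WILDUSER": True}

def proxy_violations(proxies, local_users, policy, exempt=frozenset()):
    """Return sorted (test, node, remote_user, local_user) tuples for every
    enabled test an entry violates. `exempt` holds (test, node, local_user)
    triples, mirroring the <node>, <username> exemption parameters."""
    out = set()
    def flag(test, node, ruser, luser):
        if policy.get(test) and (test, node, luser) not in exempt:
            out.add((test, node, ruser, luser))
    by_target = defaultdict(set)  # (node, local_user) -> remote users
    for node, ruser, luser in proxies:
        flag("PROHIBITED", node, ruser, luser)
        if node == "*":
            flag("WILDNODE", node, ruser, luser)
        if ruser == "*":
            flag("WILDUSER", node, ruser, luser)
        if luser == "*":
            flag("WILDTARGET", node, ruser, luser)
        elif luser not in local_users:
            flag("NOSUCHUSER", node, ruser, luser)
        if "*" not in (ruser, luser):  # wildcards handled by their own tests
            if ruser != luser:
                flag("OTHERUSER", node, ruser, luser)
            by_target[(node, luser)].add(ruser)
    for (node, luser), rusers in by_target.items():
        if len(rusers) > 1:  # two or more remote users share one target
            for ruser in rusers:
                flag("MULTIUSER", node, ruser, luser)
    return sorted(out)
```

With the documented defaults the constructed entries yield six findings; turning OTHERUSER on adds the JONES-to-SMITH and BOB-to-NOBODY entries, which is why it is off unless usernames really are coordinated network-wide.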
Ensure that individual usernames have acceptable password ages.
| Constraint | Nature of the violation |
|---|---|
| ABSOLUTLO | Lower than minimum in the policy |
| ABSOLUTHI | Higher than maximum in the policy |
The purpose of this test is to ensure that the password age for each user complies with organization-wide security policy. The system User Authorization File (SYSUAF) records for each username the date of the last password change for either the primary or secondary password (if any). This test compares that value for each authorized username against each privilege-related limit set in the policy.

A limit or exemption with a value of zero means there is no value which is considered unacceptable.

Default policy: The password age minimum and maximum are 0 for non-privileged accounts and privileged accounts [1], relying instead on tests (UAF,PWDLIFE,*).

Customizing: Change the default limits to match your own organization policy.

Selector: Limits and exemptions for this test can take a selector consisting of a privilege name or a privilege-level name. Thus, each can be set once for each possible privilege and once for each possible privilege level. If a username has a given privilege or is at a given privilege level, then that limit applies. When using the Command Interface, if you do not specify a selector when changing the limit or exemptions, your change applies to all privileges and privilege levels.
| Constraint | Value | Default |
|---|---|---|
| ABSOLUTLO | 0---n | 30 |
| ABSOLUTHI | 0---n | 90 or 30 or 0* |
* 30 for levels above Category-Normal, 0 for explicit privileges.
| Constraint | Value | Parameters |
|---|---|---|
| ABSOLUTLO | 0---n | <node>, <username> |
| ABSOLUTHI | 0---n | <node>, <username> |
[1] Usernames with just NETMBX and TMPMBX will be treated as non-privileged.
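The ABSOLUTLO/ABSOLUTHI password-age comparison with privilege and privilege-level selectors, as an added illustration that is not LJK/Security's own code. The evaluation date, the usernames, the level name `Category-High` and the node name `LOCAL` are constructed assumptions; the limits follow the defaults in the table above.

```python
# Added illustration, not LJK/Security's own code: the ABSOLUTLO/ABSOLUTHI
# password-age comparison with privilege and privilege-level selectors.
# Dates, usernames, level names and limits below are constructed.
from datetime import date

TODAY = date(1992, 6, 1)  # constructed evaluation date

# Constructed limits per selector: (ABSOLUTLO, ABSOLUTHI) in days, 0 = no
# limit. Mirrors the limits table: 30/90 at Category-Normal, a maximum of
# 30 above it ("Category-High" is a constructed level name), and a maximum
# of 0 (no maximum) for an explicit privilege.
LIMITS = {"Category-Normal": (30, 90), "Category-High": (30, 30),
          "SYSPRV": (30, 0)}

# Constructed UAF records: last password change, authorized privileges and
# privilege level. NETMBX/TMPMBX-only users count as non-privileged.
USERS = {
    "SMITH": (date(1992, 5, 20), {"NETMBX", "TMPMBX"}, "Category-Normal"),
    "OPER": (date(1992, 3, 1), {"OPER", "NETMBX", "TMPMBX"}, "Category-High"),
    "SYSMGR": (date(1991, 1, 1), {"SYSPRV", "CMKRNL"}, "Category-High"),
}

def password_age_violations(users, limits, today, exempt=frozenset()):
    """Return (username, selector, test, age_in_days) tuples. A selector's
    limits apply when the user holds that privilege or sits at that level;
    a limit of 0 means no value is unacceptable. `exempt` holds
    (node, username) pairs; 'LOCAL' is a constructed node name."""
    out = []
    for name, (changed, privs, level) in sorted(users.items()):
        if ("LOCAL", name) in exempt:
            continue
        age = (today - changed).days
        for sel in sorted(privs | {level}):
            if sel not in limits:
                continue  # no limit set for this privilege or level
            lo, hi = limits[sel]
            if lo and age < lo:
                out.append((name, sel, "ABSOLUTLO", age))
            if hi and age > hi:
                out.append((name, sel, "ABSOLUTHI", age))
    return out
```

SYSMGR is reported only under the level selector: the explicit SYSPRV selector has a maximum of 0, so no age is too high for it, which is the "zero means nothing is unacceptable" rule from the text.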