HP OpenVMS System Manager's Manual, Volume 1:... Chapter: Security Considerations

Managing Passwords  



A site needing average security protection always requires the use of passwords. Sites with more security needs frequently require generated passwords and system passwords. Highly secure sites sometimes choose to use secondary passwords to control network access.

This section describes the basic elements of the standard OpenVMS password policy and how to manage them. For information about how to manage extensions to the standard password policy (also known as external authentication), refer to the chapter "Managing System Access" in the HP OpenVMS Guide to System Security.

Initial Passwords  

When you open an account for a new user with the Authorize utility, you must give the user a user name and an initial password. When you assign temporary initial passwords, observe all guidelines recommended in Guidelines for Protecting Passwords. You should consider using the automatic password generator. Avoid any obvious pattern when assigning passwords.

Using the Automatic Password Generator

To use the automatic password generator while using the Authorize utility to open an account, add the /GENERATE_PASSWORD qualifier to either the ADD or the COPY command. The system responds by offering you a list of automatically generated password choices. Select one of these passwords, and continue setting up the account.

Using the System Dictionary and the Password History List

The OpenVMS operating system automatically compares new passwords with a system dictionary to ensure that a password is not a native language word. It also maintains a password history list of a user's last 60 passwords. The operating system compares each new password with entries in the password history list to ensure that an old password is not reused.

The system dictionary is located in SYS$LIBRARY. You can enable or disable the dictionary search by specifying the DISPWDDIC or NODISPWDDIC option with the /FLAGS qualifier in AUTHORIZE. The password history list is located in SYS$SYSTEM. To enable or disable the history search, specify the DISPWDHIS or NODISPWDHIS option to the /FLAGS qualifier.

Adding to the System Password Dictionary

You can modify the system password dictionary to include words of significance to your site. The following procedure allows you to add words to the system dictionary. The procedure also allows you to retain a file of the passwords that you consider unacceptable.

  1. Create a file containing passwords you want to add to the dictionary. Each password should be on a separate line and in lowercase, as follows:
    $ CREATE LOCAL_PASSWORD_DICTIONARY.DATA
    somefamous
    localheroes
    <Ctrl/Z> 
  2. Enable SYSPRV and merge your local additions:
    $ SET PROCESS/PRIVILEGE=SYSPRV
    $ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA -
    _$ SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA

Defining Preexpired Passwords

When you add a new user to the UAF, you might want to define that user's password as having expired previously using the AUTHORIZE qualifier /PWDEXPIRED. This forces the user to change the initial password when first logging in.

Preexpired passwords are conspicuous in the UAF record listing. The entry for the date of the last password change carries the notation (pre-expired).

By default, the OpenVMS operating system forces new users to change their passwords the first time they log in. Encourage your site to use a training program for its users that includes information about changing passwords.

System Passwords  

System passwords control access to terminals that might be targets for unauthorized use, as follows:

Implementing system passwords is a two-stage operation involving the DCL commands SET TERMINAL and SET PASSWORD. First, you must decide which terminals require system passwords. Then, for each terminal, you enter the DCL command SET TERMINAL/SYSPASSWORD/PERMANENT. To enable system passwords for all terminals, set the appropriate bit in the system parameter TTY$DEFCHAR2.

Primary and Secondary Passwords  

The use of dual passwords is cumbersome and mainly needed at sites with high-level security concerns. The effectiveness of a secondary password depends entirely on the trustworthiness of the supervisor who supplies it. A supervisor can easily give out the password or, worse yet, change it to a null string.

The main advantage of a second password is that it prevents accounts from being accessed through DECnet for OpenVMS using simple access control.

Another advantage of a second password is that it can serve as a detection tool when a site has unexplained break-ins after the password has been changed and the use of the password generator has been enforced. Select problem accounts, and make them a temporary target of this restriction. If the problem goes away when you institute personal verification through the secondary password, you know you have a personnel problem. Most likely, the authorized user is revealing the password for the account to one or more other users who are abusing the account. Refer to the HP OpenVMS Guide to System Security for an explanation of how to add secondary passwords.

Enforcing Minimum Password Standards  

Security managers can use AUTHORIZE to impose minimum password standards for individual users. Specifically, qualifiers and login flags provided by AUTHORIZE control the minimum password length, how soon passwords expire, and whether the user is forced to change passwords at expiration.

Password Expiration

With the AUTHORIZE qualifier /PWDLIFETIME, you can establish the maximum length of time that can elapse between password changes before the user will be forced to change the password or lose access to the account.

The use of a password lifetime forces the user to change the password regularly. The lifetime can be different for different users. Users who have access to critical files generally should have the shortest password lifetimes.

Forcing Expired Password Changes

By default, users are forced to change expired passwords when logging in. Users whose passwords have expired are prompted for new passwords at login. A password is valid for 90 days unless a site modifies the value with the /PWDLIFETIME qualifier.

Minimum Password Length

With the AUTHORIZE qualifier /PWDMINIMUM, you can direct that all password choices must be a minimum number of characters in length. Users can still specify passwords up to the maximum length of 32 characters.

Requiring the Password Generator

The /FLAGS=GENPWD qualifier in AUTHORIZE allows you to force the use of the automatic password generator when a user changes a password. At some sites, all accounts are created with this qualifier. At other sites, the security manager can be more selective.
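The following DCL session is an added example, not part of the manual, that applies the standards from this section to a single account. The account name JDOE, the 12-character minimum and the 30-day lifetime are assumed values chosen for illustration; the qualifiers and flag names are the ones this section and "Using the System Dictionary and the Password History List" describe.

```dcl
$ ! Added example, not from the manual. AUTHORIZE is run with SYSPRV
$ ! and with SYS$SYSTEM as the default directory so it can open the UAF.
$ ! JDOE is a hypothetical account.
$ SET PROCESS/PRIVILEGE=SYSPRV
$ SET DEFAULT SYS$SYSTEM
$ !
$ ! Require at least 12 characters (assumed site value; 32 is the maximum),
$ ! expire the password every 30 days (delta time dddd-hh:mm),
$ ! force the automatic generator on every change (GENPWD),
$ ! and keep the dictionary and history checks enabled.
$ MCR AUTHORIZE MODIFY JDOE /PWDMINIMUM=12 /PWDLIFETIME=30-00:00 -
_$ /FLAGS=(GENPWD,NODISPWDDIC,NODISPWDHIS)
$ !
$ ! Mark the current password as preexpired so the user must choose
$ ! a new, generated password at the next login.
$ MCR AUTHORIZE MODIFY JDOE /PWDEXPIRED
$ !
$ ! Verify: the record listing should show the Pwdminimum and Pwdlifetime
$ ! values, the GenPwd flag, and (pre-expired) beside the last-change date.
$ MCR AUTHORIZE SHOW JDOE
```

Running SHOW after MODIFY is the check that matters: it confirms the lifetime and minimum actually took effect and that the dictionary and history flags were not left disabled by an earlier change.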

Guidelines for Protecting Passwords  

Observe the following guidelines to protect passwords:

The following actions are not strictly for password protection, but they reduce the potential of password detection or limit the extent of the damage if passwords are discovered or bypassed:

Password History  

The password history database maintains a history of previous passwords associated with each user account. By default, the system retains these records for one year. A password whose history record is older than the system password history lifetime is allowed again as a valid password choice. When a user account is deleted, the system removes the associated password history records from the history database.

