HP OpenVMS Guide to System Security
Part: Security for the System Administrator
Chapter: Managing System Access

Controlling the Login Process



This section describes many operating system features designed to secure systems from unauthorized users.

Informational Display During Login

This section describes how you can control the display of various pieces of information that appear by default at login time, such as announcement, welcome, last login, and new mail messages. So that you can understand the effect of login restrictions, it also describes how the operating system processes the login fields of the system user authorization file (SYSUAF.DAT). In addition, this section describes the use of the secure server and how to set up intrusion detection.

Announcement Message  

To provide an announcement message on your system, define the system logical name SYS$ANNOUNCE in the site-specific startup command procedure SYS$MANAGER:SYSTARTUP_VMS.COM. The HP OpenVMS System Manager's Manual describes how to do this. The announcement message appears at login.

The definition you provide here affects all users on the system. Because this message may provide a clue to the identity of the operating system, you may decide not to display it.

Welcome Message  

Similar to the announcement message, the welcome message is controlled through a system logical name, SYS$WELCOME. If you do not define SYS$WELCOME, a standard welcome message is provided for all users. This welcome message reveals the operating system and version number, as well as the node if SYS$NODE is defined.

To define another message for SYS$WELCOME, you can create a text file containing the message. To display the contents of this file, use the following line in SYSTARTUP_VMS.COM:

$ DEFINE/SYSTEM SYS$WELCOME "@SYS$MANAGER:WELCOME.TXT"

To disable the welcome message, place the following DCL command in SYS$MANAGER:SYSTARTUP_VMS.COM. This command prints a blank line in place of the standard welcome message.

$ DEFINE/SYSTEM SYS$WELCOME " "

If you prefer to selectively disable the message for individual users, you can use the AUTHORIZE qualifier /FLAGS=DISWELCOME on individual UAF records.

Last Login Messages  

By default, the system displays three messages that provide information about the last logins and the number of failed login attempts (see Reading Informational Messages). You can selectively disable the appearance of these three messages by entering the AUTHORIZE qualifier /FLAGS=DISREPORT for specific users.

New Mail Announcements  

By default, the system tells users the number of new mail messages when they log in. You can prevent users from receiving this notice by specifying the AUTHORIZE qualifier /FLAGS=DISNEWMAIL.

The new mail announcement is primarily a user convenience, not a security issue. If a user with a restricted account cannot invoke the Mail utility (MAIL), then you might want to disable the new mail message at the same time you prohibit mail access. The following AUTHORIZE qualifier accomplishes both tasks: /FLAGS=(DISMAIL,DISNEWMAIL)

Limiting Disconnected Processes  

Virtual terminals let users maintain more than one disconnected process at a time. Virtual terminals are also required by the secure server feature (see Using the Secure Server). You may want to restrict the use of virtual terminals. For example, if you are concerned about the amount of nonpaged pool, you may not want to enable this feature on a systemwide basis.

Virtual terminals can be disabled at the terminal, user, or system level:

You can also set the amount of time allowed for reconnection to less than the default of 15 minutes with the system parameter TTY_TIMEOUT. A process that remains disconnected for longer than the timeout value is automatically logged out by the system. Limiting the connection time tends to minimize the number of users who receive messages, but it also affects the usefulness of the connection feature.

For more information on setting up and reconnecting to virtual terminals, refer to the HP OpenVMS System Manager's Manual.

Providing Automatic Login 

You can assign accounts to particular terminals to enable an automatic login feature (see Automatic Login Accounts). This feature permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file. Maintain this file with the following System Management utility (SYSMAN) commands:

Task                                          Command       Example
Adding terminal/user name association         ALF ADD       ALF ADD TTA5 RENOLDS
Adding terminal server/user name association  ALF ADD/PORT  ALF ADD/PORT "M34C3/LC-1-2" RENOLDS
Displaying records in ALF file                ALF SHOW      ALF SHOW TTA5
                                                            ALF SHOW /USERNAME=PONTRE
Removing terminal/user name association       ALF REMOVE    ALF REMOVE TTA3
                                                            ALF REMOVE /USERNAME=DOUGLAS

The ALF file consists of one record for each terminal on which automatic logins are enabled. Each record consists of two fields: the device name or terminal server port name of the terminal, followed by the user name of an account. The device names must be unique within the file. However, the same user name can occur in any number of records; that is, one account can be automatically logged in to an unlimited number of terminals.

The ALF file is an indexed file that does not need to be purged, but it should be backed up after a modification.

Using the Secure Server  

Guidelines for Protecting Your Password describes password grabbers as a class of programs designed to steal passwords from unsuspecting users who log in to terminals left on. The operating system provides a secure terminal server that stops any currently executing process before the start of a login at that terminal.

Invoke the secure server separately for each terminal with the following DCL command:

$ SET TERMINAL/PERMANENT/SECURE/DISCONNECT term-id

The user must then press the Break key followed by the Return key to start a login. The login proceeds as usual.

If you apply the secure server to all terminals, you can make the login procedure consistent throughout the site by putting the SET TERMINAL commands in the site-specific startup command procedure. However, certain applications that may use the terminal as a communications line need to use the Break key for their own purposes, which would be incompatible with the secure terminal server.

The secure terminal server feature is also incompatible with autobaud handling. However, because autobaud handling is necessary only on modem terminals (switched and dialup terminals), the modem handling on such terminals performs the equivalent of secure server functions. For secure operation, set up the terminal characteristics as follows:

  • Specify the /DIALUP qualifier if the terminal port is accessible through a telephone line or the equivalent, regardless of the path (direct modem, data switch, terminal server, or public data network).

  • Always specify the /DISCONNECT qualifier to guard against password grabbers. To prevent disconnected jobs from filling up your system, set the system parameter TTY_TIMEOUT to a low timeout value, which determines when disconnected processes are deleted.

If you decide to apply the secure server to individual terminals, include directly wired terminals located in public areas or remote, unsecured areas. Terminals never used for local or dialup logins are not subject to this security problem. Terminals closely supervised during logins may also not require this measure.

Detecting Intruders  

Occasionally people fail to log in correctly because they enter an expired password or make a typing error. But not all failures are benign: some occur because an unauthorized person is trying to log in through an expired account or with an unknown user name, or is attempting to guess passwords on a valid account.

The operating system is sensitive to login failures. After one failure, it begins to monitor the terminal, terminal server connection, or network connection where the login is taking place. At first, the operating system records unsuccessful logins in an intrusion database. As failures continue, the operating system not only records failures but takes restrictive measures. The person attempting login is monitored more closely and limited to a certain number of login retries within a limited period of time. Once a person exceeds either the retry or time limitation, he or she cannot log in for a while, even with a valid user name and password. At a later point, the restriction eases, and login is allowed once again.

Understanding the Intrusion Database

The DCL command SHOW INTRUSION displays the contents of the intrusion database; Intrusion Database Display shows a sample display. The database captures the following types of information on login failures:

Field            Description
Intrusion class  The general source of failure:
                   • Network: failure originating from a remote node, using a valid user name
                   • Terminal: failure originating from one terminal
                   • Term_User: failure originating from one terminal, using a valid user name
                   • Username: failure attempting to create a detached process
Type             Severity of login failure:
                   • Suspect
                   • Intruder
                 The system parameters for threshold count (LGI_BRK_LIM) and monitoring period (LGI_BRK_TMO) define when a suspect becomes an intruder.
Count            Number of login failures associated with a particular source.
Expiration       Date and time when a suspect's record is deleted or when an intruder is allowed another chance to log in. When an intruder's record reaches its expiration time, it becomes a suspect, and the failure count is reset to LGI_BRK_LIM. The expiration time is reset to the old expiration plus LGI_BRK_TMO.
Source           Origin of the login failure:
                   • Node and user name if Network class
                   • Terminal if Terminal class
                   • Terminal and user name if Term_User class
                   • User name if Username class


Whenever the system detects an intruder, it sends an auditing message to the security operator terminal or the log file to alert you. Using the DCL command SHOW INTRUSION, you can display the source and type of intrusion. For example, Intrusion Database Display shows a problem with a user named MAPLE who is logging in over the network. The user has tried to log in 8 times. Because the user failed to log in within the monitoring period, the operating system suspended all logins from OMNI:.BOSTON.BIRCH::MAPLE. Intrusion Example gives a more detailed explanation of how the system decides to suspend logins.

Notice that many suspects appear in the display. Sometimes users forget their passwords or type them incorrectly. To remove an entry from the database, use the DCL command DELETE/INTRUSION_RECORD.

Example 5  Intrusion Database Display

$ SHOW INTRUSION
Intrusion    Type      Count       Expiration             Source
NETWORK      SUSPECT     1    2-Jan-2002 13:20:30.89    PCD025::
NETWORK      SUSPECT     5    2-Jan-2002 13:36:39.42    DENIM::SYSTEM
NETWORK      SUSPECT     2    2-Jan-2002 13:25:17.30    N1KDO::SYSTEM
NETWORK      SUSPECT     2    2-Jan-2002 13:07:57.95    OMNI:.LOWELL.ASH::TESTER
NETWORK      INTRUDER    8    2-Jan-2002 11:06:50.51    OMNI:.BOSTON.BIRCH::MAPLE
NETWORK      SUSPECT     2    2-Jan-2002 13:20:10.09    JETTE::TIPH
NETWORK      SUSPECT     1    2-Jan-2002 13:21:40.75    FTSR::TFREDERICK
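As an added example that is not part of the OpenVMS documentation, the following Python script parses a SHOW INTRUSION display in the layout of Example 5 and picks out the records an operator should act on: active intruders, and suspects whose count has already reached LGI_BRK_LIM and are therefore one failure away from evasive action. The sample text reuses the records from Example 5, and the limit of 5 is the standard LGI_BRK_LIM value cited in this section; both the record format regex and the triage rule are this example's assumptions, not OpenVMS code.

```python
import re
from collections import Counter
from datetime import datetime

LGI_BRK_LIM = 5  # standard limit cited in this section; adjust to the site's value

# Sample display in the layout of Example 5 above (records copied from that example).
SHOW_INTRUSION_OUTPUT = """\
Intrusion    Type      Count       Expiration             Source
NETWORK      SUSPECT     1    2-Jan-2002 13:20:30.89    PCD025::
NETWORK      SUSPECT     5    2-Jan-2002 13:36:39.42    DENIM::SYSTEM
NETWORK      SUSPECT     2    2-Jan-2002 13:25:17.30    N1KDO::SYSTEM
NETWORK      SUSPECT     2    2-Jan-2002 13:07:57.95    OMNI:.LOWELL.ASH::TESTER
NETWORK      INTRUDER    8    2-Jan-2002 11:06:50.51    OMNI:.BOSTON.BIRCH::MAPLE
NETWORK      SUSPECT     2    2-Jan-2002 13:20:10.09    JETTE::TIPH
NETWORK      SUSPECT     1    2-Jan-2002 13:21:40.75    FTSR::TFREDERICK
"""

# One record per line: intrusion class, type, count, expiration timestamp, source.
RECORD_RE = re.compile(
    r"^(?P<cls>[A-Z_]+)\s+(?P<type>SUSPECT|INTRUDER)\s+(?P<count>\d+)\s+"
    r"(?P<expires>\d{1,2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<source>\S+)$"
)

def parse_intrusion_display(text):
    """Return one dict per record; header lines and non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "class": m["cls"],
            "type": m["type"],
            "count": int(m["count"]),
            "expires": datetime.strptime(m["expires"], "%d-%b-%Y %H:%M:%S.%f"),
            "source": m["source"],
        })
    return records

def triage(records, brk_lim=LGI_BRK_LIM):
    """Split records into what needs attention: intruders, and suspects at the limit."""
    intruders = [r["source"] for r in records if r["type"] == "INTRUDER"]
    at_limit = [r["source"] for r in records
                if r["type"] == "SUSPECT" and r["count"] >= brk_lim]
    per_class = Counter(r["class"] for r in records)
    return {"intruders": intruders, "at_limit": at_limit, "per_class": dict(per_class)}

if __name__ == "__main__":
    summary = triage(parse_intrusion_display(SHOW_INTRUSION_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the Example 5 data this reports OMNI:.BOSTON.BIRCH::MAPLE as the only intruder and DENIM::SYSTEM as the suspect already at the limit.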


How Intrusion Detection Works  

Once a login failure occurs, a user becomes a suspect and is monitored for further failures for a period of time. The operating system tolerates only so many login failures by the suspect during this given period of time before it declares the source of login failure to be an intruder. In other words, suspects become intruders by exceeding their allowed chances for login during the monitoring period.

The chance count, set by the system parameter LGI_BRK_LIM, defines how many times a person can try logging in; the standard limit is five times. The chance parameter works in tandem with a time factor controlled by the system parameter LGI_BRK_TMO. At each login failure, the suspect's monitoring period is increased by the value of LGI_BRK_TMO. Thus, with each failure, the suspect is monitored for a longer period of time.

Intrusion Example illustrates a situation where evasive action results when user George fails five times to log in. At each failure, the monitoring period is extended by 5 minutes. On the fifth failure, the operating system labels George an intruder and refuses to log him in. (Notice that the example assumes the parameters LGI_BRK_LIM and LGI_BRK_TMO are both set to 5.)

Table 6   Intrusion Example
Time of Login Failure  Failure Count  Extension of Monitoring Period
6:00                   0              George fails to log in, and the system starts to monitor logins from George's terminal. It monitors for the next 5 minutes.
6:00:30                1              Thirty seconds later, with 4.5 minutes left in the monitoring period, George fails again. The monitoring period is extended by 5 minutes. Thus, the system monitors George for login failures during the next 9.5 minutes.
6:01                   2              Thirty seconds later, 9 minutes remain in his monitoring period, and the system extends it by 5 minutes.
6:02                   3              One minute later, George has 13 minutes in his monitoring period, and the system extends it by 5 minutes.
6:02:30                4              Thirty seconds later, George has 17.5 minutes in the monitoring period, and the system extends it by 5 minutes. Thus, the system monitors George for login failures during the next 22.5 minutes.
6:04:30                5              Two minutes later, George makes a sixth attempt. Even though the monitoring period allows the time, he runs out of chances. He becomes an intruder and can no longer access the system.

Setting the Exclusion Period  

An intruder can be excluded temporarily or permanently, depending on system settings:

Enabling the LGI_BRK_DISUSER parameter can have serious consequences because that user name is disabled until you manually intervene. If LGI_BRK_DISUSER is enabled, a malicious user can put all known accounts, including yours, out of service in a short time. To recover, you must log in on the system console where the SYSTEM account is always allowed to log in.

System Parameters Controlling Login Attempts  

Parameters for Controlling Login Attempts describes the system parameters controlling login and intrusion detection.

Table 7   Parameters for Controlling Login Attempts
If You Want to Control...                Set the Parameter  Description
Login time period                        LGI_PWD_TMO        Allows time to:
                                                              • Enter the correct system password (if used).
                                                              • Enter personal account passwords.
                                                              • Enter the old password, enter a new password, and verify it when using the SET PASSWORD command.
Number of times a person can try to      LGI_RETRY_LIM      Allows a person to retry the login sequence without losing the phone connection or network link as long as the retry time (LGI_RETRY_TMO) allows. Someone can reconnect and reattempt login as long as the break-in limit (LGI_BRK_LIM) has not been exceeded during the monitoring period.
log in over a phone line or network
connection
Interval between login attempts over     LGI_RETRY_TMO      Specifies the number of seconds allowed between login attempts after a login failure. If there is no user response after a login failure for LGI_RETRY_TMO seconds, LOGINOUT disconnects the session.
phone lines or network connection
Number of login chances                  LGI_BRK_LIM        Specifies the number of login failures during the monitoring period that triggers evasive action. The failure count applies independently to login attempts by each user name, terminal, and node.
Length of failure monitoring period      LGI_BRK_TMO        Indicates the time increment added to the suspect's expiration time each time a login failure occurs. Once the expiration period passes, prior failures are discarded, and the subject is given a clean slate.
Association of user name and terminal    LGI_BRK_TERM       Controls whether failures from terminal class logins are counted by terminal, by user (the default), or by user across all terminals. LAT is tracked back to the originating port based on the contents of the TT_ACCPORNAM field.
name in intrusion database source name
Duration of login denial                 LGI_HID_TIM        Specifies the duration of login denial. The value of this parameter times a random number (between 1 and 1.5) determines the actual length of evasive action when the failure count has exceeded LGI_BRK_LIM.
Intruder's account                       LGI_BRK_DISUSER    Enables the DISUSER flag in the user's authorization record, permanently locking out that account.

Security Server Process  

The Security Server process, which is created as part of the normal operating system startup, performs the following tasks:

The system uses the intrusion database to keep track of failed login attempts. This information is scanned during process login to determine if the system should take restrictive measures to prevent access to the system by a suspected intruder. You can display the contents of this database by issuing the DCL command SHOW INTRUSION, as shown in Intrusion Database Display. You can delete information from the database by issuing the DCL command DELETE/INTRUSION.

The network proxy database file (NET$PROXY.DAT) is used during network connection processing to determine if a specific remote user may access a local account without using a password. You can manage the information in this database with the Authorize utility.

