Using DECnet Application (Object) Accounts
Summary of Network Objects
You should understand the function of the network objects supplied with the OpenVMS operating system before you determine the access control to apply to them. This section describes the most common network objects.
The file access listener (FAL) is the remote file access facility. FAL is an image that receives and processes remote file access requests for files at the local node.
Use of general FAL access is strongly discouraged. Open access allows general network access to any files marked world-accessible. It also allows remote users to create files in any directory with world write access.
Sites with high security requirements, or sites where it is difficult to recognize all the intended users, should not create a FAL account. To control which users gain access, these sites may establish one or more proxy accounts for specific purposes (see Proxy Access Control).
MAIL is an image that provides personal mail services for OpenVMS systems. In most cases, allow the MAIL object general access to the system.
MIRROR is an image used for particular forms of loopback testing. For example, MIRROR is run during the DECnet phase of the UETP test package.
MOM is the Maintenance Operations Module. The MOM image downline loads unattended systems, transferring a copy of an operating system file image from an OpenVMS node to a target node. The MOM object is established during a system installation.
NML is the network management listener. Remote users with access to NML can use NCP TELL commands to gather and report network information from your DECnet databases.
PHONE is an image that allows online conversations with users on remote OpenVMS systems. Note that if you allow default DECnet access to PHONE, anyone in the network can get a list of users currently logged in to the local system and attempt a login using the list of user names.
Through the default DECnet account, the TASK object allows arbitrary command procedures (including those that might be used in intrusions) to be executed on your system.
Note that if you do not allow default DECnet access on your system, or if you disable default DECnet access to the TASK object, you can still allow remote user-written command procedures (tasks) to run on your system through the use of access control strings or proxy access.
VPM is the Virtual Performance Monitor Server. Access to VPM is required to use the cluster monitoring features of the Monitor utility (MONITOR).
Configuring Network Objects Manually
The command procedure NETCONFIG.COM configures the network objects on your system automatically, and the command procedure NETCONFIG_UPDATE.COM updates the network objects automatically.
If you choose not to use the command procedures, you can perform the following steps to allow network access to specific objects:
Network Object Defaults lists the directory names, user names, and UICs used by the NETCONFIG.COM and NETCONFIG_UPDATE.COM command procedures to create accounts for specific network objects. For consistency, specify the same information when manually creating network object accounts. For example, the following commands create the directory for the MAIL object account:

    $ SET DEFAULT SYS$SPECIFIC:[000000]
    $ CREATE/DIRECTORY [MAIL$SERVER]/OWNER_UIC=[376,374]

The AUTHORIZE command SHOW MAIL$SERVER displays the network account set up for the MAIL object, as shown in UAF Record for MAIL$SERVER Account. The following commands create that account and then define the MAIL object to use it:

    $ RUN SYS$SYSTEM:AUTHORIZE
    UAF> ADD MAIL$SERVER/OWNER="MAIL$SERVER DEFAULT" -
    _UAF> /PASSWORD=MDU1294B/UIC=[376,374]/ACCOUNT=DECNET -
    _UAF> /DEVICE=SYS$SPECIFIC: /DIRECTORY=[MAIL$SERVER] -
    _UAF> /PRIVILEGE=(TMPMBX,NETMBX) /DEFPRIVILEGE=(TMPMBX,NETMBX) -
    _UAF> /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE) /LGICMD=NL: -
    _UAF> /NOBATCH /NOINTERACTIVE
    UAF> EXIT
    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE OBJECT MAIL USER MAIL$SERVER PASSWORD MDU1294B
    NCP> EXIT
Network Object Defaults lists the network object defaults.
Object Name | Directory and User (Account) Name | UIC |
---|---|---|
FAL | FAL$SERVER | [376,373] |
MAIL | MAIL$SERVER | [376,374] |
MIRROR | MIRRO$SERVER (1) | [376,367] |
MOM | VMS$COMMON:[MOM$SYSTEM] (2) | [376,375] |
NML | NML$SERVER | [376,371] |
PHONE | PHONE$SERVER | [376,372] |
VPM | VPM$SERVER | [376,370] |
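The three manual steps above (create the directory, add the AUTHORIZE account, define the NCP object) apply to every object in the Network Object Defaults table, so they can be collected into one command procedure that takes the object name, account name, UIC, and password as parameters. The procedure below is an added example, not part of the OpenVMS documentation or of NETCONFIG.COM; its name CREATE_NETOBJ.COM and its parameter layout are assumptions. It adds two checks that the manual steps leave to the operator (the 12-character AUTHORIZE name limit noted for MIRROR, and restoring the caller's default directory), and it also updates the volatile NCP database so the object definition takes effect without a restart.

```dcl
$! CREATE_NETOBJ.COM -- added example; not from the OpenVMS documentation.
$! Creates the directory, SYSUAF account, and NCP object definition for
$! one DECnet object, following the manual steps shown for MAIL$SERVER.
$!
$! Usage:  @CREATE_NETOBJ object account "uic" password
$!   P1 = object name            (e.g. MAIL)
$!   P2 = account/directory name (e.g. MAIL$SERVER; AUTHORIZE allows 12 chars)
$!   P3 = UIC, quoted so the comma survives parsing (e.g. "[376,374]")
$!   P4 = password for the object account (must match in SYSUAF and NCP)
$!
$ ON ERROR THEN GOTO CLEANUP
$ saved_default = F$ENVIRONMENT("DEFAULT")
$ IF P1 .EQS. "" .OR. P2 .EQS. "" .OR. P3 .EQS. "" .OR. P4 .EQS. "" THEN GOTO USAGE
$!
$! AUTHORIZE enforces a 12-character user name limit (hence MIRRO$SERVER).
$ IF F$LENGTH(P2) .GT. 12
$ THEN
$   WRITE SYS$OUTPUT "Account name ''P2' exceeds the 12-character AUTHORIZE limit"
$   GOTO USAGE
$ ENDIF
$!
$! Foreign-command symbols let AUTHORIZE and NCP take their command on the
$! DCL line, so parameters can be substituted directly.
$ AUTHORIZE := $SYS$SYSTEM:AUTHORIZE
$ NCP       := $SYS$SYSTEM:NCP
$!
$! Step 1: top-level directory owned by the object account's UIC.
$ SET DEFAULT SYS$SPECIFIC:[000000]
$ CREATE/DIRECTORY ['P2']/OWNER_UIC='P3'
$!
$! Step 2: restricted, non-interactive account with only the privileges a
$! network object needs; LGICMD=NL: means no login command procedure runs.
$ AUTHORIZE ADD 'P2' /OWNER="''P2' DEFAULT" /PASSWORD='P4' /UIC='P3' -
    /ACCOUNT=DECNET /DEVICE=SYS$SPECIFIC: /DIRECTORY=['P2'] -
    /PRIVILEGE=(TMPMBX,NETMBX) /DEFPRIVILEGE=(TMPMBX,NETMBX) -
    /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE) /LGICMD=NL: -
    /NOBATCH /NOINTERACTIVE
$!
$! Step 3: bind the object to the account in the permanent database, and
$! in the volatile database so it is effective immediately.
$ NCP DEFINE OBJECT 'P1' USER 'P2' PASSWORD 'P4'
$ NCP SET    OBJECT 'P1' USER 'P2' PASSWORD 'P4'
$ WRITE SYS$OUTPUT "Object ''P1' is now served by account ''P2'"
$ GOTO CLEANUP
$!
$USAGE:
$ WRITE SYS$OUTPUT "Usage: @CREATE_NETOBJ object account ""[group,member]"" password"
$ EXIT 2
$!
$CLEANUP:
$! Preserve the status of the failing (or last) command across SET DEFAULT.
$ status = $STATUS
$ SET DEFAULT 'saved_default'
$ EXIT 'status'
```

Run it from a privileged account, for example `@CREATE_NETOBJ MAIL MAIL$SERVER "[376,374]" MDU1294B`, which reproduces the MAIL$SERVER example above. Because the password is passed as a parameter it appears in the process's command line and in any command recall buffer, so choose a value used only by this object account and run the procedure from a session whose history is not retained.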
Removing Default DECnet Access to the System
The default DECnet account is appropriate for systems with low security requirements (see Using DECnet Application (Object) Accounts). If your site has moderate or high security requirements, you should remove default DECnet access to the system once you have set up accounts for individual network objects.
Before deleting your default DECNET account, as described in this section, use the NCP command SHOW KNOWN OBJECTS and the Authorize utility (AUTHORIZE) to verify that all network objects and layered products that use network objects have network accounts set up in the system user authorization file (SYSUAF.DAT). Otherwise, network objects and layered products that use network objects may not work as expected.
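The verification step above, and the state expected after default access has been removed, can be checked with a short command procedure. The one below is an added example, not part of the OpenVMS documentation; its name CHECK_NETOBJ_ACCOUNTS.COM is an assumption. It looks each object account up with the F$IDENTIFIER lexical function, which consults the rights database rather than SYSUAF directly; this works because AUTHORIZE ADD registers an identifier for each new user name by default and AUTHORIZE REMOVE deletes it, so a missing identifier indicates an account that was never created (or has been removed) with AUTHORIZE. It then displays the NCP object list so that layered-product objects not in the defaults table can be compared against AUTHORIZE by hand.

```dcl
$! CHECK_NETOBJ_ACCOUNTS.COM -- added example; not from the OpenVMS documentation.
$! Before removing the DECNET account: confirm that every object account in
$! the Network Object Defaults table exists.
$! After removing it: confirm that DECNET is gone and that DEFAULT_DECNET,
$! the audit-only name given to the executor, is still a nonexistent account.
$! Run from a privileged account.
$ ON WARNING THEN CONTINUE
$ NCP := $SYS$SYSTEM:NCP
$!
$! Object accounts from the defaults table (MOM has no associated user name).
$ accounts = "FAL$SERVER,MAIL$SERVER,MIRRO$SERVER,NML$SERVER,PHONE$SERVER,VPM$SERVER"
$ missing = 0
$ i = 0
$LOOP:
$   acct = F$ELEMENT(i, ",", accounts)
$   IF acct .EQS. "," THEN GOTO CHECK_DEFAULTS     ! F$ELEMENT returns the delimiter past the end
$!  F$IDENTIFIER returns 0 when the name is not in the rights database.
$   IF F$IDENTIFIER(acct, "NAME_TO_NUMBER") .EQ. 0
$   THEN
$       WRITE SYS$OUTPUT "MISSING: no account for ''acct'"
$       missing = missing + 1
$   ELSE
$       WRITE SYS$OUTPUT "ok:      ''acct'"
$   ENDIF
$   i = i + 1
$   GOTO LOOP
$!
$CHECK_DEFAULTS:
$! DECNET should be absent once default access is removed; DEFAULT_DECNET
$! must never exist, since it is specified only so that failed attempts are
$! written to the security audit log.
$ IF F$IDENTIFIER("DECNET", "NAME_TO_NUMBER") .NE. 0 THEN -
        WRITE SYS$OUTPUT "NOTE:    DECNET account still exists (default DECnet access enabled)"
$ IF F$IDENTIFIER("DEFAULT_DECNET", "NAME_TO_NUMBER") .NE. 0 THEN -
        WRITE SYS$OUTPUT "WARNING: DEFAULT_DECNET exists; it must remain a nonexistent account"
$!
$! List the objects actually defined so that any object whose USER is not
$! covered by the table above can be checked with AUTHORIZE SHOW.
$ NCP SHOW KNOWN OBJECTS
$!
$ IF missing .NE. 0 THEN EXIT 2
$ EXIT 1
```

The procedure exits with an error status when any table account is missing, so it can gate a larger removal procedure with `$ @CHECK_NETOBJ_ACCOUNTS` followed by `$ IF .NOT. $STATUS THEN EXIT`. Objects added by layered products are not in the fixed list; they appear in the SHOW KNOWN OBJECTS output and must be confirmed against AUTHORIZE individually.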
Removing Default DECnet Access
Execute the following NCP commands to remove the default DECnet access from the network executor database:

    NCP> DEFINE EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
    NCP> PURGE EXECUTOR NONPRIVILEGED PASSWORD

The DEFAULT_DECNET user specified in the first command is a nonexistent user account that is specified for auditing purposes only. (A network login failure message is written to the security audit log file each time access to your system is attempted through the [nonexistent] DEFAULT_DECNET account.)
Using AUTHORIZE, remove the DECNET account from SYSUAF, as follows:

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> REMOVE DECNET
    UAF> EXIT

Then delete any files in the [DECNET] directory structure.
Modifying the Volatile Configuration Database
To have the change take effect immediately, modify the volatile database with the following NCP commands:

    NCP> SET EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
    NCP> CLEAR EXECUTOR NONPRIVILEGED PASSWORD
Setting Privilege Requirements for Remote Object Connections
You can select specific privileges to control the use of DECnet objects that are specified during network configuration. In such instances, it becomes a privileged operation either to connect to a privileged DECnet object or to use an outgoing DECnet object.
For example, the following command establishes the requirement that users initiating a DECnet connection to the remote object MAIL must possess the OPER and SYSNAM privileges:

    NCP> DEFINE OBJECT MAIL OUTGOING CONNECT PRIVILEGES OPER,SYSNAM

This mechanism is a useful way of limiting access to certain DECnet applications to privileged users or programs. However, to be effective, the privilege requirement must be imposed consistently on all nodes in the network.
(1) Because AUTHORIZE enforces a user name limit of 12 characters, you must truncate the user name (and directory name) of the MIRROR object account to MIRRO$SERVER.
(2) MOM has no associated user name.