HP OpenVMS Guide to System Security, Part: Security for the System Administrator, Chapter: Security in a Network Environment

Using DECnet Application (Object) Accounts



Network objects are system programs and user-written applications that permit communication among nodes in a DECnet network. You need to identify the set of network objects allowed access to your system, and set up the appropriate access controls for each object. The following mechanisms are available:

Summary of Network Objects  

You should understand the function of the network objects supplied with the OpenVMS operating system before you determine the access control to apply to them. This section describes the most common network objects.

FAL

The file access listener (FAL) is the remote file access facility. FAL is an image that receives and processes remote file access requests for files at the local node.

Use of general FAL access is strongly discouraged. Open access allows general network access to any files marked world-accessible. It also allows remote users to create files in any directory with world write access.

Sites with high security requirements, or sites where it is difficult to recognize all the intended users, should not create a FAL account. To control which users gain access, these sites may establish one or more proxy accounts for specific purposes (see Proxy Access Control).

MAIL

MAIL is an image that provides personal mail services for OpenVMS systems. In most cases, allow the MAIL object general access to the system.

MIRROR

MIRROR is an image used for particular forms of loopback testing. For example, MIRROR is run during the DECnet phase of the UETP test package.

MOM

MOM is the Maintenance Operations Module. The MOM image downline loads unattended systems, transferring a copy of an operating system file image from an OpenVMS node to a target node. The MOM object is established during a system installation.

NML

NML is the network management listener. Remote users with access to NML can use NCP TELL commands to gather and report network information from your DECnet databases.

PHONE

PHONE is an image that allows online conversations with users on remote OpenVMS systems. Note that if you allow default DECnet access to PHONE, anyone in the network can get a list of users currently logged in to the local system and attempt a login using the list of user names.

TASK

Through the default DECnet account, the TASK object allows arbitrary command procedures (including those that might be used in intrusions) to be executed on your system.

Note that if you do not allow default DECnet access on your system, or if you disable default DECnet access to the TASK object, you can still allow remote user-written command procedures (tasks) to run on your system through the use of access control strings or proxy access.

VPM

VPM is the Virtual Performance Monitor Server. Access to VPM is required to use the cluster monitoring features of the Monitor utility (MONITOR).

Configuring Network Objects Manually  

The command procedure NETCONFIG.COM configures the network objects on your system automatically, and the command procedure NETCONFIG_UPDATE.COM updates the network objects automatically.

If you choose not to use the command procedures, you can perform the following steps to allow network access to specific objects:

  1. Create a top-level directory for each network object, and specify a unique owner UIC and group UIC. For example, the following command sequence creates a top-level directory for the MAIL object on the system disk:

    $ SET DEFAULT SYS$SPECIFIC:[000000]
    $ CREATE/DIRECTORY [MAIL$SERVER]/OWNER_UIC=[376,374]

    Network Object Defaults lists the directory names, user names, and UICs used by the NETCONFIG.COM and NETCONFIG_UPDATE.COM command procedures to create accounts for specific network objects. For consistency, you should specify the same information when manually creating network object accounts.

    Note that the MOM object is created by the operating system during installation.

  2. Using AUTHORIZE, create an account for the object, and use a generated password. (Note that the user name and password that you specify must match the password defined for the object in the network database [described in step 3].)

    For example, the following command sequence sets up an account for the MAIL object:

    $ RUN SYS$SYSTEM:AUTHORIZE
    UAF> ADD MAIL$SERVER/OWNER=MAIL$SERVER DEFAULT -
    _UAF> /PASSWORD=MDU1294B/UIC=[376,374]/ACCOUNT=DECNET -
    _UAF> /DEVICE=SYS$SPECIFIC: /DIRECTORY=[MAIL$SERVER] -
    _UAF> /PRIVILEGE=(TMPMBX,NETMBX) /DEFPRIVILEGE=(TMPMBX,NETMBX) -
    _UAF> /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE) /LGICMD=NL: -
    _UAF> /NOBATCH /NOINTERACTIVE

    The AUTHORIZE command SHOW MAIL$SERVER displays the network account set up for the MAIL object, as shown in UAF Record for MAIL$SERVER Account.

  3. Use the NCP DEFINE command to associate the user name and password of the account with the specified object in the network database, as follows:

    $ RUN SYS$SYSTEM:NCP
    NCP> DEFINE OBJECT MAIL USER MAIL$SERVER PASSWORD MDU1294B
    NCP> EXIT

  4. Repeat steps 1 through 3 for each network object.
  5. When finished, remove default DECnet access from the executor database, and remove the default DECnet account from the SYSUAF (see Removing Default DECnet Access to the System).
  6. Finally, reboot the system to copy changes made to the permanent executor and object databases to the running system.
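The six steps above can be collected into one DCL command procedure so that every object account is created the same way. The procedure below is an added example, not part of the Guide or of NETCONFIG.COM; it performs steps 1 through 3 for one object and takes the object name, account name, UIC and password as parameters (the password value in the usage line is a placeholder, supplied as P4 so that the same value reaches both AUTHORIZE and NCP). The qualifiers are the ones shown for the MAIL object; the 12-character limit on the account name is the footnote's MIRRO$SERVER case.

```dcl
$! CREATE_NETOBJ.COM - create one DECnet object account (added example, not from the Guide)
$! Usage: @CREATE_NETOBJ object account uic password
$!   e.g. @CREATE_NETOBJ NML NML$SERVER "[376,371]" "PLACEHOLDER-PASSWORD"
$ SET NOON
$ IF P1 .EQS. "" .OR. P2 .EQS. "" .OR. P3 .EQS. "" .OR. P4 .EQS. "" THEN GOTO USAGE
$! AUTHORIZE enforces a 12-character user name limit (hence MIRRO$SERVER)
$ IF F$LENGTH(P2) .GT. 12 THEN GOTO TOO_LONG
$ SET ON
$!
$! Step 1: top-level directory on the system disk, owned by the object's UIC
$ SET DEFAULT SYS$SPECIFIC:[000000]
$ CREATE/DIRECTORY ['P2']/OWNER_UIC='P3'
$!
$! Step 2: restricted, network-only account with only TMPMBX and NETMBX.
$! Lines without "$" are read by AUTHORIZE as its input; 'symbol' substitution
$! still applies to them.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD 'P2'/OWNER='P2' DEFAULT -
    /PASSWORD='P4'/UIC='P3'/ACCOUNT=DECNET -
    /DEVICE=SYS$SPECIFIC: /DIRECTORY=['P2'] -
    /PRIVILEGE=(TMPMBX,NETMBX) /DEFPRIVILEGE=(TMPMBX,NETMBX) -
    /FLAGS=(RESTRICTED,NODISUSER,NOCAPTIVE) /LGICMD=NL: -
    /NOBATCH /NOINTERACTIVE
SHOW 'P2'
EXIT
$!
$! Step 3: bind the account to the object. DEFINE writes the permanent
$! database (picked up at the reboot in step 6); SET updates the running
$! database so the object works before that reboot.
$ RUN SYS$SYSTEM:NCP
DEFINE OBJECT 'P1' USER 'P2' PASSWORD 'P4'
SET OBJECT 'P1' USER 'P2' PASSWORD 'P4'
EXIT
$ WRITE SYS$OUTPUT "Object ''P1' now runs under account ''P2'"
$ EXIT
$!
$USAGE:
$ WRITE SYS$OUTPUT "Usage: @CREATE_NETOBJ object account uic password"
$ EXIT 2
$TOO_LONG:
$ WRITE SYS$OUTPUT "Account name ''P2' exceeds the 12-character AUTHORIZE limit"
$ EXIT 2
```

Run it once per object from a privileged account, taking the account name and UIC for each object from Network Object Defaults. Because the password is passed on the command line, it appears in the process's command input; generate a fresh value for each object and do not reuse it anywhere else.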

Network Object Defaults lists the network object defaults.

Table 2   Network Object Defaults

Object Name   Directory and User (Account) Name   UIC
FAL           FAL$SERVER                          [376,373]
MAIL          MAIL$SERVER                         [376,374]
MIRROR        MIRRO$SERVER (1)                    [376,367]
MOM           VMS$COMMON:[MOM$SYSTEM] (2)         [376,375]
NML           NML$SERVER                          [376,371]
PHONE         PHONE$SERVER                        [376,372]
VPM           VPM$SERVER                          [376,370]

Example 2  UAF Record for MAIL$SERVER Account

Username: MAIL$SERVER            Owner:  MAIL$SERVER
Account:  MAIL$SERVER DEFAULT    UIC:    [376,374] ([DECNET,MAIL$SERVER])
CLI:      DCL                    Tables:
Default:  SYS$SPECIFIC:[MAIL$SERVER]
LGICMD:
Login Flags:  Restricted
Primary days:   Mon Tue Wed Thu Fri Sat Sun
Secondary days:
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######            ##### Full access ######
Batch:    -----  No access  ------            -----  No access  ------
Local:    -----  No access  ------            -----  No access  ------
Dialup:   -----  No access  ------            -----  No access  ------
Remote:   -----  No access  ------            -----  No access  ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
Pwdlifetime:           (none)    Pwdchange:  (none)
Last Login:            (none) (interactive), (none) (non-interactive)
Maxjobs:         0  Fillm:        16  Bytlm:        12480
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:        12  JTquota:       1024
Prclm:           0  DIOlm:         6  WSdef:          180
Prio:            4  ASTlm:        16  WSquo:          200
Queprio:         0  TQElm:        10  WSextent:         0
CPU:        (none)  Enqlm:        20  Pgflquo:      25600
Authorized Privileges:
  TMPMBX NETMBX
Default Privileges:
  TMPMBX NETMBX


Removing Default DECnet Access to the System  

The default DECnet account is appropriate for systems with low security requirements (see Using DECnet Application (Object) Accounts). If your site has moderate or high security requirements, you should remove default DECnet access to the system once you have set up accounts for individual network objects.


Caution: Before deleting your default DECNET account, as described in this section, use the NCP command SHOW KNOWN OBJECTS and the Authorize utility (AUTHORIZE) to verify that all network objects and layered products that use network objects have network accounts set up in the system user authorization file (SYSUAF.DAT). Otherwise, network objects and layered products that use network objects may not work as expected.

To do this, remove access to the DECNET account in the network configuration database, and delete the DECNET account from the SYSUAF.

Removing Default DECnet Access

Execute the following NCP commands to remove the default DECnet access from the network executor database:

NCP> DEFINE EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
NCP> PURGE EXECUTOR NONPRIVILEGED PASSWORD

The DEFAULT_DECNET user specified in the first command is a nonexistent user account that is specified for auditing purposes only. (A network login failure message is written to the security audit log file each time access to your system is attempted through the [nonexistent] DEFAULT_DECNET account.)

Deleting the DECNET Account

Using AUTHORIZE, remove the DECNET account from SYSUAF, as follows:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> REMOVE DECNET
UAF> EXIT

Delete any files in the [DECNET] directory structure.

Modifying the Volatile Configuration Database

To have the change take effect immediately, modify the volatile database with the following NCP commands:

NCP> SET EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
NCP> CLEAR EXECUTOR NONPRIVILEGED PASSWORD
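The three sub-steps above (permanent executor database, SYSUAF, volatile executor database) plus the Caution's pre-check fit naturally into one command procedure. The following is an added example, not from the Guide: it displays the known objects and the SYSUAF accounts for the administrator to compare, asks for confirmation, then applies the same NCP and AUTHORIZE commands the text gives. It assumes the DECNET account's directory tree lives at SYS$SYSDEVICE:[DECNET] (the Guide names only [DECNET]); subdirectory files are listed rather than deleted, since they need their protection lowered and must be removed bottom-up by hand.

```dcl
$! REMOVE_DEFAULT_DECNET.COM - remove default DECnet access (added example, not from the Guide)
$! Run from a privileged account only after every network object has its own account.
$ SET NOON
$!
$! Pre-check from the Caution: show the objects the running network knows about
$! and the accounts SYSUAF holds, so the two lists can be compared before
$! anything is removed.
$ RUN SYS$SYSTEM:NCP
SHOW KNOWN OBJECTS
EXIT
$ RUN SYS$SYSTEM:AUTHORIZE
SHOW */BRIEF
EXIT
$ INQUIRE ANSWER "Does every object listed have a SYSUAF account? Type YES to continue"
$ IF ANSWER .NES. "YES" THEN GOTO ABORT
$ SET ON
$!
$! Permanent executor database: point nonprivileged access at the nonexistent
$! DEFAULT_DECNET user (so each attempt is audited as a login failure) and
$! purge the stored default password. The SET/CLEAR pair does the same to the
$! volatile database so the change is effective without a reboot.
$ RUN SYS$SYSTEM:NCP
DEFINE EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
PURGE EXECUTOR NONPRIVILEGED PASSWORD
SET EXECUTOR NONPRIVILEGED USER DEFAULT_DECNET
CLEAR EXECUTOR NONPRIVILEGED PASSWORD
EXIT
$!
$! Delete the DECNET account from SYSUAF
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
REMOVE DECNET
EXIT
$!
$! Files left behind by the account. Device is an assumption: adjust if the
$! DECNET account's default directory was elsewhere. Ordinary files are
$! deleted; .DIR files are only listed for manual removal.
$ SET NOON
$ DELETE/LOG/EXCLUDE=*.DIR SYS$SYSDEVICE:[DECNET...]*.*;*
$ WRITE SYS$OUTPUT "Remaining directory files to remove by hand:"
$ DIRECTORY SYS$SYSDEVICE:[DECNET...]*.DIR
$ DIRECTORY SYS$SYSDEVICE:[000000]DECNET.DIR
$ EXIT
$!
$ABORT:
$ WRITE SYS$OUTPUT "Nothing changed; create the missing object accounts first"
$ EXIT 2
```

After it completes, a SHOW EXECUTOR in NCP should report the NONPRIVILEGED user as DEFAULT_DECNET with no password, and any remote attempt to use default access will show up in the security audit log as a network login failure for that nonexistent user.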

Setting Privilege Requirements for Remote Object Connections

You can select specific privileges to control the use of DECnet objects that are specified during network configuration. In such instances, it becomes a privileged operation either to connect to a privileged DECnet object or to use an outgoing DECnet object.

For example, the following command establishes the requirement that users initiating a DECnet connection to the remote object MAIL must possess the OPER and SYSNAM privileges:

NCP> DEFINE OBJECT MAIL OUTGOING CONNECT PRIVILEGES OPER,SYSNAM

This mechanism is a useful way of limiting access to certain DECnet applications to privileged users or programs. However, to be effective, the privilege requirement must be imposed consistently on all nodes in the network.
Footnotes

(1) Because AUTHORIZE enforces a user name limit of 12 characters, you must truncate the user name (and directory name) of the MIRROR object account to MIRRO$SERVER.

(2) MOM has no associated user name.
