[an error occurred while processing this directive]
Software  >  OpenVMS Systems > Ask the Wizard

HP OpenVMS Systems

ask the wizard
Content starts here

System Security Recommendations?

» close window

The Question is:

 
Hi,
 
I am currently working assist a client to secure
their openVMS v6.2 and have recommended that the
following files be secured in the following manner
 
Files	        Protection Masks
 
AUTHORISE.EXE	S:RWED, O:RWED, G:,W:
DCL.EXE;1	S:RWED, O:RWED, G:,W:
INSTALL.EXE;1	S:RWED, O:RWED, G:,W:
INIT.EXE;1	S:RWED, O:RWED, G:,W:
STARTUP.COM;1 	S:RWED, O:RWED, G:, W:
SYSGEN.EXE;1	S:RWED, O:RWED, G:, W:
 
My question are:
1. would you recommend such a setting for these
system files and;
2. would these settings result in the users
having difficulties signing on to the system.
 
Thanks for your assistance on the matter.
 
Best Regards.
system
and is this

The Answer is :

 
  The recommended protection settings are those in the documentation set.
 
  Altering the protection settings on OpenVMS files can potentially lead
  to (unexpected) system problems, to OpenVMS upgrade or layered product
  installation failures, to simple cases of user or system manager
  confusion, and to potential problems with folks performing customer
  support services.
 
  OpenVMS uses privileges to control access, and makes the assumption
  that users can acquire tools such as AUTHORIZE or INSTALL from other
  sources, such as from distribution kits, or can acquire similar tools
  from other sources.  OpenVMS generally prevents write access to key
  structures and data files, with only a very few files protected
  against read access.  File and object protections are also ineffective
  against privileged users -- before even considering file protections,
  ensure that only the appropriate users and applications are operating
  with or have available enhanced privileges.
 
  Protecting the AUTHORIZE image, for instance, provides no benefits
  unless you also have the necessary protections in place for the
  associated system services and the appropriate privileges removed
  from all untrusted users, and you can prevent the user from reloading
  a copy of AUTHORIZE or a tool such as the freeware DWAUTH utility.
  Protecting the INSTALL image provides no benefits over removing CMKRNL
  privilege from untrusted users.
 
  If system security is of concern, the OpenVMS Wizard recommends following
  the Class C2 settings as documented in the appendix of the _Guide to
  OpenVMS System Security_ manual.
 
  Further, rather than attempting changing the file protection model, the
  OpenVMS Wizard would recommend better use of the auditing and alarm
  subsystems -- on the appropriate files -- to detect and log failed access
  attempts and (when appropriate) even successful accesses.
 


  

     
     
answer written or last revised on ( 8-FEB-1999 )

     
» close window