graham@DRCVAX.ARPA ("Daniel J. Graham") (06/24/87)
Greetings and Somniferations;

The allegation has just been made that VMS is, from the standpoint of security, "full of holes." I couldn't disagree more. I would not normally respond in this manner on the net, but I know there are many new or inexperienced system managers reading the info-vax material who could become very worried about the security on their systems.

I have used a number of different operating systems in low, medium and high security environments. While VMS does have some weak areas, it is fully adequate for nearly all applications situations. In five years of system management, I have never had a security breach. Perhaps I've been lucky, or maybe I'm really a bumpkin and don't know it, but I've found that attention to the following will provide a system with reasonably tight security:

- good password management, i.e. at least 8 characters long and renewed every 60 days;
- captive accounts; these work great for limiting people to menu-driven systems like Allin1 or your own invention, they may fail if there is a software bug, though;
- correct UIC group allocation; don't lump too many users into one group, conversely, don't separate users into different groups if they have a need to access the same set of files;
- good use of the file protection scheme; this is made easier if the above step is carried out with wisdom;
- use of ACLs on selected files and directories; ACLs on every file are a true waste, judicious use on selected directories will usually accomplish all control over use that is needed;
- use of security alarms if you have a system with particularly inquisitive users who must have DCL access;
- don't Don't DON'T **D O N ' T** give users privileges that aren't absolutely necessary, and then try to avoid it at all costs;
- be sure you apply the recent security patch from DEC.

I admit that no system is perfectly secure, and no VAX will ever be an exception to that. You can't cover every single possibility of a security breach; if you did, the system would be difficult to use. There are circumstances where special, severe methods that aren't included in the above list are needed, but they are rare.

I have found that the greatest deterrent to security problems is to treat the population of users as people and not as problems. If they are taught the system, and shown what is there, they will gain knowledge, and perhaps assist in solving problems instead of producing them. If you have a persistent hacker who gets by all security measures, hire 'em. Better they work for you than against you.

Hackito, ergo sum.
Dan Graham, Dynamics Research Corporation, (617) 475-9090 Ext. 2352
GRAHAM@DRCVAX.ARPA
Hoc est meum hackum.

Ideas and opinions are mine, not my employer's. In fact, my employer barely claims to know me at all. I make no claim to sanity in any form or on any level.

------
CHAA006@vaxb.rhbnc.ac.UK (01/19/88)
I believe I have discovered a serious loophole in VMS security. If breakin-detection is in force, and a user enters his/her username incorrectly, without noticing the error, then enters the correct password, that password can appear on the operator console and in the operators' log. This occurs when the same, incorrect, username is entered sufficient times for breakin-detection to become activated. As it is not unknown for system managers to reduce the detection limit to two, the appearance of such passwords, in clear, is a distinct possibility.

For example, a user changes his/her password; later, on logging-in, mis-types the username (but doesn't notice the fact), and enters the old password; sees "Invalid username/password", and remembers that he/she has a new password; uses <Control-B>/<Up-arrow> to recall the username (to save re-typing it), then enters the new, correct, password. Breakin-detection is set at two, and the correct password, plus the username with perhaps a single error in it, appear in clear. An unlikely scenario? Well, it happened to me, yesterday!

Since for common privileged usernames such as SYSTEM, it would typically be the work of a moment to guess the mis-typed username, system security can be seriously compromised. Furthermore, anything which results in a valid password being stored and displayed in clear is a serious breach of the zeroth rule of system security.

** Phil.
rrk@byuvax.bitnet (01/22/88)
We get around this security loophole by disabling incorrect logins on the operator console. It is still logged in the operator log file, but not displayed to anyone around who can read the console. You are right, it is a problem, but easily fixed.

Robin
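Added example, not part of the original posts: since the records remain in the operator log file even with console display disabled, a manager can review that log and force a password change on any account whose name is one typing slip away from a logged username. The record layout, the sample lines and the account list below are constructed for illustration and are not the real VMS operator log format.

```python
import re

# Constructed sample records; NOT the real VMS operator log layout.
SAMPLE_LOG = """\
19-JAN-1988 09:14:02 BREAKIN user=SYSTEN password=<logged-in-clear>
19-JAN-1988 09:20:41 BREAKIN user=QWERTY password=<logged-in-clear>
19-JAN-1988 10:02:17 BREAKIN user=FEILD password=<logged-in-clear>
19-JAN-1988 10:30:00 LOGIN user=SMITH
"""
VALID_ACCOUNTS = {"SYSTEM", "FIELD", "SMITH"}  # hypothetical account list

RECORD = re.compile(r"BREAKIN user=(\S+) password=")


def is_one_typo(typed, account):
    """True if `typed` differs from `account` by exactly one slip:
    one substituted, inserted or dropped character, or two adjacent
    characters swapped."""
    if typed == account or abs(len(typed) - len(account)) > 1:
        return False
    if len(typed) == len(account):
        diff = [i for i in range(len(typed)) if typed[i] != account[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and typed[diff[0]] == account[diff[1]]
                and typed[diff[1]] == account[diff[0]])
    short, long_ = sorted((typed, account), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def accounts_to_reset(log_text, valid_accounts):
    """Map each real account to the mistyped usernames logged beside a
    password; those accounts should get a forced password change."""
    hits = {}
    for line in log_text.splitlines():
        match = RECORD.search(line)
        if not match:
            continue
        typed = match.group(1).upper()
        for account in valid_accounts:
            if is_one_typo(typed, account):
                hits.setdefault(account, []).append(typed)
    return hits


if __name__ == "__main__":
    for account, typed in sorted(accounts_to_reset(SAMPLE_LOG, VALID_ACCOUNTS).items()):
        print(f"force password change: {account} (logged as {', '.join(typed)})")
```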