topic Re: Disable OPEN VMS User Account Automatically in Operating System - OpenVMS

Disable OPEN VMS User Account Automatically

Kumar_Sanjay — Mon, 18 Feb 2008 11:15:05 GMT

I have requirement to disable the privilege user account (ABCUSER) after every successful login.
Could any one please help me find out? How to disable the user account automatically?

This implementation is for security purpose. Normally this powerful Application account should always be disabled. Once the user required using this ABCUSER account, he needs approval for it.
After performing the task, once he logout. The user account will automatically disable after 1 or 2 hrs.
User again needs approval to unlock this account and login.

Re: Disable OPEN VMS User Account Automatically

Karl Rohwedder — Mon, 18 Feb 2008 11:32:37 GMT

You may set a very short lifetime or disable the account in its LOGIN.COM or SYLOGIN.
But note: since the account is privileged, the user has all he needs to circumvent your mesasures, except it is tied into a captive account.

regards Kalle

Re: Disable OPEN VMS User Account Automatically

Kumar_Sanjay — Mon, 18 Feb 2008 11:35:38 GMT

This Account is equivalents to system account added some special identifiers for applications. I couldnâ t make this as captive account.

Re: Disable OPEN VMS User Account Automatically

Jan van den Ende — Mon, 18 Feb 2008 12:14:27 GMT

Hi,

>>>
This Account is equivalents to system account
<<<

- A. Let the account have expiration in the past.
When enabling it, do so by setting short expiration.

(from other prive'd account):
$ MC authorize mod /EXPI="+2:0:0"
will allow two hours. of login window.

Mind. this will also block NETWORK and BATCH logins!

- B. Always allow just ONE login:
in the LOGIN.COM of the account, do
# MCR AUTHORIZE MOD /NOINTERACTIVE.

Befoe use, another priv'd account will need to set /INTERACTIVE.

Caveat: any user logged in into this account will always be able to change his own account at will!
There exists NO way to avoid that, once a priv'd user has command line access.

hth

Proost.

Have one on me.

jpe

Re: Disable OPEN VMS User Account Automatically

labadie_1 — Mon, 18 Feb 2008 12:46:11 GMT

I think what you try to do is nonsense.

How do you know that this privileged account has not started a detached or batch process that will re-enable this account, or create another privileged account, or anything else, like what some guys did long ago, patch loginout.exe, while still having a correct checksum ?
Are you suspicious if you have usually about 100 symbiont processes, if you have one more, that in fact does something completely different ?

I do not believe you can reliably do what you want.

Re: Disable OPEN VMS User Account Automatically

Robert Gezelter — Mon, 18 Feb 2008 12:59:08 GMT

CA1467620,

Since the account has full privileges, and is not captive, it is straightforward to neutralize such restrictions, as Karl and Labadie have observed.

The obvious way to attempt this is to pre-expire the account. However, the expiration can simply be reset by using AUTHORIZE or another program. Resetting the LOGIN.COM file (e.g., to something that automatically logs off) can be similarly defeated.

Automatic emails to multiple persons can act as a discouragement to improper use, but they do not prevent the use.

It may be appropriate to reduce the privilege level of this account, in which case something can be done. Consulting with someone with extensive experience in OpenVMS security would be a sound idea [Disclosure: We provide services in this area, as do several other frequent participants in this forum].

- Bob Gezelter, http://www.rlgsc.com

Re: Disable OPEN VMS User Account Automatically

The Brit — Mon, 18 Feb 2008 13:17:07 GMT

In my own experience, it is almost always possible to use a CAPTIVE account for this kind of issue, i.e. accounts used to access an application. In your case, you specify a user called ABCUSER (I don't know if this is just coincidental, or if the user is actually accessing Archive Backup Client (ABC)), however is is relatively simple to limit the input command strings at the DCL Level, to some predefined sub-set. Once inside the application/utility, then the DCL restrictions no longer apply so the user has full access to the application/utility commands. This solution does however require some skill at DCL scripting.
Alternatively, while the problems with privileged accounts being able to modify their own account while logged in, are certainly valid, if the user/application does not actually require BYPASS or SECURITY, then an identifier on the AUTHORIZE exe or the SYSUAF.DAT of the form,
(IDENTIFIER=ABCUSER, ACCESS=NONE) will stop them modifying their own account. However, if the account does require either of those privileges then there is little you can do.

Dave

Re: Disable OPEN VMS User Account Automatically

Jan van den Ende — Mon, 18 Feb 2008 13:17:17 GMT

CA1467620,

It really boils down to the old main question: "What are you trying to achieve?"

If this is some application, that several applic managers must be able to stop and start, then there exist tricks to have this done from their own accounts (without ever logging in to this "application super user").

In general, LOTS of things CAN be done in controlled ways in VMS, but most of those DO require advanced skills and experience.

And, after a certain treshold, some people just HAVE to have full access to the system(s). In those cases, TRUST is all that is left.
And then, all that is left is to "trust, but verify".
(alas in many cases, the skills to verify are badly missing!)

hth

Proost.

Have one on me.

jpe

Re: Disable OPEN VMS User Account Automatically

Willem Grooters — Mon, 18 Feb 2008 14:52:55 GMT

I would try the following:

Create the account to be a captive, normal user (that is: non-SYSTEM) account, with normal default privileges and only those that are required in some actions, as authorized.
The procedure (actually a menu) would do a SET PRIV to elevated levels before the required action (no more than really needed) and revoke these privileges afterwards - no matter the outcome.
On exit (whatever way) the procedure would need to set the /DISUSER flag of the account. Another approach is keeping the first login time of the script, and set the expiration date accordingly. You could do so in a (SYSTEM or GROUP) logical, that is deleted on logout after expiration.

Be sure this user has NO DCL access; all he does should be under full control of the procedure, and any escape should result in logout (that's what a captive account is meant for).

To reuse the account, someone that is able to chnage UAF records (using a similar captive account?) could allow him access for the next period.

Any file, touched by this account, should be secured for write access for any non-privileged user. You can do so by an ACL on identifier, and no access for non-holders.

If you require DCL access, it's a no-go. You cannot do without to prevent activities you do NOT want to be executed. Otherwise, this account should have no access to ANY file or resource unless explicitly allowed. Writing a DCL procedure that limits activities to the bare minimum required is less time consuming (and earier to maintain).

I have used such an approach in a development area to allow the (non-system) developers do some limietd system tasks they otherwise couldn't execute (except for the time limitation)

Re: Disable OPEN VMS User Account Automatically

Hoff — Mon, 18 Feb 2008 15:51:06 GMT

Here's a configuration approach that should lead to a single-use password:

http://64.223.189.234/node/682

Alternatively, some sites use the two-password login mechanism for cases such as this, where two folks each have one of the two passwords needed to log into the (privileged) username for the target system. Both folks must be present to log in.

Re: Disable OPEN VMS User Account Automatically

Kumar_Sanjay — Mon, 18 Feb 2008 16:12:27 GMT

Hi Willem Grooters

Thanks for your reply. We have two different accounts for this application.

1. User id -ABCLOWPRV - This is regular user account for application startup and shutdown.
2. User id -ABCUSER - this account has all the privilege and use rarely for application maintained or trouble shooting application problems. Since this has all the privileges we want to protect this account.

You suggested procedure is suitable to this environment and want to implement the same.
I want to add the /DISUSER Flag on the exit/logout of the ABCUSER. This will prevent users login if he know the last password..

How do I implement the same;
Is there any options in authorize to do this ?
or do i need to write a command procedure for this?

Re: Disable OPEN VMS User Account Automatically

Jan van den Ende — Mon, 18 Feb 2008 16:29:52 GMT

CA1467620 ,

>>>
I want to add the /DISUSER Flag on the exit/logout of the ABCUSER. This will prevent users login if he know the last password..

How do I implement the same;
Is there any options in authorize to do this ?
<<<

$ MCR AUTHORIZE MODIFY ABCUSER /FLAG=DISUSER

(undo with /FLAG=NODISUSER)

Before using AUTHORIZE in this way, you should have defined
$ DEFINE /SYSTEM/EXECUTIVE SYSUAF (by default: SYS$SYSTEM:SYSUAF.DAT)
Be aware that the logical might already be defined, in that case LEAVE it!

hth

Proost.

Have one on me.

jpe

Re: Disable OPEN VMS User Account Automatically

Robert Gezelter — Mon, 18 Feb 2008 16:51:34 GMT

CA1467620,

AUTHORIZE is used to set the DISUSER flag (see HELP MOD /FLAGS within AUTHORIZE).

As Willem noted, unless the user has NO ACCESS to DCL, this is not an effective measure. If the user has access to DCL, they can undo (or fail to do) this measure as they please.

- Bob Gezelter, http://www.rlgsc.com

Re: Disable OPEN VMS User Account Automatically

Jan van den Ende — Mon, 18 Feb 2008 17:42:09 GMT

CA1467620,

In the spirit of "trust but verify", giving this account TWO different passwords (see AUTHORIZE HELP /SECONDARY ), where each person to use the account has only ONE of those, then the account can only ever be used if TWO people are available to log in.
Now, (as long as they do not conspire :-) ), you can be reasonably sure that they will only do legitimate things.

This will get you much closer to what you want than any other OS. If this does not satidfy the auditors, then let THEM show how it has to be done!

hth

Proost.

Have one on me.

jpe

Re: Disable OPEN VMS User Account Automatically

Hein van den Heuvel — Mon, 18 Feb 2008 17:45:37 GMT

Hmm, I don't know why the first reply by Karl did not get the full 10 points for a perfect reply and closed the question.

It solves the problem and as bonus points out legitimate and serious concerns.

As Karl indicates, in the login.com for the account issue MCR AUTHOURIZE /DISUER.

Anything more is just window dressing / fluff.

You may want to describe the real problem better. That is, what is the task to be 'protected' and why is the user not trusted the rest of the time.

One of my customs uses a 'careful' mode where specially flagged users can login with full privs, but with all input and output logged. I'm sure that also can be hacked around, but any person caught attempting that is 'questionable'.
Just enough of a hurdle and clear demarkation imho.

fwiw,
Hein.

Re: Disable OPEN VMS User Account Automatically

Doug Phillips — Mon, 18 Feb 2008 18:58:32 GMT

No user should have ALL privileges unless they need access to ALL resources on the system, and those *few* users should be very knowledgeable and very trusted.

Any Application-level manager should only have full access to the resources needed to manage that application. It's better to look at the system's security from the bottom-up rather than top-down.

To use AUTHORIZE, a user needs W access to the SYSUAF, NET($)PROXY and RIGHTSLIST files (SYSTEM uic or SYSPRV) so you shouldn't give them that, and don't give them BYPASS or any such elevated priv's (which they *really* shouldn't need to do what you describe.) Application resources should be protected/isolated at the Group level, and/or via ACL's.

Following the other advice on ways to limit their access times should work fine for you if your system and application's security is properly configured.

Re: Disable OPEN VMS User Account Automatically

John Gillings — Mon, 18 Feb 2008 21:12:25 GMT

>I want to add the /DISUSER Flag on the
>exit/logout of the ABCUSER. This will
>prevent users login if he know the last
>password..

If I'm understanding your objective, I'd suggest adding the DISUSER it to the *LOGIN* rather than the LOGOUT. DISUSER doesn't affect an existing process, it just prevents new processes from starting. You definitely have control over LOGIN, but may not get to the LOGOUT (process disconnection, bug in application, power fail, system crash, etc...). This also prevents your user from connecting a second session before finishing with the first.

Assuming your user has a high level of privileges, just add these lines to LOGIN.COM

$ IF F$TRNLNM("SYSUAF").EQS."" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'F$GETJPI("","USERNAME")' /FLAG=DISUSER

This will use the system defined SYSUAF, or set a logical name to use the default one if there's no system defined one.
(note to Jan, for AUTHORIZE use, the SYSUAF logical name may be in any mode, or in any table visible to the process)

If the user doesn't have SYSPRV (and doesn't need it for the other processing), you can set it as a "trapdoor" privilege:

(permanent setting for account:
$ MCR AUTHORIZE user/DEFPRIVILEGE=SYSUAF/PRIVILEGE=NOSYSUAF

Once you've done the AUTHORIZE command in LOGIN.COM, issue:

$ SET PROCESS/PRIVILEGE=NOSYSPRV

Once SYSPRV has gone from the default mask, it can't be reinstated because it's not in the authorized mask.

All that said, as others have already mentioned, but it's worth stressing... if the privileged user has ANY access to DCL, or, in some cases even a prompt for data, it really doesn't matter how many tricks and traps you set, if they know what they're doing they WILL be able to get past them.

It comes down to a very simple test - If you don't trust the person, don't give them privilege.

Re: Disable OPEN VMS User Account Automatically

John Gillings — Mon, 18 Feb 2008 21:13:41 GMT

>I want to add the /DISUSER Flag on the
>exit/logout of the ABCUSER. This will
>prevent users login if he know the last
>password..

If I'm understanding your objective, I'd suggest adding the DISUSER it to the *LOGIN* rather than the LOGOUT. DISUSER doesn't affect an existing process, it just prevents new processes from starting. You definitely have control over LOGIN, but may not get to the LOGOUT (process disconnection, bug in application, power fail, system crash, etc...). This also prevents your user from connecting a second session before finishing with the first.

Assuming your user has a high level of privileges, just add these lines to LOGIN.COM

$ IF F$TRNLNM("SYSUAF").EQS."" THEN DEFINE/USER SYSUAF SYS$SYSTEM:SYSUAF
$ MCR AUTHORIZE MODIFY 'F$GETJPI("","USERNAME")' /FLAG=DISUSER/NOACCESS

This will use the system defined SYSUAF, or set a logical name to use the default one if there's no system defined one.
(note to Jan, for AUTHORIZE use, the SYSUAF logical name may be in any mode, or in any table visible to the process)

If the user doesn't have SYSPRV (and doesn't need it for the other processing), you can set it as a "trapdoor" privilege:

(permanent setting for account:
$ MCR AUTHORIZE user/DEFPRIVILEGE=SYSUAF/PRIVILEGE=NOSYSUAF

Once you've done the AUTHORIZE command in LOGIN.COM, issue:

$ SET PROCESS/PRIVILEGE=NOSYSPRV

Once SYSPRV has gone from the default mask, it can't be reinstated because it's not in the authorized mask.

All that said, as others have already mentioned, but it's worth stressing... if the privileged user has ANY access to DCL, or, in some cases even a prompt for data, it really doesn't matter how many tricks and traps you set, if they know what they're doing they WILL be able to get past them.

It comes down to a very simple test - If you don't trust the person, don't give them privilege.

Re: Disable OPEN VMS User Account Automatically

Thomas Ritter — Mon, 18 Feb 2008 22:58:54 GMT

CA1467620, if you want the account disusered as the user logs off then bad news. No direct way of doing it.
We use a nightly job which disables and changes password for a number of selected accounts. One being FIELD. We also produce reports on when specific accounts were used. This seems to please the auditors.

Maybe an internals specialist can hook in some code to disable accounts at logout ?

My 2 cents.

Re: Disable OPEN VMS User Account Automatically

Martin Hughes — Mon, 18 Feb 2008 23:35:02 GMT

If you decide to DISUSER the account during login, I'd also add the RESTRICTED flag to the account, to ensure that LOGIN.COM is executed.

Another tool that I use is a daily job to analyse accounting records and report on what I deem to be suspect modifications to SYSUAF. This approach is not bullet proof, but I find it adequate for keeping an eye on privileged users (typically application managers).