topic Re: Account Lockout Setting on Open VMS 7.3.2 Operating System in Operating System - OpenVMS

Account Lockout Setting on Open VMS 7.3.2 Operating System

Calene — Wed, 20 Feb 2008 02:47:18 GMT

Dear all,

Would like to know if it is possible to set the account lockout duration for Open VMS 7.3.2 user account to '0' (or until System Administrator unlocks the account?) For further elaboration, please refer below:

The "HP Advanced Server for OpenVMS
Server Administrator's Guide" provided the following guideline for setting the Account Lockout Duration:

"Whether a user account is locked out after a specified number of failed attempts to logon --- use the SET ACCOUNT POLICY/LOCKOUT=keyword command. To enable account lockout, you must specify the following three keywords and their values with the /LOCKOUT qualifier:

* ATTEMPTS=n, where n specifies the number of failed attempts to allow before locking the user account.
* DURATION=n, where n specifies the number of minutes before a locked account is automatically unlocked. The value of this parameter must be greater than, or equal to, the value set for the WINDOW parameter.
* WINDOW=n, where n specifies the number of minutes to wait after a user account has been locked out, before resetting the logon count."

The big question is, is it possible to set the "Duration=n" value to infinity/indefinite until the administrator unlocks the account?

For illustration purposes, in the Windows environment, it is possible to set the "account lockout duration" value to 0 using the Active Directory. This means the user account will be lockout indefinitely until the Security Administrator unlocks it.Hence, would like to know if it is possible to do the same for Open VMS 7.3.2 operating system.

Thanks in advance!

Re: Account Lockout Setting on Open VMS 7.3.2 Operating System

Hoff — Wed, 20 Feb 2008 03:38:45 GMT

Duplicate thread and duplicate question (probably yet another ITRC glitch); another and active thread is over at at:

http://forums12.itrc.hp.com/service/forums/questionanswer.do?threadId=1205318

Re: Account Lockout Setting on Open VMS 7.3.2 Operating System

Bill Hall — Wed, 20 Feb 2008 03:45:56 GMT

Calene,

You want to look at the LGI* SYSGEN parameters.

LGI_BRK_DISUSER (D)
LGI_BRK_DISUSER turns on the DISUSER flag in the UAF record when an
attempted break-in is detected, thus permanently locking out that account. The
parameter is off ( 0 ) by default. You should set the parameter ( 1 ) only under
extreme security watch conditions, because it results in severely restricted user
service.

LGI_BRK_LIM (D)
LGI_BRK_LIM specifies the number of failures that can occur at login time
before the system takes action against a possible break-in. The count of failures
applies independently to login attempts by each user name, terminal, and node.
Whenever login attempts from any of these sources reach the break-in limit
specified by LGI_BRK_LIM, the system assumes it is under attack and initiates
evasive action as specified by the LGI_HID_TIM parameter.
The minimum value is 1. The default value is usually adequate.

LGI_BRK_TMO (D)
LGI_BRK_TMO specifies the length of the failure monitoring period. This time
increment is added to the suspectâ s expiration time each time a login failure
occurs. Once the expiration period passes, prior failures are discarded, and the
suspect is given a clean slate.

LGI_HID_TIM (D)
LGI_HID_TIM specifies the number of seconds that evasive action persists
following the detection of a possible break-in attempt. The system refuses to
allow any logins during this period, even if a valid user name and password are
specified.

LGI_RETRY_LIM (D)
LGI_RETRY_LIM specifies the number of retry attempts allowed users
attempting to log in. If this parameter is greater than 0, and a legitimate user
fails to log in correctly because of typing errors, the user does not automatically
lose the carrier. Instead (provided that LGI_RETRY_TMO has not elapsed),
by pressing the Return key, the user is prompted to enter the user name and
password again. Once the specified number of attempts has been made without
success, the user loses the carrier. As long as neither LGI_BRK_LIM nor LGI_
BRK_TMO has elapsed, the user can dial in again and reattempt login.

LGI_RETRY_TMO (D)
LGI_RETRY_TMO specifies the number of seconds allowed between login retry
attempts after each login failure. (Users can initiate login retries by pressing the
Return key.) This parameter is intended to be used with the LGI_RETRY_LIM
parameter; it allows dialup users a reasonable amount of time and number of
opportunities to attempt logins before they lose the carrier.