topic Re: Account Lockout Settings for Open VMS 7.3.2 in Operating System - OpenVMS

Account Lockout Settings for Open VMS 7.3.2

Calene — Wed, 20 Feb 2008 01:45:13 GMT

Dear all,

Would like to know if it is possible to set the account lockout duration for Open VMS 7.3.2 user account to '0' (or until System Administrator unlocks the account?) For further elaboration, please refer below:

The "HP Advanced Server for OpenVMS
Server Administrator's Guide" provided the following guideline for setting the Account Lockout Duration:

"Whether a user account is locked out after a specified number of failed attempts to logon --- use the SET ACCOUNT POLICY/LOCKOUT=keyword command. To enable account lockout, you must specify the following three keywords and their values with the /LOCKOUT qualifier:

* ATTEMPTS=n, where n specifies the number of failed attempts to allow before locking the user account.
* DURATION=n, where n specifies the number of minutes before a locked account is automatically unlocked. The value of this parameter must be greater than, or equal to, the value set for the WINDOW parameter.
* WINDOW=n, where n specifies the number of minutes to wait after a user account has been locked out, before resetting the logon count."

The big question is, is it possible to set the "WINDOW=n" value to infinity/indefinite until the administrator unlocks the account?

Thanks in advance!

Re: Account Lockout Settings for Open VMS 7.3.2

Jon Pinkley — Wed, 20 Feb 2008 02:38:13 GMT

Calene,

Are you asking above OpenVMS the operating system, or the HP Advanced Server (software to serve VMS disks to Windows PC's)? The document you reference sounds like the later.

The short answer is yes, you can have VMS lock user accounts when someone uses the incorrect password too many times (and you get to define "too many").

These are defined by the sysgen parameters that start with lgi

$ mcr sysgen sho lgi
Parameter Name Current Default Min. Max. Unit Dynamic
-------------- ------- ------- ------- ------- ---- -------
LGI_CALLOUTS 0 0 0 255 Count D
LGI_BRK_TERM 1 1 0 1 Boolean D
LGI_BRK_DISUSER 0 0 0 1 Boolean D
LGI_PWD_TMO 30 30 0 255 Seconds D
LGI_RETRY_LIM 3 3 0 255 Tries D
LGI_RETRY_TMO 20 20 2 255 Seconds D
LGI_BRK_LIM 5 5 1 255 Failures D
LGI_BRK_TMO 300 300 0 5184000 Seconds D
LGI_HID_TIM 300 300 0 1261440000 Seconds D
$

But I would strongly discourage you from doing that, as it replaces an extremely small likely hood event (guessing the password) with a highly likely Denial of Service.

If you are worried about password guessing, then you should be more worried about people sniffing passwords from telnet and/or ftp sessions.

See this article for a discussion of the parameters.

http://www.openvms.org/stories.php?story=06/07/14/4624233

Jon

Re: Account Lockout Settings for Open VMS 7.3.2

Calene — Wed, 20 Feb 2008 02:41:24 GMT

Hi Jon,

Sorry, to rephrase my question, I'm trying to find out if it is possible to set the "DURATION=n" value to infinity. For e.g.,in the Windows environment, it is possible to set the "account lockout duration" value to 0. This means the user account will be lockout indefinitely until the Security Administrator unlocks it.Hence, would like to know if it is possible to do the same for Open VMS 7.3.2 operating system.

Re: Account Lockout Settings for Open VMS 7.3.2

Hoff — Wed, 20 Feb 2008 03:35:34 GMT

If this is about OpenVMS and not about Windows nor about the Advanced Server package, then the system parameter used to lock out access to usernames that have been the target for a login failure is LGI_BRK_DISUSER.

Set this via SYS$SYSTEM:MODPARAMS.DAT, and invoke AUTOGEN.

If you are asking this question here as you are, I would counsel against this.

This because a simple series of login failures -- a very trivial remote login attack, and one that a botnet might well trigger -- would prevent you from successfully rebooting OpenVMS and from restarting your network.

Attacks against SYSTEM as well as the server usernames -- all widely known -- will result in an inability to access your OpenVMS box, and difficulty in rebooting due to the need to access the boot-time environment using the console and the conversational bootstrap:

http://64.223.189.234/node/204

For a much more sustainable approach, use the existing and default break-in evasion mechanism, and (for those paths into OpenVMS not covered by evasion, reportedly including the SMTP access paths) also consider implementing a password filter:

http://64.223.189.234/node/219

Details on MODPARAMS and AUTOGEN are available in the OpenVMS system management manuals, and documentation on LGI_BRK_DISUSER is likely in the security manual.

http://www.hp.com/go/openvms/doc/

Also consider a security review, either locally, with the assistance of an outside organization or consultant, and/or using documentation such as the following:

http://64.223.189.234/node/43

Here's some other reading material on this LGI_BRK_DISUSER parameter and on break-in evasion as a whole:

http://www.eight-cubed.com/blog/archives/000260.html
http://64.223.189.234/node/689

Stephen Hoffman
HoffmanLabs LLC

Re: Account Lockout Settings for Open VMS 7.3.2

John Gillings — Wed, 20 Feb 2008 23:49:29 GMT

Calene,

There's some confusion here about which "lockout". The one you're talking about appears to be inside Advanced Server.

Although I'm not familiar with how this lockout works, from a purely user interface perspective, it looks like the DURATION and WINDOW are expressed in minutes, and is presumably an INTEGER, perhaps constrained to signed 32 bits.

So, if you set the duration to 2147483647 (maximum positive signed 32 bit value) you have a timeout of about 4085 years. Is that close enough to infinity/indefinite?

If the command won't accept a number that high, use a binary search to find the highest acceptable number.

For reference, 1000000 minutes is about 700 days (call it 2 years).