- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: An image can not be activated
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 10:13 AM
тАО11-24-2008 10:13 AM
Re: An image can not be activated
Yes, it would be possible for a skilled hacker to get the necessary bits in a file to create an .EXE file anyway. That doesn't mean protecting LINK.EXE is useless.
Hein, Robert - I assume you don not bother to lock your front door. After all, anyone with an axe would be able to get through, so locking it would only give you a false sense of security.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 10:21 AM
тАО11-24-2008 10:21 AM
Re: An image can not be activated
"You may be better of monitoring (audit) linker usage."
Clearly you don't get the "layer" concept. You are not better off using auditing INSTEAD - you are better off using auditing IN ADDITION to all other security measures you can implement, including setting images to no world access that untrusted users have no business running.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 11:34 AM
тАО11-24-2008 11:34 AM
Re: An image can not be activated
With all due respect, I do lock my front door, and my car for that matter.
However, I do recommend caution on protecting "normal" non-privileged utilities. I have encountered references to them in far too many surprising contexts over the years to want to find additional dependencies as security alarms.
One can also remove things from DCLTABLES, but at the risk that command procedures will suddenly stop working when an otherwise innocuous change is made.
Security can indeed be subtle, and reasonable professionals can disagree on issues like these.
- Bob Gezelter, http://www.rlgsc.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 01:06 PM
тАО11-24-2008 01:06 PM
Re: An image can not be activated
LINK is an unprivileged image. If I have access to DCL, and a network, or any external media, I can easily get a copy of LINK.EXE from distribution media, or any other system (I'm sure it wouldn't take long to find a copy somewhere on the web). Place the image anywhere I like, point the logical name LINK at it and I'm back in business.
This is nowhere near the domain of "skilled hacker", it's a very basic understanding of how command and image activation work.
It's not like locking the gun cabinet at all, it's more like putting sign on the unlocked cabinet saying "locked". The real problem is the illusion of security where none exists.
The same is true for any image in SYS$SYSTEM that is not required to be installed with privilege to function.
Similarly removing verbs from DCLTABLES and creating a rod for your own back on every update. It's trivially simple to add a command back - even if you also protect the CLDs in SYS$UPDATE (again they're public domain and easy to reconstruct)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 01:54 PM
тАО11-24-2008 01:54 PM
Re: An image can not be activated
John, you have mentioned in this and other threads that you think it is trivial for a user to put missing commands back into their command tables.
Assuming, of course, that the deleted commands include the SET COMMAND syntax, and the user has the restricted flag, please tell me how to do this trivial act? I can't figure it out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО11-24-2008 03:54 PM
тАО11-24-2008 03:54 PM
Re: An image can not be activated
> We don't allow our untrusted users to
>download files from the internet
Can they receive mail (even just text)?
>every extra step you make an attacker take
>leaves another footprint.
In this case you'd probably be better off leaving LINK unprotected, but audited. You then know when someone uses it, without tipping your hand. If someone gets a private copy, you don't know when or how it's being used.
>I can't figure it out.
Maybe for the sake of your security I'd better not say ;-)
- « Previous
-
- 1
- 2
- Next »