HPE Community
Operating System - OpenVMS
1755743 Members
4838 Online
108837 Solutions
New Discussion юеВ

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

 
deblaisdell
Occasional Advisor

тАО08-16-2021 06:19 AM

тАО08-16-2021 06:19 AM

What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Please, what OpenVMS documentation covers the specific details of the UAF accounts created by NET$CONFIGURE.COM (FAL$SERVER, CML$SERVER, MAIL$SERVER, VPM$SERVER, MIRROR$SERVER, PHONE$SERVER, etc.)

Looking at the code it appears the accouts are given randomly generated passwords.

We have been given the task (by management) to change these account passwords.

The docs I have access to do not address this.  I do not mind digging through docs, but I need to know what are the correct docs (that I can access) to look through.

I'm tring to find out what will be the impact if thise passwords are changed?  

0 Kudos
Reply
7 REPLIES 7
Volker Halle
Honored Contributor

тАО08-16-2021 06:58 AM

тАО08-16-2021 06:58 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

The answer is similar to your question for the TCPIP$* service accounts...

These are service accounts, no interactive login is possible and these accounts use generated passwords, which are not used, stored or known anywhere else.

Volker.

0 Kudos
Reply
Dave Lennon
Advisor

тАО08-16-2021 08:04 AM

тАО08-16-2021 08:04 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Is the system running DECnet Phase IV ??

If so, these passwords need to also be updated, using NCP, into the volatile (running system) and permanent (next boot) object database or any "anonymous"  DECnet network services will no longer work.

I don't know about DECnet-Plus.

By the way, if this exercise is to improve security, you might want to invest the effort to researching the existing usage and removing the FAL$SERVER username. That can be considered a security hole.

 

0 Kudos
Reply
Volker Halle
Honored Contributor

тАО08-16-2021 08:51 AM

тАО08-16-2021 08:51 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Dave,

the reference to NET$CONFIGURE.COM indicates, that this system is running DECnet-Plus. Passwords for this DECnet implementation are NOT stored in the network object database.

Volker.

0 Kudos
Reply
deblaisdell
Occasional Advisor

тАО08-17-2021 06:23 AM

тАО08-17-2021 06:23 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

"By the way, if this exercise is to improve security, you might want to invest the effort to researching the existing usage and removing the FAL$SERVER username. That can be considered a security hole."

Thank you for the information.

Please, where is it formally documented that FAL$SERVER is a security hole?  Is there an IAVA or some other security report which I can access?  A major issue is that the system documentation is very poor <...a brief pause while you gasp in shock...> as it relates to what UAF accounts listed are required for the system to run properly.

 

0 Kudos
Reply
Volker Halle
Honored Contributor

тАО08-17-2021 06:46 AM

тАО08-17-2021 06:46 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

VSI OpenVMS Guide to System Security (vmssoftware.com)

talks a little bit about 'default DECnet accounts' - although for DECnet Phase IV.

Volker.

0 Kudos
Reply
Dave Lennon
Advisor

тАО08-17-2021 12:35 PM

тАО08-17-2021 12:35 PM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Perhaps "security hole" was not the best terminology. You'll have to research (google) how it can be used nefariously.

If you are looking for vendor documation:

https://vmssoftware.com/docs/VSI_DECnet_IV_Gd_to_Networking.pdf#page=51

In particular:

Do you want a default account for the FAL object? [NO]

VSI advises against creating a default account for the FAL object, except for systems with very low security requirements. If you do not want this account, press RETURN. If you want it, type YES and press RETURN.

0 Kudos
Reply
deblaisdell
Occasional Advisor

тАО08-19-2021 05:33 AM

тАО08-19-2021 05:33 AM

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Thank you for the information.

Regarding "VSI advises against creating a default account for the FAL object,..."

The risk is that (due to poor documenation) the systems running on the OpenVMS platforms do not indicate if FAL$SERVER account is needed to function.  I believe it is going to be disabled and we will see what dependencies exist.  

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.