04-11-2011 04:14 PM
Disabling the system account
I have to prove to auditors that disabling the system account on a VMS server is a bad idea.
Can anybody provide me with a "silver bullet" explanation as to why this is?
I'm assuming from my limited understanding of process creation that it's because the process owner's UIC is checked during loginout and if it's disusered then the process won't run.
I'm sure this would wreck the boot process pretty comprehensively.
I'd also appreciate if anyone knows for sure that a server with system a/c disabled is not supported by HP.
Many thanks,
Julian
04-11-2011 06:14 PM
Re: Disabling the system account
In regards to the system account, I am not aware of any documentation that would specifically state that the system would fail. Experience tells me that if disusered, there would be problems. Rather than proving a negative like this, why not determine the issue being investigated? I have dealt with many regulators and auditors about similar things.
Contact me directly via email as this type of issue is best not discussed in a public forum. I can either help directly or direct you to others with more relevant info.
Dan
dansabrservices AT yahoo DOT com
04-11-2011 06:35 PM
Re: Disabling the system account
In some well-run organizations, the people
who claim to have been abducted by aliens are
expected to provide some evidence to back up
their claims, and the sane people are not
required to prove them wrong.
Personally, I'd be tempted to say, "Ok.
You're the experts. Let's do that." And
then run the experiment. If the abductees
are right, then we'll all learn something
valuable. If they're, let's say, misguided,
then we'll all learn something else, which
would also be valuable. (And which might
also provide lasting relief from similar
future advice from that source.)
> [...] supported by HP.
Only HP can tell you that with any authority,
and I'd expect them not to maintain what
would need to be a very long list of every
possible stupid thing which a customer might
wish to do. If I were HP, I'd save myself
some effort, and advise against it, but I
wouldn't be prepared to guarantee that it
would cause a failure, or that it would work.
> I'm sure this would wreck [...]
Write it down, seal it in an envelope, and
hand it to the super-genius[*] in charge
before running the experiment.
[*] Like, say, Wile E. Coyote.
04-11-2011 11:22 PM
Re: Disabling the system account
WE had a similar request, AND a test system.
So we tried on the test system.
All kinds of things "went bad" during reboot, and it was not even trivial to get into the system to re-enable SYSTEM.
If you are going to experiment, make REAL SURE you have IN WRITING who is responsible, and who is backing the experiment, and that YOU advised STRONGLY against it.
But hey, if anyone wants to jump down a cliff, there is no way of stopping him/her, just make sure you are NOT tied together...
Good luck,
Proost.
Have one on me.
jpe
04-12-2011 03:47 AM
Re: Disabling the system account
> cliff, [...]
Or, the Mark Twain analogue:
http://www.twainquotes.com/Cats.html
...the person that had took a bull by the
tail once had learnt sixty or seventy times
as much as a person that hadn't, and said a
person that started in to carry a cat home by
the tail was getting knowledge that was
always going to be useful to him, and warn't
ever going to grow dim or doubtful.
My dim recollection of one of Hal Holbrook's
"Mark Twain Tonight" recordings includes,
"... but if a man wants to carry a cat home
by the tail, I say, 'Let him.'"
04-12-2011 03:56 AM
Re: Disabling the system account
You will keep batch access enabled but remove local, remote and dialup. (I'm not so sure about network access, TBH)
I understand the SYSTEM account can always login to OPA0: if the password is correct (hence the console connection requirement)
HTH
Craig
04-12-2011 04:58 AM
Re: Disabling the system account
>>>
I understand the SYSTEM account can always login to OPA0:
<<<
Well, my experiment was (IIRC) in the V5 timeframe, so may be outdated, but NO.
You had better NOT disable it in your SYSUAFALT (or refrain from ever creating one), so you can boot conversationally and set UAFALTERNATE.
btw Julian: WELCOME to the VMS forum!!!
Proost.
Have one on me.
jpe
04-12-2011 08:08 AM
Re: Disabling the system account
I would definitely recommend not to try this on a production system. It might be a good use of one of the virtual Alpha systems as a sacrificial animal of choice.
Many things expect SYSTEM to be a usable username. I don't think I have ever had Jan's experience, but most cases that I have seen in the wild involve lost passwords, not disabled accounts (I would expect the "trick" of conversationally booting with the startup set to OPA0: to work, however there may well be challenges to get the rest of the STARTUP to work -- good idea to back up SYSUAF before trying to make it easier to restore).
As an alternative, consider setting the password to something weird, and sealing the password in an envelope placed in the CFO's vault. Then, add automatic emails from the LOGIN.COM that announce that the account was used.
Your mileage will vary. I will be happy to clarify. I have assisted clients with a variety of security-related audits; interesting issues often arise.
- Bob Gezelter, http://www.rlgsc.com
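The login announcement suggested in the post above could look like the following DCL fragment for the SYSTEM account's LOGIN.COM. This is an added example, not code posted in the thread; the mail recipient SECURITY_ALERTS and the label name are hypothetical.

```dcl
$! Added example: announce interactive use of the SYSTEM account by mail.
$! SECURITY_ALERTS is a hypothetical recipient; substitute a real mailbox
$! or distribution list that is read by someone other than the system manager.
$!
$! Batch, network and detached processes also run LOGIN.COM. Skip them so
$! that routine SYSTEM batch jobs do not bury the alerts that matter.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO ANNOUNCE_DONE
$!
$! A failure to send mail must never abort the login itself.
$ SET NOON
$!
$ node = F$GETSYI("NODENAME")
$ term = F$GETJPI("","TERMINAL")          ! e.g. OPA0: or a network terminal
$ port = ""
$! For remote sessions TT_ACCPORNAM carries the originating host or port;
$! it is empty for the local console.
$ IF term .NES. "" THEN port = F$GETDVI(term,"TT_ACCPORNAM")
$!
$ subj = "SYSTEM login on " + node + " at " + F$TIME() + -
         " from " + term + " " + port
$!
$! NL: as the file specification sends a message with an empty body; the
$! subject line carries the details.
$ MAIL/SUBJECT="''subj'" NL: SECURITY_ALERTS
$!
$ SET ON
$ANNOUNCE_DONE:
```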
04-12-2011 11:47 AM
Re: Disabling the system account
We had this happen to a system when someone attempted to experiment on our security. System started having problems, batch jobs quit working, unable to login, etc., and the local admin's first solution was to "reboot", which took a very dark turn. I think our recovery included booting to the CD, mounting the disk and fixing things.
What is the Auditor really wanting to accomplish besides making your job tougher?
If you do this - try to keep a bootable backup disk in case you really have to recover from worst case scenario. Please let us know if you do and what exactly happened and recovery. Always curious to learn from others.
04-12-2011 11:52 AM
Re: Disabling the system account
Dan