- TCPIP command line question
09-24-2006 10:35 AM
Currently, I have some users who have more than standard VMS privs and know their way around VMS. I am trying to maintain a trouble-free environment, or just get a handle on it, by keeping non-VMS system personnel from playing with TCPIP, such as adding routes, etc. I am currently running VMS 7.3-2 and I would like to know how I can make it more difficult for non-system personnel to access the TCPIP protocol. I'd at least like a long command string before they can access the TCPIP prompt.
Is there anything I can do, since the previous System Manager created these simple access privs for all these people and taught them way too much before he left the company?
Please help!!
Jorge
09-24-2006 06:24 PM
Solution
You could simply set an ACL on the TCPIP control programs, like TCPIP$UCP or TCPIP$IFCONFIG (all TCPIP exe files in Sys$system). With the ACL you can arrange that only user System and other well-selected users can execute those programs.
Regards
Heinz
09-24-2006 08:41 PM
Re: TCPIP command line question
Managing privs is a people problem, not really a technical problem. Can you find some excuse for reviewing (downgrading) their privs?
Purely Personal Opinion
09-25-2006 12:37 AM
Re: TCPIP command line question
Does anyone know how I can set the ACL parameter on the TCPIP services?
Thanks much!
Jorge
09-25-2006 12:57 AM
Re: TCPIP command line question
$ MCR AUTHORIZE ADD/ID TCPIP_MANAGE
then add the ACL e.g.
$ set security/acl=((id=tcpip_manage,access=r+e),(id=[*,*],access=none)) sys$system:tcpip$ucp.exe
Add also to TCPIP$IFCONFIG.EXE and TCPIP$SYSCONFIG.EXE
Grant the identifier to appropriate people
$ MCR AUTHORIZE GRANT/ID TCPIP_MANAGE SYSTEM
$ MCR AUTHORIZE GRANT/ID TCPIP_MANAGE trusteduser
etc
ensure use of BYPASS gets recorded
$ SET AUDIT/AUDIT/ENABLE=(ACCESS=EXECUTE+BYPASS)
Purely Personal Opinion
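The steps in the reply above, gathered into one DCL command procedure as an added example (not code posted by anyone in the thread). It applies the same ACL to the three images named there, then displays the resulting protection, the identifier's holders and the audit settings for review; it assumes the TCPIP_MANAGE identifier already exists and that the procedure is run from a suitably privileged account.

```dcl
$! Added example: apply the thread's ACL to each TCPIP control image,
$! then show the result so the change can be reviewed.
$! Assumes identifier TCPIP_MANAGE was already created with AUTHORIZE.
$ images = "TCPIP$UCP.EXE,TCPIP$IFCONFIG.EXE,TCPIP$SYSCONFIG.EXE"
$ i = 0
$loop:
$ image = F$ELEMENT(i, ",", images)
$ IF image .EQS. "," THEN GOTO report     ! F$ELEMENT returns the delimiter past the last item
$ file = "SYS$SYSTEM:" + image
$ IF F$SEARCH(file) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Not found, skipped: ", file
$ ELSE
$   ! Same ACL as in the reply: identifier holders get read+execute,
$   ! every other UIC is denied by the ACL.
$   SET SECURITY/ACL=((IDENTIFIER=TCPIP_MANAGE,ACCESS=READ+EXECUTE), -
                      (IDENTIFIER=[*,*],ACCESS=NONE)) 'file'
$   SHOW SECURITY 'file'
$ ENDIF
$ i = i + 1
$ GOTO loop
$report:
$! List who currently holds the identifier, then the active audit settings.
$ MCR AUTHORIZE SHOW/IDENTIFIER/FULL TCPIP_MANAGE
$ SHOW AUDIT
$ EXIT
```

The ACL restricts ordinary access only; as later replies note, accounts holding BYPASS or SYSPRV are not stopped by it, which is why the thread pairs the ACL with auditing.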
09-25-2006 07:04 AM
Re: TCPIP command line question
I am not convinced that monitoring of BYPASS is enough.
I would suggest that any mention of BYPASS in Ian's solutions entails SYSPRV as well.
Just my EUR 0.02
Proost.
Have one on me.
jpe
09-25-2006 07:09 AM
Re: TCPIP command line question
This may or may not apply:
What are the group-UICs of the potentially malignant users?
Should they be within MAXSYSGROUP, consider changing their UICs, or, if they are not as low as 1, maybe lower MAXSYSGROUP sufficiently.
Proost.
Have one on me.
jpe
09-25-2006 08:59 PM
Re: TCPIP command line question
$ SET AUDIT/AUDIT/ENABLE=(ACCESS=EXECUTE+SUCCESS+BYPASS+SYSPRV+GRPPRV)
essentially this is about collecting enough evidence to be allowed to remove privileges from some people.
Purely Personal Opinion
09-26-2006 12:12 AM
Re: TCPIP command line question
Or they can stop audit and restart it after they are finished.
Or simply create a new version instead of modifying the config file.
Also tcpip$etc:sysconfigtab.dat should be protected (config of tcp params). Never understood why it has its own place (instead of in tcpip$configuration).
Wim
09-26-2006 01:28 AM
Re: TCPIP command line question
Purely Personal Opinion
09-26-2006 01:46 AM
Re: TCPIP command line question
As of now, you guys are going way over my head with all these good ideas. Without making any mistakes or ???, I am auditing their login so that I can have enough evidence to remove their privileges. Worst of all, these folks are within the IS dept but have never been a systems, systems person.
Please don't get me wrong, but these ideas are great and please keep it coming.
Have a great day!
Jorge