Security Management Guide (G06.24+, H06.03+)

Safeguard System Security
Security Management Guide 522283-008
Do not set AUTHENTICATE-FAIL-FREEZE to ON unless your policy specifically requires it. An intruder could easily freeze all the IDs on a system by simply exceeding AUTHENTICATE-MAXIMUM-ATTEMPTS for each user.
Password Configuration
Your security policy might require some control over passwords. For example, if your policy requires that everyone use a password of at least six characters, use the PASSWORD-MINIMUM-LENGTH attribute as follows:
=ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH 6
If the passwords are stored in encrypted form, they are unreadable even if someone gains access to the USERID file. The following SAFECOM command causes passwords to be stored in encrypted form:
=ALTER SAFEGUARD, PASSWORD-ENCRYPT ON
This attribute does not cause existing passwords to be encrypted. They are encrypted the next time they are changed. Therefore, have all users change their passwords after you set this attribute.
If your policy discourages reuse of passwords, consider the PASSWORD-HISTORY attribute. It specifies a number of passwords to be retained in the Safeguard password history file for each user. The user cannot change the password to anything in this list. The following command sets the PASSWORD-HISTORY to 10:
=ALTER SAFEGUARD, PASSWORD-HISTORY 10
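The following is an added example, not from the guide: a small policy check that reads Safeguard global attributes and reports which of the settings discussed above (password length, encryption, history) and the AUTHENTICATE-FAIL-FREEZE caution still need attention, with the corrective SAFECOM command for each. The "ATTRIBUTE = VALUE" input format is an assumption standing in for a SAFECOM INFO SAFEGUARD display; the sample display is constructed.

```python
"""Policy check for Safeguard global password/authentication attributes.

Added example; the one-attribute-per-line "NAME = VALUE" input format is an
assumption, not the documented SAFECOM INFO SAFEGUARD layout. Adapt
parse_attributes() to the real display before relying on it.
"""
import re

# Constructed sample display of a system that has not yet been hardened.
SAMPLE_DISPLAY = """\
PASSWORD-MINIMUM-LENGTH = 4
PASSWORD-ENCRYPT = OFF
PASSWORD-HISTORY = 0
AUTHENTICATE-MAXIMUM-ATTEMPTS = 3
AUTHENTICATE-FAIL-FREEZE = ON
"""

LINE = re.compile(r"^\s*([A-Z0-9-]+)\s*=\s*(\S+)\s*$")

def parse_attributes(display: str) -> dict:
    """Return {ATTRIBUTE: VALUE} for every line matching NAME = VALUE."""
    attrs = {}
    for line in display.splitlines():
        m = LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).upper()
    return attrs

def check_policy(attrs: dict, min_length: int = 6, history: int = 10) -> list:
    """Return (attribute, finding, corrective SAFECOM command) per policy gap."""
    findings = []
    if int(attrs.get("PASSWORD-MINIMUM-LENGTH", 0)) < min_length:
        findings.append(("PASSWORD-MINIMUM-LENGTH", "below policy minimum",
                         f"=ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH {min_length}"))
    if attrs.get("PASSWORD-ENCRYPT") != "ON":
        findings.append(("PASSWORD-ENCRYPT", "passwords readable to anyone with access "
                         "to the USERID file; existing passwords stay so until changed",
                         "=ALTER SAFEGUARD, PASSWORD-ENCRYPT ON"))
    if int(attrs.get("PASSWORD-HISTORY", 0)) < history:
        findings.append(("PASSWORD-HISTORY", "password reuse not prevented",
                         f"=ALTER SAFEGUARD, PASSWORD-HISTORY {history}"))
    if attrs.get("AUTHENTICATE-FAIL-FREEZE") == "ON":
        findings.append(("AUTHENTICATE-FAIL-FREEZE", "every ID can be frozen by exceeding "
                         "AUTHENTICATE-MAXIMUM-ATTEMPTS per user (lockout denial of service)",
                         "=ALTER SAFEGUARD, AUTHENTICATE-FAIL-FREEZE OFF"))
    return findings

if __name__ == "__main__":
    for attr, why, fix in check_policy(parse_attributes(SAMPLE_DISPLAY)):
        print(f"{attr}: {why}\n    fix: {fix}")
```

After the corrective commands are applied, remember that PASSWORD-ENCRYPT only affects passwords changed from then on, so the check cannot confirm that existing passwords have been re-entered.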
Controlling the Logon Process With the Safeguard Software
Normally TACL is responsible for the logon process. However, if the Safeguard software is running, TACL enforces special logon security features that are available as Safeguard configuration options. Some of the special features that can be controlled with Safeguard global configuration attributes are:
Warning of password expiration (The warning occurs during the PASSWORD-MAY-CHANGE period.)
Ability to require blind logons (Passwords are not echoed to the screen when typed.)
Ability to require logons by user name only (Logon attempts by user ID number are not allowed.)
Ability to specify a password expiration grace period (This feature allows users the opportunity to specify a new password during logon if their old password has expired.)
You can also specify that the Safeguard software is to control logon attempts occurring from specified terminals on the system. At a Safeguard terminal, all of the previously mentioned special features are enforced. In addition, Safeguard terminals provide the following extended features associated with the logon procedure: