%# Underground eXperts United #%

<><><><><><><><><><><><><><><><><><><>!<><><><><><><><><><><><><><><><><><><><>
#% ..uXu.. 1992 %#
%# Underground eXperts United #%
#% presents... %#
%# -=*=- #%
#% The European Digest Series Vol.2 Issue #2 %#
%# 1992 By THE CHIEF ..uXu.. #%
<><><><><><><><><><><><><><><><><><><>!<><><><><><><><><><><><><><><><><><><><>

SECOND SPECIAL MANUAL SERIES - DIGITAL VMS VERSION 5.0 NEW FEATURES MANUAL #1

Contents...

01.............Introduction
02.............Contents In This Issue
03.............New Security Management Features (8)
04.............Recommended
05.............End Comments

1. INTRODUCTION
---------------
Welcome to TED Vol.2 Issue #2 - The uXu File #74!
While we're doing the Xenix tutorial guide, we recently found that people
working with larger systems needed some updates on the security of newer
versions of Operating Systems, and therefor we made this special issue on
the security improvements of Digital's VMS version 5.0. If you need other
updates, perhaps for other operating systems, just let us know, and we'll
supply you with the needed information in future issues of TED.

2. CONTENTS IN THIS ISSUE
-------------------------

DIGITAL VMS Version 5.0 New Features Manual

---> Chapter 8 New Security Management Features

8.1 SET AUDIT Qualifier: /FAILURE_MODE ............................ 8-2
8.2 Forced Password Change ........................................ 8-2
8.3 Managing Proxy Logins ......................................... 8-3

8.3.1 ADD/PROXY Command ..................................... 8-3
8.3.2 REMOVE/PROXY Command .................................. 8-3
8.3.3 MODIFY/PROXY Command .................................. 8-4
8.3.4 Proxy Access by User Identification Code (UIC) ........ 8-4
8.3.5 Permanent Proxy Database: NETPROXY.DAT ................ 8-5
8.3.6 Network Control Program (NCP) SET EXECUTOR Parameters . 8-4

8.4 Queue Protection Using Access Control Lists (ACLs) ............ 8-5
8.5 True Highwater Marking ........................................ 8-5

[EXTRA IN THIS ISSUE: SECTION 7.8 INCLUDED]

7.8 Queue Protection Using Access Control Lists (ACLs) ............ 7-7

7.8.1 Granting Users CONTROL Access to Queues ............... 7-7

3. NEW SECURITY MANAGEMENT FEATURES (8)
---------------------------------------

_______________________________________________________________________________

CHAPTER 8 NEW SECURITY MANAGEMENT FEATURES
_______________________________________________________________________________

VMS Version 5.0 includes the following new security management features:

-----------------------------------------------------------------------------
Feature Function
-----------------------------------------------------------------------------
MANAGING AUDITS
-----------------------------------------------------------------------------

New SET AUDIT qualifier: Specifies how VMS should proceed when unable
/FAILURE MODE to perform security audits due to insufficient
system resources.

-----------------------------------------------------------------------------
MANAGING PASSWORDS
-----------------------------------------------------------------------------

Forced Password Change Requires users to change expired passwords at
login.

-----------------------------------------------------------------------------
MANAGING PROXY LOGINS
-----------------------------------------------------------------------------

Enchanced ADD/PROXY Command Allows remote users proxy access to up to 16
local accounts. Designates one proxy account
as the default for the specified remote user.

Enchanced REMOVE/PROXY Command Removes proxy access to the specified local
accounts by the remote user.

New MODIFY/PROXY Command Changes the default designation to the
specified proxy account or removes the
default designation.

Proxy access by UIC Allows users on non-VMS operating systems
proxy access to accounts on the locl node.

New permanent proxy database Specifies NETPROXY.DAT as the permanent proxy
database.

New Network Control Program Control whether or not proxy accounts are
(NCP) SET EXECUTOR Parameters accessible.

-----------------------------------------------------------------------------
MANAGING QUEUES
-----------------------------------------------------------------------------

Queue protection using access Provides added protection of queues with
control lists (ACLs) ACLs. For information about this new
feature, see Section 7.8.

[Below, you'll find Section 7.8 for your comfort =uXu Staff=]

-----------------------------------------------------------------------------
MANAGING FILES
-----------------------------------------------------------------------------

True high water marking Provides true highwater marking for
sequential, exclusively accessed files.

-----------------------------------------------------------------------------
_______________________________________________________________________________

8.1 SET AUDIT Qualifier: /FAILURE_MODE
_______________________________________________________________________________

The system manager can use the DCL command SET AUDIT to enable a variety
of security alarms. Security alarms are written to a permanent system mailbox
and copied to the operator log file, OPERATOR.LOG, by OPCOM (the operator
communication process). If the write should fail because of insufficient
resources on the system, the process is put in the MWAIT (miscellaneous wait)
state to wait for the resource.

It may be undesirable to have processes put in the MWAIT state. (For
example, a process in MWAIT might cause a cluster to hang if the process holds
an exclusive lock on a cluster-wide resource, such as the user authorization
file.) For VMS Version 5.0, the system manager can use the new SET AUDIT
qualifier /FAILURE_MODE to chose the action the VMS operating system takes
when security alarms cannot be written.

Use the new SET AUDIT qualifier /FAILURE_MODE to specify how the VMS
operating system proceeds if it is unable to perform a security audit.

For more information about the new SET AUDIT qualifier /FAILURE_MODE, see
the SET AUDIT command description in the VMS DCL DICTIONARY.

_______________________________________________________________________________

8.2 Forced Password Change
_______________________________________________________________________________

In VMS Version 5.0, users whose passwords have expired must change their
expired passwords before being allowed to log in. The operating system prompts
for a new password at login. If users abort the login attempt using CTRL/Y,
they will be prompted for a new password at each subsequent login attempt until
they set a new password.

In VMS Version 5.0, users cannot log in until they change their expired
passwords. In previous versions of VMS, users were warned of expired passwords
but were allowed one final login. Users who logged out before setting a new
password were locked out of the system and forced to request the system manager
to restore the account. With VMS Version 5.0, the system manager can set the
AUTHORIZE flag DISFORCE_PWD_CHANGE to disable the forced password change
feature and return to VMS Version 4.0 behaviour.

For more information about the forced password feature, see Chapter 3 and
Chapter 5 in the GUIDE TO VMS SYSTEM SECURITY.

_______________________________________________________________________________

8.3 Managing Proxy Logins
_______________________________________________________________________________

VMS Version 5.0 includes the following new proxy login features:

Proxy access to multiple local accounts. The system manager can use the
Authorize Utility ADD/PROXY command to allow remote users proxy access
to up to 16 local accounts. Use the /DEFAULT qualifier to designate one
account as the default proxy account.

Ability to modify the default proxy account. Use the new AUTHORIZE
command MODIFY/PROXY to designate a different proxy account as the
default, or specify MODIFY/PROXY/NODEFAULY to remove the default
designation from the specified remote user.

Proxy access for users on operating systems where users are identified
only by User Identification Code (UIC). Note that these systems must be
Phase IV DECnet nodes.

New Network Control Program (NCP) SET EXECUTOR parameters to manage
proxy logins.

_______________________________________________________________________________

8.3.1 ADD/PROXY Command
_______________________________________________________________________________

Prior to VMS Version 5.0, the Authorize Utility command ADD/PROXY enabled
you to allow remote users proxy access to a single local account. VMS Version
5.0 enables system managers to provide remote users with proxy access to up to
16 local accounts. The 16 accounts include 1 default proxy account and 16
alternate proxy accounts.

For more information about the ADD/PROXY command, see the Commands section
of the VMS AUTHORIZE UTILITY MANUAL.

_______________________________________________________________________________

8.3.2 REMOVE/PROXY Command
_______________________________________________________________________________

The Authorize Utility command REMOVE/PROXY has been enchanced for VMS
Version 5.0 to allow you to selectively delete proxy accounts from the network
proxy database for a specified remote user.

For more information about the REMOVE/PROXY command, see the Commands
section of the VMS AUTHORIZE UTILITY MANUAL.

_______________________________________________________________________________

8.3.3 MODIFY/PROXY Command
_______________________________________________________________________________

VMS Version 5.0 includes a new Authorize Utility command, MODIFY/PROXY,
that changes the designation of the default proxy account or removes the
default in the network proxy database.

For more information about the MODIFY/PROXY command, see the Commands
section of the VMS AUTHORIZE UTILITY MANUAL.

_______________________________________________________________________________

8.3.4 Proxy Access by User Identification Code (UIC)
_______________________________________________________________________________

Prior to VMS Version 5.0, proxy access was not supported from systems other
than the VMS operating system. For VMS Version 5.0, users on any remote systems
that implement DECnet Phase IV+ can be granted proxy access to the local node.
For non-VMS systems, specify the remote user's User Identification Code (UIC)
in the user name field.

For more information about specifying proxy accounts by UIC, see the
ADD/PROXY command description in the VMS AUTHORIZE UTILITY MANUAL.

_______________________________________________________________________________

8.3.5 Permanent Proxy Database: NETPROXY.DAT
_______________________________________________________________________________

Prior to VMS Version 5.0, the name of the proxy database was NETUAF.DAT.
The new permanent proxy database is NETPROXY.DAT. All changes made to the
permanent database with the Authorize Utility are automatically updated in
the volatile database on the running system and cluster.

_______________________________________________________________________________

8.3.6 Network Control Program (NCP) SET EXECUTOR Parameters
_______________________________________________________________________________

Prior to VMS Version 5.0, network managers enabled proxy access with the
NCP SET EXECUTOR command parameter DEFAULT PROXY. VMS Version 5.0 replaces the
DEFAULT PROXY parameter with the following new SET EXECUTOR parameters:

INCOMING PROXY - Controls proxy access from the remote node to the
local node.

OUTGOING PROXY - Controls proxy access from the local node to the
remote node.

Each parameter has the following options:

ENABLED - Enables proxy access

DISABLED - Disables proxy access

For more information about the NCP SET EXECUTOR parameters, see Chapter
3 of the VMS NETWORKING MANUAL.

_______________________________________________________________________________

8.4 Queue Protection Using Access Control Lists (ACLs)
_______________________________________________________________________________

Prior to VMS Version 5.0, system managers defined access to queues through
standard UIC-based protection. VMS Version 5.0 provides additional protection
of batch and device (printer, server, and terminal) queues with ACLs. Specify
the new object type, QUEUE, to the /OBJECT_TYPE qualifier when adding ACLs to
queues with the ACL editor or with the DCL command SET ACL.

For more information about queue protection using ACLs, see Section 7.8.
For more information about ACLs, see the VMS ACCESS CONTROL LIST EDITOR MANUAL,
and the description of the SET ACL command in the VMS DCL DICTIONARY.

_______________________________________________________________________________

8.5 True Highwater Marking
_______________________________________________________________________________

Highwater marking keeps users from reading file space beyond the areas
where they have been permitted to write. The outer limit of written space
on the file is that file's highwater mark. This technique prevents users
from scavenging unauthorized portions of the disk.

Prior to VMS Version 5.0, the VMS operating system implemented highwater
marking using a technique known as 'erase-on-allocate', where blocks of
disk space are erased as they are allocated to the user. VMS Version 5.0
features true highwater marking for all sequential, exclusively accessed files.

For more information about highwater marking, see Chapter 4 of the GUIDE
TO VMS SYSTEM SECURITY.

_______________________________________________________________________________

------------------------------------------------------------------------------
SECTION 7.8 (extra in this issue of TED) SECTION 7.8
------------------------------------------------------------------------------

7.8 Queue Protecting Using Access Control Lists (ACLs)

Access control lists (ACLs) define the kinds of access users are granted or
denied to system resources such as files, devices and directories. VMS
Version 5.0 extends the use of ACLs to queues.

Prior to VMS Version 5.0, system managers defined access to queues only
through standard UIC-based protection. VMS Version 5.0 provides protection
of batch and device (printer, server, and terminal) queues using access
control lists (ACLs) through use of a new object type, QUEUE.

VMS provides two methods for manipulating ACLs: the ACL editor, invoked with
he EDIT/ACL command, and the DCL command SET ACL. Use either method to apply
or modify ACLs on queues.

7.8.1 Granting Users CONTROL Access to Queues

In addition to the four types of access defined by the UIC-based protection
scheme - READ, WRITE, EXECUTE, and DELETE - the VMS operating system provides
a fifth access type available with ACLs - CONTROL. When used in combination
with EXECUTE access, CONTROL access allows queue users to act as operators
of the queue. Users with CONTROL and EXECUTE access to a queue can change any
attributes of the queue. Users with only EXECUTE access to the queue are
prohibited from modifying any of the security-related attributes of the queue,
including the queue owner and queue protection (UIC or ACL).

For more information about applying ACLs to queues, see Chapter 4 of the
GUIDE TO VMS SYSTEM SECURITY, the description of the SET ACL command in the
VMS DCL DICTIONARY, and the VMS ACCESS CONTROL LIST EDITOR MANUAL.

[The above mentioned chapters will be included in the TED series On REQUEST]
[=uXu Staff=]

------------------------------------------------------------------------------

4. RECOMMENDED
--------------
This section is included in every issue of The European Digest and will
contain recommended stuff/boards/reading and so on. For this file, we
recommend that you read the uXu file #58, and then WRITE to us, commenting
on the idea. If we don't see any comments about the Awards, it is of no
use to start working on the project and go through with it. You can mail
me (The Chief) on the boards listed at the end of this file.

Please understand that you all can vote, participate, and contribute to
a better Computer Underground by letting us know what YOU think about
the ideas expressed in the 58th file from uXu. Without input from our
readers, we're nothing.

With respect for the CU people (just not very much right now),

THE CHIEF

5. END COMMENTS
---------------
[] Scanning the file-areas and message-subs of the once full-of-hacker
boards in the U.S of A, gives you a chill down your neck. Where have
all the people gone? Where are the groups, once so successful? WHEN
is the 200:th file from cDc going to be released? Are they dead?
(I know they're not, I'm just trying to put some pressure on Ratt�
here, heh heh..) What has happened to Activist Times Inc. and Network
Information Access? WHERE IS 'THE SENSEI' (The Syndicate Report) ???

Is it true that all of them have converted to eLiTe-d00dz? WILL
the pirate industy take over the computer underground? (God forbid).

If anyone got answers to these questions, please feel
free to contact me ASAP, thank you.

The European Digest will not feature Hacking techniques, Phreaking, Carding,
information about government systems or the basic underground rap. It will
be different. It IS different. Manuals, The Underground Scene, Deep Deep
whatever, and so on. Less 'general rag stuff' and More Miscellaneous stuff.
Swedish Hacker News will be presented through the 'uXu - Swedish News' series,
but ONLY in Swedish. English translations will however be published in another
well-known underground rag.

Check out the Next TED for the continuing Xenix Tutorial or More on VMS 5.0.

You can reach me on the following boards for comments, contributions,
membership, questions, ANSWERS or whatever:

Ripco ][ [312]-528-5020
Condemned Reality [618]-397-7702
Demon Roach Underground [806]-794-4362
Solsbury Hill [301]-428-3268
Anonymous [+45]-981-89771
The Stash [+46]-498-22113
Sedes Diaboli [+46]-586-43766

You can't reach me on the following boards anymore. Reason(s) stated below.

Balanced pH [818] Down
Land Of Karrus [215] Down
Lunatic Labs [213] (Well, sometimes)

The Chief 1992

%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&
% %
& "Congress shall make no law respecting an establishment of religion, or &
% prohibitting the free excercise thereof; or abbridging the freedom of %
& speech or of the press; or of the right of the people peaceably to &
% assemble, and to petition the Goverment for a redress of grievances." %
& &
% This work is released according to the above Constitutional rights %
& for INFORMATIONAL PURPOSES ONLY. &
% %
&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%&%

____________________________________________________________________________
____________________________________________________________________________

Downloaded From P-80 International Information Systems 304-744-2253 12yrs+