Password-Related Logon Controls

Some of the password-related logon controls available depend on whether or not Safeguard software or a third party password product is installed on the system.

Caution

At Safeguard terminals, the LOGON program processes logons.

The following chart summarizes the logon control settings with and without Safeguard software. Refer to the PASSWORD Program in the Gazette for a detailed discussion on its configuration and security.

Parameter Keyword    With Safeguard Software    Without Safeguard Software
BLINDPASSWORD        ON                         Depends on TACLCONF Settings
PROMPTPASSWORD       ON                         Depends on TACLCONF Settings

With the Safeguard Subsystem

Control parameters that are used when logging on are configured in the Safeguard Globals. The parameters are:

BLINDLOGON

NAMELOGON

PASSWORD-REQUIRED

BLINDLOGON

The BLINDLOGON Global parameter determines whether or not passwords can be typed on the same line as the user name.

RISK When passwords are entered on the same line as the user name, they will be displayed, in the clear, on the screen.

BP-SAFEGARD-GLOBAL-53 BLINDLOGON should be ON.

NAMELOGON

The NAMELOGON Global parameter determines whether or not a user can logon using a userid (group number,member number).

RISK Because there are a finite number of userids available on an HP NonStop server, it is easier for a hacker to guess a userid than a user name.

If NAMELOGON is ON, only a user name (group name.member name) will be accepted when a user logs on.

If NAMELOGON is OFF, a user may enter either a user name (group name.member name) or a user ID (group number,member number).

The default value is ON.

BP-SAFEGARD-GLOBAL-54 NAMELOGON should be ON

PASSWORD-REQUIRED

The PASSWORD-REQUIRED parameter determines whether or not a password is required when SUPER.SUPER or a group manager userid 'logs down' to another userid.

If PASSWORD-REQUIRED is ON, users logged on as SUPER.SUPER or a group manager userid must enter the password of the userid they are 'logging down' to.

If PASSWORD-REQUIRED is OFF, users logged on as SUPER.SUPER or a group manager userid need not enter the password of the userid they are 'logging down' to.

The default value is OFF; no password is required.

BP-SAFEGARD-GLOBAL-04 PASSWORD-REQUIRED = OFF

Password Quality Controls

The ability to 'strengthen' users' passwords is controlled within the PASSWORD program and with Safeguard Global parameters.

Refer to the PASSWORD Program in the Gazette for a detailed discussion on its configuration and security.

Without the Safeguard Subsystem

In the Guardian environment, the Password parameters must be configured by binding them in the PASSWORD program.

The parameters that can be bound into the PASSWORD program are:

BLINDPASSWORD

ENCRYPTPASSWORD

MINPASSWORDLEN

PROMPTPASSWORD

These parameters should be bound to the PASSWORD program even if Safeguard software is installed on the system. To determine the current value, see Viewing the PASSWORD BIND Parameters in Appendix A.

With the Safeguard Subsystem

The quality and protection of passwords is configured in the Safeguard Globals. The parameters are:

PASSWORD-ENCRYPT

PASSWORD-HISTORY

PASSWORD-MINIMUM-LENGTH

PASSWORD-ENCRYPT

The PASSWORD-ENCRYPT parameter determines whether or not passwords will be encrypted when they are stored in the USERID and LUSERID files. If the passwords are stored in encrypted form, they are unreadable even if someone gains access to the files.

A value of ON causes passwords to be encrypted when stored in the file.

A value of OFF means that passwords are not encrypted.

The default value is OFF.

BP-SAFEGARD-GLOBAL-06 PASSWORD-ENCRYPT should be ON

Caution

Just setting this parameter to ON does not cause existing passwords to be encrypted; they will be encrypted the next time they are changed. Therefore, all users should change their passwords after setting this parameter.

PASSWORD-HISTORY

The PASSWORD-HISTORY parameter determines the number of previously used passwords that will be retained in the 'password database' for each user. Passwords in the database cannot be reused. Each time the user creates a new password it is added to the database. Only the most recent passwords are retained. If PASSWORD-HISTORY is set to ten, then the ten most recent passwords will be retained. When the user creates the eleventh new password, the oldest will be deleted from the database.

The value can be a number between 1 and 99. The default is 0.

RISK A value of zero means that passwords will not be retained; users will be able to reuse passwords.

RISK The longer a password is in use, the more likely that other people will learn it.

BP-SAFEGARD-GLOBAL-05 PASSWORD-HISTORY should be 10 (or greater)

PASSWORD-MINIMUM-LENGTH

The PASSWORD-MINIMUM-LENGTH parameter determines the minimum number of characters users must include in their passwords.

The value must be a number between zero and eight. The default is zero.

RISK A value of zero means that passwords are not required.

RISK The default is zero, no password required. If no password is required, anyone can logon to the system with a valid userid. Lists of userids may be easy to obtain.

BP-SAFEGARD-GLOBAL-07 The PASSWORD-MINIMUM-LENGTH value should be between 6 and 8.

Caution

At the time that this attribute is set, it does not invalidate existing passwords. It affects passwords the next time they are changed. Therefore, all users should change their passwords after setting this attribute.

RISK Safeguard software can only validate PASSWORD-MINIMUM-LENGTH if the PASSWORD program is not set for ENCRYPTION.

With Third Party Software

Strong passwords should be at least 6 characters in length and contain at least one number, one upper case and one lower case character and perhaps at least one special character. When a password contains different types of characters, it is much harder for the password to be compromised based on personal knowledge or dictionary attack.

3P-PASSWORD-QUALITY-01 Third party products can provide quality rules and enforce those rules for passwords.
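The strong-password rules above (length, mixed character classes, resistance to dictionary attack) are the kind of checks a third party quality product enforces. The following is an added example, not code from the book or from any HP NonStop or third party product; the QualityPolicy class, check_password function and the three-word dictionary are constructed for illustration, and the special-character rule is off by default because the text only says "perhaps".

```python
"""Password quality check modelled on the strong-password rules in the text.

Added example (hypothetical names): not part of any NonStop product.
Rules: at least 6 characters, at least one digit, one upper-case and one
lower-case letter, optionally at least one special character, and not a
dictionary word or a trivial variant of one.
"""
import string
from dataclasses import dataclass, field


@dataclass
class QualityPolicy:
    """Rule set; a site's Corporate Security Policy may tighten any of these."""
    min_length: int = 6
    require_digit: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = False  # "perhaps" in the text, so off by default
    # Constructed word list standing in for a real dictionary; a product
    # would load a far larger list.
    dictionary: frozenset = field(
        default_factory=lambda: frozenset({"password", "secret", "welcome"}))


def check_password(candidate: str, policy: QualityPolicy = QualityPolicy()) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    # Dictionary resistance: case-fold and strip leading/trailing digits and
    # punctuation so "Password1" is caught as well as "password".
    stripped = candidate.lower().strip(string.digits + string.punctuation)
    if stripped in policy.dictionary:
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for pw in ("abc", "Password1", "Tr0ub4dor"):
        print(pw, "->", check_password(pw) or "OK")
```

The function returns every violated rule rather than stopping at the first one, so a Help Desk can tell the user exactly what to fix; a product that only reports pass/fail teaches users nothing about the rules.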

Password Expiration

The ability to expire users' passwords is determined by whether or not Safeguard software or a third party Password Product is in use on the system.

AP-PASSWORD-EXPIRE-01 Users must change their password at regular intervals.

The interval should be as short as possible without being unmanageable. The Corporate Security Policy should dictate how often users must change their password and how often the passwords for the powerful userids should be changed and how they are stored.

The Corporate Security Policy should dictate that whenever a password is created by anyone other than the user himself, the affected user should be forced to change their password the first time they log on after the password change. This minimizes the length of time that the security staff or Help Desk knows any individual's passwords.

AP-PASSWORD-EXPIRE-02 Immediate expiration of passwords when they are reset by someone other than their own user minimizes the length of time that the security staff knows a user's password.

3P-PASSWORD-EXPIRE-01 Third party products can be utilized to immediately expire passwords if they are reset by someone other than the user.

Without the Safeguard Subsystem

RISK It is not possible to expire passwords before the user is logged on to a TACL without Safeguard software unless a third party Password Quality program is in use.

AP-PASSWORD-EXPIRE-03 It is possible to force users to change their password, even without Safeguard software, by writing an in-house macro that can be run from the TACLLOCL file.

RISK The TACLLOCL file approach is not as secure as password-expiration enforced by Safeguard software or a third party product because the user's password has already been accepted, the user authenticated, and TACL started.

With the Safeguard Subsystem

Safeguard can be configured to automatically expire passwords at regular intervals. This feature is set in the Safeguard Globals. The date the password will expire is calculated each time the user's password is changed. The date in the User Record may be overwritten by anyone who is authorized to ALTER the User Record.

Password-Expiration Related Safeguard Global Parameters

The Safeguard Global parameters that affect password expiration are:

PASSWORD-EXPIRY-GRACE

PASSWORD-MAY-CHANGE

PASSWORD-EXPIRY-GRACE

The PASSWORD-EXPIRY-GRACE parameter determines the number of days after a user's password expires that the user will still be able to logon with the old password and create a new password during the logon process.

This parameter may be configured both in the Global Settings and the User Record. If defined in both places, the User Record setting takes precedence.

The default value is zero, no PASSWORD-EXPIRY-GRACE.

BP-SAFEGARD-GLOBAL-09 PASSWORD-EXPIRY-GRACE should be between 7 and 15 days

PASSWORD-MAY-CHANGE

The PASSWORD-MAY-CHANGE parameter defines the number of days before a user's password will expire and if the password may be changed by its user.

The following facts apply:

RISK If no PASSWORD-MAY-CHANGE value is set, the user may change his password at any time and repeatedly. Users can cycle the password to overcome the history limit.

RISK A value of 0 also allows the password to be changed at any time.

RISK The default value is 0; no restrictions on password change date.

RISK If the PASSWORD-MAY-CHANGE period is greater than the PASSWORD-MUST-CHANGE period in a user authentication record, that user's password can be changed at any time.

BP-SAFEGARD-GLOBAL-08 PASSWORD-MAY-CHANGE should be (MUST-CHANGE) minus 1
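The best-practice values quoted in this section (BP-SAFEGARD-GLOBAL-05 to -09, -53 and -54) and the RISK notes about PASSWORD-MAY-CHANGE can be turned into a single review check. The following is an added example, not part of the book and not a Safeguard or SAFECOM feature: check_safeguard_globals, PAGE_DEFAULTS and SAMPLE_HARDENED are constructed names; the defaults are the ones the text states, except BLINDLOGON, whose default the text does not give, so OFF is an assumption; and the settings are supplied as a plain dictionary because the output format of a SAFECOM INFO SAFEGUARD listing is not modelled here.

```python
"""Compare Safeguard Global password settings with the best-practice values
in the text. Added example; hypothetical names, not a Safeguard feature."""

# Defaults as stated in the text. BLINDLOGON's default is not given there,
# so OFF is an assumption for this example. None stands for NONE.
PAGE_DEFAULTS = {
    "BLINDLOGON": "OFF",
    "NAMELOGON": "ON",
    "PASSWORD-ENCRYPT": "OFF",
    "PASSWORD-HISTORY": 0,
    "PASSWORD-MINIMUM-LENGTH": 0,
    "PASSWORD-EXPIRY-GRACE": 0,
    "PASSWORD-MAY-CHANGE": 0,
    "PASSWORD-MUST-CHANGE": None,
}

# Constructed sample that follows every BP quoted in the section.
SAMPLE_HARDENED = {
    "BLINDLOGON": "ON",
    "NAMELOGON": "ON",
    "PASSWORD-ENCRYPT": "ON",
    "PASSWORD-HISTORY": 10,
    "PASSWORD-MINIMUM-LENGTH": 8,
    "PASSWORD-EXPIRY-GRACE": 7,
    "PASSWORD-MUST-CHANGE": 60,
    "PASSWORD-MAY-CHANGE": 59,
}


def check_safeguard_globals(settings, password_program_encrypts=False):
    """Return a list of findings; an empty list means the globals match the BPs.

    password_program_encrypts: True when ENCRYPTPASSWORD is bound into the
    PASSWORD program, in which case Safeguard cannot validate the minimum length.
    """
    cfg = {**PAGE_DEFAULTS, **settings}   # unset parameters take their defaults
    findings = []

    for name, bp in (("BLINDLOGON", "BP-SAFEGARD-GLOBAL-53"),
                     ("NAMELOGON", "BP-SAFEGARD-GLOBAL-54"),
                     ("PASSWORD-ENCRYPT", "BP-SAFEGARD-GLOBAL-06")):
        if cfg[name] != "ON":
            findings.append(f"{bp}: {name} should be ON (is {cfg[name]})")

    history = cfg["PASSWORD-HISTORY"]
    if history < 10:
        findings.append("BP-SAFEGARD-GLOBAL-05: PASSWORD-HISTORY should be 10 or greater"
                        + (" (0 lets users reuse passwords)" if history == 0 else ""))

    min_len = cfg["PASSWORD-MINIMUM-LENGTH"]
    if not 6 <= min_len <= 8:
        findings.append("BP-SAFEGARD-GLOBAL-07: PASSWORD-MINIMUM-LENGTH should be between 6 and 8"
                        + (" (0 means no password is required)" if min_len == 0 else ""))
    if min_len > 0 and password_program_encrypts:
        findings.append("PASSWORD-MINIMUM-LENGTH is not validated while the PASSWORD "
                        "program is bound for ENCRYPTION")

    grace = cfg["PASSWORD-EXPIRY-GRACE"]
    if not 7 <= grace <= 15:
        findings.append("BP-SAFEGARD-GLOBAL-09: PASSWORD-EXPIRY-GRACE should be between 7 and 15 days")

    must, may = cfg["PASSWORD-MUST-CHANGE"], cfg["PASSWORD-MAY-CHANGE"]
    if must is None:
        findings.append("PASSWORD-MUST-CHANGE is NONE: users are never forced to change their password")
    elif may == 0 or may > must:
        # The RISK cases: 0 or a value above MUST-CHANGE means the password
        # can be changed at any time, so PASSWORD-HISTORY can be cycled.
        findings.append("BP-SAFEGARD-GLOBAL-08: PASSWORD-MAY-CHANGE lets the password be changed "
                        "at any time; set it to PASSWORD-MUST-CHANGE minus 1")
    elif may != must - 1:
        findings.append("BP-SAFEGARD-GLOBAL-08: PASSWORD-MAY-CHANGE should be PASSWORD-MUST-CHANGE minus 1")
    return findings


if __name__ == "__main__":
    print("defaults:", *check_safeguard_globals({}), sep="\n  ")
    print("hardened:", check_safeguard_globals(SAMPLE_HARDENED))
```

Running it against an empty dictionary shows what an unconfigured system looks like: six findings, NAMELOGON being the only parameter whose default already matches its BP.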

Password-Expiration Related User-Record Parameters

The User Record attributes that affect password expiration are:

PASSWORD-EXPIRES

PASSWORD-EXPIRY-GRACE

PASSWORD-MAY-CHANGE (display only)

PASSWORD-MUST-CHANGE

PASSWORD-EXPIRES

The PASSWORD-EXPIRES attribute specifies the date that the user's current password will expire. The date is calculated based on the PASSWORD-MUST-CHANGE global attribute.

RISK If the PASSWORD-EXPIRES field in the User Record is set 'manually', it takes precedence over the PASSWORD-EXPIRES date calculated as a result of the PASSWORD-MUST-CHANGE Global parameter.

RISK If the PASSWORD-EXPIRES value is NONE, the user will not be forced to reset the password.

PASSWORD-EXPIRY-GRACE

The PASSWORD-EXPIRY-GRACE attribute specifies the number of days after a user's password expires that the user may still change the password. The user will be forced to change the password at logon. For example if a user's password expires on January 5, and PASSWORD-EXPIRY-GRACE is 5, they will be able to logon and choose a new password until January 10. After January 10, the security staff or another user who has been authorized to reset passwords, will have to reset the user's password before logon is allowed.

This parameter may be configured both in the Global Settings and the User Record. If defined in both places, the User Record setting takes precedence.

RISK The default value is zero, no EXPIRY-GRACE. This generates a lot of password reset requests.

BP-USER-CONFIG-10 PASSWORD-EXPIRY-GRACE should be between 7 and 15 days.

PASSWORD-MAY-CHANGE

The PASSWORD-MAY-CHANGE attribute is a 'display only' field in the User Record. This value is calculated by Safeguard software and cannot be changed at the user level.

The attribute defines the number of days before the password expiration date within which a password may be changed by its user.

The following facts apply:

RISK If no password expiration date is set, the password may be changed at any time.

RISK A value of 0 also allows the password to be changed at any time.

RISK The default value is 0; no restrictions on password change date.

RISK If the PASSWORD-MAY-CHANGE period is greater than the PASSWORD-MUST-CHANGE period in a user authentication record, that user's password can be changed at any time, unless set globally.

BP-USER-CONFIG-11 PASSWORD-MAY-CHANGE should be (MUST-CHANGE) minus 1

PASSWORD-MUST-CHANGE

The PASSWORD-MUST-CHANGE parameter determines the number of days that the user may use the same password.

If the PASSWORD-EXPIRES field in the User Record is set 'manually,' it takes precedence over the PASSWORD-EXPIRES date calculated as a result of setting the PASSWORD-MUST-CHANGE Global attribute.

RISK The default value is NONE, the user will not be forced to change the password, unless set globally.

BP-USER-CONFIG-12 PASSWORD-MUST-CHANGE should be set to a value between 30 and 60 days

How the Safeguard Password Expiration-Related Parameters Interact

Use the configuration of Password Expiration-Related Parameters to enforce the Corporate Security Policy:

PASSWORD-HISTORY and PASSWORD-MAY-CHANGE

Use PASSWORD-HISTORY in combination with PASSWORD-MAY-CHANGE to prevent users from re-using passwords over and over.

If PASSWORD-HISTORY is set to 10 and PASSWORD-MAY-CHANGE is set to at least one day less than the PASSWORD-MUST-CHANGE value, then users can't change their passwords more than once per day. This prevents them from re-using a password for at least 10 days.

Example:

  PASSWORD-MUST-CHANGE = 60
  PASSWORD-MAY-CHANGE = 59
  PASSWORD-HISTORY = 10

In this example, users may change their password for the last 59 days before it expires. This means that they can change it every day, but not more than once per day.

Because PASSWORD-HISTORY is set to 10, they would have to change their password every day for 10 days before they could reuse their initial password.

PASSWORD-EXPIRES and PASSWORD-EXPIRY-GRACE

To minimize the time that someone other than a user knows his password, use the PASSWORD-EXPIRES and the PASSWORD-EXPIRY-GRACE parameters to immediately expire passwords after they are reset by the Help Desk or Security staffs.

If, each time the password is reset, the PASSWORD-EXPIRATION is set to the current date and time, then when the user logs on for the first time after the reset, they will be forced to change their password during the logon process. The user has the length of time defined by PASSWORD-EXPIRY-GRACE to logon and enter a new password or the password is frozen.

Example:

  Before:  PASSWORD-EXPIRY-GRACE = 7   PASSWORD-EXPIRATION = APR 3 2003
  After:   PASSWORD-EXPIRY-GRACE = 7   PASSWORD-EXPIRATION = JULY 3 2003 11:50

In this example, the user's password was reset on July 3, 2003 and the PASSWORD-EXPIRATION set to July 3, 2003 11:50. The user will be able to logon and choose a new password until July 10, 2003 at 11:50 (7 days).
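Both examples in this section (the 60/59/10 combination under PASSWORD-HISTORY and PASSWORD-MAY-CHANGE, and the 7-day grace reset under PASSWORD-EXPIRES and PASSWORD-EXPIRY-GRACE) can be replayed with a small simulation of the rules as the text describes them. The following is an added example, not Safeguard code and not anything that talks to SAFECOM; UserPasswordRecord, its methods and the two replay functions are constructed names, the dates are the ones from the examples (with January 1, 2003 assumed as the start of the first one), and the password is treated as frozen as soon as the grace period ends.

```python
"""Simulation of how PASSWORD-MUST-CHANGE, PASSWORD-MAY-CHANGE,
PASSWORD-HISTORY, PASSWORD-EXPIRES and PASSWORD-EXPIRY-GRACE interact,
as described in the text. Added example; hypothetical names, not Safeguard."""
from collections import deque
from datetime import datetime, timedelta


class UserPasswordRecord:
    """One user's password state under a given set of Safeguard parameters."""

    def __init__(self, password, changed_at, must_change=None, may_change=0,
                 history=0, grace=0):
        self.must_change = must_change   # days a password may be used; None = NONE
        self.may_change = may_change     # days before expiry within which it may be changed
        self.grace = grace               # PASSWORD-EXPIRY-GRACE in days
        # The 'password database': the most recent passwords, current one included.
        # maxlen=0 models PASSWORD-HISTORY = 0 (nothing retained, reuse allowed).
        self.database = deque([password], maxlen=history)
        self.password = password
        self.expires = None              # PASSWORD-EXPIRES
        self._set_expiry(changed_at)

    def _set_expiry(self, changed_at):
        if self.must_change is not None:
            self.expires = changed_at + timedelta(days=self.must_change)

    def logon_state(self, now):
        """'OK', 'MUST-CHANGE-AT-LOGON' (inside the grace period) or 'FROZEN'."""
        if self.expires is None or now < self.expires:
            return "OK"
        if now < self.expires + timedelta(days=self.grace):
            return "MUST-CHANGE-AT-LOGON"
        return "FROZEN"

    def in_may_change_window(self, now):
        # The RISK cases: no expiry, MAY-CHANGE 0, or MAY-CHANGE greater than
        # MUST-CHANGE all mean the password may be changed at any time.
        if self.must_change is None or self.may_change == 0 or self.may_change > self.must_change:
            return True
        return now >= self.expires - timedelta(days=self.may_change)

    def change_password(self, new_password, now):
        """Return True if a user-initiated change is accepted."""
        state = self.logon_state(now)
        if state == "FROZEN":
            return False                 # logon refused; security staff must reset
        if state == "OK" and not self.in_may_change_window(now):
            return False                 # too soon since the last change
        if new_password in self.database:
            return False                 # blocked by PASSWORD-HISTORY
        self.database.append(new_password)   # oldest entry drops off when full
        self.password = new_password
        self._set_expiry(now)
        return True

    def reset_by_staff(self, new_password, now):
        """Help Desk reset: PASSWORD-EXPIRES is set to 'now', so the first logon
        forces a change and the user has PASSWORD-EXPIRY-GRACE days to make it."""
        self.password = new_password
        self.expires = now


def replay_history_example():
    """MUST-CHANGE 60, MAY-CHANGE 59, HISTORY 10: one change per day,
    initial password reusable only after ten changes."""
    t0 = datetime(2003, 1, 1)            # assumed start date
    rec = UserPasswordRecord("p0", t0, must_change=60, may_change=59, history=10)
    result = {"same_day": rec.change_password("p1", t0 + timedelta(hours=12)),
              "next_day": rec.change_password("p1", t0 + timedelta(days=1))}
    for d in range(2, 10):               # p2 .. p9, one per day
        rec.change_password(f"p{d}", t0 + timedelta(days=d))
    result["p0_after_9_changes"] = rec.change_password("p0", t0 + timedelta(days=10))
    rec.change_password("p10", t0 + timedelta(days=10))
    result["p0_after_10_changes"] = rec.change_password("p0", t0 + timedelta(days=11))
    return result


def replay_grace_example():
    """Reset at July 3, 2003 11:50 with a 7-day grace period."""
    reset_at = datetime(2003, 7, 3, 11, 50)
    rec = UserPasswordRecord("old", datetime(2003, 2, 2), must_change=60,
                             may_change=59, history=10, grace=7)
    rec.reset_by_staff("temp", reset_at)
    states = {"first_logon": rec.logon_state(reset_at + timedelta(minutes=10)),
              "july_10_11_49": rec.logon_state(datetime(2003, 7, 10, 11, 49)),
              "july_10_12_00": rec.logon_state(datetime(2003, 7, 10, 12, 0))}
    # Changing the password inside the grace period restarts the 60-day cycle.
    states["change_in_grace"] = rec.change_password("new", reset_at + timedelta(days=1))
    states["after_change"] = rec.logon_state(reset_at + timedelta(days=1, hours=1))
    return states


if __name__ == "__main__":
    print(replay_history_example())
    print(replay_grace_example())
```

Note what the history replay shows: a user who changes the password every day can get back to the original one on the eleventh day, which is exactly the "at least 10 days" the text promises and no more; a larger PASSWORD-HISTORY or a smaller PASSWORD-MAY-CHANGE window is what lengthens it.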

Password-Expiration With Third Party Products

Some third party products allow the Security staff to delegate the ability to reset passwords to other users, such as a Help Desk. The userids whose passwords can be reset by the Help Desk can be defined, to ensure that privileged userids, such as SUPER.SUPER or Application Owners, cannot be reset by anyone other than the Security staff.

3P-PASSWORD-EXPIRE-01 Some third party products can automatically expire passwords whenever someone other than their own user creates or resets them.

Who Can RESET Passwords

Who is allowed to reset passwords is determined by whether or not Safeguard software or a third party password product is in use on the system.

Without the Safeguard Subsystem

Without Safeguard software, passwords can be reset by SUPER.SUPER, the Group Manager, or the user.

With the Safeguard Subsystem

RISK All of the following users can reset passwords:

The OWNER of the user's Safeguard User Record

The OWNER's Group Manager

Any users granted O(wn) authority in the User Record

The user's Group Manager

SUPER.SUPER (If SUPER.SUPER is configured UNDENIABLE)

BP-USER-OBJTYPE-01 The USER OBJECTTYPE should be created.

With Third Party Password Products

3P-PASSWORD-RESET-01 Some third party products allow the Security staff to delegate the ability to reset passwords to other users, such as a Help Desk. The userids whose passwords can be reset by the Help Desk can be defined to ensure that privileged userids, such as SUPER.SUPER or Application Owners, cannot be reset by anyone other than the Security staff.

Administering Passwords for Sensitive Userids

RISK Some userids, such as SUPER.SUPER or Application Owner IDs, are so sensitive that restricted knowledge of their passwords is essential to prevent deliberate or inadvertent damage to systems and applications.

The preferred method of protecting these sensitive passwords is to split the password into two or more parts and have different people create and enter the separate parts.

Seal the password in an envelope, which can be locked up if desired. The passwords can only be retrieved for required activity or emergencies.

AP-PASSWORD-POLICY-03 The Corporate Security Standard should specify the Sensitive userids, how often their passwords must be changed, how the passwords will be protected, and the procedures and documentation required to 'check out' their passwords.

Discovery Questions

Question ID | Question | Look here
PASSWORD-POLICY-01 | Does the Corporate Security Policy require the use of passwords? | Policy
PASSWORD-POLICY-02 | Does the Corporate Security Policy mandate 'Strong' passwords? | Policy
PASSWORD-POLICY-03 | Does the Corporate Security Policy mandate that passwords be encrypted? | Policy
PASSWORD-POLICY-04 | Does the Corporate Security Policy mandate how often sensitive passwords must be changed? | Policy
PASSWORD-QUALITY-01 | Are passwords to be at least 6 characters in length? | BIND, Safecom
PASSWORD-QUALITY-02 to 04 | Do passwords conform to the quality rules mandated by the Corporate Security Policy? | BIND, Safecom
PASSWORD-CONFIG-01 | Is the BLINDPASSWORD parameter bound into the PASSWORD program? | BIND
PASSWORD-CONFIG-04 | Is the PROMPTPASSWORD parameter bound into the PASSWORD program? | BIND
PASSWORD-CONFIG-02 | Is the ENCRYPTPASSWORD parameter bound into the PASSWORD program? | BIND
PASSWORD-CONFIG-03 | Is the MINPASSWORDLEN parameter bound into the PASSWORD program? | BIND
PASSWORD-EXPIRE-01 | Are passwords configured to expire at the interval mandated by the Corporate Security Policy? | BIND, Safecom
PASSWORD-EXPIRE-02 | Are passwords expired immediately after RESETs? | Policy
USER-CONFIG-01 | Does the User logon with a unique userid? | Safecom
USER-CONFIG-02 | Does the User have a DEFAULT VOLUME? | Safecom
USER-CONFIG-03 | Is SUBJECT DEFAULT PROTECTION in User Records set off? | Safecom
USER-CONFIG-04 | Does the User Record AUDIT-AUTHENTICATE-PASS = ALL? | Safecom
USER-CONFIG-05 | Does the User Record AUDIT-AUTHENTICATE-FAIL = ALL? | Safecom
USER-CONFIG-06 | Does the Global or User Record AUDIT-MANAGE-PASS = ALL? | Safecom
USER-CONFIG-07 | Does the Global or User Record AUDIT-MANAGE-FAIL = ALL? | Safecom
USER-CONFIG-08 | Does the User Record AUDIT-USER-ACTION-PASS = NONE? | Safecom
USER-CONFIG-09 | Does the User Record AUDIT-USER-ACTION-FAIL = ALL? | Safecom
USER-CONFIG-10 | Does the User Record PASSWORD-EXPIRY-GRACE value conform to the Security Policy? | Safecom
USER-CONFIG-11 | Does the User Record PASSWORD-MAY-CHANGE value conform to the Security Policy? | Safecom
USER-CONFIG-12 | Does the User Record PASSWORD-MUST-CHANGE value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-02 | Does the Safeguard global AUTHENTICATE-FAIL-TIMEOUT value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-03 | Does the Safeguard global AUTHENTICATE-FAIL-FREEZE value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-04 | Does the Safeguard global PASSWORD-REQUIRED value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-05 | Does the Safeguard global PASSWORD-HISTORY value conform to the Corporate Security Policy or to a value of 10 or greater? | Safecom
SAFEGARD-GLOBAL-06 | Does the Safeguard global PASSWORD-ENCRYPT = ON? | Safecom
SAFEGARD-GLOBAL-07 | Does the Safeguard global PASSWORD-MINIMUM-LENGTH value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-08 | Does the Safeguard global PASSWORD-MAY-CHANGE value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-09 | Does the Safeguard global PASSWORD-EXPIRY-GRACE value conform to the Security Policy? | Safecom
SAFEGARD-GLOBAL-53 | Does the Safeguard global BLINDLOGON = ON? | Safecom
SAFEGARD-GLOBAL-54 | Does the Safeguard global NAMELOGON = ON? | Safecom




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157