Welcome Hope you are having a good time.


1 Welcome Hope you are having a good time

2 FORUM TOPICS
HP-UX UNIX Security
Sharing files in HP-UX UNIX with Windows
ExcaliburEDGE Password Validation

High-level overview of these 3 topics, not much detail; designed to make you aware of what is available. The audience is UNIX users. 3 separate topics, all relating to security on your UNIX server.

3 Presenter: Rod Hunley, Excalibur Systems Support Manager, P2 Energy Solutions

Introduce self. Go around the room and have them introduce themselves: state your name, company, and title/job description.

4 STS Staff
Tony Castillo, Jim Cannon, Rod Hunley, Byron Ward, Kham Laychaypha

Tony 10+, Jim almost 10, Rod 8+, Byron, Kham. Paul Idland returning in November.

5 OVERVIEW
HP-UX UNIX Security: importance of security; definitions; HP-UX with un-trusted mode; HP-UX with shadow passwords; HP-UX with TCB (trusted mode); HP-UX & PAM/NTLM; HP-UX & TCB & PAM/NTLM
Sharing files in HP-UX UNIX with Windows: SAMBA; CIFS/9000

3 major topics: HP-UX, CIFS/9000, EDGE/SB+ Password Validation.

6 OVERVIEW
ExcaliburEDGE Password Validation: setups; password validation options
References

7 HP-UX UNIX Security: Importance of security
Protect corporate information from theft, corruption, or unauthorized access
Comply with internal IT standards
Comply with Sarbanes-Oxley (SOX) audits

Why are you here today? Most likely you are an admin and security is one of your most important job responsibilities. SOX topics are very prevalent at this year's conference.

8 HP-UX UNIX Security: Definitions
What is a login? The UNIX program which reads and verifies a user's user name and password and starts an interactive session.
Why is a user name important? Only authenticated users are allowed access to the UNIX server. Access to programs/files is based on user names and groups.
How does the verification work? The entered user name is compared to a list of names in a system file, and then the entered password is compared to the encrypted password stored in a system file.

UNIX is a multi-user, multitasking OS, so it has to have a way to manage multiple logins: there can be multiple logins for the same user or many logins for different users. Login on UNIX: userid, passwd.

9 HP-UX UNIX Security: HP-UX (un-trusted mode)
Standard delivery on HP-UX servers
Concept: authenticate and validate against the /etc/passwd file

Un-trusted is the "out of the box" security implementation for HP-UX. Authenticate: is this a valid userid? Validate: check for a valid user and a valid password.

10 HP-UX UNIX Security: HP-UX (un-trusted mode)
/etc/passwd file structure (colon delimited):
  username
  encrypted password
  user number
  group number
  4 optional text fields separated by commas
  user's home directory
  startup shell

Most of you have dealt with the /etc/passwd file on UNIX and might be familiar with it; we will review the structure. The 4 optional fields are: Real Name, Office Location, Office Phone, Home Phone. HOME is almost always /home/USERNAME. The startup shell should be /usr/bin/ksh.

11 HP-UX UNIX Security: # cat /etc/passwd
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico

Here is an example listing of the /etc/passwd file. The 1st 15 entries are OS related and created when the OS is loaded/ignited by HP before delivery to the client. Go over root field by field. Ask about /sbin/ksh as the shell: why not /usr/bin/ksh? /usr is not mounted when the system starts up, so it wouldn't be able to find it. Ask about rootlike: what is it? Why is it bad? Why is it good?

12 HP-UX UNIX Security: # cat /etc/passwd (continued)
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh

Here are the rest of the OS ids. Point out the webadmin id: its shell is /usr/bin/false, which means it can't be used to log in to the system. Point out the unidata user; state that it is on everyone's server, P2 uses it for login access to the client's system. Point out the unidata group, 200.

13 HP-UX UNIX Security: HP-UX (un-trusted mode)
Ownership & permissions of important files
Issues with this security setup:
  Encrypted password is in a world-readable file
  Possible that the file would be read and passwords "cracked"

# ls -la /etc/passwd
-r--r--r--  root  sys  Aug 20 15:39 /etc/passwd

Now that we have a little background on userids and the /etc/passwd file, we can examine the issues with an un-trusted system. Ownership and permissions on the /etc/passwd file are the biggest issue that IT auditors have with an un-trusted system. Show that world has read on the file.

14 HP-UX UNIX Security: HP-UX with shadow passwords
Concept: move encrypted passwords to a file that is secure
Requirements: HP-UX 11.11(i) only
Implementation: install the HP supplied software bundle; run the conversion program; reboot

New term: shadow passwords. Issues? Compatibility: can programs that access /etc/passwd function properly? Leave the /etc/passwd structure in place but move the encrypted passwords to a file in another location.

15 HP-UX UNIX Security: HP-UX with shadow passwords
Verification of a shadow password bundle installation:

# swlist
# Initializing...
# Contacting target "siafu.petroleumplace.com"...
#
# Target:  siafu.petroleumplace.com:/
#
# Bundle(s):
#
  ShadowPassword  B  HP-UX Shadow Password Bundle

How would you know if your server had shadow passwords enabled? Do a swlist as root and look for the bundle.

16 HP-UX UNIX Security: HP-UX with shadow passwords
Structure of /etc/passwd with shadow passwords: the encrypted password is moved and replaced with an "x".

# cat /etc/passwd  (after conversion)
root:x:0:3::/:/sbin/ksh
rootlike:x:0:3::/:/sbin/ksh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
sys:x:3:3::/:
adm:x:4:4::/var/adm:/sbin/sh
uucp:x:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:x:9:7::/var/spool/lp:/sbin/sh
nuucp:x:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:x:27:1:ALLBASE:/:/sbin/sh
nobody:x:-2:-2::/:
www:x:30:1::/:
webadmin:x:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:x:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:x:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
unidata:x:200:200:,,,:/home/unidata:/usr/bin/ksh
# ls -la /etc/passwd
-r--r--r--  root  sys  Aug 20 15:39 /etc/passwd

Here is an example of a system with SHADOW passwords enabled. Notice that the encrypted password has been replaced by an "x". Everything else is the same: same ownership and permissions as un-trusted.

17 HP-UX UNIX Security: # ls -la /etc/shadow
-r--------  root  sys  Aug 20 15:39 /etc/shadow
# cat /etc/shadow
root:/.57wLPQp2cV6:12650::::::
rootlike:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
bin:*:12650::::::
sys:*:12650::::::
adm:*:12650::::::
uucp:*:12650::::::
lp:*:12650::::::
nuucp:*:12650::::::
hpdb:*:12650::::::
nobody:*:12650::::::
www:*:12650::::::
webadmin:*:12650::::::
smbnull:*:12650::::::
opc_op:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::

New file: /etc/shadow. Why is this better? Notice the ownership is the same as /etc/passwd, but the permissions are different: ONLY the root user has read access; EVERYONE else has NO access. Notice the structure of the file: user, encrypted password, a common userid, NOTHING ELSE.
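
The checks an admin would run against the two listings above (slide 13's world-readable hashes and extra UID 0 accounts, and slide 17's passwd/shadow split) can be scripted with the tools every HP-UX box already has. The script below is an added example written for this transcript, not part of the presentation or of any HP tool; the sample passwd and shadow files it builds are constructed (they reuse the slides' root, rootlike and unidata lines and add invented guest, orphan and stale entries so that every check has something to find), and they are deliberately a half-converted mix so both the un-trusted and the shadow checks fire.

```shell
#!/bin/sh
# Added example, not from the presentation: audit an /etc/passwd-format
# file and its /etc/shadow companion for the issues the slides point out.
# POSIX sh + awk + ls only, so it runs on HP-UX as well as Linux.

# Constructed sample files in the slides' formats.  root, rootlike and
# unidata are the slides' own lines; "guest" (empty password field),
# "orphan" (x in passwd, no shadow line) and "stale" (shadow line with no
# passwd entry) are invented so each check below finds something.
TMPD="${TMPDIR:-/tmp}/passwd-audit.$$"
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT
PASSWD="$TMPD/passwd"
SHADOW="$TMPD/shadow"

cat > "$PASSWD" <<'EOF'
root:/.57wLPQp2cV6:0:3::/:/sbin/ksh
rootlike:/.57wLPQp2cV6:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
guest::500:20::/home/guest:/usr/bin/ksh
unidata:CuRdujgUu53qA:200:200:,,,:/home/unidata:/usr/bin/ksh
orphan:x:501:20::/home/orphan:/usr/bin/ksh
EOF
chmod 644 "$PASSWD"

cat > "$SHADOW" <<'EOF'
root:/.57wLPQp2cV6:12650::::::
daemon:*:12650::::::
unidata:CuRdujgUu53qA:12650::::::
stale:*:12650::::::
EOF
chmod 400 "$SHADOW"

# Slide 13: users whose password field holds a real hash in the
# world-readable file ("x" = moved to /etc/shadow, "*" = no login allowed).
exposed_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Users with an empty password field: they log in with no password at all.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Every account besides root that has UID 0 (the slides' "rootlike").
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Slide 17: passwd entries marked "x" with no /etc/shadow line, i.e. the
# hash has gone missing.  Usage: missing_shadow PASSWD SHADOW
missing_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } $2 == "x" && !($1 in seen) { print $1 }' "$2" "$1"
}

# Shadow lines for accounts that no longer exist in passwd.
stale_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# "other" read bit from ls -l is column 8 of the mode string.
other_read() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo world-readable ;;
        *) echo private ;;
    esac
}

# Group and other bits (columns 5-10) must all be "-" on a shadow file.
shadow_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] && echo ok || echo "too open"
}

echo "passwd mode        : $(other_read "$PASSWD")"
echo "hashes in passwd   : $(echo $(exposed_hashes "$PASSWD"))"
echo "empty passwords    : $(echo $(empty_passwords "$PASSWD"))"
echo "extra UID 0        : $(echo $(extra_uid0 "$PASSWD"))"
echo "shadow mode        : $(shadow_mode_ok "$SHADOW")"
echo "x with no shadow   : $(echo $(missing_shadow "$PASSWD" "$SHADOW"))"
echo "shadow with no user: $(echo $(stale_shadow "$PASSWD" "$SHADOW"))"
```

Point the functions at the real /etc/passwd and /etc/shadow (as root) to get the same report for a live server; on an un-trusted system the first four lines are the ones an auditor will ask about.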

18 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
What is TCB? The Hewlett-Packard C2-level trusted system consists of the HP-UX operating system configured in trusted mode and its commands, utilities, and subsystems along with supported hardware. This results in a system designed to meet the criteria of a C2-level trusted system, as described in Section 2.2 of the Department of Defense Trusted Computer System Evaluation Criteria, DOD STD, December 1985, and the E3/FC2 security level as defined by the Information Technology Security Evaluation Criteria (ITSEC) established by the European Community.

New term: TCB, Trusted Computing Base, also referred to as Trusted Mode or Trusted System. What does it all mean? It means that it meets a set of DOD criteria.

19 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
Why is TCB better than an un-trusted system or a shadow password system?
  Provides more stringent password authentication and system auditing
  Terminal access control
  Time-based access controls
See references for a link to "Administering Your HP-UX Trusted System".

Password format: system generated or user selected; aging. General account policies. Terminal policies: unsuccessful login tries, delay between retries, login timeout value. Terminal access: which terminals a user can log in from. Time-based: what days and what times a user has access. Auditing: very detailed.

20 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
How is it implemented?
  An understanding of the trusted system structure
  A lot of planning
  Train support personnel
  Run SAM to run the conversion to TCB
  Be prepared initially for questions/problems

Read the guide and understand what you are getting into. You can't do enough planning. Have at least one backup person. Check your /etc/passwd file with pwck and /etc/group with grpck before running the conversion; if there are problems, the conversion will fail. After conversion, you MUST modify /etc/profile to add a umask 002 statement so that user-created files get created with 664 permissions. Be familiar with the utility programs that unlock user accounts, both SAM and the command line.

21 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
The encrypted password is moved and replaced with an "*".

# cat /etc/passwd  (after conversion to trusted system)
root:*:0:3::/:/sbin/ksh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
smbnull:*:103:103:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
opc_op:*:777:77:OpC default operator:/home/opc_op:/usr/bin/ksh
tftp:*:510:8:Trivial FTP user:/usr/tftpdir:/usr/bin/false
nsmail:*:110:101:NetScape Mail,,,:/home/nsmail:/usr/bin/sh
mailsrv:*:102:101:Netscape Mail Server,,,:/home/mailsrv:/usr/bin/sh
unidata:*:204:200:unidata user:/home/unidata:/usr/bin/ksh

Example of the /etc/passwd file after conversion to Trusted. Note that the encrypted field is replaced with a "*".

22 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
# ls -ld /tcb
dr-xr-x--x  3 root sys Apr 29 13:36 /tcb
# ls -ld /tcb/files
drwxrwx--x  3 root sys Apr 29 13:36 /tcb/files
# ls -ld /tcb/files/auth
drwxrwx--x 55 root sys Apr 29 13:36 tcb/files/auth
# cd /tcb/files/auth
# ls
A  G  M  S  Y  e  k  q  v
B  H  N  T  Z  f  l  r  w
C  I  O  U  a  g  m  s  x
D  J  P  V  b  h  n  system  y
E  K  Q  W  c  i  o  t  z
F  L  R  X  d  j  p  u
# ls -ld /tcb/files/auth/u
drwxrwx  root sys Aug 20 21:30 u

Note the paths to the new location of the information on user accounts: /tcb/files/auth has a directory for each alphabetic character (upper and lower case), and users are in these directories. Note the ownership and permissions for the /tcb/files/auth/u directory.

23 HP-UX UNIX Security: HP-UX with TCB (Trusted Mode)
# cd u
# ls -la
total 8
drwxrwx      root sys  Aug 20 21:30 .
drwxrwx--x 55 root sys  Apr 29 13:36 ..
-rw-rw-r     root root Aug 20 21:30 unidata
-rw-rw-r     root root Apr 29 13:36 ursetta
-rw-rw-r     root root Apr 29 13:36 uucp
# cat unidata
unidata:u_name=unidata:u_id#204:\
        :u_pwd=P36658YzF7/z6:\
        :u_auditid#22:\
        :u_auditflag#1:\
        :u_pswduser=unidata:u_suclog# :u_unsuclog# :u_unsuctty=pts/ta:\

We are headed to the location where the unidata user id is located. Notice that each user is a file. There is a general security policy for all users in effect; these are the items that are unique for each user. Notice the user id 204 and the encrypted password, just a couple of the more important items. man prpwd will show all of the possible options.

24 HP-UX UNIX Security: HP-UX & PAM/NTLM
What is PAM? The pluggable authentication module (PAM) framework provides the ability to incorporate multiple authentication mechanisms into an existing system through the use of pluggable modules. The PAM framework consists of a library, pluggable modules, and a configuration file. "Out-of-the-box" HP-UX PAM is set up to perform UNIX authentication; however, other types can be plugged in, for example NTLM and Kerberos 5, used by Windows Active Directory.
Concept: authenticate UNIX logins against Windows Active Directory, not the UNIX password files.

Now we are switching to a completely different method of authentication/validation! New terms: PAM, NTLM and Kerberos 5. PAM, Pluggable Authentication Module: HP-UX is PAM aware. NTLM, NT Loadable Module: older Windows compatibility. Kerberos: an MIT-developed network authentication protocol, stronger security than NTLM. The concept is to validate against AD. What are we trying to do? A single point of control for both Windows AD and UNIX ids and passwords.

25 HP-UX UNIX Security: HP-UX & PAM/NTLM
What are the prerequisites?
  CIFS/9000 (Samba) must be installed and running in Domain Authentication mode
  UNIX server must have joined the Domain
  UNIX /etc/passwd file still has to exist and new users must be created on the UNIX server (this depends upon the combinations of sufficient vs. required)
How is it implemented? Replace and configure the /etc/pam.conf file.

Prerequisites include CIFS/9000, which we haven't yet talked about; that is the next major topic after HP-UX UNIX Security. You still have to have UNIX users set up on the UNIX server; it can be un-trusted, shadow, or TCB. How these passwords are used depends on how PAM is configured.

26 HP-UX UNIX Security: HP-UX & PAM/NTLM, sample /etc/pam.conf
# cat /etc/pam.conf
#
# PAM Configuration
#
# Account Management
dtaction  account  required    /usr/lib/security/libpam_unix.1
dtlogin   account  required    /usr/lib/security/libpam_unix.1
ftp       account  required    /usr/lib/security/libpam_unix.1
login     account  sufficient  /usr/lib/security/libpam_ntlm.1
login     account  required    /usr/lib/security/libpam_unix.1
su        account  required    /usr/lib/security/libpam_unix.1
OTHER     account  required    /usr/lib/security/libpam_unix.1
#
# Authentication Management
dtaction  auth     required    /usr/lib/security/libpam_unix.1
dtlogin   auth     required    /usr/lib/security/libpam_unix.1
ftp       auth     required    /usr/lib/security/libpam_ntlm.1

Sample /etc/pam.conf file. Notice the groups: Account, Authentication, Password, Session Management. PAM uses new terms and concepts: stacked, meaning the order of execution is top down; sufficient, meaning that if present it will use it; required, self explanatory. Account: for login, having an AD account is sufficient but not necessary; if there is no AD account, then a UNIX account is required.

27 HP-UX UNIX Security: sample /etc/pam.conf (continued)
login     auth     sufficient  /usr/lib/security/libpam_ntlm.1
login     auth     required    /usr/lib/security/libpam_unix.1  try_first_pass
su        auth     required    /usr/lib/security/libpam_unix.1
OTHER     auth     required    /usr/lib/security/libpam_unix.1
#
# Password Management
dtaction  password required    /usr/lib/security/libpam_unix.1
dtlogin   password required    /usr/lib/security/libpam_unix.1
login     password sufficient  /usr/lib/security/libpam_ntlm.1
login     password required    /usr/lib/security/libpam_unix.1
passwd    password required    /usr/lib/security/libpam_unix.1
OTHER     password required    /usr/lib/security/libpam_unix.1
#
# Session Management
dtaction  session  required    /usr/lib/security/libpam_unix.1
dtlogin   session  required    /usr/lib/security/libpam_unix.1
login     session  required    /usr/lib/security/libpam_unix.1
OTHER     session  required    /usr/lib/security/libpam_unix.1

Authentication: for login, it will try AD authentication for the userid; if it fails then it will try UNIX next; if that fails it will start over again with AD. Password management: for login, it will try the AD password first; if it fails then it will try UNIX next.
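
Reading a stacked pam.conf by eye gets error-prone once several services are mixed in, so a small inspector helps when reviewing the sufficient/required ordering the slides describe. The script below is an added example for this transcript, not part of the presentation or of HP-UX; the sample pam.conf it builds is constructed from the slides' login/ftp/OTHER lines plus an invented rlogin entry that has a sufficient NTLM module with nothing behind it, so the fallback check has something to report.

```shell
#!/bin/sh
# Added example, not from the presentation: read an HP-UX style
# /etc/pam.conf, print the module stack PAM consults for one service and
# management type, and flag stacks whose only module is "sufficient".

# Constructed sample: the slides' stack plus an invented "rlogin" line.
TMPD="${TMPDIR:-/tmp}/pam-demo.$$"
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT
PAMCONF="$TMPD/pam.conf"
cat > "$PAMCONF" <<'EOF'
# PAM Configuration
# Account Management
ftp     account  required    /usr/lib/security/libpam_unix.1
login   account  sufficient  /usr/lib/security/libpam_ntlm.1
login   account  required    /usr/lib/security/libpam_unix.1
OTHER   account  required    /usr/lib/security/libpam_unix.1
# Authentication Management
ftp     auth     required    /usr/lib/security/libpam_ntlm.1
login   auth     sufficient  /usr/lib/security/libpam_ntlm.1
login   auth     required    /usr/lib/security/libpam_unix.1  try_first_pass
rlogin  auth     sufficient  /usr/lib/security/libpam_ntlm.1
OTHER   auth     required    /usr/lib/security/libpam_unix.1
EOF

# pam_stack CONF SERVICE TYPE
# Prints "control:module control:module ..." in file (= execution) order.
# A service with no entry of that type falls back to OTHER, as PAM does.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        $1 ~ /^#/ || NF < 4 { next }
        {
            m = $4; sub(/.*\//, "", m)          # basename of the module path
            k = $1 " " $2
            stack[k] = stack[k] (stack[k] == "" ? "" : " ") $3 ":" m
        }
        END {
            k = svc " " typ
            if (!(k in stack)) k = "OTHER " typ
            print stack[k]
        }' "$1"
}

# pam_no_fallback CONF
# Lists "service type" stacks that contain a sufficient module but no
# required/requisite one: if the sufficient module fails there is no UNIX
# (or other) module left to try, which is not the design the slides show.
pam_no_fallback() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        {
            k = $1 " " $2
            if (!(k in order)) { order[k] = ++n; keys[n] = k }
            if ($3 == "sufficient") suff[k] = 1
            if ($3 == "required" || $3 == "requisite") req[k] = 1
        }
        END { for (i = 1; i <= n; i++) if (suff[keys[i]] && !req[keys[i]]) print keys[i] }' "$1"
}

echo "login  auth: $(pam_stack "$PAMCONF" login auth)"
echo "ftp    auth: $(pam_stack "$PAMCONF" ftp auth)"
echo "telnet auth: $(pam_stack "$PAMCONF" telnet auth)  (no telnet entry, OTHER applies)"
echo "no fallback: $(pam_no_fallback "$PAMCONF")"
```

Run it against the real /etc/pam.conf to confirm that every service you expect to accept AD credentials has the sufficient NTLM module first and a required UNIX module behind it, and that services you did not list are really getting the OTHER stack you intended.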

28 HP-UX UNIX Security: HP-UX & TCB & PAM/NTLM
Concept: authenticate the user against Windows Active Directory while having the UNIX passwords in a secure location
Implementation: this is a combination of two previously discussed methods

Here we have the granddaddy of them all. Concept and implementation: this is a combo of the most secure UNIX password scheme and a single point of password maintenance. What are the advantages? Secure, complex. What is the disadvantage? Complex, might be overkill, and you still have to maintain UNIX users and passwords. Is compatibility an issue? ftp will use PAM authentication. UniODBC is a problem: it doesn't use PAM authentication, it still only uses the UNIX password.

29 HP-UX UNIX File Sharing: SAMBA
What is it? Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is software that can be run on a platform other than Microsoft Windows that allows the host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

Now we are starting the 2nd major topic of this forum, UNIX File Sharing. What is Samba? Yes, it is a dance. Open source software that allows interaction between a non-Windows platform and Windows. Runs in client and server mode.

30 HP-UX UNIX File Sharing: CIFS/9000
What is it? CIFS/9000 provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. CIFS/9000 implements both the server and client components of the CIFS protocol on HP-UX. The current CIFS/9000 Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running CIFS/9000 Client software.

Another new term: CIFS/9000, COMMON INTERNET FILE SYSTEM protocol, HP's implementation of Samba. Provides file and print services; we mainly use the file services.

31 HP-UX UNIX File Sharing: CIFS/9000
What is CIFS/9000 used for in ExcaliburEDGE software? Its main function in ExcaliburEDGE is to allow a Windows-based PC to map a network drive to a directory structure on a UNIX server. It gives the Windows user the ability to "drag 'n' drop" files to and from the UNIX server to previously configured locations.

Why do we need CIFS/9000 or Samba? As previously stated, it is required by PAM/NTLM, and to map a drive from a PC to a location on the UNIX server. Why is drive mapping to the UNIX server important? To get or put files on the UNIX server: getting data from the HOLD area, i.e. results of queries that will be imported into spreadsheets, etc.; putting data into EDI, GL uploads. EDGE Help is Windows based and uses a CIFS/9000 share set up in ENV295. Can be used instead of ftp if properly configured.

32 HP-UX UNIX File Sharing: CIFS/9000
How is it implemented?
  Preloaded on all new HP servers
  Can be installed from an HP supplied depot file
  May require HP-UX patches before installation

HP has it preloaded on all new servers. Required on all UNIX servers for Sequel or EDGE.

33 HP-UX UNIX File Sharing: CIFS/9000 Considerations
Authentication options: Domain, User, Share
HP-UX user ids: ids same as Windows; ids different than Windows
Sharing: define UNIX directories to be shared
Permissions: read only; write

Now that we know what it is and what it is used for, what are some of the things that we need to consider? Authentication: domain, user, share; Domain should be your only consideration. UNIX ids should be the same as Windows AD; if not, then you need to maintain a usermap.txt file that translates the ids. Shares: need to determine what to share. Be CAREFUL. Don't share high-level directories like /sb or /sb/SB.EXC or /sb/SB.EXC/data; be very specific for shares. Permissions on share directories: determine your needs, only give what is needed. The HOLD area might be read only so that modified HOLD files can't be put back on the server. The GVMI.UPLOAD directory would have to be write since you are putting information into it.

34 HP-UX UNIX File Sharing: CIFS/9000 Configuration
smb.conf (man smb.conf)
HP-UX server joins the Domain (man smbpasswd)
Use: PCs use Windows Explorer to map drives to shares on the UNIX server

How do we configure this thing? The man page for smb.conf gives you everything you could possibly need to know. STS will assist. There is an HP-UX kernel parameter that is very important to allow CIFS/9000 to properly join or stay connected to the Windows AD. The Windows sysadmin has to set up a Domain machine account on the AD; then the HP admin has to join the Windows AD with the smbpasswd command. We have already talked about the uses.

35 HP-UX UNIX File Sharing: CIFS/9000, sample /etc/opt/samba/smb.conf
# Samba config file created using SWAT
# from ( )
# Date: 2003/06/18 15:01:33
# Global parameters
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        encrypt passwords = Yes
        password server = devnt2
        username map = /etc/opt/samba/usermap.txt
        printcap name = /var/opt/samba/printers
        local master = No
        wins server =
        guest account = ftp
[printers]
        path = /var/spool/lp/public
        guest ok = Yes
        printable = Yes

Here is an example of the smb.conf file. Note the location, /etc/opt/samba. Also note the comments. What is SWAT? It is a web browser configuration utility for Samba; it is usually easier to edit the file with vi. Notice the structure of the file: global, printers, homes, tmp, hold, GVMI_UPLOAD and alltests are called stanzas. Global: workgroup is the domain name; netbios name is the computer name; security = DOMAIN means that it will use the AD to authenticate/validate a request for a share on the UNIX server; password server is the DNS name of the AD password server; username map is the name and location of the file to translate Windows to UNIX userids if they are not the same on both servers; wins server is the AD WINS server used to resolve names.

36 HP-UX UNIX File Sharing: CIFS/9000, sample /etc/opt/samba/smb.conf (continued)
[homes]
        comment = Home Directories
        path = /home/%S
        writeable = Yes
        create mask = 0775
[tmp]
        comment = /tmp on helios
        path = /tmp
        guest ok = Yes

This is an example from a P2ES server. homes is a share: every user can map a drive from their PC to their home directory on the UNIX server. Not much use, since no EDGE files are written to home directories. tmp is very useful for transferring files to and from a UNIX server for the Administrator. Note that it is writeable and creates files with 775 permission.

37 HP-UX UNIX File Sharing: sample /etc/opt/samba/smb.conf (continued)
[hold]
        comment = /sb/SB.EXC/_HOLD_ on helios
        path = /sb/SB.EXC/_HOLD_
        writeable = Yes
        create mask = 0775
        guest ok = Yes
[GVMI_UPLOAD]
        comment = /sb/SB.EXC/data/GL/GVMI_UPLOAD on helios
        path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
[alltests]
        comment = /sb/SB.EXC/data/EDI/alltests
        path = /sb/SB.EXC/data/EDI/alltests

This is a continuation of the smb.conf file. This shows 3 of the most commonly used shares in EDGE. Note the case of the share names. Note the case of the directory paths; they have to be valid. Be careful not to share high-level directories. Note that GVMI_UPLOAD is under data/GL and is specific to that folder. If a higher level, like GL, was shared, users could accidentally delete your UTM or TH files. NOT GOOD. Wrap-up: a very useful and powerful utility, and a good case for open source software.
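
The two things the slides warn about in a share list, a writeable share that also allows guest access and a share whose path sits above another share (or is one of the high-level EDGE directories), are easy to miss in a long smb.conf, so here is a checker for them. It is an added example for this transcript, not part of the presentation, of Samba or of CIFS/9000; the sample smb.conf it builds is abridged from the slides' file and adds an invented [gl] share on /sb/SB.EXC/data/GL so that the broad-share check fires. Shares that set neither writeable nor read only are reported as read-only, which is Samba's default.

```shell
#!/bin/sh
# Added example, not from the presentation: parse an smb.conf, list each
# share with its path, write and guest settings, and flag the two
# configurations the slides warn against.

# Constructed sample, abridged from the slides' smb.conf; [gl] is invented.
TMPD="${TMPDIR:-/tmp}/smb-demo.$$"
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT
SMBCONF="$TMPD/smb.conf"
cat > "$SMBCONF" <<'EOF'
# Samba config file created using SWAT
[global]
        workgroup = EAED1
        netbios name = HELIOS
        security = DOMAIN
        password server = devnt2
        username map = /etc/opt/samba/usermap.txt
        guest account = ftp
[homes]
        comment = Home Directories
        path = /home/%S
        writeable = Yes
[tmp]
        path = /tmp
        guest ok = Yes
[hold]
        path = /sb/SB.EXC/_HOLD_
        writeable = Yes
        guest ok = Yes
[GVMI_UPLOAD]
        path = /sb/SB.EXC/data/GL/GVMI_UPLOAD
[alltests]
        path = /sb/SB.EXC/data/EDI/alltests
[gl]
        comment = invented for this example; it contains GVMI_UPLOAD
        path = /sb/SB.EXC/data/GL
        writeable = Yes
EOF

# smb_parse CONF -> one line per share: "name path rw|ro guest|noguest"
smb_parse() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {                              # new stanza
            cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur)
            if (cur != "global") names[++n] = cur
            next
        }
        index($0, "=") {
            eq = index($0, "=")
            k = tolower(trim(substr($0, 1, eq - 1)))
            v = trim(substr($0, eq + 1))
            if (k == "path") path[cur] = v
            else if (k == "writeable" || k == "writable") rw[cur] = yes(v)
            else if (k == "read only") rw[cur] = !yes(v)
            else if (k == "guest ok") guest[cur] = yes(v)
        }
        END {
            for (i = 1; i <= n; i++) {
                s = names[i]
                printf "%s %s %s %s\n", s, ((s in path) ? path[s] : "-"), (rw[s] ? "rw" : "ro"), (guest[s] ? "guest" : "noguest")
            }
        }' "$1"
}

# Shares anyone can write to without a password.
smb_guest_writable() {
    smb_parse "$1" | awk '$3 == "rw" && $4 == "guest" { print $1 }'
}

# Shares on one of the high-level EDGE directories the slides name, or whose
# path is a parent of another share's path (it exposes the whole tree the
# narrower share was meant to limit access to).
smb_broad_shares() {
    smb_parse "$1" | awk '
        { name[NR] = $1; p[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++) {
                broad = (p[i] == "/sb" || p[i] == "/sb/SB.EXC" || p[i] == "/sb/SB.EXC/data")
                for (j = 1; j <= NR; j++)
                    if (i != j && index(p[j], p[i] "/") == 1) broad = 1
                if (broad) print name[i]
            }
        }'
}

smb_parse "$SMBCONF"
echo "guest-writable: $(echo $(smb_guest_writable "$SMBCONF"))"
echo "too broad     : $(echo $(smb_broad_shares "$SMBCONF"))"
```

On the slides' own file the report singles out hold (writeable plus guest ok, which is exactly the case the notes say you may want read-only) and shows GVMI_UPLOAD as read-only because it sets no writeable line, even though the notes say uploads need write access; both are worth a second look before the share goes live.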

38 ExcaliburEDGE Password Validation
Setups: User; Group; Menus

Now we are at the 3rd and last topic for this forum. EDGE runs on the SB+ development platform and has its own internal security setups. Will discuss user and group; menus will not be covered. Menu access is very specific and must be carefully designed and implemented.

39 ExcaliburEDGE Password Validation
Default (as delivered by IBM):
  Authentication against the SB+ security files
  Password is validated against the SB+ encrypted password
  No password composition rules are in effect
  Null password is allowed

What happens behind the scenes when you log in to EDGE? Someone would already have set up a userid for you that defines what you have access to. The EDGE encrypted password is stored in a file, and your login id and password are authenticated and validated against these files.

40 ExcaliburEDGE Password Validation
This is the user security setup screen that shows a password, but it is encrypted.

41 ExcaliburEDGE Password Validation
SB Supplied: SB+ password validation can be turned on by STS staff. It will enforce the following rules:
  1. Password cannot contain a sequence of letters or numbers of 3 or more, such as ABC or 123.
  2. Password cannot contain repetitive characters of 3 or more, such as the same letter 3 times in a row, like AAA.
  3. Password cannot contain a comma.
  4. Password cannot be one of the last 10 passwords used.
  5. Password cannot be all numeric.
  6. Password cannot be null.
  7. Password cannot be the same as the user id.
  8. Password must be between 4 and 50 characters.

What if you don't like the lack of password controls supplied by SB+? IBM has supplied a means of implementing a set of 8 predetermined rules that will be enforced. Go over the list. All but the last would be acceptable to IT auditors; 4-character passwords might not be acceptable.
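
To make the eight rules concrete, here is a checker that applies them to a candidate password and reports which ones fail. It is an added example for this transcript, not SB+ code and not the presenter's; the history file it reads is constructed and holds plaintext entries only so the "last 10" window can be shown (a real system keeps hashes there), and the rule 1 test treats both ascending and descending runs (ABC, 321) as sequences, which is this example's reading of the slide.

```shell
#!/bin/sh
# Added example, not from the presentation: check a password against the
# eight SB+ rules listed on the slide.  POSIX sh + awk.

# Constructed history file, oldest first: 11 entries, so the first one is
# outside the "last 10" window that rule 4 looks at.
TMPD="${TMPDIR:-/tmp}/pwrules-demo.$$"
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT
HIST="$TMPD/history"
cat > "$HIST" <<'EOF'
Oldest!pw7
Spr1ng-x7
Summ3r-x8
Fall-x9q
Winter2004!
Maple-7k
Oak-8kq
Pine-9qz
Birch-2m
Cedar-3n
Elm-4pq
EOF

# check_password USERID PASSWORD [HISTORYFILE]
# Prints "ok" or "fail <rule numbers>" and returns 1 on failure.  The
# userid and password go to awk via the environment, not -v, so awk does
# not interpret backslashes in them.  (Passing a password as a command
# argument exposes it to ps on a shared host; read it from a prompt in
# anything beyond a demo.)
check_password() {
    PW="$2" USERID="$1" awk '
        { hist[NR] = $0 }                      # collect history lines
        END {
            p = ENVIRON["PW"]; n = length(p); up = toupper(p); r = ""
            fwd = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; rev = "ZYXWVUTSRQPONMLKJIHGFEDCBA"
            dig = "0123456789"; gid = "9876543210"
            for (i = 1; i <= n - 2; i++) {     # rule 1: 3-char sequence
                t = substr(up, i, 3)
                if (index(fwd, t) || index(rev, t) || index(dig, t) || index(gid, t)) { r = r " 1"; break }
            }
            for (i = 1; i <= n - 2; i++)       # rule 2: same char 3 times
                if (substr(p, i, 1) == substr(p, i + 1, 1) && substr(p, i, 1) == substr(p, i + 2, 1)) { r = r " 2"; break }
            if (index(p, ",")) r = r " 3"      # rule 3: no comma
            for (i = (NR > 10 ? NR - 9 : 1); i <= NR; i++)   # rule 4: last 10 used
                if (hist[i] == p) { r = r " 4"; break }
            if (p ~ /^[0-9]+$/) r = r " 5"     # rule 5: all numeric
            if (n == 0) r = r " 6"             # rule 6: null
            if (p == ENVIRON["USERID"]) r = r " 7"   # rule 7: equals user id
            if (n < 4 || n > 50) r = r " 8"    # rule 8: length 4-50
            print (r == "" ? "ok" : "fail" r)
            exit (r != "")
        }' "${3:-/dev/null}"
}

for pw in 'Tr4ck-Z9q' abc123 1234 jsmith 'aaa,x' '' 'Winter2004!' 'Oldest!pw7'; do
    printf '%-12s %s\n' "'$pw'" "$(check_password jsmith "$pw" "$HIST")"
done
```

The last two lines of the run show the rule 4 window at work: Winter2004! is among the last 10 entries and is rejected, while Oldest!pw7, the 11th most recent, is accepted again. Adding a minimum length above 4, which the notes say auditors may ask for, is a one-number change to the rule 8 line.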

42 ExcaliburEDGE Password Validation
Custom: SB supplied rules + custom programming
  Lock account after a user-defined number of unsuccessful tries
  Custom programming: more stringent password composition rules, plus rules 1-4 of the 8 SB supplied rules

What if you or your auditors want more than the 8 rules? IBM has supplied hooks into the system that allow custom programming to define and implement user-defined rules. Rules 1-4 of the SB+ supplied set are retained, and then all of the user specified/designed/programmed rules are checked. If you need something more than the 8 rules, let's talk later.

43 REFERENCES
Administering Your HP-UX Trusted System
SAMBA
CIFS/9000

Here are the references to TCB, SAMBA, CIFS/9000. Thanks for coming. Please fill out your evaluations of this forum.

