%META:TOPICINFO{author="DonnaHofmeister" date="1166035116" format="1.1" version="1.2"}%
%META:TOPICPARENT{name="Hp3000ShopSecurity"}%
*Biggies to look for when securing your system*:
*Security DOs*:
* Get a demo of VEAudit from VESoft! It gives you an excellent starting point for an audit of your system.
* Get rid of those "always installed" HP accounts that aren't used or that you don't have the products for (CONV/HPPL8#/RJE/etc.)
* Put your OWN passwords (or better yet RANDOM passwords) on all the third party software accounts on your system (get the freeware RNDPASS program from the public domain software area on www.3kassociates.com to assist you in randomizing passwords for accounts, users, and groups)
* Identify EVERY user on your system that has SM, PM, and OP capability. Do they REALLY need it?
* Watch out for "GOD" programs that may be hiding on your system
* Watch out for "ALLOWALL" utilities that may be in various utility accounts or groups
* If you use any kind of network access to your 3000, set up an OPTION LOGON UDC that logs the source IP address and node name to the system console
* If possible, enforce minimum lengths and formats for passwords (no letter repeated more than once; at least one number; etc.)
* If possible, keep password histories and don't let users change their password right back to what they have "used for years..."
* Allow users to change their own passwords (subject to restrictions above)
* Require users to change their own passwords at least every 30 to 90 days
*Security DON'Ts*:
* Users DON'T need OP capability to manage printers!
* Don't globally ALLOW commands to all your users (or wide groups of users)
* Don't give end users access to the colon (:) prompt! It makes their job and yours harder. Set up menus.
* Don't leave modems connected to your system and unsecured. At least implement device-level (additional!) passwords. Best to leave them DOWNed or unplugged unless needed.
* Don't use the MANAGER.SYS logon. Put a random password on it and assign users that need SM access their own (traceable!) logons with SM capability. And home them into groups OTHER than PUB.SYS!
-- Main.ChrisBartram - 09 Jun 2006
A point mentioned above:
* If you use any kind of network access to your 3000, set up an OPTION LOGON UDC that logs the source IP address and node name to the system console
This is sound advice indeed. Most shops have a system-level *logon* UDC. In this UDC, add the following lines:
<verbatim>
if hpjobtype = "S"
   announce
endif
</verbatim>
where "announce" is the name of a script that is in everyone's path. (Alternatively, qualify the script with a group and possibly an account name.) The following is the "announce" script:
<verbatim>
# announce: report to the console where an interactive session came from.
# Called from the system logon UDC for sessions only (hpjobtype = "S").
setvar _an_where 'unknown'
# a telnet (23) or vt connection: HPREMIPADDR is empty unless the session
# arrived over the network
if hpremipaddr <> ''
   setvar _an_where hpremipaddr
   if hplocport = 23
      setvar _an_where _an_where + " (T)"
   else
      setvar _an_where _an_where + " (V)"
   endif
elseif hpdtcportid <> ''
   # dtc connection
   setvar _an_where hpdtcportid + " (D)"
elseif hpldevin = 20
   # the system console
   setvar _an_where 'console (20)'
elseif hpldevin = 21
   # the modem port (ldev 21 here; use whatever ldev your modem is on)
   setvar _an_where 'modem (21)'
endif
# "$$$" is a fixed marker so the console log can be searched for logons;
# append !hpuser.!hpaccount if the session name alone does not identify who logged on
tellop $$$/!hpjobname/!_an_where/!hpintrodate/!hpintrotime
deletevar _an_where
</verbatim>
The "$$$" makes searching for logons easy. "_an_where" is guaranteed to have a value, so even if all the "if"s fail, the tellop will still work.
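As an added example (not code from the original page or from the commenter above), here is a Python script that triages those =$$$= lines once the console log has been saved to a file off the 3000: it counts logons by origin and flags modem logons and network logons from outside an allowed subnet, which is the kind of check the Don'ts list above calls for. The sample console lines are constructed; the =hh:mm/#Snnnn/pin/= prefix, the HPINTRODATE/HPINTROTIME formats and the DTC port id format are assumptions, and the parser relies only on the =$$$/= marker and the =/= separators the script emits.

```python
"""Triage logon announcements written to the console by the "announce" script.

Added example, not code from the original page. It runs off-box over a saved
console log and relies only on the "$$$/" marker and "/" separators of the
script's TELLOP line:

    $$$/<jobname>/<where>/<HPINTRODATE>/<HPINTROTIME>

The console-line prefix and the date/time formats in the sample below are
assumptions; the parser keeps the date/time tail whole and never interprets it.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample console output. The "hh:mm/#Snnnn/pin/" prefix, the date
# and time formats, and the DTC port id are assumed, not taken from a real log.
SAMPLE_CONSOLE = """\
08:01/#S1023/45/$$$/PAYROLL/10.1.4.22 (T)/MON, JUN 12, 2006/08:01
08:03/#S1024/46/$$$/SALES/10.1.4.57 (V)/MON, JUN 12, 2006/08:03
08:05/#S1025/47/$$$//10.1.9.140 (T)/MON, JUN 12, 2006/08:05
12:47/#S1031/51/$$$/BACKUP/console (20)/MON, JUN 12, 2006/12:47
23:58/#S1040/55/$$$/NIGHT/modem (21)/MON, JUN 12, 2006/23:58
00:12/#S1041/56/$$$/OPS/192.0.2.77 (T)/TUE, JUN 13, 2006/00:12
00:13/#S1042/57/$$$/OPS/DTC01 PORT 3 (D)/TUE, JUN 13, 2006/00:13
09:00/#S1050/60/other console traffic without the marker
"""

# Everything after the marker: jobname and where cannot contain "/"; the
# date/time tail is kept whole so its own separators do not matter.
ANNOUNCE = re.compile(r"\$\$\$/(?P<jobname>[^/]*)/(?P<where>[^/]*)/(?P<when>.*)$")
# The script's "<origin> (<tag>)" convention for the where field.
WHERE = re.compile(r"^(?P<origin>.*?) \((?P<tag>T|V|D|20|21)\)$")
KIND = {"T": "telnet", "V": "vt", "D": "dtc", "20": "console", "21": "modem"}


def parse_announce(line):
    """Return a record for a $$$ line, or None for any other console line."""
    m = ANNOUNCE.search(line)
    if not m:
        return None
    rec = {"jobname": m.group("jobname"), "when": m.group("when"),
           "origin": m.group("where").strip(), "kind": "unknown", "ip": None}
    w = WHERE.match(rec["origin"])
    if w:                       # otherwise it is the script's 'unknown' fallback
        rec["origin"], rec["kind"] = w.group("origin"), KIND[w.group("tag")]
    if rec["kind"] in ("telnet", "vt"):
        try:
            rec["ip"] = ipaddress.ip_address(rec["origin"])
        except ValueError:      # HPREMIPADDR held something unexpected
            pass
    return rec


def audit(console_text, allowed_nets):
    """Parse a console log; flag modem logons, network logons from outside the
    allowed subnets, and network logons whose address did not parse.
    Returns (records, findings, count_by_origin)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    records = [r for r in map(parse_announce, console_text.splitlines()) if r]
    findings = []
    for r in records:
        if r["kind"] == "modem":
            findings.append(("modem-logon", r))
        if r["ip"] is not None and not any(r["ip"] in n for n in nets):
            findings.append(("ip-outside-allowlist", r))
        if r["kind"] in ("telnet", "vt") and r["ip"] is None:
            findings.append(("unparseable-address", r))
    return records, findings, Counter(r["origin"] for r in records)


if __name__ == "__main__":
    records, findings, by_origin = audit(SAMPLE_CONSOLE, ["10.1.0.0/16"])
    print(f"{len(records)} logons; busiest origins: {by_origin.most_common(3)}")
    for flag, r in findings:
        print(f"{flag:22} {r['jobname'] or '(no name)':10} {r['origin']:16} {r['when']}")
```

Run it against a saved console log by replacing =SAMPLE_CONSOLE= with the file's contents and =10.1.0.0/16= with the subnets your users are supposed to come from; anything the script could not classify shows up as =unknown= rather than being dropped, so a blank or odd =where= field is still visible to the auditor.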