Technical data

Security Considerations
12.2 Managing Passwords
12.2.6 Password History
The password history database maintains a history of previous passwords
associated with each user account. By default, the system retains these records
for one year. Once a password history record is older than the system password
history lifetime, the password it records is again allowed as a valid password
choice. When a user account is deleted, the system removes the associated
password history records from the history database.
12.3 Using Intrusion Detection Mechanisms
This section describes how to set up intrusion detection and evasion and how to
display the intrusion database.
Controlling the Number of Retries on Dialups
You can control the number of login attempts the user is allowed through a dialup
line. If the user makes a typing mistake after obtaining the connection, the user
does not automatically lose the connection. This option is useful for authorized
users, while still restricting the number of unauthorized attempts.
To implement control of retries, use the following two LGI system parameters:
LGI_RETRY_TMO and LGI_RETRY_LIM. If you do not change the values of
these system parameters, the default values allow the users three retries with a
20-second interval between each.
Keep in mind that controlling dialup retries is only a part of an overall security
program and is not, in itself, sufficient to avoid break-ins. An obstacle like
redialing is not going to prove an effective deterrent to a persistent intruder.
Discouraging Break-In Attempts Further
The OpenVMS operating system offers additional methods of discouraging break-in
attempts. These methods also use system parameters in the LGI category.
Parameter          Description
LGI_BRK_LIM        Defines a threshold count for login failures. When the count of
                   login failures exceeds the LGI_BRK_LIM value within a reasonable
                   time interval, the system assumes that a break-in is in progress.
LGI_BRK_TERM       Controls the association of terminals and user names for counting
                   failures.
LGI_BRK_TMO        Controls the time period in which login failures are detected and
                   recorded.
LGI_HID_TIM        Controls the duration of the evasive action.
LGI_BRK_DISUSER    Makes the effects of intrusion detection more severe. If you set
                   this parameter to 1, the OpenVMS operating system sets the DISUSER
                   flag in the UAF record for the account where the break-in was
                   attempted. Thus, that user name is disabled until you manually
                   intervene.
Refer to the OpenVMS Guide to System Security for a full description of these
parameters.
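The following is an added, simplified model of how the LGI_BRK_* parameters above interact; it is constructed for illustration and is not OpenVMS code. It assumes failures are counted per (terminal, user) when LGI_BRK_TERM is set and per user otherwise, that a break-in is declared once failures within LGI_BRK_TMO exceed LGI_BRK_LIM, and that evasive action then refuses logins from that source for LGI_HID_TIM seconds (the parameter values used are constructed, not documented defaults).

```python
from dataclasses import dataclass, field


@dataclass
class LgiParams:
    brk_lim: int = 5            # failures tolerated before a break-in is assumed
    brk_tmo: int = 300          # seconds a failure stays in the count
    hid_tim: int = 300          # seconds of evasive action
    brk_term: bool = True       # key failures by (terminal, user), else by user only
    brk_disuser: bool = False   # also set DISUSER on the account when break-in detected


@dataclass
class IntrusionDb:
    """Model of the intrusion database: recent failures and sources under evasion."""
    params: LgiParams
    failures: dict = field(default_factory=dict)      # key -> list of failure times
    hidden_until: dict = field(default_factory=dict)  # key -> end of evasive action
    disabled_users: set = field(default_factory=set)  # accounts given the DISUSER flag

    def key(self, terminal, user):
        return (terminal, user) if self.params.brk_term else (user,)

    def login_failed(self, now, terminal, user):
        """Record a failure; return True if it pushes the source over LGI_BRK_LIM."""
        k = self.key(terminal, user)
        # Failures older than LGI_BRK_TMO drop out of the count.
        recent = [t for t in self.failures.get(k, []) if now - t < self.params.brk_tmo]
        recent.append(now)
        self.failures[k] = recent
        if len(recent) > self.params.brk_lim:
            self.hidden_until[k] = now + self.params.hid_tim
            if self.params.brk_disuser:
                self.disabled_users.add(user)
            return True
        return False

    def login_allowed(self, now, terminal, user):
        """Evasion refuses the source until LGI_HID_TIM passes; DISUSER stays set."""
        if user in self.disabled_users:
            return False
        return self.hidden_until.get(self.key(terminal, user), 0) <= now


def demo():
    """Four failures in 30 s against a limit of 3 trigger 300 s of evasion."""
    db = IntrusionDb(LgiParams(brk_lim=3, brk_tmo=300, hid_tim=300))
    flagged = False
    for t in range(4):
        flagged = db.login_failed(now=t * 10, terminal="TTA0", user="SMITH")
    return (flagged, db.login_allowed(60, "TTA0", "SMITH"),
            db.login_allowed(400, "TTA0", "SMITH"), db.login_allowed(60, "TTB0", "SMITH"))
```

Running `demo()` shows the same user remains able to log in from a different terminal while the flagged terminal is under evasion; setting `brk_term=False` merges the counts across terminals.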