Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000

Security
Traditionally, HP-UX stores user account information in the local /etc/passwd file. Unless the system is in trusted mode, any
user logging into the system can read all other users’ hashed (encrypted) passwords in /etc/passwd; and that remains true if the
system deploys Network Information Service (NIS), because the passwd map can be read by any NIS client. Exposing password
hashes is a security risk: they can be copied and attacked offline. Windows 2000 uses AD to store account information, but
Kerberos client keys and passwords are well protected. They are not returned by directory search tools, and even an
administrator cannot read a user’s password or client key through ordinary directory queries. So, integrating HP-UX
accounts with Windows 2000 provides better password protection for HP-UX. Also, using Windows 2000 Kerberos services
to authenticate HP-UX users is more secure than traditional UNIX authentication, since the password itself never crosses the network.
However, be aware of some general security issues when using a directory service as the account repository. On UNIX platforms the
superuser, who has complete control of the system, is identified by uid = 0, which corresponds to the attribute uidNumber in AD.
The uidNumber and other security-sensitive attributes (e.g. login shell, home directory) need to be protected from modification
by arbitrary users: a user who can set the uidNumber of his own account to 0 becomes root on every HP-UX system that trusts the
directory. By default, a regular Windows 2000 domain user is not granted the right to modify AD objects. When granting access
rights, an AD administrator must be very careful to protect the security-sensitive attributes; in particular, they should not be
delegated together with routine attribute changes, and should not be covered by any right an account holder has over his own object.
HP has published a white paper on security issues associated with directory services, “Preparing Your LDAP Directory
for HP-UX Integration White Paper”, which can be downloaded from the HP documentation web site,
http://docs.hp.com/hpux/internet. Although the white paper is not specifically written for Windows 2000
Active Directory, its general principles still apply.
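Protecting the attributes with ACLs is the primary control; a complementary check is to audit what the directory actually serves to HP-UX clients. The following script is an added example, not code from HP’s white paper or the integration product. It assumes the RFC 2307 attribute names used above (uid, uidNumber, gidNumber, loginShell, homeDirectory) and an LDIF export of the user container, such as the output of an ldapsearch against the domain; the LDIF embedded here is constructed sample data, not a real export. The parser handles RFC 2849 folded lines and base64 (“::”) values, and the audit flags a uidNumber or gidNumber of 0 on any account other than root, duplicate uidNumbers, shells outside an allowed list, and home directories outside the expected tree.

```python
"""Audit POSIX account attributes exported from a directory (LDIF) for
values that would grant or extend privilege on an HP-UX client.

Added example; assumes RFC 2307 attribute names and an LDIF export
produced by an ldapsearch against the user container."""
import base64

# HP-UX shells that a regular account may use (assumed policy for this example).
ALLOWED_SHELLS = frozenset({"/usr/bin/sh", "/usr/bin/ksh", "/usr/bin/csh", "/sbin/sh"})
# Home directories of regular accounts are expected under this tree (assumption).
HOME_PREFIX = "/home/"

# Constructed sample export: four accounts, three of which carry
# security-sensitive values an arbitrary writer might have planted.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uid: alice
uidNumber: 1001
gidNumber: 100
loginShell: /usr/bin/sh
homeDirectory: /home/alice

dn: CN=bob,CN=Users,DC=example,DC=com
uid: bob
uidNumber: 0
gidNumber: 100
loginShell: /usr/bin/ksh
homeDirectory: /home/bob

dn: CN=carol,CN=Users,DC=example,DC=com
uid: carol
uidNumber: 1003
gidNumber: 0
loginShell: /usr/bin/ksh
homeDirectory: /etc

dn: CN=dave,CN=Users,DC=example,DC=com
uid: dave
uidNumber: 1001
gidNumber: 100
loginShell: /tmp/evil
homeDirectory: /home/dave
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries; each entry maps the
    lower-cased attribute name to a list of string values."""
    # Unfold continuation lines: a leading space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():            # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_posix_entries(entries, allowed_shells=ALLOWED_SHELLS, home_prefix=HOME_PREFIX):
    """Return a list of (dn, issue) findings for security-sensitive POSIX values."""
    findings = []
    seen_uid_numbers = {}               # uidNumber -> first dn that carried it
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        name = entry.get("uid", [""])[0]
        uid_number = entry.get("uidnumber", [None])[0]
        gid_number = entry.get("gidnumber", [None])[0]
        shell = entry.get("loginshell", [None])[0]
        home = entry.get("homedirectory", [None])[0]

        if uid_number is None or gid_number is None:
            findings.append((dn, "missing uidNumber or gidNumber"))
            continue
        # uid 0 is the superuser on HP-UX; only the root account may carry it.
        if uid_number == "0" and name != "root":
            findings.append((dn, "uidNumber 0 (superuser) assigned to non-root account"))
        if gid_number == "0" and name != "root":
            findings.append((dn, "gidNumber 0 assigned to non-root account"))
        # Two accounts sharing a uidNumber are indistinguishable to the kernel.
        if uid_number in seen_uid_numbers:
            findings.append((dn, f"uidNumber {uid_number} shared with {seen_uid_numbers[uid_number]}"))
        else:
            seen_uid_numbers[uid_number] = dn
        if shell not in allowed_shells:
            findings.append((dn, f"loginShell {shell} not in allowed list"))
        if name != "root" and (home is None or not home.startswith(home_prefix)):
            findings.append((dn, f"homeDirectory {home} outside {home_prefix}"))
    return findings


if __name__ == "__main__":
    for dn, issue in audit_posix_entries(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {issue}")
```

Run against a real export, the script reports every account that has drifted from the expected values, which is the evidence needed to find out which ACL delegation allowed the change. The root account is exempted from the uid 0 and home directory checks only because it normally stays in the local /etc/passwd rather than the directory; if it is stored in the directory, that exemption should be reviewed.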