ADSM-L

Re: Security question

1999-08-30 16:07:35
Subject: Re: Security question
From: Bill Colwell <bcolwell AT DRAPER DOT COM>
Date: Mon, 30 Aug 1999 16:07:35 -0400
When you register the node you can add 'forcepw=y' to the reg command,
or check box it on a gui/web panel.  This will make the initial password
pre-expired.  If you use 'passwordaccess=generate' on the client,
the initial password will be requested once, then a new one will be generated
and stored on the client in the registry.  No one will know this new password!

This effectively ties a node to a machine.

Do the set command 'SET INVALIDPWLIMIT' to limit attempts by others to crack
the password.  Monitor the ip address in the ANR0406I messages to track cracking
attempts.

--
--------------------------
Bill Colwell
C. S. Draper Lab
Cambridge, Ma.
--------------------------
In <0AB1037CADA70420*/c=US/admd=TeleMail/prmd=Deloitte/o=ccMailGW/s=Cooper/g=Joel/@MHS>,
 on 08/30/99
   at 02:24 PM, Joel Cooper <jocooper AT DTTUS DOT COM> said:

>Hello:

>I am working with about 50 Windows clients (so far) and will also have about 4
>or 5 Novell clients going to my ADSM Server. When our IBM engineer came to help
>us get started, he used our node names for the node passwords also. This is nice
>and easy to remember, but as I work through implementation, it becomes obvious
>that there is a security risk. Other clients could identify themselves to the
>server as a different node and restore information that wasn't really theirs.

>I am expiring the passwords right now and letting the client generate new,
>encrypted passwords. But I wondered if someone had brainstormed this already
>and found the best solution. All of my clients are Windows and Novell. I don't
>have any Unix clients on this server.

>Thanks for any feedback,

>Joel Cooper
>Deloitte & Touche LLP
>jocooper AT dttus DOT com
>615-882-7701
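
The monitoring step suggested in the reply above (watching the IP address in ANR0406I messages), sketched as an added example that is not part of the original thread. The message layout in the regular expression is an assumption to check against your own activity log, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of the ANR0406I session-start message; adjust the pattern
# to match what your server's activity log actually prints.
ANR0406I = re.compile(
    r"ANR0406I Session (?P<session>\d+) started for node (?P<node>\S+) "
    r"\((?P<platform>[^)]*)\) \(Tcp/Ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\(\d+\)\)"
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
08/30/99 09:00:01 ANR0406I Session 101 started for node PAYROLL1 (WinNT) (Tcp/Ip 10.1.1.21(1034)).
08/30/99 09:05:12 ANR0406I Session 102 started for node HR2 (WinNT) (Tcp/Ip 10.1.1.22(1040)).
08/30/99 10:15:40 ANR0406I Session 110 started for node PAYROLL1 (WinNT) (Tcp/Ip 10.1.1.21(1102)).
08/30/99 11:42:03 ANR0406I Session 117 started for node PAYROLL1 (WinNT) (Tcp/Ip 10.1.1.77(1311)).
08/30/99 11:43:10 ANR0406I Session 118 started for node HR2 (WinNT) (Tcp/Ip 10.1.1.77(1312)).
08/30/99 12:00:00 ANR0403I Session 118 ended for node HR2 (WinNT).
"""

def find_node_ip_changes(log_text, baseline=None):
    """Return (node, expected_ip, seen_ip, session) for each session that starts
    from an address other than the node's expected one. Nodes missing from
    baseline are learned from the first session seen."""
    expected = dict(baseline or {})
    alerts = []
    for m in ANR0406I.finditer(log_text):
        node, ip = m["node"], m["ip"]
        if expected.setdefault(node, ip) != ip:
            alerts.append((node, expected[node], ip, int(m["session"])))
    return alerts

def addresses_using_multiple_nodes(log_text):
    """Return {ip: [nodes]} for addresses that signed on as more than one node,
    the pattern left by one machine identifying itself as other nodes."""
    nodes_by_ip = defaultdict(set)
    for m in ANR0406I.finditer(log_text):
        nodes_by_ip[m["ip"]].add(m["node"])
    return {ip: sorted(n) for ip, n in nodes_by_ip.items() if len(n) > 1}

if __name__ == "__main__":
    for node, want, seen, session in find_node_ip_changes(SAMPLE_LOG):
        print(f"session {session}: node {node} expected from {want}, seen from {seen}")
    for ip, nodes in addresses_using_multiple_nodes(SAMPLE_LOG).items():
        print(f"{ip} signed on as: {', '.join(nodes)}")
```

Where client addresses are assigned dynamically, pass a maintained `baseline` or compare on subnet instead, since a learned first address will go stale.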