When you register the node you can add 'forcepw=y' to the reg command,
or check the box on a GUI/web panel. This will make the initial password
pre-expired. If you use 'passwordaccess=generate' on the client,
the initial password will be requested once, then a new one will be generated
and stored on the client in the registry. No one will know this new password!
This effectively ties a node to a machine.
Do the set command 'SET INVALIDPWLIMIT' to limit attempts by others to crack
the password. Monitor the IP address in the ANR0406I messages to track cracking
attempts.
--
--------------------------
Bill Colwell
C. S. Draper Lab
Cambridge, Ma.
--------------------------
In
<0AB1037CADA70420*/c=US/admd=TeleMail/prmd=Deloitte/o=ccMailGW/s=Cooper/g=Joel/@MHS>,
on 08/30/99
at 02:24 PM, Joel Cooper <jocooper AT DTTUS DOT COM> said:
>Hello:
>I am working with about 50 Windows clients (so far) and will also have about 4
>or 5 Novell clients going to my ADSM Server. When our IBM engineer came to help
>us get started, he used our node names for the node passwords also. This is
>nice and easy to remember, but as I work through implementation, it becomes obvious
>that there is a security risk. Other clients could identify themselves to the
>server as a different node and restore information that wasn't really theirs.
>I am expiring the passwords right now and letting the client generate new,
>encrypted passwords. But I wondered if someone had brainstormed this already
>and found the best solution. All of my clients are Windows and Novell. I don't
>have any Unix clients on this server.
>Thanks for any feedback,
>Joel Cooper
>Deloitte & Touche LLP
>jocooper AT dttus DOT com
>615-882-7701
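As an added illustration of the monitoring step Bill describes (watching the client address in ANR0406I session-start messages), here is a small script that is not part of the original thread or of the ADSM product. It parses session-start lines from an activity log and flags two patterns that matter once a node is tied to one machine: a node name arriving from more than one IP address (someone else presenting that node's name), and a single IP address presenting many different node names (someone walking the node list). The log lines are constructed samples in the ANR0406I layout as I recall it ("Session N started for node NAME (platform) (Tcp/Ip addr(port))"); the exact wording in a given ADSM release, and the ANR0403I session-end line included as a non-matching example, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample activity-log excerpt (not real server output). The
# ANR0406I layout is assumed; the ANR0403I line is there only to show that
# non-matching messages are skipped.
SAMPLE_LOG = """\
08/30/1999 14:10:02 ANR0406I Session 101 started for node WS-ACCT01 (WinNT) (Tcp/Ip 10.1.5.21(1034)).
08/30/1999 14:10:40 ANR0406I Session 102 started for node WS-ACCT02 (WinNT) (Tcp/Ip 10.1.5.22(1040)).
08/30/1999 14:12:15 ANR0403I Session 101 ended for node WS-ACCT01 (WinNT).
08/30/1999 14:13:03 ANR0406I Session 103 started for node NW-FILE1 (NetWare) (Tcp/Ip 10.1.9.4(1201)).
08/30/1999 14:20:11 ANR0406I Session 104 started for node WS-ACCT01 (WinNT) (Tcp/Ip 10.1.5.99(1300)).
08/30/1999 14:20:14 ANR0406I Session 105 started for node WS-ACCT02 (WinNT) (Tcp/Ip 10.1.5.99(1301)).
08/30/1999 14:20:19 ANR0406I Session 106 started for node NW-FILE1 (NetWare) (Tcp/Ip 10.1.5.99(1302)).
08/30/1999 14:31:48 ANR0406I Session 107 started for node WS-ACCT01 (WinNT) (Tcp/Ip 10.1.5.21(1035)).
"""

# Matches the assumed ANR0406I layout; the date/time prefix is ignored.
SESSION_RE = re.compile(
    r"ANR0406I Session (\d+) started for node (\S+) \(([^)]*)\) "
    r"\(Tcp/Ip ([\d.]+)\((\d+)\)\)"
)


def parse_sessions(log_text):
    """Return one dict per ANR0406I line: session, node, platform, ip, port."""
    sessions = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # session-end, admin-command and other messages are skipped
        sess, node, platform, ip, port = m.groups()
        sessions.append({"session": int(sess), "node": node,
                         "platform": platform, "ip": ip, "port": int(port)})
    return sessions


def nodes_from_multiple_ips(sessions):
    """Node names that have started sessions from more than one address.

    With passwordaccess=generate a node's password lives on one machine, so a
    second source address for the same node name is worth a look."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s["node"]].add(s["ip"])
    return {node: sorted(ips) for node, ips in seen.items() if len(ips) > 1}


def ips_presenting_many_nodes(sessions, threshold=3):
    """Addresses that presented at least `threshold` distinct node names,
    the shape a brute-force or node-guessing run leaves in the log."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s["ip"]].add(s["node"])
    return {ip: sorted(nodes) for ip, nodes in seen.items()
            if len(nodes) >= threshold}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for node, ips in nodes_from_multiple_ips(sessions).items():
        print("node %s seen from %s" % (node, ", ".join(ips)))
    for ip, nodes in ips_presenting_many_nodes(sessions).items():
        print("address %s presented %d node names: %s"
              % (ip, len(nodes), ", ".join(nodes)))
```

Run it against a real activity log by replacing SAMPLE_LOG with the text from 'QUERY ACTLOG' output; the threshold for the second check should be raised on servers where a proxy or NAT gateway legitimately fronts many clients from one address.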