Here are two command procedures for protecting a networked vax from attacks
directed at the default decnet account.  The procedures were written for easy
readability and modification.

Both of the schemes embodied in these procedures have been tested and
proven successful against a variety of scenarios.

The first procedure, CLOSEUP-II.COM, selectively allows access from default
DECNET processes only to the objects MAIL, $MOM, NML, PHONE and if present,
FINGER and SEND.

The second procedure, CLOSEUP-III.COM, turns off all access to FAL and takes
the additional step of redirecting all requests for access to the object TASK,
to a different account with a different default directory.

Both procedures set the DECNET account for no-interactive logins and lock
its password.

CLOSEUP-II provides for some fine-tuning in that the procedure can be edited
to provide default DECNET access to more or fewer objects as one wishes.

In either case, any of the network objects may be freely executed when
the remote process has provided an access control string to an account
on your machine other than the default DECNET account.

There has been no consideration regarding mutual compatibility.  So please,
just use one or the other.