From: AITGW::"MACRO32@WKUVX1.BITNET" 10-MAR-1992 01:40:29.97
To: "macro32@wkuvx1.bitnet"@uunet.UU.NET
CC: JON@uunet.UU.NET
Subj: Console security - VAXstation 3100 Model 38

Received: by AITGW.DECnet (utk-mail11 v1.5) ; Tue, 10 Mar 92 01:40:00 EST
Received: from ukcc.uky.edu by aitgw.ge.com (5.65/GE Gateway 1.5) id AA23518; Tue, 10 Mar 92 01:39:54 -0500
Received: from ukcc.uky.edu by UKCC.uky.edu (IBM VM SMTP V2R2) with BSMTP id 9612; Tue, 10 Mar 92 01:33:15 EST
Received: from UKCC by ukcc.uky.edu (Mailer R2.08) with BSMTP id 0520; Tue, 10 Mar 92 01:32:56 EST
Received: from WKUVX1.BITNET by ukcc.uky.edu (Mailer R2.08) with BSMTP id 0433; Tue, 10 Mar 92 01:31:12 EST
Errors-To: MacroMan@WKUVX1.BITNET
X-Listname: "VMS Internals, MACRO, and BLISS Discussions"
Received: from MITVMA.MIT.EDU (MAILER) by WKUVX1 (MX V3.0A) with BSMTP; Tue, 10 Mar 1992 00:32:10 CST
Received: from MITVMA by MITVMA.MIT.EDU (Mailer R2.08 R208004) with BSMTP id 6746; Tue, 10 Mar 92 01:22:40 EST
Received: from relay1.UU.NET by mitvma.mit.edu (IBM VM SMTP V2R2) with TCP; Tue, 10 Mar 92 01:22:39 EST
Received: from uunet.uu.net (via LOCALHOST.UU.NET) by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA14088; Tue, 10 Mar 92 01:22:22 -0500
Message-Id: <9203100622.AA14088@relay1.UU.NET>
Received: from tron.UUCP by uunet.uu.net with UUCP/RMAIL (queueing-rmail) id 012156.1546; Tue, 10 Mar 1992 01:21:56 EST
Date: Mon, 9 Mar 92 23:22:33 -0500
From: "(Jon Pinkley, Westinghouse (216)486-8300 x1335)"
Reply-To: MACRO32@WKUVX1.BITNET
To: "macro32@wkuvx1.bitnet"@uunet.UU.NET
Cc: JON@uunet.UU.NET
Subject: Console security - VAXstation 3100 Model 38

Ehud,

You didn't specify what your system is, although it must be bootable over
the ethernet. MicroVAXes and VAXStations both fall into that category.

> Now obviously there are two holes:
> 1. Someone can take the disk out and physically
> attach it elsewhere.
> 2. Someone can boot my system as a satellite node
> and then access the local device.
>
> Does anybody have any reasonable ideas how to prevent #2?

Does your VAX implement the console password feature? I know that our
VAX 4000-300's do NOT have this feature, and my VAXstation 3100-M38 does.
We have the VAX 4000's in our computer room with reasonable physical
security, my workstation in a semi-open area.

As has already been discussed, most (if not all) VAXStations made in the
last 18 months have password-protected consoles. (My VAXStation 3100 M38
Owner's Manual discusses it, and it was printed in June 1990.)

When PSE is set to 1, only the following commands work:

    Boot      (with NO parameters)
    Login     (to allow normal console commands like examine, deposit)
    Continue  (for people that were trying to grant themselves privs but
               discovered they couldn't) ! so they can leave you a lame excuse

All other commands, including HELP, return a 23? ILL CMD error message.

As long as you can assume the following:

1. nobody is going to open up your box (risky assumption)
2. you have set the console PASSWORD to something not easily guessable
3. you have enabled the console password, i.e. >>> SET PSE 1
4. your default boot is set to a local disk that is INSIDE your box and is
   therefore "safe".
5. You never boot from ethernet (unless you can be 100% sure that you are
   booting from one of your own machines).

If the default boot device is external, someone can just bring another
system disk to your machine, set the SCSI id to what yours is set to, and
replace your disk. Then they would have control of your local disks.

The reason I mention 5 is because if you ever boot from another system that
you don't control, you can't be sure of the integrity of your disk and NVRAM.

And although it isn't nearly as exciting, you should protect your system
backups with the same degree of paranoia that you protect your system.
Just for the record, the VAXStation 3100 M38 that I have displays the
following when I enter the command SHOW VER at the console:

    >>> SHOW PSE
    0
    >>> SHOW VER
    KA42-B V1.1C6-17A-V6.2-262 PST: 17A CON: 1C6 VMB: V6.2 ROM: 262
    >>> SET PSE 1
    >>> BOOT ESA0
    ?23 ILL CMD
    >>> HELP
    ?23 ILL CMD
    >>> B
    -DKA300

and boots. Note that it still prints the default boot device, so it would be
easy for someone to know which SCSI id to use if they want to replace your
system disk.

I would be interested if there is a newer version of firmware than that
listed above.

It should be possible to upgrade older 3100's to include the password
feature with a newer version of firmware; the encrypted password is stored
in the same NVRAM as the default boot device, boot flags, etc.

Why the feature wasn't included in the VAX 4000-300, I don't know. For us it
wasn't a problem since ours are kept in a computer room, but DEC is selling
these into the office environment market. It doesn't seem that the VAX 4000
would need to save a lot more in its NVRAM than a VAXstation, and it probably
has about the same amount of NVRAM.

Also, the following may be of interest for people that want to compare their
VAXstations.

    $ write sys$output f$getsyi("node_hwtype")
    3100
    $ write sys$output f$getsyi("node_hwvers")
    00940000000000000A000005
    $ write sys$output f$getsyi("hw_name")
    VAXstation 3100
    $ write sys$output f$getsyi("hw_model")
    148
    $ write sys$output f$getsyi("version")
    V5.4-2

I don't know about other VAXstations from first-hand experience.

Jon Pinkley
jon@clevax.wec.com  ...uunet!tron!clevax!jon  (216)486-8300 x1335
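The console behaviour described in the message, turned into a check that can be run over a captured console session. This is an added example, not part of the original message or any DEC tooling; the transcript's line breaks, treating LOGIN as a successful unlock, and reading ES* device names as Ethernet are assumptions, and `parse_session` and `audit` are hypothetical names.

```python
# Constructed sample: the message's console session, one entry per line.
SAMPLE = """\
>>> SHOW PSE
0
>>> SET PSE 1
>>> BOOT ESA0
?23 ILL CMD
>>> HELP
?23 ILL CMD
>>> B
-DKA300
"""
# Commands the message says still work when PSE is 1 (B as typed there).
ALLOWED = {"B", "BOOT", "LOGIN", "CONTINUE"}

def parse_session(text):
    """Group a transcript into (command words, [responses]) per >>> prompt."""
    steps = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(">>>"):
            steps.append((line[3:].upper().split(), []))
        elif steps:
            steps[-1][1].append(line)
    return [s for s in steps if s[0]]

def audit(text):
    """Return (pse, default_boot_device, findings) for one console session."""
    pse, unlocked, boot_dev, findings = None, False, None, []
    for words, resp in parse_session(text):
        rejected = any(r.startswith("?23") for r in resp)
        locked = pse == 1 and not unlocked
        boot_args = words[0] in ("B", "BOOT") and len(words) > 1
        if locked and not rejected and (words[0] not in ALLOWED or boot_args):
            findings.append(f"{' '.join(words)!r} accepted while locked")
        if rejected:
            continue
        if words[:2] == ["SHOW", "PSE"] and resp[:1] in (["0"], ["1"]):
            pse = int(resp[0])
        elif words[:2] == ["SET", "PSE"] and words[2:] in (["0"], ["1"]):
            pse, unlocked = int(words[2]), False
        elif words[0] == "LOGIN":  # assumes the password prompt succeeded
            unlocked = True
        elif words == ["B"] or words == ["BOOT"]:
            boot_dev = resp[0].lstrip("-") if resp else boot_dev
    if pse != 1:
        findings.append("console password not enabled (PSE is not 1)")
    if boot_dev and boot_dev.startswith("ES"):  # ES* assumed to be Ethernet
        findings.append(f"default boot device {boot_dev} is a network boot")
    return pse, boot_dev, findings
```

`audit(SAMPLE)` returns no findings for the session in the message; a session where PSE stays 0, or where a parameterized BOOT is accepted after SET PSE 1, produces one finding per deviation.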