Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!ames!rutgers!rochester!cornell!batcomputer!tedcrane
From: tedcrane@batcomputer.tn.cornell.edu (Ted Crane)
Newsgroups: comp.os.vms
Subject: Re:  DCL DECnet command procedure
Message-ID: <3018@batcomputer.tn.cornell.edu>
Date: Thu, 26-Nov-87 15:13:14 EST
Article-I.D.: batcompu.3018
Posted: Thu Nov 26 15:13:14 1987
Date-Received: Sun, 29-Nov-87 16:49:32 EST
References: <28rrk@byuvax.bitnet>
Reply-To: tedcrane@tcgould.tn.cornell.edu (Ted Crane)
Organization: Tompkins County Computing, Ithaca, NY
Lines: 50

In article <28rrk@byuvax.bitnet> rrk@byuvax.bitnet writes:
>If you set your print devices spooled, anyone on or off the system can print
>for free by copying to node::device:.

Only if there is a default DECnet account, proxy logins, or they supply
an explicit username/pswd string.  Once again, the default DECnet account
is the security hole...if a system manager provides it, they are inviting
others to use it!

>I know of NO reason for ever making a device spooled, but most system managers
>do it anyway.

Well, in most if not all of the examples they provide, DEC suggests that this
be done.  I agree with you--there isn't a whole lot of excuse to spool a device
(see caveat below), but you've got to argue with Dr.DEC as well as the
misguided system managers.  Caveat:  some applications have a bad habit of
printing by opening a file directly to the line printer device (or equivalent).
This is not a great idea, really, but is usually the result of ported, updated,
or just plain resurrected old code.  Sure, someone should rewrite the old code,
but who?  Until then, spooled devices *sure are handy*!

>Another good idea is probably to enter a proxy for node::* to * so that
>all local users cannot access the local system via the DECNet account.
>(It is a very BAD idea to do such a wildcard proxy between two systems not
>managed by the same person, as it allows "superusers" of one system to exploit
>the other system by changing username).

Sure, I agree.  But there are problems.  First, you should avoid (like the
plague) setting proxies to privileged accounts.  Do this by adding explicit
proxies to the list in addition to the one wildcard entry.  Second, this
scheme requires that usernames be the same on all machines.  Not impossible,
but not real likely, either.  Clusters with a common SYSUAF help a lot here.
Third, *almost any* privileged user on any node can fake this system out.
Once again, we are relying on trustworthy users.

>I would disallow all access for the DECNET username except for mail (possibly).
>Why allow remote users to see all your directories, to execute com procedures,
>print files, see who's on the system, etc.  If a manager doesn't worry about
>his network--I won't go so far as to say that he deserves to have his security
>compromised; no one deserves that--he can expect to have his security
>compromised.

The default DECnet account is a useful tool.  Yes, it opens up a real can of
worms.  This may be more than a security-minded manager can accept.  But the
functionality you lose by removing it is significant.  The manager should
provide replacement tools.  Has anyone considered something like this in the
SYS$SYLOGIN procedure:
	$ if  .eqs.  -
	  then set command/delete=
Not totally effective, yet worth a try.
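Editor's note: the fragment above lost its comparison operands in transit, so here is a complete SYS$SYLOGIN fragment of the kind the poster is sketching.  It is an added example, not Ted Crane's code or anything DEC shipped.  The F$MODE() test, the account name DECNET (the customary name of the default DECnet account) and the particular verb list are this editor's assumptions.

```dcl
$! Added example, not from the original post.  Drop this into
$! SYS$MANAGER:SYLOGIN.COM to strip DCL verbs from the default DECnet
$! account when it logs in over the network.
$!
$! F$MODE() returns "NETWORK" for processes created by DECnet objects
$! (FAL, MAIL, TASK, ...).  Interactive and batch logins fall through.
$ IF F$MODE() .NES. "NETWORK" THEN GOTO DONE
$!
$! Only restrict the default account.  Proxy logins land in a named
$! user's account and keep that user's normal environment.  The name
$! DECNET is assumed; F$GETJPI pads USERNAME with blanks, hence the TRIM.
$ IF F$EDIT(F$GETJPI("", "USERNAME"), "TRIM") .NES. "DECNET" THEN GOTO DONE
$!
$! Delete the verbs the quoted poster objects to from this process's
$! command table.  SET COMMAND/DELETE affects only this process.  RUN is
$! deliberately kept: the object command files (FAL.COM, MAIL.COM) use
$! it, so deleting it would disable the account entirely rather than
$! trimming it.
$ SET COMMAND/DELETE=(DIRECTORY, PRINT, SHOW, SUBMIT, COPY, TYPE, SPAWN)
$DONE:
$ EXIT
```

This is exactly as partial as the poster says: it only constrains things that go through DCL in the network process (for instance a command procedure started via the TASK object).  A remote "DIRECTORY node::" is served by the FAL image itself, which never looks at the command table, so the only real fix for that case is to remove the default account or take the proxy route discussed above.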