From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 11-SEP-1990 10:27:15.59
To: MRGATE::"ARISIA::EVERHART"
CC:
Subj: More Features of VMS 5.4

Received: by crdgw1.ge.com (5.57/GE 1.70) id AA10333; Tue, 11 Sep 90 10:14:14 EDT
Received: From PUCC.PRINCETON.EDU by CRVAX.SRI.COM with TCP; Tue, 11 SEP 90 07:02:39 PDT
Received: from IRLEARN.UCD.IE by pucc.PRINCETON.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 6828; Tue, 11 Sep 90 09:54:50 EDT
Received: from ccvax.ucd.ie by IRLEARN.UCD.IE (Mailer R2.03B) with BSMTP id 5429; Tue, 11 Sep 90 14:25:46 GMT
Date: Tue, 11 Sep 90 14:18 WET
From: "Tom Wade, VMS Systems"
Subject: More Features of VMS 5.4
Sender: "Tom Wade, Systems"
To: info-vax@kl.sri.com
Message-Id: <37069332469F407A51@ccvax.ucd.ie>
X-Envelope-To: info-vax@kl.sri.com
X-Vms-To: IN%"info-vax@kl.sri.com"

Here are some more features, mainly relating to security, about VMS 5.4.
Taken from a presentation to DECUS Ireland 29-31 August 1990.

* System Password Dictionary. Contains list of 'forbidden' passwords. This
  includes all the words used by the Internet Worm. Approx 50000 English
  words (international spelling). The dictionary is an indexed file, so you
  can add words via CONVERT/EDIT/CONVERT. UAF flag can disable this check.

* Passwords containing username or nodename are forbidden (I think subject
  to a minimum length, e.g. nodename "E" would cause problems).

* Supported access points to the password policy (both at plaintext and hash
  points) providing the ability for a site to augment password policies.

* Password history. You can't reuse a password within a year. 60 passwords
  are remembered for a year, and if you use them all up within that time you
  are forced to use generated passwords (this is presumably to stop wise guys
  from running command procedures to flush out the password cache).

* New $GETJPI item codes. Returns info about active process and system
  rights, date and time of last (non)interactive login, login failures, and
  various login flags (new mail, password expired, expiry warning).

* New $GETSYI item codes for system rights list. Lexical support in F$GETJPI
  and F$GETSYI for new item codes.

* /[NO]RIGHTLIST qualifier on SHOW PROCESS

* /DELETE=ALL keyword on SET ACL.

* Protected subsystems. This allows identifiers to be temporarily associated
  with a process while a particular image is activated. This is functionally
  equivalent of "installing an image with identifiers" [Loud Cheers],
  although it is not done via INSTALL.

* New System Services $AUDIT_EVENT and $CHECK_PRIVILEGE

* A future major release after 5.4 will bump the major version ID, requiring
  the relinking of privileged code and drivers

* ARB data structure will in the future move out of the PCB. Replace
  PCB$L_UIC by ARB$L_UIC and PCB$Q_PRIV by ARB$Q_PRIV recommended that
  privilege checks are done by the new service.

(While I believe the above to be true, please do not take it as a commitment
by me, DECUS or DEC to provide this.. etc etc).

Anybody else with other 'goodies' in 5.4 (particularly the 9000 sites) like
to share ?

------------------------------------------------------------------------------
Tom Wade            | Internet: T.Wade@cc.ucd.ie (all domain mailers).
Speaker To VAXes    | Bitnet: T_WADE@CCVAX
EuroKom             | PSI-Mail: PSI%27243154000712::T.WADE
University College  | DEC EASYnet: DECWRL::"t.wade@cc.ucd.ie" (VMS Mail)
Belfield            | JANET: t.wade%cc.ucd.ie@UK.AC.EARN-RELAY
Dublin 4            | X400: [Address Exceeds 65536 byte buffer]
Ireland             | Telex: (0500) 91178 UCD EI ("TO WADE" at start)
--------------------+----------------------------------------------------------
Voice: +353-1-697890| Official Disclaimer: "This is not a disclaimer"
Fax: +353-1-838605  |
-------------------------------------------------------------------------------
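
The password rules listed in the message above (forbidden-word dictionary, username/nodename check, one-year history of 60 passwords), modelled in Python as an added example; it is not part of the original post and is not DEC's code. MIN_NAME_LEN, the sample dictionary words, the SHA-256 digests, case folding and the Account class are assumptions made for illustration.

```python
import hashlib
from datetime import timedelta

HISTORY_LIMIT = 60                        # post: 60 passwords are remembered
HISTORY_LIFETIME = timedelta(days=365)    # post: for a year
MIN_NAME_LEN = 3                          # assumption: the post only guesses a minimum exists
FORBIDDEN = {"password", "wizard", "aaa"}  # constructed stand-in for the ~50000-word dictionary


def _digest(password):
    # Assumption: history holds digests, not plaintext; SHA-256 is a stand-in hash.
    return hashlib.sha256(password.lower().encode()).hexdigest()


class Account:
    def __init__(self, username, nodename, dictionary_check=True):
        self.username = username
        self.nodename = nodename
        self.dictionary_check = dictionary_check  # models the UAF flag that disables the check
        self.history = []                         # (digest, time the password was set)

    def _live_history(self, now):
        # Entries older than a year no longer count against the user.
        return [(d, t) for d, t in self.history if now - t < HISTORY_LIFETIME]

    def must_use_generated(self, now):
        # Rapid cycling to flush the history fills it instead.
        return len(self._live_history(now)) >= HISTORY_LIMIT

    def check(self, candidate, now):
        """Return why a user-chosen password is refused, or None if it is accepted."""
        low = candidate.lower()
        if self.must_use_generated(now):
            return "history full: generated password required"
        if self.dictionary_check and low in FORBIDDEN:
            return "in system password dictionary"
        for name in (self.username, self.nodename):
            if len(name) >= MIN_NAME_LEN and name.lower() in low:
                return "contains username or nodename"
        if any(d == _digest(candidate) for d, _ in self._live_history(now)):
            return "reused within a year"
        return None

    def set_password(self, candidate, now):
        reason = self.check(candidate, now)
        if reason is None:
            self.history = self._live_history(now) + [(_digest(candidate), now)]
        return reason
```

Cycling through 60 throwaway passwords to get back to an old one leaves the account locked into generated passwords until the entries age out, which is the behaviour the post attributes to the history limit.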