From:	AITGW::"MACRO32@WKUVX1.BITNET" 10-MAR-1992 01:40:29.97
To:	"macro32@wkuvx1.bitnet"@uunet.UU.NET
CC:	JON@uunet.UU.NET
Subj:	Console security - VAXstation 3100 Model 38

Errors-To: MacroMan@WKUVX1.BITNET
X-Listname: "VMS Internals, MACRO, and BLISS Discussions"
    <MACRO32@WKUVX1.BITNET>
Message-Id: <9203100622.AA14088@relay1.UU.NET>
Date: Mon, 9 Mar 92 23:22:33 -0500
From: "(Jon Pinkley, Westinghouse (216)486-8300 x1335)"
      <tron!clevax.dnet!jon@uunet.UU.NET>
Reply-To: MACRO32@WKUVX1.BITNET
 
Ehud,
 
You didn't specify what your system is, although it must be bootable
over the ethernet.  MicroVAXes and VAXStations both fall into that
category.
 
>         Now obviously there are two holes:
>                 1. Someone can take the disk out and physically
>                    attach it elsewhere.
>                 2. Someone can boot my system as a satellite node
>                    and then access the local device.
>
>         Does anybody have any reasonable ideas how to prevent #2?
 
Does your VAX implement the console password feature?  I know that our
VAX 4000-300's do NOT have this feature, and my VAXstation 3100-M38 does.
We have the VAX 4000's in our computer room with reasonable physical
security; my workstation is in a semi-open area.
 
As has already been discussed, most (if not all) VAXStations
made in the last 18 months have password-protected consoles.  (My
VAXStation 3100 M38 Owner's Manual discusses it, and it was printed
in June 1990.)  When PSE is set to 1, only the following commands
work:
 
   Boot (with NO parameters)
   Login (to allow normal console commands like examine, deposit)
   Continue (for people that were trying to grant themselves privs
        but discovered they couldn't)
   ! so they can leave you a lame excuse
 
All other commands, including HELP, return a
 
?23 ILL CMD
 
error message.
 
As long as you can assume the following:
 
   1.  nobody is going to open up your box   (risky assumption)
   2.  you have set the console PASSWORD to something not easily guessable
   3.  you have enabled the console password, i.e. >>> SET PSE 1
   4.  your default boot is set to a local disk that is INSIDE your
       box and is therefore "safe".
   5.  You never boot from ethernet (unless you can be 100% sure that
       you are booting from one of your own machines).
 
If the default boot device is external, someone can just bring
another system disk to your machine, set the SCSI id to what yours
is set to, and replace your disk.  Then they would have control of
your local disks.
 
The reason I mention 5 is because if you ever boot from another
system that you don't control, you can't be sure of the integrity
of your disk and NVRAM.
 
And although it isn't nearly as exciting, you should protect your
system backups with the same degree of paranoia that you protect
your system.
 
Just for the record the VAXStation 3100 M38 that I have displays the
following when I enter the command SHOW VER at the console:
 
>>> SHOW PSE
0
>>> SHOW VER
 
KA42-B  V1.1C6-17A-V6.2-262
 
   PST: 17A
   CON: 1C6
   VMB: V6.2
   ROM: 262
 
>>> SET PSE 1
>>> BOOT ESA0
?23 ILL CMD
>>> HELP
?23 ILL CMD
>>> B
 
-DKA300
 
and boots.
 
Note that it still prints the default boot device, so it would be
easy for someone to know which SCSI id to use if they want to
replace your system disk.
 
I would be interested if there is a newer version of firmware than
that listed above.  It should be possible to upgrade older 3100's to
include the password feature with a newer version of firmware; the
encrypted password is stored in the same NVRAM as the default boot
device, boot flags, etc.  Why the feature wasn't included in the
VAX 4000-300, I don't know.  For us it wasn't a problem since ours
are kept in a computer room, but DEC is selling these into the
office environment market.  It doesn't seem that the VAX 4000 would
need to save a lot more in its NVRAM than a VAXstation, and it
probably has about the same amount of NVRAM.
 
Also the following may be of interest for people that want to
compare their VAXstations.
 
$ write sys$output f$getsyi("node_hwtype")
3100
$ write sys$output f$getsyi("node_hwvers")
00940000000000000A000005
$ write sys$output f$getsyi("hw_name")
VAXstation 3100
$ write sys$output f$getsyi("hw_model")
148
$ write sys$output f$getsyi("version")
V5.4-2
 
I don't know about other VAXstations from firsthand experience.
 
Jon Pinkley  jon@clevax.wec.com  ...uunet!tron!clevax!jon (216)486-8300 x1335
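
Added example, not part of the original message: Python that checks a captured console transcript against points 3 to 5 of the checklist above (PSE enabled, other commands rejected, default boot not Ethernet). It assumes the console session was logged as text and that device names beginning with ES are Ethernet, as in the BOOT ESA0 line; it cannot tell whether the boot disk is inside the box.

```python
import re

# Constructed sample: the console session from the message above, as it
# might appear in a serial-console capture (the capture is an assumption).
SAMPLE = """\
>>> SHOW PSE
0
>>> SET PSE 1
>>> BOOT ESA0
?23 ILL CMD
>>> HELP
?23 ILL CMD
>>> B

-DKA300
"""

def parse_session(text):
    """Return a list of (command, [output lines]) pairs from a >>> transcript."""
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">>>"):
            steps.append((line[3:].strip().upper(), []))
        elif line and steps:
            steps[-1][1].append(line)
    return steps

def audit(text):
    """Check the transcript against points 3-5 of the checklist."""
    findings, pse, boot_dev = [], None, None
    for cmd, out in parse_session(text):
        if cmd == "SHOW PSE" and out and out[0] in ("0", "1"):
            pse = out[0]
        elif cmd == "SET PSE 1":
            pse = "1"
        elif re.fullmatch(r"B(OOT)?", cmd):
            # A bare boot echoes the default device as "-DEVICE".
            boot_dev = next((o[1:] for o in out if o.startswith("-")), boot_dev)
        elif pse == "1" and cmd not in ("LOGIN", "CONTINUE") and not cmd.startswith("!"):
            if "?23 ILL CMD" not in out:
                findings.append(f"'{cmd}' was not rejected while PSE=1")
    if pse != "1":
        findings.append("console password not enabled (PSE is not 1)")
    if boot_dev is None:
        findings.append("default boot device not seen")
    elif boot_dev.startswith("ES"):  # assumption: ES* is Ethernet, as in BOOT ESA0
        findings.append(f"default boot is Ethernet ({boot_dev})")
    return {"pse": pse, "boot_device": boot_dev, "findings": findings}
```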