NETWORK SECURITY SUPPLEMENTAL INFORMATION - PROTECTING THE DECNET ACCOUNT The most important thing that needs to be done to protect a system against the current WORM attacks is to modify accounts where USERNAME=PASSWORD. This is the default configuration for the DECNET account. This can be changed easily, but there appears to be some confusion about the effect that this has on a network. Changing the DECnet default password DOES NOT IMPACT the normal operation of DECnet in any way. -------- The following section provides some background material to illustrate this point: On your system, issue the following commands from a priviliged (CMKRNL,BYPASS,SYSPRV) account: $MCR NCP (or $RUN SYS$SYSTEM:NCP) NCP> show executor characteristics This will produce a list that resembles the following: Node Volatile Characteristics as of 31-OCT-1989 11:02:23 Executor node = 6.133 (NSSDCA) Identification = DECnet-VAX V4.7, VMS V4.7 . . . Nonprivileged user id = DECNET Nonprivileged password = DECNET . . . This is your DECnet executor database. The information listed is the default configuration for your node. The information contained in this list includes "Nonprivileged user id" and "Nonpriviliged Password". This information is what DECnet uses for userid/password when the connecting process a)does not have a proxy, b)does not specify a username/password as part of the access string, and c)does not have a different userid/password defined for the network object being invoked. The access information contained in the executor database is used for reference only. The candidate userid and password (in this case DECNET and DECNET respectively) are then passed to LOGINOUT to validate them against the *REAL* information contained in SYSUAF.DAT. If the information matches, the access is allowed. If the information does not match, the connecting user gets the following error messages: Unable to connect to listner Login Information Invalid at Remote Node -------- In order to correctly change your default network password so that your system cannot be easily exploited by the current DECnet WORM, the following 2 steps must be followed: 1) Change the password for user DECNET in SYSUAF.DAT: UAF> modify DECNET/Password=NEW_DECNET_PASSWORD *NOTE* It is advisable at this time to check that certain other attributes of the DECNET user are properly set: The ONLY access method for this account should be NETWORK. The BATCH, REMOTE, INTERACTIVE, and DIALUP fields should all read "--no access--" The value of PRCLM should be set to ZERO. This is the number of (SPAWNed) sub-processes allowed. The flag LOCKPWD should be set. This prevents anyone but a priviliged user from changing the password. The following command can be used: UAF> MOD DECNET/FLAGS=LOCKPWD/PRCLM=0/NOBATCH/NODIAL/NOINTER/NOREM/NETW 2) Change the password for DECNET in your network executor database: NCP> set exec nonpriviliged password NEW_DECNET_PASSWORD NCP> define exec nonpriviliged password NEW_DECNET_PASSWORD The important thing to remember is that the password must be changed in BOTH places, otherwise your network WILL break. The worm is breaking nodes by penetrating the DECNET account, and changing only the UAF password with the $SET PASSWORD command. By not changing the NCP password, the network no longer accepts INBOUND connections. For more information, consult the VAX/VMS manuals: VMS V4.X - Volume 6 "Networking Manual" VMS V5.x - Volume 5A&5B "Guide to DECnet-VAX Networking" --------------------------------------------------------------------------- Ron Tencati | NCF::TENCATI /6277::TENCATI SPAN Security Manager | Tencati@Nssdca.gsfc.nasa.gov NASA/Goddard Space Flight Center | (301)286-5223 Greenbelt, MD. USA | ---------------------------------------------------------------------------  Downloaded From P-80 International Information Systems 304-744-2253