Initial Security Configuration Best Practices

This section provides best practice guidelines and recommended procedures to assist you in optimizing the security of your MCP environment.

Configuring a High-Security System

It is important to protect system security as the system is being configured. Perform the following steps before and during system configuration:

  1. Establish a system security policy. See Security Policy Management for information about developing policy.

  2. Establish physical security for the system. Follow the recommendations presented in Controlling Access to the Physical System.

  3. Following the procedures of the system software installation guide appropriate for your system, use the Simple Installation (SI) program to install the system software. Do not initialize data comm.

  4. If you are migrating from another MCP system, continue with step 4 to locate the USERDATAFILE. If you did not migrate from another MCP system, skip step 4 and continue with step 5.

    Use the following procedure to determine the name of the disk family on which the USERDATAFILE should reside and to determine whether it exists on that disk family:

    1. To determine where the USERDATAFILE is currently located, type

      DL USERDATA

      Note the name of the family that appears to the right of USERDATA.

    2. To determine if a USERDATAFILE exists on the disk family with the family name identified in the DL display, type

      PD SYSTEM/USERDATAFILE ON <DL user family>

    3. The previous steps should have located your existing USERDATAFILE. If not, install the version of your USERDATAFILE that you previously copied to tape or CD as follows:

      From the ODT, copy the file from tape or CD using one of the following commands:

      COPY *USERDATAFILE/<MMDDHHMM> FROM USERDATATAPE TO <DL user family> (PACK)

      COPY *USERDATAFILE/<MMDDHHMM> FROM USERDATACD (CD) TO <DL user family> (PACK)

    Use Security Center to install this file as follows:

    1. From the MCP Account Management snap-in of Security Center, right-click USERDATAFILE Management from the Root Node in MCP User Account Management.

      The USERDATA Management dialog box displays.

    2. Select the Recall tab.

    3. Enter the name of the USERDATAFILE you copied from tape or CD in the Recall USERDATAFILE box.

    4. Click Rename the Current USERDATAFILE as *USERDATAFILE/<MMDDHHMM> and choose OK.

      This action installs the USERDATAFILE you copied from tape or CD as the current SYSTEM/USERDATAFILE and renames the current USERDATAFILE as *USERDATAFILE/<MMDDHHMM>.

  5. If you did not migrate from another MCP system, continue with step 5.

    Note: The USERDATAFILE contains usercode attribute information such as usercodes, passwords, chargecodes, the remote host access indicator, and security information for each usercode. The USERDATAFILE that is preinstalled in your MCP environment does not contain usercodes; however, you can create usercodes.

    Establishing a Privileged Usercode

    From the ODT, use the following command to establish a privileged usercode for the system administration:

    Note: The following procedure establishes a usercode named ADMINISTRATOR as an example. You can create a usercode with a name appropriate for your system administrator.

    MU ADMINISTRATOR/<password> PRIVILEGED

    The message ADMINISTRATOR PRIVILEGED appears.

    Deleting the Model Usercode

    The model usercode enables an operator to create other usercodes. To delete the model usercode, do the following:

    1. Log on to MARC using the administrator usercode created in the “Establishing a Privileged Usercode” procedure.

    2. In the Choice field, type user and press Enter.

      The Usercodes and Passwords menu appears.

    3. In the Choice field, type RUN and press Enter.

      The Task Window appears.

    4. Type MU; and press Enter.

      The Task Window displays the following message:

      << Deleted

    5. On the Task Window, type BYE and press Enter.

    6. Press SPCFY to return to MARC.

    Use the following procedure to secure your system:

    1. Set up at least one privileged usercode for administration of the system.

      Run Security Center and use the MCP Account Management snap-in. You might need to enter a usercode and password; if so, you need a privileged usercode.

    2. Using Security Center, expand the Usercodes node and right-click Usercode List. Use the procedures documented in the application help to add and delete usercodes.

    Since your USERDATAFILE is a system database that might be in use, you must perform the following procedure to ensure that a copy is made of the USERDATAFILE while it is in a consistent state between transaction updates.

    Perform the following steps from the MCP Account Management snap-in of Security Center:

    1. Select the Copy tab and right-click USERDATAFILE Management from the Root Node in MCP User Account Management.

      The USERDATA Management dialog box displays.

    2. Click Rename the Current USERDATAFILE as *USERDATAFILE/<MMDDHHMM> and choose OK.

      This action makes a copy of the current USERDATAFILE and assigns it the name *USERDATAFILE/<MMDDHHMM>. The file is stored in the DL USERDATA family.

    3. From the ODT, copy the file to tape or CD using one of the following commands:

      COPY *USERDATAFILE/<MMDDHHMM> FROM <DL user family> (PACK) TO USERDATATAPE

      COPY *USERDATAFILE/<MMDDHHMM> FROM <DL user family> (PACK) TO USERDATACD (CD)

  6. Authorize security-administrator status for the system by entering the following command from an ODT:

    ??SECAD +

    This command makes the system SECADMIN option TRUE, authorizing security-administrator status. The command also returns the number of usercodes designated SECADMIN in the USERDATAFILE. If this number does not match the number of SECADMIN users that are supposed to be designated for your system—at this point, that number might be zero—do not proceed until the discrepancy has been explained and resolved.

  7. Next, establish MARC on your system. To establish MARC without automatically initializing data comm, use the OP (Options) system command as follows:

    OP - AUTODC

    Initialize MARC at the ODT by entering

    ??MARC

    This primitive command directs control of the ODT terminal to COMS/ODT/DRIVER. To restart standard system operations, enter the following command on the Action line of a MARC screen:

    ??ODT

    The only primitive commands that are available when an ODT is running under MARC are ??ODT and ??MEMDP (to force a system dump). If the ODT is restricted, the ??RESTRICT- (<security key>) form of the RESTRICT system command also is available.

    When the MARC log-on screen appears, enter the usercode and password that you defined for yourself.

  8. Your first step now that MARC is running is to fully define your usercode. In order for you to have MARC access to system commands, your usercode must have SYSTEMUSER or SYSADMIN status. To enable you to access security functions, the usercode must also have SECADMIN status.

    Run MAKEUSER by choosing the UTILITIES selection on the MARC home screen and then selecting MU on the MARC Utilities screen.

    1. Assign SECADMIN and SYSTEMUSER status to your usercode with the following MAKEUSER statement:

      USER <usercode> SECADMIN SYSTEMUSER;

      To assign SECADMIN and SYSADMIN status to your usercode, use the following MAKEUSER statement:

      USER <usercode> SECADMIN SYSADMIN;

      Enter your usercode in place of <usercode>. The SECADMIN designation grants your usercode exclusive ability to change the USERDATAFILE. In using the SECADMIN designation, follow the suggestions given in the SECADMIN description in “Security Function Access (SECADMIN)” in Controlling System Access.

      If you later forget your usercode/password combination, you will need to cold-start your system to regain control of security-administrator functions.

      Enable the password-aging feature for your password. To add this feature use the following MAKEUSER statements:

      USER <usercode> MINPW = 1 MAXPW = 1 PASSWORDAGING DAYSACTIVE = 30 DAYSWARNING = 15;

    2. Define users and their access rights on the system, as needed. Each usercode must be unique. If you choose, you can defer defining usercodes until later. Would-be users cannot access the system until they have usercodes defined in the USERDATAFILE.

      For a detailed description of defining usercodes, refer to the System Software Utilities Operations Reference Manual and the Security Center Help.

The following access rights are appropriate to the indicated classes of users. For information about these items, see Standard Usercode Attributes.

End Users and Application Programmers

  MAXPW = 1
  MINPW = 1
  PASSWORDAGING
  DAYSACTIVE = 30
  DAYSWARNING = 15
  SHOWFILES (optional)

Systems Programmers and Database Administrators

  MAXPW = 1
  MINPW = 1
  PASSWORDAGING
  DAYSACTIVE = 30
  DAYSWARNING = 15
  PU (when required for a trusted user)

Transaction Server Administrators

  MAXPW = 1
  MINPW = 1
  PASSWORDAGING
  DAYSACTIVE = 30
  DAYSWARNING = 15
  SYSTEMUSER
  CANDECONTROL
  COMSCONTROL

Security Administrators

  MAXPW = 1
  MINPW = 1
  PASSWORDAGING
  DAYSACTIVE = 30
  DAYSWARNING = 15
  PU
  SECADMIN
  SYSADMIN
  SYSTEMUSER
  NODEFAULTUSE

Use the following guidelines when defining users and their access rights:

  • Assign PU, SYSTEMUSER, SYSADMIN, CANDECONTROL, and COMSCONTROL only when needed and only to trusted users.

  • Assign each usercode to only one user. Multiple users cannot share a single usercode. If groups of users are to be granted access to common files, implement this access by assigning the users a commonly shared accesscode. See Accesscode Grouping Mechanisms.

  • Assign a user the status privileged-user, SYSTEMUSER, or SYSADMIN only when he or she is trusted with the resulting access privileges and requires such privileges to do his or her job. Use granulated privileges instead of assigning privileged user status whenever possible.

  • It is strongly recommended that all usercodes be specified as PASSWORDAGING and that DAYSACTIVE = 30 be specified also.
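The following Python script is an added example and is not part of the Unisys documentation or of any MCP utility. It reads a constructed set of MAKEUSER-style USER statements (in the syntax shown above) and checks them against the guidelines on this page: every usercode has PASSWORDAGING with DAYSACTIVE = 30, the restricted attributes (PU, SYSTEMUSER, SYSADMIN, CANDECONTROL, COMSCONTROL) appear only for the user class that calls for them, and the number of SECADMIN usercodes matches what the site expects (the same check the ??SECAD + output prompts). The usercode names, the role labels, the expected SECADMIN count and the simplified parser (it handles only the USER <usercode> ATTR [= value] ... ; form used on this page, not the full MAKEUSER language) are assumptions made for the example.

```python
"""Policy check over MAKEUSER-style USER statements (added example, constructed data)."""
import re

# Attributes the page says to grant only when needed and only to trusted users.
RESTRICTED = {"PU", "SYSTEMUSER", "SYSADMIN", "CANDECONTROL", "COMSCONTROL"}

# Attribute sets the page lists per user class; the role labels are our own.
ROLE_ALLOWED = {
    "enduser": {"SHOWFILES"},
    "sysprog": {"PU"},
    "tsadmin": {"SYSTEMUSER", "CANDECONTROL", "COMSCONTROL"},
    "secadmin": {"PU", "SECADMIN", "SYSADMIN", "SYSTEMUSER", "NODEFAULTUSE"},
}

# Constructed sample input: usercode names and values are invented for this example.
SAMPLE = """
USER ADMINISTRATOR SECADMIN SYSADMIN SYSTEMUSER PU NODEFAULTUSE
     MINPW = 1 MAXPW = 1 PASSWORDAGING DAYSACTIVE = 30 DAYSWARNING = 15;
USER COMSOPER SYSTEMUSER CANDECONTROL COMSCONTROL
     MINPW = 1 MAXPW = 1 PASSWORDAGING DAYSACTIVE = 30 DAYSWARNING = 15;
USER PAYROLL1 SHOWFILES MINPW = 1 MAXPW = 1 PASSWORDAGING DAYSACTIVE = 90;
USER DEVTEAM PU MINPW = 1 MAXPW = 1;
"""
# Assumed mapping of each usercode to its user class (hypothetical).
ROLES = {"ADMINISTRATOR": "secadmin", "COMSOPER": "tsadmin",
         "PAYROLL1": "enduser", "DEVTEAM": "enduser"}


def parse_makeuser(text):
    """Return {usercode: {attr: value}} from 'USER <code> ATTR [= value] ...;' statements.

    Keyword attributes (e.g. PASSWORDAGING) map to True; valued attributes
    (e.g. DAYSACTIVE = 30) map to their value as a string.
    """
    users = {}
    for stmt in text.split(";"):
        tokens = stmt.split()
        if len(tokens) < 2 or tokens[0].upper() != "USER":
            continue
        code, attrs = tokens[1].upper(), {}
        # Normalise 'MINPW = 1' to 'MINPW=1' so each attribute is a single token.
        rest = re.sub(r"\s*=\s*", "=", " ".join(tokens[2:]))
        for tok in rest.split():
            name, _, value = tok.upper().partition("=")
            attrs[name] = value if value else True
        users[code] = attrs
    return users


def check_policy(users, roles, expected_secadmins):
    """Return a sorted list of findings for the parsed usercodes.

    roles maps usercode -> role label; expected_secadmins is the number of
    SECADMIN usercodes the site's security policy says should exist.
    """
    findings = []
    for code, attrs in users.items():
        role = roles.get(code, "unknown")
        # Guideline: all usercodes use PASSWORDAGING with DAYSACTIVE = 30.
        if "PASSWORDAGING" not in attrs:
            findings.append(f"{code}: PASSWORDAGING not set")
        if attrs.get("DAYSACTIVE") != "30":
            findings.append(f"{code}: DAYSACTIVE should be 30")
        # Guideline: restricted attributes only where the user class requires them.
        for attr in sorted(RESTRICTED & set(attrs)):
            if attr not in ROLE_ALLOWED.get(role, set()):
                findings.append(f"{code}: {attr} not appropriate for role {role}")
    # The SECADMIN count must match the number the site expects (cf. ??SECAD +).
    count = sum("SECADMIN" in attrs for attrs in users.values())
    if count != expected_secadmins:
        findings.append(f"SECADMIN count is {count}, expected {expected_secadmins}")
    return sorted(findings)


def run_sample(expected_secadmins=1):
    """Run the check over the constructed sample and return the findings."""
    return check_policy(parse_makeuser(SAMPLE), ROLES, expected_secadmins)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as written, the script reports that DEVTEAM lacks PASSWORDAGING and DAYSACTIVE = 30 and holds PU although it is an end-user usercode, and that PAYROLL1 has DAYSACTIVE = 90 instead of 30; raising the expected SECADMIN count adds a count-mismatch finding, which mirrors the page's advice not to proceed until such a discrepancy is explained.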

After you have finished defining usercodes, end the MAKEUSER session and return to the MARC home screen.

  1. Install system software by doing the following:

    1. From the home screen, select UTIL to access the System Utilities screen. On this screen, select SI to run the Simple Installation (SI) program.

    2. From the Simple Installation home screen, select INSTALL. When the Install screen appears, install the following files:

      • SYSTEM/INFOGUARDSUPPORT

      • SYSTEM/IGSDASUPPORT

      • SYSTEM/DCALGOL

      • SYSTEM/DMALGOL

      • SYSTEM/NEWP

    3. Install other system software, as required.

    4. On the Action line, enter QUIT. Doing so invokes the MARC System Utilities screen.

  2. Use the SL (Support Library) system command to determine whether or not SYSTEM/INFOGUARDSUPPORT and SYSTEM/IGSDASUPPORT are support libraries. If these files are not already support libraries, make them support libraries by entering the following on the Action line:

    SL INFOGUARDSUPPORT = SYSTEM/INFOGUARDSUPPORT
    SL SDASUPPORT = SYSTEM/IGSDASUPPORT

    Designate support-library status for other files where necessary.

  3. Set the system security options appropriate for a high-security environment by entering the following on the Action line of the MARC home screen:

    SECOPT CLASS = S2

  4. Use the ??PHL (Programmatic Halt/Load) system primitive command to halt/load your system and cause initialization of the tape volume security subsystem and the options enforced by CANDE.

  5. Take suitable measures to protect sensitive files by assigning appropriate values to the SECURITYTYPE and SECURITYUSE file attributes, attaching guard files as needed:

    1. Because the following compilers have access to powerful system processes, assign for each of them a SECURITYTYPE value of GUARDED, and a SECURITYGUARD attribute that identifies guard files designating those trusted individuals permitted to use the compilers:

      • SYSTEM/DCALGOL

      • SYSTEM/DMALGOL

      • SYSTEM/NEWP

    2. Create guard files by first selecting UTIL on the MARC home screen and then selecting GUARD on the System Utilities screen.

    3. After guard files have been created, attach them to the appropriate files by selecting FILE on the MARC home screen and then selecting SEC on the FILE screen.

  6. The security administrator can limit file access to appropriate, trusted individuals or processes by making a nonexecutable file private or by attaching to it a suitable guard file. Only then should a nonexecutable file be made executable.

    For more information about nonexecutable files, see “Assigning Executable Status” in Controlling File Access.

  7. Use the OP (Options) system command to set the AUTODC option:

    OP + AUTODC

  8. Following the procedures in your system software installation manual, define the data communications network with the following guideline:

    • Locate all ODTs and remote ODTs inside the physically secure area of the computer room or in a location with physical security equal to that of the computer room.

  9. Use the system command RESTRICT SC to define restricted status for all ODTs at the site. (To use a restricted ODT, a user must first log on to the system.) Restricting all the ODTs at your site enables you to audit operator actions. Follow the procedure outlined in Controlling File Access.

  10. Assign stations appropriate Transaction Server access privileges. Use the COMS Utility Station Activity screen to assign access rights to on-site and off-site stations as listed in Station Transaction Server Access Rights in a High-Security System. Doing so grants system access rights to usercodes defined in the USERDATAFILE with PU, SYSADMIN, or SYSTEMUSER attributes as follows:

    • The usercode can exercise privileged-user, SYSTEMUSER, or SYSADMIN access rights at on-site stations.

    • The usercode is denied privileged-user, SYSTEMUSER, or SYSADMIN access rights at off-site stations.

  11. Disable SNMP or change the community string from “public”.

  12. Set the values of the SMB Signing security options (SERVERSIGNING and CLIENTSIGNING) to agree with the site-specific security policy.

    Table 11. Station Transaction Server Access Rights in a High-Security System

    User/Station                       Control-Capable   Privileged   Super-User   SYSTEMUSER
    Security Administrator             N/A               Yes          N/A          Yes
    Transaction Server Administrator   Yes               N/A          N/A          N/A
    On-Site Stations                   N/A               Yes          No           Yes
    Dial-In Stations                   N/A               No           No           No