23-Nov-2004

Why LGI_BRK_DISUSER = 1 is a dumb idea

OpenVMS has the ability to disable user accounts after a certain number of failed login attempts have been made against that account. This can be accomplished by setting the SYSGEN parameter LGI_BRK_DISUSER to 1 rather than its default value 0.

The number of failed logins that have to be exceeded before the account is disusered is controlled by the LGI_BRK_LIM parameter.

Setting the LGI_BRK_DISUSER parameter to 1 is not such a good idea in my humble opinion.

The reason is that configuring the system to disable an account after a specific number of failed logins is, to my mind, a perfect invitation to a denial of service attack.

How would this be done, you ask? It's trivial to find a list of valid users on the system. $ SHOW USERS will work, for example. Armed with this knowledge, a malicious user can construct a small command procedure to attempt logins with an invalid password, and the system will happily disuser all the accounts. No privilege required.

Under normal circumstances there is no need to enable the account-disable function: password evasion, the default behaviour of temporarily refusing logins once LGI_BRK_LIM has been exceeded, will accomplish what you want.
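As an added illustration (this command procedure is mine, not part of the original post), here is a small DCL procedure a system manager can run to audit the break-in settings discussed above: it shows the LGI_BRK_* SYSGEN parameters, lists the intrusion database so you can see evasion doing its job, and reports the flags on one account so a DISUSER set by a break-in can be spotted and reversed. It assumes SECURITY privilege for SHOW INTRUSION and SYSPRV (or write access to SYSUAF) for AUTHORIZE; the account name and the file name AUDIT_BREAKIN.COM are my own choices.

```dcl
$! AUDIT_BREAKIN.COM -- added example, not from the original post.
$! Usage: @AUDIT_BREAKIN username
$! Assumes SECURITY privilege (SHOW INTRUSION) and SYSPRV (AUTHORIZE).
$ SET NOON                               ! keep going if one step lacks privilege
$ user = F$EDIT(P1, "UPCASE,TRIM")
$ IF user .EQS. "" THEN user = "SYSTEM"  ! constructed default for illustration
$!
$ WRITE SYS$OUTPUT "--- Break-in detection parameters ---"
$ MCR SYSGEN SHOW LGI_BRK_DISUSER        ! 1 = disable account after break-in (the bad idea)
$ MCR SYSGEN SHOW LGI_BRK_LIM            ! failures allowed before a break-in is declared
$ MCR SYSGEN SHOW LGI_BRK_TMO            ! window in which those failures must occur
$ MCR SYSGEN SHOW LGI_HID_TIM            ! how long evasion refuses logins afterwards
$!
$ WRITE SYS$OUTPUT "--- Intrusion database (suspects and intruders under evasion) ---"
$ SHOW INTRUSION
$!
$ WRITE SYS$OUTPUT "--- Flags on account ''user' (look for DISUSER) ---"
$ MCR AUTHORIZE SHOW 'user'/BRIEF
$!
$! Recovery, if a break-in has DISUSERed a legitimate account:
$!   $ MCR AUTHORIZE MODIFY 'user'/FLAGS=NODISUSER
$!   $ DELETE/INTRUSION_RECORD source     (to clear a stale evasion entry)
$ EXIT
```

With LGI_BRK_DISUSER left at 0, the SHOW INTRUSION listing is the whole story: offending sources sit in evasion for LGI_HID_TIM seconds and then drop out again, and no account ever needs the NODISUSER repair.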

Posted at November 23, 2004 2:58 PM