Password Management

Integrity Services is offering a password management system that includes password aging. The package enforces password aging for MARC users as well as CANDE users. Packages that do not address both MCSs have a severe hole in them.

This package also addresses the issue of usercode passwords and accesscode passwords. Where there is any sharing of usercodes and files under the same usercode, accesscodes are necessary to ensure security. If password aging is desirable or mandated by auditors, then it must include accesscode passwords. If you have attempted to find such a product, you probably have been unsuccessful until now.



Password Aging From Integrity Services
As security enforcement grows more sophisticated, and so do those who want to break security systems, password aging is becoming more desirable. Many auditors are making it mandatory for their computer systems. This feature is now affordable and installation is flexible, easy, and maintainable.

What exactly is password aging? It is the ability of a computer system to let passwords age to the point where a usercode is prevented from use if its password has not been changed. In other words, once a usercode's password has exceeded a predetermined number of days, it must be changed or no one will be able to use it. When the password is changed, the usercode is made usable for the specified number of days.

The password management system from Integrity Services has been expanded to include passwords for usercodes and passwords for accesscodes. Accesscodes are the only convenient way to share usercodes on the ClearPath and A Series computers and retain individual identity for each and every log-on. In addition, the password management system warns users a specified number of days before the password will expire, so that work is not interrupted when the password expires.

The Integrity Services password management system will operate with COMS (MARC) or CANDE. In fact, it is the only password management system that I know of that will operate with COMS (MARC) and CANDE for passwords of both usercodes and accesscodes. Usercode and accesscode information is maintained in the userdatafile along with the other security attributes. Extensions have been made to the userdatafile to allow accesscode attributes. A security support library is at the center of the password management system. This is the standard Unisys mechanism for extended security on NX and A Series computers. By using the standard security support library, there is an interface for other MCSs.

Additionally, the Integrity Services password management system allows for a minimum password length and limited password re-use. It uses a COMS processing item and a new MARC menu for user password changes.

You may question why both MARC and CANDE log-ons must be protected with password management. It is because once a person has logged on to MARC, that is not the end of log-on possibilities. This same user may go to the CANDE window and change usercodes. It is this changing of usercodes that must have password protection to preserve the integrity of the password management system.



Sentry Support
Sentry Support is a library that may be assigned as the system security support library. CANDE must be modified to allow the calling sequences for the functions 1 - 4 below. MARC uses a processing item. There is also an interface for other MCSs. Secured station (terminal) restrictions require a security supervisor to function.

Functions Supported:

1. Password aging for usercodes.

A password for a usercode must be changed within a given time-frame designated by DAYSACTIVE or the usercode will be made inactive. DAYSWARNING allows a warning message to be given to users (at the time that they sign on) a specified number of days before the usercode will be made inactive.

2. Password aging for accesscodes.

A password for an accesscode must be changed within a given time-frame designated by ADAYSACTIVE or the accesscode will be made inactive. ADAYSWARNING allows a warning message to be given to users (at the time that they sign on) a specified number of days before the accesscode will be made inactive.

3. Limiting password re-use for a specified number of changes.

A password may not be re-used when a password change is attempted. The default number is 8.

4. Minimum password length is enforced for password changes.

A minimum character length for a password may be enforced.

5. Secured station (terminal) restricted use.

Only designated usercodes may be permitted to use stations (terminals) specified in a database (list) for specific timeframes of the day. All other usercodes will be denied access to these terminals. These designated usercodes will also be denied access at other times of the day. The database of stations may be changed by time-of-day. The designated usercodes may be changed by time-of-day.

Note 1: For options 1-5, userdatafile additions must be made to the generalsupport library.

Note 2: For option 5, System/Supervisor from Integrity Services is required.
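The policy rules in functions 1 to 4 can be modeled in a few lines. The following Python sketch is an added example, not Integrity Services code: the attribute names DAYSACTIVE and DAYSWARNING and the re-use default of 8 come from the text above, while the class, the minimum-length value, the salted-hash history, and counting the current password within the re-use limit are assumptions.

```python
import hashlib, hmac, os
from collections import deque
from datetime import date

class AgedCredential:
    """Model of one usercode or accesscode entry (hypothetical structure)."""

    def __init__(self, password, changed_on, days_active, days_warning,
                 min_length=8, reuse_limit=8):
        self.days_active = days_active      # DAYSACTIVE / ADAYSACTIVE
        self.days_warning = days_warning    # DAYSWARNING / ADAYSWARNING
        self.min_length = min_length        # assumed value; the page gives none
        # Re-use limit (page default 8); assumed to include the current password.
        self.history = deque(maxlen=reuse_limit)
        self.history.append(self._digest(password))
        self.changed_on = changed_on

    @staticmethod
    def _digest(password, salt=None):
        # Keep salted hashes in the history, never the cleartext passwords.
        salt = salt or os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt, dk

    def status(self, today):
        age = (today - self.changed_on).days
        if age > self.days_active:          # limit exceeded: code is unusable
            return "INACTIVE"
        if self.days_active - age <= self.days_warning:
            return "WARNING"                # shown to the user at sign-on
        return "ACTIVE"

    def change_password(self, new_password, today):
        if len(new_password) < self.min_length:
            return False, "too short"
        for salt, dk in self.history:
            if hmac.compare_digest(self._digest(new_password, salt)[1], dk):
                return False, "re-used"
        self.history.append(self._digest(new_password))  # oldest entry drops off
        self.changed_on = today             # a change restarts the aging clock
        return True, "changed"
```

A successful change is the only way an INACTIVE entry becomes usable again in this model, matching the description that the usercode is made usable once the password is changed.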

Copyright 2003© Integrity Services, Inc. All rights reserved