Warnings and the weather
I sit here in the study of my palatial estate (yeah, right!) in Maryland, and as I look out the window, all I see is white. <Insert Trent Lott joke here.> Actually, it is a blanket of snow over two feet deep. We are recovering from what the newscasters here are calling the Storm of the Century. Now correct me if I am wrong, but the century is 26 months old, so it doesn't have much competition for the title. Now if you're talking Storm of the Last 100 Years, then we can talk.
Those of you living in regions that regularly get significant snowfalls need to understand that we don't get much here. A three- to four-inch snowfall can cripple our area. A couple of years ago, we had a half-inch of snow fall in the middle of the afternoon and it shut down the DC evening rush hour (basically because there was no time to remove it, and the cars packed it down into ice).
During these 60-plus hours of snowfall, I, like so many others, regularly checked The Weather Channel. And every time winter weather expert Paul Kocin came on, I would stop and pay close attention. Paul has never done me wrong. He has accurately predicted things like the rain/snow line and correctly advised not to venture out because we would be getting freezing rain. I put my full faith in Paul telling me what to expect when it comes to winter weather. He is the man.
And he's a bit like Security/3000 and your passwords. Like Paul, Security watches over you and gives you warnings and error messages. Did you even know that Security can watch your MPE passwords? No, we're not talking about the personal passwords we discussed last month; Security can keep tabs on your MPE passwords if you configure it for that. Any system security expert will tell you passwords should be changed regularly to maintain a secure system. Now some of you will tell me that you have too many job streams with embedded passwords to change passwords, and I have one word for you: STREAMX. But that's another column.
Again, what drives all this is the file that we have discussed often in the past: SECURCON.DATA.VESOFT. You can add entries, or to be precise, keyworded entries, to this file to have Security monitor all sorts of things, including password obsolescence. And it will make your users change their passwords at specific intervals. By adding the line $MPE-OBSOL [user sets] to the file, you tell Security to monitor the aging of MPE passwords.
If you use $MPE-OBSOL @.@ then everybody's passwords will be monitored. You can limit it with $MPE-OBSOL @.DEV @.FINANCE or $MPE-OBSOL @.FINANCE-BATCH.FINANCE. The former will only monitor the DEV and FINANCE accounts, while the latter will monitor everything in FINANCE except BATCH, which removes the need to change the passwords for the jobs running as the BATCH user.
This is fine, except how often do the users have to change their passwords? If you add the line $MPE-U-OBS-DAYS 20 then the passwords must be changed every 20 days. Note there is a U in that keyword. That indicates that the command is for users, as opposed to groups or accounts, which we will address shortly.
The default for expiring passwords is 30 days, but you can vary that as above, or you can again define it by user set:
$MPE-U-OBS-DAYS 45 @.DEV
$MPE-U-OBS-DAYS 20 @.FINANCE
It's nice to give your users adequate warning that they need to change their passwords and, of course, there is a keyword to define that. $MPE-U-WARN-DAYS 7 says that the users will get warnings to change their password for the seven days prior to the expiration.
Just as above, you can alter that variable by user set in the same way as for the obsolescence days:
$MPE-U-WARN-DAYS 7 @.DEV
$MPE-U-WARN-DAYS 14 @.FINANCE
There's one more little issue you need to understand about when the passwords are changed. By default, a password cannot be changed until it expires. If you want to give the user the option of changing the password during the warning period prior to its expiration, you add the entry $MPE-WARN-PASSCHG. The default is @.@ but you can again set user sets with this keyword.
Working in conjunction with this keyword is $MPE-OBS-PASSCHG OFF (or a user set). If this is set to OFF, then once a password expires, the user cannot change it. Instead the users must go to their account or system manager to get it reset. A word to the already busy system manager: set both of those to @.@ to save yourself time. There are valid reasons not to do as I just said; I'm just telling you to think about it!
When a password expires, a user gets a dialogue to allow them to change the password. Nothing fancy, just enter the old password followed by entering the new password twice. But what if they change it to the same password? Nothing in MPE prevents that! Security also gives us this nasty little thing called a password history file. It tracks passwords used by users and prevents them from using the same password over a specified period of time. To get that running, add the following entry:
$MPE-PASSHIST-DAYS nnn (where nnn is a number of days).
If you set nnn to be 180, then a user may not use the same password for 180 days. Pretty sneaky.
You can also set Security to monitor account or group passwords by substituting an A or a G for the U in the keywords listed earlier.
Of course, to get everything to work, you need to have the Vesoft BACKG process execute the OBSFILL task every night. To do this, from an MPEX prompt, type %SEC BACKG START, OBSFILL which will start OBSFILL running every night.
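An added example, not VESOFT code and not part of the original column: a small Python model of how the entries described above combine for one user and one password age. The SECURCON contents are constructed, user-set matching is simplified to an include pattern minus an optional exclude pattern, and the exact day boundaries, a zero-day default warning period, and last-line-wins handling are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Constructed SECURCON-style entries, using only keywords named in the column.
SECURCON = """\
$MPE-OBSOL @.DEV @.FINANCE-BATCH.FINANCE
$MPE-U-OBS-DAYS 45 @.DEV
$MPE-U-OBS-DAYS 20 @.FINANCE
$MPE-U-WARN-DAYS 7 @.DEV
$MPE-U-WARN-DAYS 14 @.FINANCE
$MPE-WARN-PASSCHG @.DEV
$MPE-OBS-PASSCHG OFF
"""

def in_set(user, userset):
    """Simplified user set: 'inc' or 'inc-exc', each USER.ACCOUNT with @ wildcards."""
    inc, _, exc = userset.partition("-")
    hit = lambda pat: fnmatchcase(user, pat.replace("@", "*"))
    return hit(inc) and not (exc and hit(exc))

def policy(user, text=SECURCON):
    """Effective settings for one user. Assumption: the last applicable line wins."""
    # 30-day expiry is the column's stated default; warn=0 is this model's assumption.
    p = {"monitored": False, "obs": 30, "warn": 0, "warn_chg": False, "obs_chg": True}
    for line in text.splitlines():
        key, *args = line.split()
        if key == "$MPE-OBSOL":
            p["monitored"] = any(in_set(user, s) for s in args)
        elif key in ("$MPE-U-OBS-DAYS", "$MPE-U-WARN-DAYS"):
            if any(in_set(user, s) for s in (args[1:] or ["@.@"])):
                p["obs" if "OBS" in key else "warn"] = int(args[0])
        elif key == "$MPE-WARN-PASSCHG":
            p["warn_chg"] = any(in_set(user, s) for s in (args or ["@.@"]))
        elif key == "$MPE-OBS-PASSCHG":
            p["obs_chg"] = args != ["OFF"] and any(in_set(user, s) for s in (args or ["@.@"]))
    return p

def status(user, age_days, text=SECURCON):
    """Classify a password by age. Assumption: it expires once age reaches the limit."""
    p = policy(user, text)
    if not p["monitored"]:
        return "unmonitored"
    if age_days >= p["obs"]:
        return "expired-user-may-change" if p["obs_chg"] else "expired-manager-must-reset"
    if age_days >= p["obs"] - p["warn"]:
        return "warning-may-change" if p["warn_chg"] else "warning-only"
    return "ok"

if __name__ == "__main__":
    for user, age in [("CLERK.FINANCE", 6), ("BATCH.FINANCE", 400), ("MGR.DEV", 40)]:
        print(user, age, status(user, age))
```

With $MPE-OBS-PASSCHG OFF in place, every expired password in the model ends in a manager reset, which is the workload the column suggests you think about before choosing that setting.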
We'll address other password issues next month, such as masks and length. Now you can truly say, "Damn the Security Audit! We control our passwords."
Steve Hammond, who works for a trade association in Washington, DC, can weather any blizzard, as long as he has the essentials of life: cable television, a remote and a broadband connection.
Copyright The 3000 NewsWire. All rights reserved.