Limiting the Number of Logon Attempts |
 |
The Maximum Invalid Logon Attempts security option limits password guessing by disabling user entries and terminal devices in response to repeated erroneous logon attempts.
This option works by keeping track of invalid logon attempts for specified user ID's and devices and compares them to the maximum allowable logon attempts established by the System Manager. When the maximum is exceeded, the user or device is disabled, usually for a specified period of time referred to as a "down-time interval".
|
| |
|
 | NOTE: See your System Manager if your device fails to return after going down from too many invalid logon attempts.
|
|
| |
|
Attempts to log on using a disabled user ID will be aborted with the exception of the MANAGER.SYS who can still logon from the physical system console even when this user entry has been disabled.
This exception is intended to prevent situations where a system is inaccessible because all user ID's have been disabled.
Batch data and jobs cannot be submitted using user ID's associated with disabled user entries. Attempts to submit batch data or jobs using disabled user ID's will be aborted.
User ID's with non-zero down-time intervals are automatically enabled after their downtime intervals have elapsed. When the user entry becomes available to the sytem, the invalid logon attempt count will be reset to 0. Upon successful logon to the sytem, the count is also reset to 0.
The :LISTUSER command shows which user ID's are currently disabled. User ID's with zero down-time intervals, must be manually re-enabled using the Security Configuratation Utility's User Security Options. The User Security Opions may also be used to enable a disbaled user ID with a non-zero down-time interval before it has elapsed. After the entry is re-enabled, the down-time interval count is reset to zero.
Only interactive logon devices (terminals) are affected by the maximum invalid logon attempts feature; tape drives and the STREAM device are not included.
When a user exceeds the maximum number of logon attempts for a particular terminal, the system removes the terminal from use just as if
you had entered the
:DOWN command for that device at the System Console. After such
an occurrence, the system displays the following message on the System
Console:
LDEV #nn IS DOWNED, FAILED LOGON ATTEMPTS EXCEED LIMIT.
|
(where nn is the ldev number of the downed device).
The system security may be configured so that devices that have been set
:DOWN for security reasons will automatically return to user
availability after a specified amount of time. The device may also be set to stay down until it is manualy reset by the System Manager.
Providing Minimal Logon Assistance |
|
Normally, when users make a mistake while logging on, the system helps by
identifying the mistake. For example, when a user enters an invalid logon
command, the system displays one or more of the following messages:
EXPECTED [SESSION NAME,] USER.ACCT[,GROUP] (CIERR 1424)
EXPECTED ACCOUNT NAME. (CIERR 1426)
EXPECTED GROUP NAME. (CIERR 1429)
|
If your system configured for minimal logon assistance, such messages
will not be displayed. This helps prevent users who are not familiar with
your logon procedures from accessing the system. With minimal logon help, a
user entering an invalid logon command sees only the message:
