| DESCRIPTION OF ENHANCEMENTS |
NOIS: DAY-1000-42520 Vista Security (Verify Code)

These changes are required to meet VHA DIRECTIVE 6210
Available at http://vaww.domain.ext/publ/direc/health/direct/vha6210d.pdf

The rules listed below are from the Document "VA Account and Password
Management Interim Policy"

a. Controls shall be implemented to require strong passwords.
Passwords shall be at least eight characters in length, and
contain three of the following four kinds of characters:
letters (upper case and lower), numbers, and characters
that are neither letters nor numbers (like "#", "@" or "$").
b. Passwords shall be changed no less frequently than every 90 days.
Information systems shall not permit re-assignment of the last
three passwords used.
c. Accounts that have been inactive for 90 days shall be disabled.
d. To preclude password guessing, an intruder lock out feature
shall suspend accounts after five invalid attempts to log on.
Where round-the-clock system administration service is available,
system administrator intervention shall be required to clear a
locked account. Where round-the-clock system administration
service is not available, accounts shall remain locked out
for at least ten minutes.

Here is what was done based on the requirement from VHA POLICY:

Item a. Because VistA has been case-insensitive for many years, we chose
to retain this characteristic. This means that VistA only has three
sets of characters to build a password from: alpha, numeric and
punctuation. The change from the past requirements is the new
requirement for punctuation characters and an increase in length
from 6 to 8 characters.
The Kernel XUS2 routine was changed to require that
verify codes be composed of the following three groups of
characters: alpha, numeric, and punctuation.

Item b. This rule was implemented by changing the valid range in the data
dictionary and then checking the value in the KERNEL SYSTEM
PARAMETERS file (#8989.3) and resetting the value if it is found
to be greater than 90. Kernel has long kept old verify codes based
on the date they were changed. A change has been made to limit the
time frame for removal in option "Purge Log of Old Access and Verify
Codes" [XUSERAOLD].

Item c. This rule was implemented by making changes to the scheduled Kernel
option 'Automatic Deactivation of Users' [XUAUTODEACTIVEATE] routine
XUSTERM1. This option has been changed to check each user's last
sign-on date and, if it is more than 90 days old, set the DISUSER
field for that user. If this happens the user will get a "No Access
Allowed for this User." message when they try to log on.
Note: The DISUSER field is shown on the 'User Inquiry' and is on the
second page of the Kernel option "Edit an Existing User" [XUSEREDIT].

Item d. Kernel has always implemented a form of 'lockout'. Changes were made
to the Kernel System Parameters file DEFAULT # OF ATTEMPTS and DEFAULT
LOCK-OUT TIME fields. The values in the KSP were checked and changed
to meet the new limits for these fields.
Note: In addition, the sign-on code was changed to echo
an asterisk (*) for each character entered. This
follows the Microsoft Windows login style, which is
a change from the VMS login style.

Routine Summary
The following routines are included in this patch. The second line of each
of these routines now looks like:
;;8.0;KERNEL;<patchlist>;Jul 10, 1995

                 Checksum
Routine     Old         New         2nd Line
XUINPCH4    n/a         786391      **180**
XUS         8139177     8362765     **16,26,49,59,149,180**
XUS2        14055468    15802718    **59,180**
XUS4        3275391     3759854     **180**
XUSPURGE    6034721     4746135     **180**
XUSRB       6139976     6227685     **11,16,28,32,59,70,82,109,115,165,150,180**
XUSTERM1    12539120    11515045    **102,180**
XUSTZ       3010944     3161912     **36,180**

List of preceding patches: 36, 102, 149, 150
Sites should use CHECK^XTSUMBLD to verify checksums.
=========================================================================
Installation:

>>>Users may remain on the system.
>>>Taskman does not need to be stopped.

1. DSM sites - Some of these routines are usually mapped,
so you will need to disable mapping for the affected routines.

2. Use the 'INSTALL/CHECK MESSAGE' option on the PackMan menu. This
option will load the KIDS package onto your system.

3. The patch has now been loaded into a Transport global on your
system. You now need to use KIDS to install the Transport global.
On the KIDS menu, under the 'Installation' menu, use the following
options:
    Verify Checksums in Transport Global
    Print Transport Global
    Compare Transport Global to Current System
    Backup a Transport Global

4. Users can remain on the system if installed at non-peak hours.
There is a small chance that a user could get a CLOBER error if they
are signing on at the time the routines change.
This patch can be queued and installed at non-peak time.
TASKMAN can remain running.

5. On the KIDS menu, under the 'Installation' menu, use the following
option:
    Install Package(s) 'XU*8.0*180'
                        ==========
    Want KIDS to INHIBIT LOGONs during the install? YES// NO
    No Options or Protocols need to be placed out-of-order.
    Want to DISABLE Scheduled Options, Menu Options, and Protocols? NO
                                                                    ==

6. DSM Sites, after patch has installed, rebuild your map set.
=========================================================================
|
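The limits described in Items a through d, restated as a small Python policy check that an auditor could run against exported account data. This is an added example, not Kernel code from the patch; the function names, dictionary keys and sample values are hypothetical, and verify-code history is compared as plain strings only for illustration.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 8             # Item a: minimum length raised from 6 to 8
MAX_LIFETIME_DAYS = 90     # Item b: verify code lifetime ceiling
HISTORY_DEPTH = 3          # Item b: last three codes may not be reused
INACTIVE_DAYS = 90         # Item c: inactivity threshold
MAX_ATTEMPTS = 5           # Item d: invalid attempts before lockout
MIN_LOCKOUT_SECONDS = 600  # Item d: at least ten minutes


def verify_code_problems(candidate, previous=()):
    """Return the list of policy violations for a proposed verify code."""
    code = candidate.upper()  # case-insensitive, so only three classes exist
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c in string.ascii_uppercase for c in code):
        problems.append("no alpha character")
    if not any(c in string.digits for c in code):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in code):
        problems.append("no punctuation character")
    recent = [p.upper() for p in list(previous)[-HISTORY_DEPTH:]]
    if code in recent:
        problems.append("matches one of the last three codes")
    return problems


def clamp_site_parameters(params):
    """Bring site parameters inside the limits, as the patch did for the KSP.

    The keys are hypothetical labels, not Kernel field names.
    """
    fixed = dict(params)
    fixed["lifetime_days"] = min(params["lifetime_days"], MAX_LIFETIME_DAYS)
    fixed["attempts"] = min(params["attempts"], MAX_ATTEMPTS)
    fixed["lockout_seconds"] = max(params["lockout_seconds"], MIN_LOCKOUT_SECONDS)
    return fixed


def users_to_disable(last_signon, today):
    """Item c: users whose last sign-on is more than 90 days before today."""
    cutoff = today - timedelta(days=INACTIVE_DAYS)
    return sorted(u for u, seen in last_signon.items() if seen < cutoff)
```

Because the comparison is done on the upper-cased code, a candidate that differs from a recent code only by case is still reported as a reuse.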