EMC Celerra Version 5.6 Technical Primer: Control Station Password Complexity Policy

Technology Concepts and Business Considerations

Abstract

This white paper presents a high-level overview of the EMC Celerra version 5.6 feature that enables an administrator to specify the level of password complexity required for passwords set on local Control Station user accounts.

September 2008

Copyright 2008 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.

Part Number H5774

Table of Contents

Executive summary
  Business problem
  Technical problem
  Feature introduction
  What's new
Introduction
  Audience
  Terminology
Detailed overview
  Architecture
  Limitations
  Compatibility with earlier releases
Conclusion
References

Executive summary

Efficient management of account passwords is a challenge for any organization. To maintain data security and integrity, organizations must enforce policies that require users to create complex passwords that are changed frequently. EMC Celerra Network Server version 5.6 addresses this need with the introduction of an administrator password complexity policy, which enhances Control Station security and prevents data misuse.

Business problem

Companies, governments, educational institutions, and other organizations are extremely concerned with maintaining the integrity of their data. This is a direct result of the increase in regulations affecting data and the ever-increasing public scrutiny, financial risk, and legal consequences caused by the loss of sensitive data. Consequently, information security policies now dictate specific password complexity requirements in an effort to ensure password quality. Such policies are important to secure both IT infrastructure and end-user systems.

Technical problem

IT organizations demand that the products they purchase efficiently enforce password complexity policies and expiration periods. If products do not support this feature, these organizations have no other means to enforce secure passwords. The deeper the product fits into an organization's infrastructure, the more critical it is to enforce secure passwords. Storage, of course, is a core infrastructure component.

Feature introduction

Celerra version 5.6 allows administrators to enforce password complexity policies for Control Station local administrative user accounts. A standard Linux mechanism is used to enforce the policy, and new tools have been implemented to manage policy configuration.

What's new

The Control Station password complexity feature is entirely new. Previous releases required Linux expertise to implement password complexity policies.
Rather than attempt to document the complex sequence of steps required to set up these policies, the Control Station code was enhanced to introduce the nas_config CLI command, which enables administrators to set Control Station account password complexity policies.

There is now a stricter default password quality policy in place. Unless the default Linux configuration has been modified, this new default password policy will be applied when you upgrade to version 5.6. The Celerra Security Configuration Guide provides more details about this policy.

Introduction

This paper details the new password complexity policy feature introduced in Celerra version 5.6. Topics covered include:

- Architecture, including default values
- Limitations
- Compatibility with older releases

Audience

This white paper is intended for customers, including IT planners, storage architects, administrators, and any others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.

Terminology

command line interface (CLI): Interface for entering commands through the Control Station to perform tasks that include the management and configuration of the database and Data Movers and the monitoring of statistics for the Celerra cabinet components.

Common Interface File System (CIFS): File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

Control Station: Hardware and software component of the Celerra Network Server that manages the system and provides the user interface to all Celerra components.

Data Mover: In a Celerra Network Server, a cabinet component running its own operating system that retrieves files from a storage device and makes them available to a network client. This is also referred to as a blade. A Data Mover is sometimes internally referred to as DART because DART is the software running on the platform.

Network Information Service (NIS): Distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.

Detailed overview

Architecture

You can configure Control Station password complexity requirements with the /nas/sbin/nas_config CLI command. To do this, you must use either an interactive prompt or command line options. The Celerra Security Configuration Guide provides more details about this feature.

The password complexity policy is enforced through standard Linux pluggable authentication module (PAM) mechanisms. This feature uses widely available open-source PAM modules, and not custom modules. Password changes are logged to /var/log/secure on the Control Station.
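
Because enforcement sits in the PAM password stack, the configured line can be audited against the default values listed in this section. The sketch below is an added example, not EMC code: it assumes the module is pam_cracklib (the paper names no module), maps the defaults to that module's minlen, difok, retry and credit options, and runs on constructed sample lines.

```python
import re

# Added example: audit a PAM password line against the paper's default policy.
# Assumption: the module is pam_cracklib (the paper names no module).
REQUIRED = {"minlen": 8, "difok": 3, "retry": 3}        # from the paper
REQUIRED_CLASS_MIN = {"dcredit": 1, "ocredit": 0,        # digits: one
                      "ucredit": 0, "lcredit": 0}        # others: zero
# pam_cracklib's built-in values for options missing from the line.
MODULE_DEFAULTS = {"minlen": 9, "difok": 5, "retry": 1,
                   "dcredit": 1, "ocredit": 1, "ucredit": 1, "lcredit": 1}


def parse_cracklib(pam_text):
    """Return the effective pam_cracklib options, or None if not configured."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "password":
            continue
        for i, tok in enumerate(tokens):
            if "pam_cracklib" in tok:
                opts = dict(MODULE_DEFAULTS)
                for arg in tokens[i + 1:]:
                    key, _, val = arg.partition("=")
                    if key in opts and re.fullmatch(r"-?\d+", val):
                        opts[key] = int(val)
                return opts
    return None


def audit(opts):
    """List every way the options fall short of the documented defaults."""
    if opts is None:
        return ["no pam_cracklib line in the password stack"]
    findings = []
    # Positive credits let each character class shorten the required length.
    shortest = opts["minlen"] - sum(max(opts[c], 0) for c in REQUIRED_CLASS_MIN)
    if shortest < REQUIRED["minlen"]:
        findings.append(f"minlen check passes at {shortest} characters")
    if opts["difok"] < REQUIRED["difok"]:
        findings.append(f"difok={opts['difok']} is below {REQUIRED['difok']}")
    if opts["retry"] != REQUIRED["retry"]:
        findings.append(f"retry={opts['retry']} differs from {REQUIRED['retry']}")
    # Only a negative credit makes a character class mandatory.
    for opt, need in REQUIRED_CLASS_MIN.items():
        if max(-opts[opt], 0) < need:
            findings.append(f"{opt}={opts[opt]} does not require {need} character(s)")
    return findings


# Constructed sample lines, not taken from a Control Station.
WEAK = "password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=1"
HARDENED = WEAK.replace("dcredit=1", "dcredit=-1 ocredit=0 ucredit=0 lcredit=0")
```

The WEAK line looks like the documented policy but is not: dcredit=1 grants a length credit instead of requiring a digit, and the unset credits fall back to the module's own defaults.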

The default values enforced in the new password policy are as follows:

- Minimum password length: Eight
- Minimum number of new characters (that is, those not in the previous password): Three
- Minimum number of digits: One
- Minimum number of special characters: Zero
- Minimum number of uppercase characters: Zero
- Minimum number of lowercase characters: Zero
- Number of attempts at setting the password before the operation fails: Three

Limitations

- The password complexity policy does not apply to Data Mover CIFS server local accounts or Control Station NIS/yp accounts. (The use of NIS/yp on the Control Station is not recommended.)
- You must be logged in as the root user to set the password complexity policy.
- The password complexity policy does not apply to a root user.
- The password complexity policy comes into effect only when a password is changed; changes to the policy do not retroactively apply to existing passwords.
- Celerra Manager does not support management of the password complexity policy in version 5.6. However, password complexity requirements apply to passwords set through Celerra Manager.

Compatibility with earlier releases

This functionality is contained within the Celerra on which it is configured, and it does not interact with other Celerras. Therefore, no compatibility concerns exist. Earlier releases use the authentication mechanisms supported in those releases.

Conclusion

The password complexity policy feature addresses a key business concern and significantly enhances Celerra security. It provides administrators with the tools required to protect their systems from unauthorized access.

References

Name: Celerra Security Configuration Guide
Type: Technical Publication
URL: See the Celerra Network Server Documentation CD Version 5.6
Audience: Customer
Technical Depth: High

Name: Celerra Network Server Command Reference Manual
Type: Technical Publication
URL: See the Celerra Network Server Documentation CD Version 5.6
Audience: Customer
Technical Depth: High

Name: nas_config man page
Type: Technical Publication (Help System)
URL: Run man nas_config on the CLI
Audience: Customer
Technical Depth: High