EMC Celerra Version 5.6 Technical Primer:
Control Station Password Complexity Policy
Technology Concepts and Business Considerations
Abstract
This white paper presents a high-level overview of the EMC® Celerra® version 5.6 feature that enables an administrator to specify the level of password complexity required for passwords set on local Control Station user accounts.
Copyright © 2008 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.
Table of Contents
Executive summary
    Business problem
    Technical problem
    Feature introduction
    What’s new
Introduction
    Audience
    Terminology
Detailed overview
    Architecture
    Limitations
Compatibility with earlier releases
Conclusion
Executive summary
Efficient management of account passwords is a challenge for any organization. To maintain data security and integrity, organizations must enforce policies that require users to create complex passwords that are changed frequently. EMC® Celerra® Network Server version 5.6 addresses this need with the introduction of an administrator password complexity policy, which enhances Control Station security and prevents data misuse.
Business problem
Companies, governments, educational institutions, and other organizations are extremely concerned with maintaining the integrity of their data. This is a direct result of the increase in regulations affecting data and the ever-increasing public scrutiny, financial risk, and legal consequences caused by the loss of sensitive data.
Consequently, information security policies now dictate specific password complexity requirements in an effort to ensure password quality. Such policies are important to secure both IT infrastructure and end-user systems.
Technical problem
IT organizations demand that the products they purchase efficiently enforce password complexity policies and expiration periods. If products do not support this feature, these organizations have no other means to enforce secure passwords. The deeper the product fits into an organization’s infrastructure, the more critical it is to enforce secure passwords. Storage, of course, is a core infrastructure component.
Feature introduction
Celerra version 5.6 allows administrators to enforce password complexity policies for Control Station local administrative user accounts. A standard Linux mechanism is used to enforce the policy, and new tools have been implemented to manage policy configuration.
What’s new
The Control Station password complexity feature is entirely new. Previous releases required Linux expertise to implement password complexity policies. Rather than attempt to document the complex sequence of steps required to set up these policies, the Control Station code was enhanced to introduce the nas_config CLI command, which enables administrators to set Control Station account password complexity policies.
There is now a stricter default password quality policy in place. Unless the default Linux configuration has been modified, this new default password policy will be applied when you upgrade to version 5.6. The Celerra Security Configuration Guide provides more details about this policy.
Introduction
This paper details the new password complexity policy feature introduced in Celerra version 5.6. Topics covered include:
• Architecture, including default values
• Limitations
Audience
This white paper is intended for customers, including IT planners, storage architects, administrators, and any others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.
Terminology
command line interface (CLI) — Interface for entering commands through the Control Station to perform tasks that include the management and configuration of the database and Data Movers and the monitoring of statistics for the Celerra cabinet components.
Common Interface File System (CIFS) — File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.
Control Station — Hardware and software component of the Celerra Network Server that manages the system and provides the user interface to all Celerra components.
Data Mover — In a Celerra Network Server, a cabinet component running its own operating system that retrieves files from a storage device and makes them available to a network client. This is also referred to as a blade. A Data Mover is sometimes internally referred to as “DART” because DART is the software running on the platform.
Network Information Service (NIS) — Distributed data lookup service that shares user and system information across a network, including usernames, passwords, home directories, groups, hostnames, IP addresses, and netgroup definitions.
Detailed overview
Architecture
You can configure Control Station password complexity requirements with the /nas/sbin/nas_config CLI command. To do this, you must use either an interactive prompt or command line options. The Celerra Security Configuration Guide provides more details about this feature.
The password complexity policy is enforced through standard Linux pluggable authentication module (PAM) mechanisms. This feature uses widely available open-source PAM modules, and not custom modules. Password changes are logged to /var/log/secure on the Control Station.
The default values enforced in the new password policy are as follows:
• Minimum password length: Eight
• Minimum number of new characters (that is, those not in the previous password): Three
• Minimum number of digits: One
• Minimum number of special characters: Zero
• Minimum number of uppercase characters: Zero
• Minimum number of lowercase characters: Zero
• Number of attempts at setting the password before the operation fails: Three
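The defaults listed above can be used as a baseline when reviewing a PAM password rule. The following is an added example, not EMC code: it assumes the policy is expressed as pam_cracklib options (the paper does not name the module it uses), and the two sample rules are constructed.

```python
# Defaults listed in the white paper, as minimum required counts.
PAPER_DEFAULTS = {"min_length": 8, "min_new_chars": 3, "min_digits": 1,
                  "min_special": 0, "min_upper": 0, "min_lower": 0, "retries": 3}
# Assumption: the policy is carried by pam_cracklib options (not stated in the paper).
PLAIN_OPTS = {"minlen": "min_length", "difok": "min_new_chars", "retry": "retries"}
CREDIT_OPTS = {"dcredit": "min_digits", "ocredit": "min_special",
               "ucredit": "min_upper", "lcredit": "min_lower"}

def parse_pam_line(line):
    """Return {option: int} for a 'password ... pam_cracklib.so ...' rule, else None."""
    tokens = line.split("#", 1)[0].split()
    if not tokens or tokens[0].lstrip("-") != "password":
        return None
    for i, tok in enumerate(tokens):
        if tok.endswith("pam_cracklib.so"):
            opts = {}
            for arg in tokens[i + 1:]:
                key, sep, val = arg.partition("=")
                if sep and val.lstrip("+-").isdigit():
                    opts[key] = int(val)
            return opts
    return None

def audit(line, baseline=PAPER_DEFAULTS):
    """List the ways a PAM rule is weaker than, or silent about, the baseline."""
    opts = parse_pam_line(line)
    if opts is None:
        return ["no pam_cracklib password rule on this line"]
    findings = []
    for opt, name in {**PLAIN_OPTS, **CREDIT_OPTS}.items():
        if opt not in opts:
            findings.append(f"{name}: {opt} not set, module default applies")
            continue
        val = opts[opt]
        if opt in CREDIT_OPTS:
            if val > 0:  # positive credit shortens the effective minimum length
                findings.append(f"{name}: {opt}={val} grants length credit")
            val = max(0, -val)  # -N means at least N characters of the class
        if opt == "retry":
            if val != baseline[name]:
                findings.append(f"{name}: {val} differs from baseline {baseline[name]}")
        elif val < baseline[name]:
            findings.append(f"{name}: {val} is weaker than baseline {baseline[name]}")
    return findings

# Constructed sample rules, not taken from a Control Station.
COMPLIANT = ("password requisite pam_cracklib.so retry=3 minlen=8 difok=3 "
             "dcredit=-1 ucredit=0 lcredit=0 ocredit=0")
WEAK = "password required pam_cracklib.so retry=3 minlen=6 difok=3 dcredit=1"

if __name__ == "__main__":
    for rule in (COMPLIANT, WEAK):
        print(rule, "->", audit(rule) or "meets baseline")
```

Because the policy applies only when a password is changed, a rule that passes this check says nothing about passwords set before the rule was in place.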
Limitations
• The password complexity policy does not apply to Data Mover CIFS server local accounts or Control Station NIS/yp accounts. (The use of NIS/yp on the Control Station is not recommended.)
• The password complexity policy does not apply to a root user.
• The password complexity policy comes into effect only when a password is changed; changes to the policy do not retroactively apply to existing passwords.
• Celerra Manager does not support management of the password complexity policy in version 5.6. However, password complexity requirements apply to passwords set through Celerra Manager.
Compatibility with earlier releases
This functionality is contained within the Celerra on which it is configured, and it does not interact with other Celerras. Therefore, no compatibility concerns exist. Earlier releases use the authentication mechanisms supported in those releases.
Conclusion
The password complexity policy feature addresses a key business concern and significantly enhances Celerra security. It provides administrators with the tools required to protect their systems from unauthorized access.
References
Name: Celerra Security Configuration Guide
Type: Technical Publication
URL: See the Celerra Network Server Documentation CD Version 5.6
Audience: Customer
Technical Depth: High
Name: Celerra Network Server Command Reference Manual
Type: Technical Publication
URL: See the Celerra Network Server Documentation CD Version 5.6
Audience: Customer
Technical Depth: High
Name: nas_config man page
Type: Technical Publication (Help System)
URL: Run man nas_config on the CLI
Audience: Customer