When you install Client Access, you can choose not to load the data transfer function to certain PC's. This would be safer than deleting individual executable files as it is supported by IBM. However, if your goal is to prevent PC users from transferring data to and from the AS/400 or iSeries, disabling Client Access on the PC is not nearly a complete solution. Our experience is that PC's can and do contain lots of software that is not loaded or sanctioned by the IT folks. In addition to Client Access's file transfer, there is also the default FTP client that comes shipped with Windows, as well as a host of ODBC drivers that can be loaded from any number of software packages (or directly downloaded from the Internet). For these reasons alone it is better to secure access at the host, instead of trying to secure 300 far-flung PC's. You can secure at the host either through the detailed use of Object Level Security (Where User and Group Profiles are regulated by strict access rules for each object on the system), or through the use of Exit Programs (where access to Client Access's data transfer and other servers are regulated on the AS/400 or iSeries), or better still through a sensible combination of both of these methods. But before set out to write exit programs, investigate the packages that are on the market already, they are not trivial to write, and there are a number of pre-packaged solutions that you can take advantage of.
================================== MORE INFORMATION ON THIS TOPIC ==================================
The Best Web Links: tips, tutorials and more.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Search400's targeted search engine: Get relevant information on security.
This was first published in December 2001