Home > AS/400 Tips > iSeries security tips > Command line security considerations -- Part 1

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS Command line security considerations -- Part 1 Rich Loeber 06.14.2005 Rating: -4.20- (out of 5) Digg This!     StumbleUpon     Del.icio.us    When a user on your iSeries system signs on to a terminal session, he will be presented with a command line. Given enough security permissions, a user can do just about anything from that command line -- if he is inquisitive enough. This tip discusses several options for controlling what a user can do, and more importantly what he cannot do, when he is presented with a command line. [TABLE]			[IMAGE]

Controlling use of the command line begins with the way your user profile is set up -- specifically, the option to "Limit capabilities" (LMTCPB). That will define what, if any, controls the system imposes over use of the command line. Unfortunately, many systems just use the default "*NO" setting for this value and that leaves the command line wide open for use -- and abuse.

There are three possibilities for the LMTCPB parameter in the user profile:

But, your user says, "I need to be able to check my output reports using the WRKSPLF or WRKOUTQ command!" This is a common issue in some shops, but setting the LMTCPB for the user profile to *NO or *PARTIAL is not the answer. If a user needs to use a very limited set of OS/400 commands, the best w

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ay to solve that issue is by creating menu options for them to use. The user can continue to run the commands from the menu option with no problem.

One thing to also be careful about is the starting menu you present to your user. Again, the default that comes from IBM is to give your users access to the OS/400 MAIN menu in QSYS. This menu can easily lead an inquisitive user to options and capabilities that you don't want them seeing or using. Even by following the menu options, a user can easily get into areas where they just don't belong. Make sure you specify a starting menu that strictly limits where the user can go. Spend some time testing your menu structures to make sure they do not lead a user to capabilities that they should not be granted.

In Part II of this article, we'll take a look at how to effectively limit use of commands in OS/400 when you absolutely have to let users have access to the OS/400 command line.

If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.