Home > AS/400 Tips > iSeries security tips > Are all of your System i (iSeries) doors closed? -- part 1

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS Are all of your System i (iSeries) doors closed? -- part 1 Rich Loeber 10.03.2006 Rating: -4.33- (out of 5) Digg This!     StumbleUpon     Del.icio.us    [TABLE]Living in a remote area, a lot of people near us like to leave their doors unlocked for convenience sake. Most of the time this is OK, but occasionally it gets someone into trouble. A recent local incident got me thinking about all the doors that can be used to enter the System i and I wanted to take some time to explore this today. My wife and I live in the middle of the Adirondack Park, a six million acre state park in upstate New York (think "about the size of Massachusetts"). This area houses a year round population of just over 130,000 people. As you might imagine, with that population density, security is not a big issue. Recently, there was a burglary in the town where my office is located. Someone walked into the back door of a shop and helped themselves to money in the cash register and then slipped back out without being seen. This got me to thinking about security on the System i and how a similar situation might easily exist at many shops where doors are left open. [TABLE]			[IMAGE]

In the "old" days, the only door you had to be concerned about was the computer terminal. These terminal were placed in public places and protected by user profiles and passwords. In order for someone to sneak in, they'd have to be pretty bold and they'd have to know a profile/password pair. Today, the user profile/password continues to be a primary locking mechanism for your system. That said, this continues to be your first line of defense.

Keeping your user profile list current is probably one of the most important tasks you can do. Some critical things to remember include enforcing periodic and regular password changes, deactivating and even deleting old profiles for people who are no longer employed there and only providing the level of access permissions t

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions iSeries physical security Time for a security checkup for your i Recovering your AS/400 security configuration A guide to System i security, part 2: Landing and establishing access A guide to System i security: Descending into the heart of darkness of IT security Learning guide: Steps to a secure System i Securing printed output 12 security tips in 12 minutes Can you trust all those trigger programs? Learning guide: Simple steps to a secure iSeries Creating your iSeries security policy

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

hat a profile needs. That's pretty simplistic, but remember that you're handing out keys to the doors of your system. You want to limit the number of keys in circulation, and you don't want everyone to have a master key. Also, you need to make sure that there are no default passwords active on your system, including passwords for well-known third-party software packages. The system will watch the doors for you, but if there is no control over the keys, what's the use?

Assuming that you have your keys under control, then you need to also take a look at all of the doors that are on a modern System i server these days. The days of only needing to control terminals is long gone. Today, you need to be concerned about the FTP door, the Telnet door, the Remote Execution door, the ODBC door, the SQL door, the iSeries Access door and on and on.

For some of these doors, you can easily control access by removing the door altogether. If your shop does not use FTP on a regular basis, then don't leave the FTP door in place. On most systems that I work on, I find the FTP server up and running by default. It is a simple matter to turn it off with the command: ENDTCPSVR *FTP, and to use the Change FTP Attributes (CHGFTPA) command to set the AUTOSTART parameter to *NO so that it doesn't restart with every IPL. If you occasionally use FTP, you can start and stop it as needed using the STRTCPSVR and ENDTCPSVR commands. With this approach, you not only lock the FTP door, you remove it from your system. If the door isn't there, it can't be opened.

Other servers can be handled this way too. These include the Trivial FTP server, the TCP/IP DDM server and the Remote Execution server to name a few. If your system has these servers active, each one represents another door that can be used to access your system. If you're not using these server functions, then remove the doors.

The easy way to check on these is to go to the operating system Configure TCP/IP menu (CFGTCP) and run option #20. Check each of the displayed server functions and see how the AUTOSTART parameter is set. If you don't have any applications using these servers, then remove these doors to your system. The fewer doors that are on your system the tighter your security will be.

This covers only some of the doors into your system. Next time around, I'll address some of the doors that are a little more difficult to keep locked.

If you have specific questions about this topic, email me at rich@kisco.com. All email messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.