Securing printed output


Rich Loeber
12.26.2006

In today's security-conscious environment, most System i shops have already locked down their systems. Object-level security is locked down and users are classified as to what they can and cannot do when they are logged onto the system. But securing files is only part of the problem. If a user can't look at a file, but they can look at processed output sitting in a print spool file, then your hard work of locking up the files is for naught.

There are several things you can do to control spool viewing. For starters, review your user profiles to see which users have the special authority of *SPLCTL or *JOBCTL. Both of these special authorities can give a user access to spool files. Only security officers and system operators should have these authorities. In a smaller shop, this might also extend to your programmers but not always. Generally speaking, most users should not be given these authorities unless they absolutely must manage their own print spool files and job controls. As a first step, these authorities should be limited as much as possible, especially the *SPLCTL authority because it is not subject to any restrictions and allows the user access to all spool files on your system.

Output spool files are special objects on your system and are not, per se, created with standard OS security controls. The way you can control security on spool files is through the way your output queues are set up and authorized. If you have output reports with sensitive information, you can control who can see them by the output queue where the report is stored. Output queues are created using the CRTOUTQ (Create Output Queue) command and they can be changed using the CHGOUTQ (Change Output Queue) command. You can view the way an output queue is configured with the WRKOUTQD (Work with Output Queue Description) command.

The user profile that creates the report can always view it and control it. Sensitive reports should be created using a restrictive user profile to prevent widespread use of the spool file. To impose even stricter security, there are several parameters you can set when you create an output queue that will provide more control:

DSPDTA: Helps to protect the contents of spool files by defining who can display, copy, move or send a spool file in the output queue

AUTCHK: Defines what authority is needed to change or delete a spool file

OPRCTL: Defines whether a user profile with *JOBCTL authority can work with spool files in the output queue.

Using these three parameters, you can impose very restrictive access controls to spool files associated with an output queue. There is a good chart in the Security Reference guide that shows how the three parameters work together. If you have never given this concept much thought, you should conduct a thorough review of how your current output queues are set up to make sure that they conform to your company's security policies already in place.
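
The review and lock-down steps described above, written out as CL commands. This is an added example, not part of the original tip; the library SECLIB and output queue PAYROLLQ are hypothetical names, and the parameter values shown are one restrictive choice, not the only valid one.

```cl
/* Added example. SECLIB and PAYROLLQ are hypothetical names.        */

/* 1. Report every user profile that holds *SPLCTL or *JOBCTL so the */
/*    list can be trimmed to security officers and operators.        */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*SPLCTL *JOBCTL)

/* 2. Create an output queue for sensitive reports.                  */
/*    DSPDTA(*OWNER): only the owner of a spool file (or a *SPLCTL   */
/*                    user) can display, copy or send it.            */
/*    AUTCHK(*OWNER): changing or deleting another user's spool file */
/*                    requires ownership of the output queue.        */
/*    OPRCTL(*NO)   : *JOBCTL alone gives no access to this queue.   */
/*    AUT(*EXCLUDE) : *PUBLIC has no authority to the queue object.  */
CRTOUTQ OUTQ(SECLIB/PAYROLLQ) +
        DSPDTA(*OWNER) +
        AUTCHK(*OWNER) +
        OPRCTL(*NO) +
        AUT(*EXCLUDE) +
        TEXT('Sensitive payroll reports')

/* 3. Tighten a queue that already exists instead of recreating it.  */
CHGOUTQ OUTQ(SECLIB/PAYROLLQ) +
        DSPDTA(*OWNER) +
        AUTCHK(*OWNER) +
        OPRCTL(*NO)
GRTOBJAUT OBJ(SECLIB/PAYROLLQ) OBJTYPE(*OUTQ) +
          USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. Verify the result: queue attributes, then object authorities.  */
WRKOUTQD OUTQ(SECLIB/PAYROLLQ)
DSPOBJAUT OBJ(SECLIB/PAYROLLQ) OBJTYPE(*OUTQ)
```

For comparison, a queue created with CRTOUTQ and no security parameters gets OPRCTL(*YES) and public *USE authority, so existing queues that hold sensitive reports are the ones to check first.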

If you have specific questions about this topic, email me at rich@kisco.com. All email messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

