ISERIES SECURITY TIPS

Are your terminal sessions secure?


Rich Loeber
08.10.2004

Like most modern systems, the iSeries-AS/400 requires a user profile and password before you can log on and use the system. You might think that this simple requirement would always ensure that only authorized users will have access to your system. But, with the proliferation of PCs, it is not always that simple.

In the old days, we used to have devices that are now called "dumb terminals". To use the system, you'd log on to the sign-on screen and when you were done, you'd log off. You could tell by looking at the screen whether the session was active or not. If the sign-on screen was displayed, then the session was inactive.

With PCs and Client Access/400 or iSeries Access installed, it is not always that clear (I'll refer to these collectively as Client Access for this article). The first time you log on to the system for the day, there is a Client Access logon that establishes the connection from the PC to your host system. Then there may or may not be another logon for your terminal session. If your PC is set up to bypass terminal signon to the host, there will be no second signon. Once your connection to the host has been established, the only way to break it is to log off from Windows altogether or reboot the PC.

There are a couple of potential problems with this configuration. It makes working with your system a lot easier, but so does leaving the keys in your car, and you wouldn't want to do that on a regular basis.

If you are using bypass signon, once your initial connection has been established, anyone can walk up, start your terminal emulation session and gain access to your system without knowing either your user profile or your password. If you are a programmer or a systems administrator, that could be a significant exposure, because you will probably have very generous access rights to objects on your system. If your PC is located in a public or semi-public setting, you should think twice about this setup.

Another exposure, which arises whenever you leave a terminal session active, is that anyone can come along and use the Client Access upload or download functions to get at your system, again without knowing your user profile or password. If you have any virtual drives mapped to your host, those could also be compromised by someone using your PC without your knowledge or approval.

One simple solution is to activate your PC's screen saver with a password requirement to unlock the keyboard when it goes into screen saver mode. That way, if you go for coffee and get delayed by a dumb question from the boss, the screen saver will kick in and protect your system in your absence. The problem is the user PCs that you, as security officer, are responsible for: each user can probably reset their own screen saver settings, thereby defeating this important additional security measure. A periodic inspection of all PCs installed in public and semi-public settings for these exposures would probably be a good idea.
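As an added example (not part of the original tip), here is a PowerShell audit script a security officer could run on the shared PCs to check whether the password-protected screen saver is actually in force, and whether it is pinned by policy so the user cannot switch it off again. It assumes the standard Windows registry locations for these settings; the ten-minute timeout threshold is a constructed value.

```powershell
# Added example: audit the screen saver lock on a Windows PC running Client Access.
# Assumes the standard user and policy registry keys; MaxTimeoutSeconds is a
# constructed threshold, not a value from the tip.
$UserKey   = 'HKCU:\Control Panel\Desktop'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeoutSeconds = 600   # constructed threshold: lock within 10 minutes

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-ScreenSaverState {
    # Policy values, when present, override the user's own preferences,
    # so read the policy key first and fall back to the user key.
    $state = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $value = Get-RegValue $PolicyKey $name
        if ($null -eq $value) { $value = Get-RegValue $UserKey $name }
        $state[$name] = $value
    }
    $state['PolicyEnforced'] = ($null -ne (Get-RegValue $PolicyKey 'ScreenSaverIsSecure'))
    return $state
}

function Test-ScreenSaverLock {
    param([hashtable]$State)
    $findings = @()
    if ($State.ScreenSaveActive -ne '1')    { $findings += 'screen saver is disabled' }
    if ($State.ScreenSaverIsSecure -ne '1') { $findings += 'screen saver does not require a password' }
    if (-not $State.ScreenSaveTimeOut -or [int]$State.ScreenSaveTimeOut -gt $MaxTimeoutSeconds) {
        $findings += "timeout is '$($State.ScreenSaveTimeOut)' s, over the $MaxTimeoutSeconds s limit"
    }
    if (-not $State.PolicyEnforced) {
        # Without a policy value the user can simply switch the lock off again.
        $findings += 'lock is user-controlled, not enforced by policy'
    }
    return $findings
}

$findings = Test-ScreenSaverLock (Get-ScreenSaverState)
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): screen saver lock is enforced"
} else {
    $findings | ForEach-Object { Write-Output "$($env:COMPUTERNAME): FINDING - $_" }
}
```

The script only checks the PC side of the exposure; on the host, the QRMTSIGN system value decides whether bypass signon is permitted at all.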

If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is rich@kisco.com.


Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.
