Home > AS/400 Tips > iSeries security tips > Default Sign-on a hidden security risk for your iSeries

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS Default Sign-on a hidden security risk for your iSeries Rich Loeber 09.06.2005 Rating: -4.00- (out of 5) Digg This!     StumbleUpon     Del.icio.us    If you are running your i5-iSeries-AS/400 system at security level 30 or lower, think again. You could be at greater risk than you think. Your system could be compromised through the use of something called "Default Sign-on." When the AS/400 was first shipped back in 1988, all systems were delivered with the system security level set to 10. At that level, no passwords were required and anyone could do anything on the system. IBM figured out pretty quickly that was not the best way to secure the system, and they changed the default level to 20. Over the years, the default has moved up to where it is now shipped at level 40. For customers who have grown up with the system, however, you may find yourself still set at the lower levels. While looking through my latest copy of the OS/400 security resource manual (I know, I need to get a life), I came upon a description of "Default Sign-on." Apparently, it is possible through the use of the subsystem description, job description and workstation entry to create an environment where you can sign on to your system under a default user profile without having to provide a password. If your system is at security level 20, there is no trace at all when this happens. If it's at level 30 and security auditing is active, then at least an AF entry is left in the security journal to advise you that this is going on. [TABLE]			[IMAGE]

At security level 40, this kind of configuration is not allowed. So, the easiest way to make sure this is not going on at your

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions iSeries security tips Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

system is to check and make sure that your QSECURITY system value is at level 40 or higher. If you're going to make a change, do your homework first to make sure you don't shoot yourself in the foot. The OS/400 security manual has a section in it about tasks that need to be considered when moving to a higher security level.

Since using Default Sign-on is such a bad idea, I am not going to describe to you how to set it up. If you want to check on it, however, examine the job descriptions on your system and make sure that the active job descriptions all have the User Profile (USER) parameter set to *RQD. That will guarantee that Default Sign-on is not active on your system.

This situation is not only a poster child for security level 40 and higher, it also reinforces the idea that only a limited number of user profiles should have access to the commands to create and maintain subsystem descriptions, job descriptions and workstation entries. There is a fairly small set of OS/400 commands used for this purpose. It would be a very good idea for you to make sure that the *PUBLIC authority for these are all set to *EXCLUDE. They are shipped from the factory with *USE. Make sure, however, you leave room for your security officer(s) to have access to those commands.

If you have any specific questions about this topic, you can reach me at rich@kisco.com, I'll try to answer your questions. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.