V5R1's new way of locking down FTP


Joe Hertvik
09.05.2001

OS/400 FTP has always been both a blessing and a curse on the iSeries. It's a blessing because it enables you to easily move files between OS/400 and other operating systems, such as Microsoft Windows, Unix and Linux. It's a curse because -- in the wrong hands (i.e., hackers or irresponsible people who sign on with OS/400 administrative authority) -- FTP can also allow users to delete file members or libraries and to launch commands on your iSeries or AS/400 box.

With OS/400 V5R1 and Client Access Express for Windows V5R1, IBM has provided new Operations Navigator-based FTP application settings that help fill those holes. These settings work by creating lists to allow or deny FTP access for specific OS/400 users or groups. You can find these new settings inside the Application Administration dialogue in the OpsNav program that comes with Express client V5R1. Here's how to use them to lock down V5R1 FTP users.

  1. Open OpsNav V5R1 and right-click on the icon representing your OS/400 V5R1 machine. On the pop-up menu that appears, select the Application Administration option. (You must be signed on as a user with *IOSYSCFG authority to alter application settings.)
  2. On the Application Administration dialogue that displays, click on the Host Applications tab. This displays several OS/400 V5R1 functions that you can limit or allow users to access, including an option for controlling certain features of the AS/400 TCP/IP utilities.
  3. Open the AS/400 TCP/IP Utilities node, and you'll see that IBM has added a sub-tree of options for the File Transfer Protocol (FTP). Access these options by opening the FTP Client or FTP Server nodes.
  4. For OS/400 FTP client sessions, you can allow or restrict signed-on users from doing the following:

       - initiating an FTP session with an FTP server (initiate session);
       - using the Local Change Directory (LCD) sub-command to change the default FTP directory location;
       - running CL commands using the System Command (SYSCMD) sub-command;
       - receiving files to your iSeries by using the FTP GET and MGET sub-commands;
       - sending OS/400 files to another host by using the FTP PUT, MPUT, or APPEND sub-commands.

     By default, those options are enabled for Default Users (those whose user authorities are not explicitly covered under another setting) and for users with all object system privileges. However, you can customize your list by highlighting one of the FTP capabilities you want to change on the Application Administration dialogue and pressing the Customize button.
  5. Pressing the Customize button brings up a Customize Access screen for that particular OS/400 function. On this screen, you can add specific user profiles or user groups to an Access Allowed list or an Access Denied list and save your changes. OS/400 will then consult those lists when a user requests the specified function and allow or deny access based on the settings you entered.

    The functions on this screen are fairly self-explanatory, but there is a catch. User access validation is modified if you have checked the 'Users with all system privilege' check box in the dialogue. This check box enables user profiles with All Object (*ALLOBJ) authority to continue using the function -- even if an OS/400 system administrator has explicitly added them to the Access Denied list. In other words, *ALLOBJ authority trumps individual settings in controlling FTP capabilities. Also, if you haven't explicitly listed a user in the Access Allowed or Access Denied list, they will still be able to use a specific FTP function if the Default Access checkbox is checked on this screen. So check those two settings in addition to your Access Allowed or Access Denied lists for an FTP function.

  6. Once you save your settings for an FTP function, OS/400 immediately starts using your lists to verify FTP capabilities by user profile or user group.
  7. In addition to setting capabilities for FTP client functions (where an OS/400 user or program initiates an FTP session with another machine, i.e., your iSeries is the FTP client), the Application Administration dialogue allows you to limit what outside FTP client users can do when they initiate an FTP session using your OS/400 machine as an FTP server.

    OS/400 FTP server capabilities can also be limited through the Application Administration and Customize Access dialogues. You can restrict the following capabilities:

       - logging on to an iSeries as an FTP server (logon server);
       - using the Change Working Directory (CWD or CD) sub-command to transfer files out of OS/400 directories other than the default directory;
       - using the Remote Command (RCMD) sub-command to launch OS/400 commands on your server;
       - creating or deleting directories or libraries (the MKDIR and RMDIR sub-commands);
       - deleting, listing, receiving, renaming, or sending files through various FTP commands.
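
The catch described in step 5 is easy to miss when reviewing settings, so here is a small Python model of the access decision, added as an illustration (it is not IBM code and does not read anything from a real system). The profile names, list contents and the choice to check a profile's own entry before its groups are assumptions; the *ALLOBJ override and the Default Access fallback follow the description above.

```python
from dataclasses import dataclass, field

@dataclass
class FunctionSetting:
    """One FTP function's Customize Access settings (modelled, not read from a system)."""
    name: str
    default_access: bool = True   # 'Default Access' check box
    allobj_access: bool = True    # 'Users with all system privilege' check box
    allowed: set = field(default_factory=set)   # Access Allowed list
    denied: set = field(default_factory=set)    # Access Denied list

@dataclass
class Profile:
    name: str
    groups: tuple = ()
    allobj: bool = False          # profile holds *ALLOBJ special authority

def can_use(fn, user):
    """Return (decision, reason) for one profile and one function."""
    # The catch from step 5: *ALLOBJ wins even over an Access Denied entry.
    if user.allobj and fn.allobj_access:
        return True, "*ALLOBJ override"
    # Assumption: the profile's own entry is checked before its groups.
    for ident in (user.name, *user.groups):
        if ident in fn.denied:
            return False, "denied: " + ident
        if ident in fn.allowed:
            return True, "allowed: " + ident
    # Not listed anywhere: the Default Access check box decides.
    return fn.default_access, "default access"

def ineffective_denials(fn, profiles):
    """Profiles that match the Access Denied list yet still get the function."""
    return [p.name for p in profiles
            if fn.denied & {p.name, *p.groups} and can_use(fn, p)[0]]

# Constructed sample data: profile names and list contents are illustrative.
PROFILES = [
    Profile("SECADMIN", allobj=True),
    Profile("JSMITH", groups=("DEVGRP",)),
    Profile("BATCHFTP"),
    Profile("GUEST"),
]
RCMD = FunctionSetting("FTP server RCMD", allowed={"BATCHFTP"},
                       denied={"SECADMIN", "DEVGRP"})

if __name__ == "__main__":
    for p in PROFILES:
        print(RCMD.name, p.name, can_use(RCMD, p))
    print("denied but still allowed:", ineffective_denials(RCMD, PROFILES))
```

With both check boxes left at their defaults, the deny entry for SECADMIN has no effect and the unlisted GUEST profile still gets RCMD; clearing both check boxes in the model closes those two paths.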

So if you're on OS/400 V5R1 and you're using Express client V5R1, IBM has given you an easy way to further lock down your OS/400 FTP capabilities.

-------------------------------------
About the author: Joe Hertvik is an IT consultant and freelance writer who specializes in middleware, network infrastructure, and iSeries issues. Joe can be reached at hertvik@home.com.

All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy