A security no-brainer: Analyze default passwords

Dan Riehl

The iSeries system administrator has plenty to do without looking for new ways to spend the day. But I want to encourage you to take just a few minutes out of your week to check on something that is critical to maintaining the security of the system.

IBM has provided a nice set of system security tools within the SECTOOLS Menu. You can access this menu using the command GO SECTOOLS. With this menu you can do the following:

• Analyze default passwords
• Display active profile list
• Change active profile list
• Analyze profile activity
• Display activation schedule
• Change activation schedule entry
• Display expiration schedule
• Change expiration schedule entry

The menu has many more pages of options than those. If you're not familiar with the SECTOOLS menu, you should check it out. It is full of functions and features to help secure your system. When you reach the menu, you can press F1(Help) to see an overview of all the features.

The checkup that should be performed regularly is Option 1 from the SECTOOLS Menu (Analyze default passwords). Selecting this option will print a list of all User Profiles in which the Password exactly matches the name of the user profile. For example, a user profile JSMITH that is listed on this report has a matching password of JSMITH. This is truly an unacceptable situation.

After you initially install an iSeries machine, a user Profile name should never match the password. The danger in having a password that matches the user profile name is that the password is too easy to guess. And that leaves your system open to intruders.

Shown in figure 2 is a sample report generated by selecting this option.

Figure 2: ANZDFTPWD Report

                User profiles with default passwords         Page     1
5769SS1 V4R5M0  000526                         MYSYSTEM   01/17/02  06:53:13
Action taken against profiles  . . . . . . :   *NONE
User
Profile        STATUS         PWDEXP     Text
DCXCADM        *ENABLED        *NO       Billy Singer
DCXCCAO        *DISABLED       *NO       Barrel Butcher
DCXCCAS        *ENABLED        *NO       Charly Stanley
DCXCCMK        *DISABLED       *NO       Frank N. Stein
DCYCCTM        *ENABLED        *NO       T. Fortoo
DCYCDKK        *DISABLED       *NO       D.B. Cooper
EFFCDMB        *ENABLED        *NO       Busy Bees
EFFCGIM        *DISABLED       *NO       Chip N. Dip
EFFCJJD        *ENABLED        *NO       Cheese Man
FHHCJJW        *DISABLED       *NO       Noel Inhere
FHHCJMG        *DISABLED       *NO       K. Salmon
FHHCKMG        *DISABLED       *NO       A. Lincoln
QSYSOPR        *ENABLED        *NO       System Operator 
QUSER          *ENABLED        *NO       QUSER  
                                                                   More...

In the report, the profile name, status and password expiration information is provided for each profile that has a matching password. This can be a really scary list, as in this case. We see that several profile names match the password, and further that several of these profiles are enabled for use. Another area of great concern is that two of the IBM-supplied user profiles QSYSOPR and QUSER have matching passwords, and they are enabled for use. The names of the IBM-supplied user profiles are well known, and they are among the first to be tried by those who would intend to break in to your system.

The ANZFTPPWD command When you select option 1 from the SECTOOLS menu, the system runs the CL command ANZDFTPWD (Analyze default passwords). Using the command you can specify an action to be taken against offending profiles. For example, you can specify that the profiles are to be disabled (i.e. the user cannot sign on) or that you want to set the password to an expired state (i.e. the user must assign a new password next time they sign on).

If you want to schedule this report to run automatically each week, you can add an entry to your job scheduler to run the command ANZDFTPWD with the selected options. As in ANZDFTPWD ACTION(*PWDEXP). This will run the report for you and will set all default passwords to an expired state.

So, it's really easy. Make a resolution that every week you will take a few minutes to run or view the Default Password report.

----------------------------------
About the author: Dan Riehl is president of The 400 School, the popular iSeries training company, and co-founder of The Powertech Group, one of the leading providers of iSeries security software.

==================================
MORE INFORMATION
==================================

• Business security begins with a strong password policy
  A sound password policy alone won't guarantee your company's security, but you have little chance without one.
• Is it possible to have a bulletproof password?
  Probably not, but there are certain steps you can take to improve use of them and better prevent intrusions.
• Secure powerful profiles
  Search400.com member Kim Kuras provides some tips and hints for creating secure passwords in this Tip of the Month winner.