Like most modern systems, the iSeries-AS/400 requires a user profile and password before you can log on and use the system. You might think that this simple requirement would always ensure that only authorized users will have access to your system. But, with the proliferation of PCs, it is not always that simple.
In the old days, we used to have devices that are now called "dumb terminals". To use the system, you'd log on to the sign-on screen and when you were done, you'd log off. You could tell by looking at the screen whether the session was active or not. If the sign-on screen was displayed, then the session was inactive.
With PCs and Client Access/400 or iSeries Access installed, it is not always that clear (I'll refer to these collectively as Client Access for this article). The first time you log into the system for the day, there is a Client Access logon that establishes the connection from the PC to your host system. Then there may or may not be another logon for your terminal session. If you have your PC set up to bypass terminal sign-on to the host, there is no second sign-on process. Once your connection to the host system has been established, the only way to break it is to either log off from Windows altogether or reboot your PC.
There are a couple of potential problems with this configuration. It makes working with your system a lot easier, just as leaving the keys in your car makes getting going a lot easier, but you wouldn't want to do it on a regular basis.
If you are using bypass sign-on, once your initial connection has been established, anyone can come by, start up your terminal emulation session and gain access to your system without knowing either your user profile or your password. If you're a programmer or a systems administrator, that can be a significant exposure, because you will probably have very generous access rights to objects on your system. If your PC is located in a public or semi-public setting, you should think twice about having this setup.
Another exposure, which can happen when you leave a terminal session active, is that anyone can come along and use the Client Access upload or download functions to gain access to your system, again without knowing your user profile or password. If you have any virtual drives mapped to your host, those could also be compromised by someone using your PC without your knowledge or approval.
One simple solution is to activate your PC's screen saver with a password requirement to unlock the keyboard when it goes into screen saver mode. That way, if you go for coffee and get delayed by a dumb question from the boss, the screen saver will kick in and protect your system in your absence. The problem comes with the user PCs that you, as security officer, are responsible for. Each user can probably reset their own screen saver settings, thereby defeating this important additional security measure. A periodic inspection of all PCs installed in public and semi-public settings for these exposures would probably be a good idea.
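The periodic inspection suggested above can be scripted rather than done by walking around. The following PowerShell script is an added example, not code from the original tip or from Kisco Information Systems: it reads the Windows screen saver settings (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut under the user's Control Panel\Desktop registry key, and the matching Group Policy key when one exists) and reports whether the PC will lock itself after the assumed idle limit. The 10-minute limit and the audit share path are assumptions for the example.

```powershell
# Added example (not part of the original article): audit the Windows screen saver
# settings that this tip recommends and flag PCs where a user has turned them off.
# Assumptions: Windows with PowerShell, run under the user's own account (for
# example from a logon script); the policy key exists only when Group Policy sets it.

$userKey   = 'HKCU:\Control Panel\Desktop'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$maxIdleSeconds = 600   # assumed site standard: lock after 10 minutes of idle time

function Get-ScreenSaverSetting {
    param([string]$Name)
    # A Group Policy value, when present, overrides the user's own setting.
    foreach ($key in @($policyKey, $userKey)) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$Name) { return [string]$item.$Name }
        }
    }
    return $null
}

function Test-ScreenSaverLock {
    $findings = @()
    if ((Get-ScreenSaverSetting 'ScreenSaveActive') -ne '1') {
        $findings += 'Screen saver is not enabled'
    }
    if ((Get-ScreenSaverSetting 'ScreenSaverIsSecure') -ne '1') {
        $findings += 'Screen saver does not require a password on resume'
    }
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'
    if (-not $timeout -or [int]$timeout -gt $maxIdleSeconds) {
        $findings += "Idle timeout is '$timeout' seconds (limit $maxIdleSeconds)"
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        User      = $env:USERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Append one line per PC to a share the security officer reviews (path is assumed).
$result = Test-ScreenSaverLock
$result | Format-List
$result | Export-Csv -Path '\\fileserver\audit\screensaver.csv' -Append -NoTypeInformation
```

Running this from a logon script gives you a CSV with one row per PC and user, so the non-compliant machines in public areas stand out without a walk-through. Because the script reads the policy key first, it also shows whether the setting is enforced centrally or merely left to the user, which is the case the tip warns about.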
If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is email@example.com.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.
================================== MORE INFORMATION ON THIS TOPIC ==================================

Changing the password level
A user wanted to change password level (QPWDLVL) from level 0 to level 2, but he wasn't sure of the best way to do this. Security expert Carol Woodbury was on hand with some advice.
Four tools for controlling user profiles
Even if you put procedures in place to control the users who are coming and going in your organization, chances are something will go wrong. How can you tell if all your profiles are what you want them to be? This tip discusses four command line tools that will give you as much information as you can digest about the security situation on your iSeries.
The importance of testing user profiles
When you first started working as a security officer or in the security group of your iSeries shop, you most likely learned a lot of principles about testing. Don't forget those principles in your current position. Security testing is just as important as application testing. In this tip we'll take a look at testing your user profiles.
Get better control over user profiles
Every iSeries shop has the potential to have active user profiles on the system for users who have left the company. Unless your personnel department is extra careful about global notifications when people leave, you may have a security exposure that you don't even know about. But you can, if you're careful about setting up user profiles, take care of this problem when new profiles are created.
This was first published in August 2004