IBM's Distributed Data Management (DDM) communications architecture has been around for a long time. Even if you've never heard of DDM, you DO have it installed on your iSeries, and you have probably used it. DDM runs over both SNA and TCP/IP connection protocols to provide record level access to the iSeries database files. It even allows the execution of remote commands to be executed on your iSeries.
When iSeries Access (Client Access) is installed on your PC, you are also installing the IBM DDM command set and configuration.
Let's consider an example. I installed iSeries Access, and now I go to a DOS prompt and type the command RMTCMD CRTLIB(MYLIBRARY). Depending on my security settings, I may be prompted to enter a UserID and Password. I enter that information, then DDM tells me that the "Library MYLIBRARY Created". Great. I can run remote commands from my PC to the iSeries. DDM is cool!
Now let's walk a few step farther. I am an end user of my company's accounting application. My user ID specifies LMTCPB(*YES). That means that my user profile has severe restrictions on commands I can run from an OS/400 command line, I can display my job using the DSPJOB command, and I can send messages using the SNDMSG command, but not much more. User profiles are configured this way for the purpose of limiting what commands can be entered on a command line, so end users can't just go wherever they want on the system. It's a very good plan for end-user profiles.
But watch out. As soon as you load iSeries Access on an end-user's desktop, DDM is there, too. Since this end user works on the accounting applications, the authority to update accounting data files is presumed. That unrestricted authority to the accounting database files when tied to DDM has DANGER written all over it.
DDM, as implemented on the iSeries, DOES NOT evaluate or respect the LMTCPB value specified in a user profile. So, even though OS/400 security says I cannot run commands from a command line, DDM says, "You can run whatever commands you're authorized to run."
So, as the accounting end user, I go to a DOS prompt and type "RMTCMD CLRPFM (GLLIB/GLMASTER)". I have just wiped out the GL Master file. DDM doesn't care.
To protect your system from this risk, you would be wise to implement a DDM access exit program that can scrutinize any DDM request coming into your iSeries and accept or reject the requested action. The capability to control DDM in this manner is not new; it has been there since day one of the AS/400, and before that on the System/38.
There are several exit program vendors that can supply this DDM control capability, as well as control other network access backdoors such as FTP and ODBC. I strongly suggest you evaluate the threats and make the best technical, and business, decision to control all these existing network backdoors. DDM is just one.
Security exit program vendors:
IBM's Systems Management Partner Group (Endorsed by IBM)
The Powertech Group (PowerLock Network Security)
About the author: Dan Riehl is president of The 400 School, the popular iSeries training company, and co-founder of The Powertech Group, one of the leading providers of iSeries security software.
- Limit files for DDM access
What should you do if you have a customer that uses DDM to read your files and they need to DDM orders to you, but you need to limit some files for DDM access? Security expert Carol Woodbury has some advice.
- Performing transfers between iSeries' using DDM files
Are you new to DDM and looking for help getting started using it? Search400.com expert Tim Granatir has some resources for you.
- Run queries over DDM files
Is it possible to create and run queries over DDM files? Search400.com expert John Brandt says no, but he offers an alternative.
This was first published in March 2003