If you're looking around for a security consultant who won't cost you too much, you might just already have one at your disposal hidden away in Operations Navigator (or iSeries Navigator, depending on your version of OS). This is in the form of a Security Wizard and the amount of analysis and information provided is pretty good, especially at the price.
The iSeries Security Wizard is a typical "wizard" function. It asks you a series of simple questions about the specific environment for your system. Then, based on your answers (and remember, as with any consultant, you have to be honest for the wizard to be effective), it will give you a series of recommendations. If you want, the Wizard will even implement the changes for you. If you have a version of OS/400 that is earlier than V5R1, the Wizard may not be available to you.
To get started with the Wizard, start up your copy of the Navigator. First, find your system and click on it to display the functions that are available to you. You should see an item called "Security". If you don't see this, then the necessary component of the Navigator is not installed on your PC and you'll need to do an update install to add the feature. You'll need your Client Access (or iSeries Access) install CD to do this.
Once you have the Security item displayed, just right click on it and select the "Configure" option. Depending on whether or not the Wizard has been run before, different options can be displayed at this point. If you have never run it before, it will take you through a series of simple questions about your system and how it is used. If you have already done this, it would be good to review your answers before continuing.
Once the basic set of questions have been answered, you can have the Wizard analyze your answers and check them against the way security is already configured on your iSeries-AS/400 box. A series of recommendations is then prepared for you. Your first time through, I'd advise against making any changes. In fact, the Wizard specifically will not make any changes to your QSECURITY setting since that can make a significant difference to how your system works and could be very disruptive if changed without proper planning and preparation.
The Wizard will bring up a series of screens with check boxes. Each item represents a security setting. Your current setting and IBM's recommended setting are shown side by side. To accept IBM's proposed change, just leave the check box in place. To cancel any change that has been set up, remove the check mark. If you're going to have the Wizard implement the changes, then make sure you check everything closely. You don't want any surprises when you're all done. Remember, you don't have to implement the changes right away.
As the Wizard continues, you will see a place where text reports can be generated and viewed. When I did this on my test/development system here, I was handed 17 pages of recommendations. I don't think I produce that much paper on a normal security audit for a paying customer. I saved the TXT files and then printed them after I was done. I found some things that are apparently fairly new in OS/400 security that I might actually want to implement now.
When I was done, I chose to put off implementing any changes automatically. Your first time through this process, I'd strongly recommend that you do the same. Study the printouts and see what changes you do want to consider. You may see several surprises, but then that's what a consultant is paid to do anyway.
If you don't have access to this feature in your Navigator, there is an on-line version of this Wizard available. This won't give you feedback on how your system is currently configured, but it will give you a lengthy report of recommended security setup information. Just point your browser to the following URL: http://www.redbooks.ibm.com/tstudio/secure1/advisor/secwiz.htm This will step you through the same series of questions as the Wizard and produce a printable Web page of recommendations.
If you have any questions about this tip, send me an e-mail and I'll do my best to answer. All e-mail messages will be responded to.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the AS/400 market.
================================== MORE INFORMATION ON THIS TOPIC ==================================
Standardized security setup across multiple systems
Nothing supports the popularity of the iSeries as much as the number of customers with multiple systems installed. For security officers, it can easily mean a lot of extra work keeping each system configured and setup for company security policies. While this can be a complex task, IBM has provided a little known capability in OS/400 for quite a while now that can help you to enforce standard security configuration setup rules across separate systems.
Securing users within OpsNav
One Search400.com member asks, "How do I secure users with what access they have within Operations Navigator?" Security expert Carol Woodbury talks about the options, and how it may be best to use a combination of three of these options.
Learning Guide: Simple steps to a secure iSeries
If you're a systems manager, chances are security is your top priority. With new security issues emerging on a daily basis, it can seem like you're swimming against the tide when trying to secure your system from both intentional and unintentional security breaches and threats. We've gathered some good security information in this to help you along your way. Consider it a security life preserver of sorts.
Top advice on securing your iSeries
Security expert Carol Woodbury answers questions on granting special authority, changing user authority, Sarbanes-Oxley regulations and more in these top expert Q&As.
This was first published in October 2004