If you are running your i5-iSeries-AS/400 system at security level 30 or lower, think again. You could be at greater risk than you think. Your system could be compromised through the use of something called "Default Sign-on."
When the AS/400 was first shipped back in 1988, all systems were delivered with the system security level set to 10. At that level, no passwords were required and anyone could do anything on the system. IBM figured out pretty quickly that was not the best way to secure the system, and they changed the default level to 20. Over the years, the default has moved up to where it is now shipped at level 40. For customers who have grown up with the system, however, you may find yourself still set at the lower levels.
While looking through my latest copy of the OS/400 security resource manual (I know, I need to get a life), I came upon a description of "Default Sign-on." Apparently, it is possible through the use of the subsystem description, job description and workstation entry to create an environment where you can sign on to your system under a default user profile without having to provide a password. If your system is at security level 20, there is no trace at all when this happens. If it's at level 30 and security auditing is active, then at least an AF entry is left in the security journal to advise you that this is going on.
At security level 40, this kind of configuration is not allowed. So, the easiest way to make sure this is not going on at your system is to check and make sure that your QSECURITY system value is at level 40 or higher. If you're going to make a change, do your homework first to make sure you don't shoot yourself in the foot. The OS/400 security manual has a section in it about tasks that need to be considered when moving to a higher security level.
Since using Default Sign-on is such a bad idea, I am not going to describe to you how to set it up. If you want to check on it, however, examine the job descriptions on your system and make sure that the active job descriptions all have the User Profile (USER) parameter set to *RQD. That will guarantee that Default Sign-on is not active on your system.
This situation is not only a poster child for security level 40 and higher, it also reinforces the idea that only a limited number of user profiles should have access to the commands to create and maintain subsystem descriptions, job descriptions and workstation entries. There is a fairly small set of OS/400 commands used for this purpose. It would be a very good idea for you to make sure that the *PUBLIC authority for these are all set to *EXCLUDE. They are shipped from the factory with *USE. Make sure, however, you leave room for your security officer(s) to have access to those commands.
If you have any specific questions about this topic, you can reach me at firstname.lastname@example.org, I'll try to answer your questions. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.