No matter how good your office procedures are for setting up, enabling, disabling and removing users from your system, there is always room for error. There is nothing like a quick check of your user profile base to help keep your user profiles in good order. The user profile is a key that lets people into your system and keeping the keys in order is, or should be, a primary obligation of your security controls.
For many of us who have been doing this for a while, the quick review takes the form of a session with the WRKUSRPRF command using the *ALL option. But this is a tedious process at best, and you can easily miss something important this way. The ideal would be to get the user profile information organized into various views to focus in on the myriad aspects of security that exist in today's iSeries-AS/400 world.
Fortunately, OS/400 contains a facility to help you with this. The command "Print User Profile" (PRTUSRPRF) has the ability to generate up to four different format reports that will organize your user profile information base to give you a good overview. The report information for the four different reports concentrate on the following:
- Authority type information
- Environment type information
- Password type information
- Password level type information (V5R1 and higher only)
The command has up to four parameters to control the information presented on the listings. Some of these parameters are context-sensitive and will not always be prompted depending on other values you enter. In addition to indicating which of the four report formats you want, you can also narrow your selection of the specific user profiles to be included, thereby letting you analyze like profiles together. These selection options let you limit the reports to only users with specific special authority settings and users for specific user classes. You will probably want to start by specifying all users, but if you're in a very large shop, that may produce too much information for you to be able to focus in on.
The four reports, however, are the key to using this tool effectively. The report on authority type information shows each selected profile along with a reference to any group profile or supplemental groups to which the profile belongs. Then the special authorities in effect for the user are shown along with their user class, the user profile object ownership setting and other object ownership related information. A quick scan of this report can quickly show you users that are categorized in an incorrect group, users who are in a group that gives them more access rights than you really intend and many other options.
The report on environment type information presents a different report format. This report focuses in on the job execution environment in place for each user profile. These things include the current library, initial menu/library, default job description and other settings that control how jobs run by each user profile will be setup by your system. This report lets you do a quick audit of user profiles to make sure that they are set up for just the work they should be doing and no more.
The third report produces password type information. This report lists the current enabled/disabled status of each profile, the current number of invalid sign-on attempts, the last sign-on, when their password was last changed and more information that will help with administration of password controls. In preparing this article, I discovered some unusual values on this report that seemed to indicate someone attempting to gain access to our test system via Telnet using the QSRV and QSYSOPR user profiles. Both profiles were disabled and the not-valid sign-on attempts were at the maximum. Since nobody uses these profiles in our shop, I can only conclude that an illegal sign-on attempt was made for both of these. Fortunately, it appears that these attempts failed, since we do not have the default passwords still active for any of the IBM supplied 'Q' user profiles. Using this report, you can perform a very quick scan of the setup for each user and quickly spot anomalies -- like I did.
The fourth report prints a report on password level information and is available only if you are running OS/400 V5R1 or higher. Under the more recent versions of OS/400, you can optionally use longer passwords (up to 128 bytes long) and you can specify a controlled switch over from one setup to another. This fourth report supplies you with information on how this extended password level is configured for each user on your system. You can see additional information about this on the system value QPWDLVL and by using the DSPSECA command on these systems.
These four reports, and their various mutations when you use the filtering options, will give you a new tool in keeping current on the status of the user profile pool on your system. A monthly review of the first three reports would be in order and you can simplify this by just loading these commands into your system job scheduler to automatically run on a monthly basis.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
- Get better control over user profiles
Every iSeries shop has the potential to have active user profiles on the system for users who have left the company. Unless your personnel department is extra careful about global notifications when people leave, you may have a security exposure that you don't even know about. But you can, if you're careful about setting up user profiles, take care of this problem when new profiles are created.
- Use group profiles for easier security admin
Administering security on your iSeries system can be a daunting challenge. If you're a small shop with just a dozen users and one or two critical applications, then it is a manageable task. But if you're in a large shop with hundreds (or thousands) of user profiles, managing the security considerations can quickly become a mind-boggling task. Fortunately, for those who have thousands of profiles to consider, OS/400 includes some very nice tools that let you group your users together in homogeneous work-related groups.
- Unique user profiles critical to OS/400 security
Auditing success requires that you are able to identify system actions and accesses down to the individual object and user level, and OS/400 is very successful at tracking system activity and maintaining the proper audit trail for both users and objects. The level of success for gathering and reporting this information depends greatly on whether the user data or user naming convention bears meaning. If user profiles are not traceable to a specific individual because they are, then it's going to be more difficult to get the required information.