Every iSeries shop has the potential to have active user profiles on the system for users who have left the company. Unless your personnel department is extra careful about global notifications when people leave, then you may have a security exposure that you don't even know about.
You can, if you're careful about setting up user profiles, take care of this problem when new profiles are created. The "Password Expiration Interval" (PWDEXPITV) parameter on the Create User Profile (CRTUSRPRF) command lets you set up a separate expiration day interval for each user. On a system-wide basis, you can also enforce a default expiration interval with the system value QPWDEXPITV. Using the system value, you just have to use the default *SYSVAL setting for the PWDEXPITV parameter for each user profile. I suspect that a lot of shops use this arrangement.
However, in every shop there are users who have passwords that are set never to expire. That makes sense for some people who can closely guard their password and use the system heavily. (I know many programmers and system operators who enjoy this luxury.) For those people, simply relying on the password expiration interval won't work, leaving you an even more serious exposure because the type of people who want permanent passwords also tend to have the keys to the kingdom on your system.
The good news is that OS/400 contains a way for you to enforce periodic expiration on user profiles that have not been used for a specified period of time. There are several OS/400 commands that will help you to enforce a policy of automatically forcing unused profiles to inactive status by disabling them.
The "Analyze Profile Activity" (ANZPRFACT) command will let you set up and control the number of days that the system should use to check for unused profiles. After this has been set, the system will scan the active profiles on your system once a day and disable those that have not been used for the specific period of time. Before you start to use this, however, be sure to read on. (Note, you can disable this check by running this command again and changing the setting to *NOMAX.)
The "Display Active Profile List" (DSPACTPRFL) command will let you display a list of specific profiles that the ANZPRFACT command will ignore when it is checking for unused profile activity. Those might be certain profiles that own object code on your system but are not actually used for sign-on purposes. Some applications may require that those owner profiles remain active on your system. That may be particularly true of third-party software.
The "Change Active Profile List" (CHGACTPRFL) command lets you modify the list of profiles on your system. You can use the command to add or remove entries from the list. It is important to note that most Q profiles (IBM profiles) are automatically excluded from ANZPRFACT processing. If you prompt the ANZPRFACT command and use the HELP facility, you can access a quick list of the Q profiles that are excluded.
It is important for you to check the list (DSPACTPRFL) and update the list (CHGACTPRFL) before any regularly scheduled analysis processing takes place. This will make sure that you don't shoot yourself in the foot by disabling a user profile that needs to remain active. If you use third-party software on your system, check with each vendor.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the AS/400 market.
- Enable QSECOFR and QSYSOPR accounts
One user writes, "Someone has disabled the QSECOFR and the QSYSOPR accounts by trying to log in. How can I re-enable them? I'm not sure if we have any other accounts to log in with. We rarely use the iSeries, and we think someone tried to log in but couldn't and ended up disabling the account." Security expert Dan Riehl offers some advice.
- Business security begins with a strong password policy
A sound password policy alone won't guarantee your company's security, but you have little chance without one. Check out this tip for advice on creating sound passwords.
- A security no-brainer: Analyze default passwords
A checkup that should be performed regularly is Option 1 from the SECTOOLS Menu (Analyze default passwords). Selecting this option will print a list of all user profiles in which the password exactly matches the name of the user profile. It's unacceptable for a password to match a user profile. If they do match, your system is open to intrusion.
- Checking up on a specific user
If you just want to check up on someone, OS/400 has very good auditing capabilities that you can use down to the individual user level. And you can do this without a major headache.