iSeries
Tips and Tools for Securing Your iSeries
Version 5
SC41-5300-05
Note: Before using this information and the product it supports, be sure to read the information in the Security Basic articles found on-line in the Information Center. The Internet URL address is http://www.ibm.com/eserver/iseries/infocenter

Sixth Edition (May 2001)

This edition replaces SC41-5300-04. This edition applies only to V4R1 of OS/400 and above.

Copyright International Business Machines Corporation 1996, 2001. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Figures  vii
Tables  ix
About Tips and Tools for Securing Your iSeries 400 (SC41-5300)  xi
  Who should read this book  xi
  How to Use This Book  xii
  Prerequisite and related information  xii
  Operations Navigator  xiii
  How to send your comments  xiii
Summary of Changes  xv

Part 1. Read this First  1

Chapter 1. Enhancements for iSeries 400 Security  3
  Security Enhancements for V5R1  3
  Security Enhancements for V4R5  4
  Security Enhancements for V4R4  5
  Security Enhancements for V4R3  5
  Security Enhancements for V4R2  7
  Security Enhancements for V4R1  8

Part 2. Tips for Basic iSeries 400 System Security  11

Chapter 2. Basic Elements of iSeries Security  13
  Security Levels  13
  Global Settings  14
  User Profiles  14
  Group Profiles  15
  Resource Security  15
  Limit Access to Program Function  15
  Security Auditing  17
  System Security Attributes Report-Example  18

Chapter 3. iSeries 400 Security Wizard and Security Advisor  21
  iSeries 400 Security Wizard  21
  iSeries 400 Security Advisor  23

Chapter 4. Tips for Controlling Interactive Sign-On  25
  Setting Password Rules  25
  Password Levels  26
  Planning Password Level Changes  27
  Changing Well-Known Passwords  31
  Setting Sign-On Values  33
  Changing Sign-On Error Messages  34
  Scheduling Availability of User Profiles  35
  Removing Inactive User Profiles  36
  Disabling User Profiles Automatically  36
  Removing User Profiles Automatically  36
  Avoiding Default Passwords  37
  Monitoring Sign-On and Password Activity  38
  Tips for Storing Password Information  38

Chapter 5. How to Set Up Your System to Use the Security Tools  41
  Getting Started with the Security Tools  41
  Securing the Security Tools  41
  Avoiding File Conflicts  41
  Saving the Security Tools  42
  Commands and Menus for Security Commands  42
  Options on the Security Tools Menu  42
  How to Use the Security Batch Menu  44
  Commands for Customizing Security  51
  Values That Are Set by the Configure System Security Command  51
  What the Revoke Public Authority Command Does  53

Part 3. Tips for Advanced System Security  55

Chapter 6. Using Object Authority to Protect Information Assets  57
  Does the System Always Enforce Object Authority?  57
  The Legacy of Menu Security  57
  Limitations of Menu Access Control  58
  Tips for Enhancing Menu Access Control with Object Security  59
  Setting Up a Transition Environment-Example  59
  Using Library Security to Complement Menu Security  61
  Tips for Setting Up Object Ownership  61
  Tips for Object Authority to System Commands and Programs  61
  Tips for Auditing Security Functions  62
  Security Auditing  62
  Analyzing User Profiles  63
  Tips for Analyzing Object Authorities  64
  Checking for Objects That Have Been Altered  64
  Analyzing Programs That Adopt Authority  65
  Checking for Objects That Have Been Altered  65
  Tips for Managing the Audit Journal and Journal Receivers  66

Chapter 7. Tips for Managing and Monitoring Authority  71
  Monitoring Public Authority to Objects  71
  Managing Authority for New Objects  72
  Monitoring Authorization Lists  72
  Tips for using Authorization lists  73
  Audit policy tool  75
  Security policy tool  76
  Monitoring Private Authority to Objects  78
  Monitoring Access to Output Queues and Job Queues  78
  Monitoring Special Authorities  79
  Monitoring User Environments  80
  Managing Service Tools  81
  Service Tools Server (STS)  82
  Using Service Tools User Profiles  84
  Using Service Tools Device Profiles  88
  Using Service Security Data  91
  Signing on to System Service Tools (SST)  94

Chapter 8. Using Logical Partitions Security (LPAR)  97
  Managing security for logical partitions  98

Chapter 9. Tips for using AS/400 Operations Console  99
  Operations Console Security Overview  100
  Console Device Authentication  100
  User Authentication  100
  Data Privacy  100
  Data Integrity  100
  Tips for Using Operations Console with LAN connectivity  101
  Tips for Protecting Operations Console with LAN connectivity  101
  Using the Operations Console Setup Wizard  101

Chapter 10. Detecting Suspicious Programs  103
  Protecting Against Computer Viruses  103
  Monitoring the Use of Adopted Authority  105
  Limiting the Use of Adopted Authority  106
  Preventing New Programs from Using Adopted Authority  107
  Monitoring the Use of Trigger Programs  108
  Checking for Hidden Programs  110
  Evaluating Registered Exit Programs  111
  Checking Scheduled Programs  112
  Restricting Save and Restore Capability  112
  Checking for User Objects in Protected Libraries  113

Chapter 11. Tips for Preventing and Detecting Hacking Attempts  115
  Tips for Physical Security  115
  Tips for Monitoring User Profile Activity  115
  Tips for Object Signing  116
  Tips for Monitoring Subsystem Descriptions  117
  Tips for Autostart Job Entries  118
  Tips for Workstation Names and Workstation Types  118
  Tips for Job Queue Entries  118
  Tips for Routing Entries  118
  Tips for Communications Entries and Remote Location Names  119
  Tips for Prestart Job Entries  119
  Tips for Jobs and Job Descriptions  119
  Tips for Architected Transaction Program Names  120
  Architected TPN Requests  121
  Methods for Monitoring Security Events  122

Part 4. Tips for Applications and Network Communications  125

Chapter 12. Using the Integrated File System to secure your files  127
  The Integrated File System Approach to Security  127
  Security Tips for the Root (/), QOpenSys, and User-Defined File Systems  129
  How Authority Works for the Root (/), QOpenSys, and User-Defined File Systems  129
  Print Private Authorities Objects (PRTPVTAUT) command  131
  Print Publicly Authorized Objects (PRTPUBAUT) command  132
  Restricting Access to the QSYS.LIB File System  133
  Securing Directories  134
  Security for New Objects  134
  Using the iSeries 400 Create Directory Command  135
  Creating a Directory with an API  135
  Creating a Stream File with the open() or creat() API  135
  Creating an Object by Using a PC Interface  135
  Security Tips for the QLANSrv and QNetWare File Systems  135
  Security Tips for the QFileSvr.400 File System  136
  Security Tips for the Network File System  137

Chapter 13. Tips for Securing APPC Communications  139
  APPC Terminology  139
  Basic Elements of APPC Communications  140
  The Basics of an APPC Session  140
  Tips for Restricting APPC Sessions  140
  How an APPC User Gains Entrance to the Target System  141
  Methods That the System Uses to Send Information about a User  141
  Options for Dividing Security Responsibility in a Network  142
  How the Target System Assigns a User Profile for the Job  143
  Options for Display Station Passthrough  144
  Tips for Avoiding Unexpected Device Assignments  146
  Tips for Controlling Remote Commands and Batch Jobs  146
  Security Tips for Evaluating Your APPC Configuration  146
  Security-Relevant Parameters for APPC Devices  147
  Security-Relevant Parameters for APPC Controllers  149
  Security-Relevant Parameters for Line Descriptions  150
  APPC, APPN, and HPR security considerations  150
  Session-level security for APPN and HPR  151
  Protecting your system in an APPN and HPR environment  151

Chapter 14. Tips for Securing TCP/IP Communications  155
  Tips for Preventing Any TCP/IP Processing  155
  TCP/IP Security Components  155
  Packet Security  156
  Features for Securing TCP/IP Traffic  157
  HTTP Proxy Server  157
  General Tips for Securing Your TCP/IP Environment  158
  Controlling Which TCP/IP Servers Start Automatically  160
  Tips for Controlling the Use of SLIP  161
  Controlling Dial-In SLIP Connections  162
  Controlling Dial-Out Sessions  163
  Security Considerations for Point-to-Point Protocol  165
  Security Tips for Telnet  165
  Tips for Preventing Telnet Access  166
  Tips for Controlling Telnet Access  169
  Security Tips for File Transfer Protocol  169
  Tips for Preventing FTP Access  170
  Tips for Controlling FTP Access  172
  Security Tips for the Bootstrap Protocol Server  172
  Tips for Preventing BOOTP Access  173
  Tips for Securing the BOOTP Server  173
  Security Tips for the Dynamic Host Configuration Protocol Server  173
  Tips for Preventing DHCP Access  174
  Tips for Securing the DHCP Server  175
  Security Tips for the Trivial File Transfer Protocol Server  175
  Tips for Preventing TFTP Access  176
  Tips for Securing the TFTP Server  176
  Security Tips for the Remote EXECution Server  176
  Tips for Preventing REXEC Access  177
  Tips for Securing the REXEC Server  178
  Security Tips for the Route Daemon  178
  Security Tips for the Domain Name System Server  178
  Tips for Preventing DNS Access  179
  Tips for Securing the DNS Server  179
  Security Tips for Simple Mail Transfer Protocol  180
  Tips for Preventing SMTP Access  180
  Tips for Controlling SMTP Access  183
  Security Tips for Post Office Protocol  183
  Tips for Preventing POP Access  184
  Tips for Controlling POP Access  185
  Security Tips for Web Serving from iSeries 400  185
  Tips for Preventing Access  186
  Tips for Controlling Access  190
  Security Tips for Using SSL with IBM HTTP Server for iSeries 400  192
  Lightweight Directory Access Protocol Security  192
  LDAP basics
  LDAP Security Features  196
  Security Tips for Workstation Gateway Server  196
  Tips for Preventing WSG Access  197
  Tips for Controlling WSG Access  197
  Security Tips for Line Printer Daemon  198
  Tips for Preventing LPD Access  198
  Tips for Controlling LPD Access  199
  Security Tips for Simple Network Management Protocol  199
  Tips for Preventing SNMP Access  200
  Tips for Controlling SNMP Access  200
  Security Tips for the INETD Server  201
  Tips for Limiting TCP/IP Roaming  202
  Tips for Securing the TCP/IP File Server Support for OS/400 Licensed Program  203
  Using VPN to Secure TCP/IP Applications  204

Chapter 15. Tips for PC Security  205
  Tips for Preventing PC Viruses  205
  Tips for Securing PC Data Access  205
  Object Authority with PC Access  206
  Client Access application administration  207
  Using SSL with Client Access Express  208
  Security and Operations Navigator  208
  Tips for Open Database Connectivity Access  209
  Security Considerations for PC Session Passwords  210
  Tips for Protecting iSeries from Remote Commands and Procedures  212
  Tips for Protecting PCs from Remote Commands and Procedures  212
  Tips for Gateway Servers  213
  Tips for Wireless LAN Communications  213

Chapter 16. Tips for Using Security Exit Programs  215

Chapter 17. Security Considerations for Java  217
  Java Applications  217
  Java Applets  218
  Java Servlets  218
  Java Authentication and Authorization  219

Chapter 18. Security Considerations for Browsers  221
  Risk: Damaging the Local PC  221
  Risk: Accessing iSeries Directories through Mapped Drives  221
  Risk: Trusting Signed Applets  222

Chapter 19. Tips for Domino for iSeries Security  223

Part 5. Tips and Tools for Internet Security on iSeries 400  225

Part 6. Appendixes  227

Appendix. IBM SecureWay: iSeries 400 and the Internet  229
  C2 Security  229

Notices  231
Trademarks  233
Where to Get More Information and Assistance  235
  About IBM SecureWay  235
  Service Offerings  235
  Related Publications  237
Index  239
Figures

1. Application Administration  16
2. System Security Attributes Report-Sample  18
3. Schedule Profile Activation Display-Sample  35
4. User Information Report-Password Information Example  38
5. Sample Order Entry Menu  58
6. Publicly Authorized Objects Report-Sample  72
7. Private Authorities Report for Authorization Lists  73
8. Display Authorization List Objects Report  73
9. Private Authorities Report-Sample  78
10. Queue Authority Report-Sample  79
11. User Information Report-Example 1  79
12. User Information Report-Example 2  80
13. Print User Profile-User Environment Example  81
14. Work with DST Environment  81
15. Select Console Type screen  82
16. Configure Service Tools Adapter screen  83
17. Completed Add Service Table Entry (ADDSRVTBLE) screen  84
18. Work with Service Tools User Profiles  86
19. Work with Service Tools Device Profiles  89
20. Work with Service Tools Security Data  91
21. Reset the operating system default password  92
22. Confirm Reset of System Default Password  92
23. Change operating system install security  92
24. Start SST Signon  95
25. Passwords protect service device profile information  102
26. Adopted Objects by User Profile Report-Full Report  105
27. Adopted Objects by User Profile Report-Changed Report  106
28. Print Trigger Programs Report-Full Report Example  109
29. Print Trigger Programs Report-Changed Report Example  109
30. Work with Registration Information-Example  111
31. Print User Objects Report-Sample  114
32. Display Subsystem Description Display  117
33. Job Descriptions with Excess Authority Report-Example  120
34. APPC Device Description Parameters  140
35. APPC Device Descriptions-Sample Report  147
36. Configuration List Report-Example  147
37. APPC Controller Descriptions-Sample Report  149
38. APPC Line Descriptions-Sample Report  150
39. Two connected APPN networks  152
40. Two connected APPN networks  153
41. A basic LDAP directory structure  194
42. iSeries with a Gateway Server-Example  213
Tables

1. System Values for Passwords  25
2. Passwords for IBM-Supplied Profiles  32
3. Passwords for Dedicated Service Tools  33
4. Sign-On System Values  33
5. Sign-On Error Messages  34
6. Tool Commands for User Profiles  43
7. Tool Commands for Security Auditing  44
8. Commands for Security Reports  47
9. Commands for Customizing Your System  51
10. Values Set by the CFGSYSSEC Command  51
11. Commands Whose Public Authority Is Set by the RVKPUBAUT Command  53
12. Programs Whose Public Authority Is Set by the RVKPUBAUT Command  54
13. Encryption results  99
14. Use Adopted Authority (USEADPAUT) Example  106
15. System-Provided Exit Programs  110
16. Exit Points for User Profile Activity  116
17. Programs and Users for TPN Requests  121
18. Security Values in the APPC Architecture  142
19. How the APPC Security Value and the SECURELOC Value Work Together  143
20. Possible Values for the Default User Parameter  144
21. Sample Pass-Through Sign-On Requests  144
22. How TCP/IP Commands Determine Which Servers to Start  158
23. Autostart Values for TCP/IP Servers  159
24. How QRMTSIGN Works with TELNET  168
25. Sources of Sample Exit Programs  215
About Tips and Tools for Securing Your iSeries 400 (SC41-5300)

The role of computers in organizations is changing rapidly. IT managers, software providers, security administrators, and auditors need to take a new look at many areas that they have taken for granted in the past. iSeries security should be on that list. Systems are providing many new functions that are vastly different from traditional accounting applications. Users are entering systems in new ways: LANs, switched lines (dial-up), wireless, and networks of all types. Often, users never see a sign-on display. Many organizations are expanding to become an extended enterprise, either with proprietary networks or with the Internet. Suddenly, systems seem to have a whole new set of doors and windows. Systems managers and security administrators are justifiably concerned about how to protect information assets in this rapidly changing environment.

This book provides a set of practical suggestions for using the security features of iSeries and for establishing operating procedures that are security-conscious. The recommendations in this book apply to an installation with average security requirements and exposures.

This book does not provide a complete description of the available iSeries security features. If you want to read about additional options or you need more complete background information, consult the publications that are described in "Related Publications" in the topic "Where to Get More Information and Assistance" on page 235.

This book also describes how to set up and use the security tools that are part of OS/400. "Chapter 5. How to Set Up Your System to Use the Security Tools" on page 41 and "Commands and Menus for Security Commands" on page 42 provide reference information about the security tools. The entire book provides examples for using the tools.
Who should read this book

A security officer or security administrator is responsible for the security on a system. That responsibility usually includes the following tasks:
- Setting up and managing user profiles
- Setting system-wide values that affect security
- Administering the authority to objects
- Enforcing and monitoring the security policies

If you are responsible for security administration for one or more iSeries systems, this book is for you. The instructions in this book assume the following:
- You are familiar with basic iSeries operating procedures, such as signing on and using commands.
- You are familiar with the basic elements of iSeries security: security levels, security system values, user profiles, and object security.
  Note: "Chapter 2. Basic Elements of iSeries Security" on page 13 provides a review of these elements. If these basic elements are new to you, read the Basic security and planning topic in the iSeries Information Center. See "Prerequisite and related information" for more details.
- You have activated security on your system by setting the security level (the QSECURITY system value) to at least 30.

IBM continually enhances the security capabilities of iSeries. To take advantage of these enhancements, you should regularly evaluate the cumulative fix package that is currently available for your release and check whether it contains fixes that are relevant to security. In addition, "Chapter 1. Enhancements for iSeries 400 Security" on page 3 describes the significant enhancements to iSeries security that IBM has made in recent releases of the operating system.
How to Use This Book

If you have not set up your system to use the security tools, or if you had the Security ToolKit for OS/400 installed for an earlier release, do the following:
1. Start with "Chapter 3. iSeries 400 Security Wizard and Security Advisor" on page 21. It describes how to use these features to select which security tools are recommended and how to get started with them.
2. For more basic security information, review the Security Basic topics on-line in the Information Center.

Pick What Is Right for You

This book has many tips for securing iSeries. Your system may only need protection in some areas. Use this book to educate yourself on possible security exposures and their remedies. Then focus your efforts on the areas that are most critical for your system.
Prerequisite and related information

Use the iSeries Information Center as your starting point for looking up iSeries and AS/400e technical information. The iSeries Information Center is your primary resource for finding iSeries 400 information, including information that is not documented elsewhere. You can access the Information Center two ways:
- From the following Web site: http://www.ibm.com/eserver/iseries/infocenter
- From CD-ROMs that ship with your Operating System/400 order: iSeries Information Center, SK3T-4091-00. This package also includes the PDF versions of iSeries Information Center manuals, iSeries Information Center: Supplemental Manuals, SK3T-4092-00, which replaces the Softcopy Library CD-ROM.

The Information Center contains advisors and important topics such as CL commands, system application programming interfaces (APIs), logical partitions, clustering, Java, TCP/IP, Web serving, and secured networks. It also includes links to related IBM Redbooks and Internet links to other IBM Web sites such as the Technical Studio and the IBM home page.

With every new hardware order, you receive the following CD-ROM information:
- iSeries 400 Installation and Service Library, SK3T-4096-00. This CD-ROM contains the PDF manuals needed for installation and system maintenance of an IBM iSeries 400 server.
- iSeries 400 Setup and Operations CD-ROM, SK3T-4098-00. This CD-ROM contains IBM iSeries Client Access Express for Windows and the EZ-Setup wizard. Client Access Express offers a powerful set of client and server capabilities for connecting PCs to iSeries servers. The EZ-Setup wizard automates many of the iSeries setup tasks.
Operations Navigator

IBM iSeries Operations Navigator is a powerful graphical interface for managing your iSeries and AS/400e servers. Operations Navigator functionality includes system navigation, configuration, planning capabilities, and online help to guide you through your tasks. Operations Navigator makes operation and administration of the server easier and more productive and is the only user interface to the new, advanced features of the OS/400 operating system. It also includes Management Central for managing multiple servers from a central server. For more information on Operations Navigator, refer to the Information Center.
How to send your comments

Your feedback is an important factor in helping us provide you with the most accurate and usable information for your needs. If you have comments about this book or any other iSeries documentation, you can send them to us by using the readers' comment form.
- If you prefer to send comments electronically, use one of these e-mail addresses:
  Comments on books: RCHCLERK@us.ibm.com, or IBMMAIL, to IBMMAIL(USIB56RZ)
  Comments on the iSeries Information Center: RCHINFOC@us.ibm.com
- If you prefer to send comments by mail, you can use the readers' comment form that has the mailing address printed on the back side of the form. If you are mailing a readers' comment form from a country other than the United States, you can give the form to the local IBM branch office or IBM representative for postage-paid mailing.
- If you prefer to send comments by FAX, use either of the following numbers:
  United States and Canada: 1-800-937-3430
  Other countries: 1-507-253-5192

Be sure to include the following:
- The name of the book
- The publication number of the book
- The page number or topic to which your comment applies
Summary of Changes

This is the sixth edition of Tips and Tools for Securing Your iSeries. This edition supports versions V4R1, V4R2, V4R3, V4R4, V4R5, and V5R1 of OS/400. To see what each of these OS/400 releases offers for new security function, see "Chapter 1. Enhancements for iSeries 400 Security" on page 3, which provides a description of new security information for each version. Other minor technical and wording changes have been made throughout this book. In the printed book, a vertical line (|) to the left of the text indicates a change or addition.
Part 1. Read this First

  By the pricking of my thumbs,
  Something wicked this way comes.
  Open, locks,
  Whoever knocks!
  William Shakespeare: Macbeth
Chapter 1. Enhancements for iSeries 400 Security

The following information gives you a brief overview of what has changed or been added to the security features of the iSeries. Security enhancements for the V4R1, V4R2, V4R3, V4R4, V4R5, and V5R1 releases are highlighted. You will find more detailed tips under the individual topics.

Note: The iSeries Information Center (IC) is your primary resource for finding iSeries 400 information. Most new function, such as logical partition management and digital certificate management, is fully documented in the IC and nowhere else. The IC also provides links to other valuable iSeries 400 information resources such as Technical Studio and the on-line library. For more information on accessing the Information Center, see "Prerequisite and related information" on page xii.
Security Enhancements for V5R1

- Password Levels: V5R1 features enhanced password security encryption. Multiple levels of password security are supported, using stronger cryptographic algorithms to safeguard user passwords. See "Password Levels" on page 26 for details.
- System Service Tools: A modified sign-on procedure protects access to system service tools. See "Signing on to System Service Tools (SST)" on page 94 for information on the new procedure.
- Network Authentication Service: Network Authentication Service (NAS) is a tool that verifies the identity of a user in a network. NAS authenticates the user and then passes the authenticated identity on to other services on the network. For information on NAS, including terminology, concepts, reference material, the process by which authentication occurs, and task-based instructions on configuring and managing NAS, refer to the Information Center (see "Prerequisite and related information" on page xii for details).
- Quality of Service (QoS): QoS is a new function that allows you to request network priority and bandwidth for a TCP/IP application. Packet priority is very important if you run applications that need predictable and reliable results, such as multimedia. For information on QoS, including concepts, reference material, and task-based instructions on configuring and managing QoS, refer to the Information Center (see "Prerequisite and related information" on page xii for details).
- Digital Signatures: Most programs in the operating system have been digitally signed. The QVFYOBJRST system value can be used to prevent unsigned programs, or programs with a bad signature, from being restored onto your system. Support has also been added that allows you to sign your own programs, save files, and stream files. V5R1 operating system integrity, and the integrity of OS/400 options and licensed programs, are protected by digital signature. Refer to "Tips for Object Signing" on page 116 for details.
- Operations Console with LAN connectivity: V5R1 allows console activities to be performed across the LAN (local area network). Enhanced authentication provides security during this procedure. See "Chapter 9. Tips for using AS/400 Operations Console" on page 99 for details.
- Service Tools User Profiles: Control access to service tools through an enhanced set of user profiles, and use these profiles to enhance security for LAN-attached consoles. See "Managing Service Tools" on page 81 for details.
- HTTP Server for iSeries 400: The Internet Connection Server (ICS) is now known as IBM HTTP Server for iSeries 400. There is no longer a separate Secure HTTP Server product. Instead, to enable SSL on your iSeries 400, you must install one of the following cryptographic products: 5722-AC2 or 5722-AC3. Once you have installed one of these products, SSL is enabled for all products that use SSL, including the HTTP Server.
Security Enhancements for V4R5

- WebSphere: IBM WebSphere Application Server is a Java-based application environment for building, deploying, and managing Internet and intranet Web applications. This complete set of products expands to fit your Web application server needs, ranging from the simple to the advanced to the enterprise level. There are security considerations that you should take into account. These are discussed in the WebSphere Application Server documentation, where you can also review security-related scenarios in order to better understand your options. The URL is http://www.software.ibm.com/webservers/appserv/library.html
- LDAP: iSeries Directory Services has the following enhancements and new features:
  - The Windows 95 and Windows NT LDAP client shipped with iSeries Directory Services now includes the IBM SecureWay Directory Management Tool, which provides a graphical user interface for working with the LDAP directory.
  - You now specify server names with the more common uniform resource locator (URL) format, rather than with DNS names. This includes the way servers are specified in LDAP referrals, as well as external server references in LDIF files.
  - LDIF files have an improved format.
  - You can now use client authentication to add more security to SSL connections to your LDAP directory server.
  - You can now use access control lists (ACLs) to grant authority to directory objects to any users that bind to the LDAP directory server with non-anonymous connections.
  - iSeries Directory Services now supports both UTC Time and Generalized Time. UTC Time uses two digits to store the year, and is not considered Y2K safe, but is included for historical reasons. Generalized Time uses four digits for the year and is considered Y2K safe.
  - The alias support has been enhanced. Aliases no longer have to be leaf nodes, and can be combined with other object classes.
  V4R4 enhancements: iSeries Directory Services had the following enhancements and new features for V4R4:
  - You can view a list of jobs running on the server.
  - You can publish computer information from iSeries 400 to the directory server.
  - When you publish iSeries 400 user information to the directory server, iSeries Directory Services automatically exports entries from the system distribution directory to the LDAP directory.
  - Directory objects can now have multiple owners, and can also own themselves.
  - The directory server schema now includes support for integer and boolean attributes.
  - You can use the * character as a requested attribute value. By using the * character, you can retrieve all non-operational attributes. This makes retrieving both operational and non-operational attributes in one search much easier: list in your search the operational attributes you want information for, plus the *.
  - You can use aliases with the directory server.
- A new non-architected TPN has been added to the iSeries 400 system. For more information, refer to "Tips for Architected Transaction Program Names" on page 120.
Security Enhancements for V4R4

- Virtual Private Network (VPN): Native VPN on OS/400 allows you to selectively protect your Transmission Control Protocol/Internet Protocol (TCP/IP) applications.
- Additional Secure Sockets Layer (SSL) support: Beginning with V4R4, you can use SSL to encrypt communications between Telnet clients and your iSeries 400 server. Also beginning with V4R4, all Client Access Express functions except MAPI can communicate over SSL. Client Access Express allows SSL communications with the iSeries 400 server at three levels of encryption (40-bit, 56-bit, and 128-bit).
- System-state programs and objects that adopt authority allowed when loading PTFs: A new value, *ALWPTF, has been added to the system value QALWOBJRST. When you specify this value, system-state programs and objects that adopt authority are allowed onto your system only when loading PTFs.
- Firewall enhancements include multiple domain and multiple mail system support: New for V4R4, IBM Firewall for iSeries 400 allows you to configure multiple mail domains on both the secure and non-secure sides of your firewall. Multiple mail domains create divisions within your secure network so that mail can be routed to the appropriate domain. Multiple mail domains allow businesses to route mail using a single relay to connect to one or more mail servers. Businesses that require domain aliases will also benefit from this enhancement. For example, company xyz.com can also have a registered domain such as xyz.com.uk, with the country as the final suffix to the domain.
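The QVFYOBJRST system value described under the V5R1 digital-signature enhancement and the *ALWPTF value of QALWOBJRST described above both decide what a restore operation (RSTOBJ, RSTLIB, or a PTF load) may bring onto the system, and both are only meaningful once QSECURITY is at 30 or higher, which this book assumes. The CL program below is an added example written for this page; it is not taken from this manual or from IBM. It records the current settings, then sets the three values. The values chosen ('40' for QSECURITY, '3' for QVFYOBJRST, which verifies signatures and rejects objects whose signature fails while still restoring unsigned ones, and '*ALWPTF' for QALWOBJRST) are the editor's own choices for an average installation, not IBM's recommendation; confirm each value against the system-value help for your release, and plan the QSECURITY change separately, because it takes effect at the next IPL and a jump from 20 to 40 can break applications that rely on unenforced object authority.

```cl
/* Added example (not from the manual): review and tighten the        */
/* system values that govern what a restore may bring onto the system. */
/* Assumptions: the values set below are the editor's choices; run     */
/* from a profile that holds *SECADM and *ALLOBJ special authority.    */
PGM
   /* 1. Record the current settings before changing anything.         */
   DSPSYSVAL  SYSVAL(QSECURITY)
   DSPSYSVAL  SYSVAL(QVFYOBJRST)
   DSPSYSVAL  SYSVAL(QALWOBJRST)

   /* 2. Weak configuration, shown for contrast only (do not run):     */
   /*    CHGSYSVAL SYSVAL(QVFYOBJRST) VALUE('1')     no signature check */
   /*    CHGSYSVAL SYSVAL(QALWOBJRST) VALUE('*ALL')  any object restores*/

   /* 3. Hardened configuration.                                        */
   /* Level 40: object authority is enforced and unsupported interfaces */
   /* are blocked. Takes effect at the next IPL.                        */
   CHGSYSVAL  SYSVAL(QSECURITY)  VALUE('40')

   /* Verify signatures on restore: unsigned objects are still restored,*/
   /* but a signed object whose signature does not verify is rejected.  */
   CHGSYSVAL  SYSVAL(QVFYOBJRST) VALUE('3')

   /* System-state programs and programs that adopt authority may be    */
   /* restored only while PTFs are being loaded.                        */
   CHGSYSVAL  SYSVAL(QALWOBJRST) VALUE('*ALWPTF')

   /* 4. Confirm the new settings.                                      */
   DSPSYSVAL  SYSVAL(QVFYOBJRST)
   DSPSYSVAL  SYSVAL(QALWOBJRST)
ENDPGM
```

Run it as a batch job (SBMJOB) so the DSPSYSVAL output lands in the job's spooled output and gives you a before-and-after record for the audit file; QSECURITY changes to a stricter level should be tested on a non-production partition first.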
Security Enhancements for V4R3
• Limit access to program function: Beginning with V4R3, you can limit which users can access program function. Program function may be an application, parts of an application, or different functions within a program. This support is not a replacement for resource security; it is another method to help you control access to your system.
• Operations Navigator Application Administration: You can use the Application Administration support of Operations Navigator (OpsNav) to manage user access to program function.
Chapter 1 Enhancements for iSeries 400 Security
• iSeries 400e Security Advisor: The Security Advisor is a browser-based tool that provides recommendations for most of the crucial system values you use. If you are a new iSeries 400 user or your environment has changed, you can also use the iSeries 400e Security Advisor to generate a list of recommendations that you can use to plan and create your security policies.
• iSeries 400 Security Wizard: The Security Wizard helps you configure security on your iSeries 400 by asking a series of questions about your business. After your responses to the questions are processed by the wizard, a panel is displayed with information about implementing security. You can use the iSeries 400 Security Wizard to configure:
  - Security-related system values and network attributes
  - Security-related reporting for monitoring the system
  - Command defaults for creating user profiles
• Print Profile Internals (PRTPRFINT) command: You can use the Print Profile Internals command to print a report containing information on the number of entries contained in a user profile.
• Print Private Authority (PRTPVTAUT) command and Print Public Authority (PRTPUBAUT) command: You can now use the PRTPVTAUT and PRTPUBAUT commands to manage authorities for objects in the integrated file system.
• Restore User Profile (RSTUSRPRF) command: *ALLOBJ special authority is no longer removed from user profiles in some cases. It is removed when a user profile is restored to a system at security level 30 or higher in either of these situations:
  - The profile was saved from a different system, and the user performing the RSTUSRPRF does not have *ALLOBJ and *SECADM special authorities.
  - The profile was saved from the same system at security level 10 or 20.
  *ALLOBJ special authority is never removed from these IBM-supplied user profiles:
  - QSYS (system)
  - QSECOFR (security officer)
  - QLPAUTO (licensed program automatic install)
  - QLPINSTALL (licensed program install)
• Internet Protocol (IP) packet filtering: This provides the ability to selectively block IP traffic based on information in the IP and protocol-specific packet headers. See the Information Center for details under the Networking topic.
• HTTP proxy server: The HTTP proxy server comes with the IBM HTTP Server for iSeries 400. The proxy server receives HTTP requests from Web browsers and resends them to Web servers. See the Information Center for details.
• NAT (network address translation): Network Address Translation (NAT) modifies the source or the destination IP addresses of packets that flow through the system. Using NAT, you can use the iSeries 400 system as a gateway between two networks which have conflicting or incompatible addressing schemes. You can also use NAT to hide the real IP addresses of one network by dynamically substituting a different address. See the Information Center for details.
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
• VPN on the IBM Firewall for iSeries 400: IBM Firewall for iSeries 400 provides virtual private network (VPN) technologies. When you use VPNs, you can create encrypted connections between the firewall and several other IBM firewall products. In V4R3, Network Address Translation (NAT) for the firewall was introduced as a new feature.
• HTTP Server for iSeries 400: The Internet Connection Server (ICS) is now known as IBM HTTP Server for iSeries 400. There is no longer a separate Secure HTTP Server product. Instead, to enable SSL on your iSeries 400, you must install one of the following cryptographic products:
  - 5769AC1
  - 5769AC2
  - 5769AC3
  Once you have installed one of these products, SSL is enabled for all products that use SSL, including the HTTP Server.
Security Enhancements for V4R2
• Column-level authority for database files: Beginning with V4R2, you can specify authorities for specific fields in a DB2/400 file. DB2/400 supports the following field-level authorities:
  - Update authority: You can specify which users can make changes to the value of a field.
  - References authority: You can control which users can specify a field as a parent key in a referential constraint.
  The capability to grant and revoke field-level authority is available through SQL statements. You can use the Display Object Authority (DSPOBJAUT) command to view the field-level authorities for a file. For more information about field-level authority, see the DB2 UDB for iSeries 400 SQL Reference book.
• TELNET exit points: Beginning with V4R2, two exit points are available for TELNET: session initiation and session end. These exit points provide you with the capability to both control and monitor TELNET access to your system. The following are examples of possible actions you can take in your TELNET user-written exit program:
  - Accept or deny a session request
  - Assign a specific iSeries device description to the request
  - Assign a specific user profile for the session
  - Log connections and disconnections from the system through the TELNET server
  Security Tips for Telnet in this book and the TCP/IP Configuration and Reference articles in the Information Center provide more information about the new TELNET exit points.
• Point-to-point protocol (PPP): Beginning with V4R2, TCP/IP includes support for PPP. PPP provides increased performance and enhanced security capabilities when compared to SLIP. With PPP, user authentication is architected and not dependent on user-created scripts. Encryption of user names and passwords is available when both sides in a connection support it. PPP also supports IP address validation. This ensures that a user has an address within a specified range, to protect against IP spoofing. PPP also provides the ability to configure your connection profile to periodically reset the challenge, to protect against session piggy-backing. Security Considerations for Point-to-Point Protocol in this book and the TCP/IP Configuration and Reference articles in the Information Center provide more information.
• Password caching for Windows 95 clients: The Windows 95 client for Client Access provides the capability to save passwords to the Windows 95 password cache with a Save Password checkbox at sign-on. It also provides the capability to clear passwords from the cache with a Clear Passwords button. This removes all Client Access passwords from the Windows 95 password cache. When you uninstall Client Access, the process also clears all Client Access passwords from the Windows 95 password cache.
• Digital Certificate Manager: Digital Certificate Manager (DCM) registers user certificates that you create. You can also use the DCM to register user certificates that other Certificate Authorities issue. DCM automatically associates the registered certificate with the owner's iSeries 400 user profile. To use digital certificates, you must have TCP/IP Connectivity Utilities for iSeries (5769-TC1) and the IBM HTTP Server for iSeries (5769-DG1) installed on your iSeries. You must also install a cryptographic access provider licensed program (5769-AC1, 5769-AC2, or 5769-AC3) to create certificate keys. These cryptographic products determine the maximum key length permitted for cryptographic algorithms. The industry standard for digital certificates is the X.509 format. Certificates that you create in Digital Certificate Manager are compatible with X.509 versions 2 and 3.
• Operations Navigator: Provides user and group security configurations to make digital security management easier for iSeries 400 users.
Security Enhancements for V4R1
• Internet Connection Server: With V4R1, the TCP/IP HTTP server is reintroduced as the Internet Connection Server (ICS). The ICS provides both enhanced function over the HTTP server and compatibility across multiple IBM platforms. It also provides new security capabilities:
  - New directives allow you to require authentication (user ID and password) before accepting requests for some or all of your ICS resources (URLs and CGI programs). You can use either normal iSeries user profiles or a new iSeries validation object to provide the authentication.
  - With new directives, you can also swap to a different iSeries user profile before accessing ICS resources instead of using the default user profiles that are provided with the server. With this capability, you can, for example, take advantage of iSeries resource security when you serve multiple Web sites on the same system.
  Web serving with your IBM HTTP Server, found in the Information Center, provides more information about the security considerations for this new server.
• Internet Connection Secure Server: With V4R1, the new Internet Connection Secure Server (ICSS) provides the capability to establish a secure connection between your iSeries and an SSL-enabled browser. The ICSS uses the Secure Sockets Layer (SSL) protocol to authenticate servers and to encrypt the transmitted data. Most popular Web browsers are SSL-enabled. The ICSS provides the foundation for secure electronic commerce using an iSeries server.
  Web serving with your IBM HTTP Server, found in the Information Center, provides more information about the security considerations for this new server.
• Firewall for iSeries 400: The IBM Firewall for iSeries 400 (5769FW1) is a software product that enables the Integrated Netfinity Server for iSeries 400 on your iSeries to perform the functions of a firewall. The firewall separates your internal secure network from an external non-secure network (usually the Internet). You can run the IBM Firewall for iSeries 400 on your production iSeries system to protect both your production system and other connected systems. For maximum security protection, you would normally use a separate, dedicated iSeries system as your Internet server. You might also choose to run the firewall on a multi-use iSeries system that runs your production applications and provides Internet services. However, the success of this implementation depends heavily upon both your application design and the thoroughness of your configuration rules. The IBM Firewall for iSeries 400 provides the following capabilities:
  - Packet filtering support (TCP, UDP and ICMP)
    Dynamic packet filtering support for RealAudio (Progressive Networks)
  - A domain name server
  - Proxy servers for common applications such as HTTP, TELNET, and FTP
  - A socks server that is application-independent
  - A mail server
  - Extensive logging and monitoring
  - Administration through a Web browser
  For the system administrator, the IBM Firewall for iSeries 400 provides the advantage of using technology and an environment that you already understand. It provides an economical method to protect your internal network as you branch out to connect to other, non-secure networks. The Technical Studio provides complete information about how to set up the firewall and how to use its capabilities. The Firewall for iSeries 400 Web site provides current information, tips, and frequently asked questions. Visit the Web site at the following URL:
  http://www.as400.ibm.com/firewall
• NetCommerce for iSeries: The Internet Connection Server and the Internet Connection Secure Server provide the foundations for electronic commerce on your iSeries. Two new licensed programs provide you with tools to develop a full-function shopping mall on your Web site.
  - IBM NetCommerce for iSeries (5798-NC2) provides tools for you to design and administer your Web site. You can create and maintain product catalogs and use a shopping basket metaphor for your Web-site visitors.
  For the latest information about IBM's electronic commerce offerings, visit the following Web site:
  http://www.internet.ibm.com/commercepoint/netcommerce/
• TCP/IP exit points: Beginning with V4R1, more TCP/IP applications use the exit points that were previously available only for the FTP server. You can now use exit programs to control activity for both the REXEC server and the TFTP server. For more information on Dynamic Host Configuration Protocol Server Exit Programs, see this topic in the Information Center. The article TCP/IP User Exits in this book provides more information about how to use the FTP exit points.
Part 2 Tips for Basic iSeries 400 System Security
"Curiosity is one of the permanent and certain characteristics of a vigorous mind." Samuel Johnson: The Rambler

"While we stop to think, we often miss our opportunity." Publilius Syrus: Maxim 185
Chapter 2 Basic Elements of iSeries Security
This topic provides a brief review of the basic elements that work together to provide iSeries security. In other parts of this book we go beyond the basics to provide tips for using these security elements to meet the needs of your organization.
Security Levels
You can choose how much security you want the system to enforce by setting the security level (QSECURITY) system value. The system offers five levels of security:

Level 10: The system does not enforce any security. No password is necessary. If the specified user profile does not exist on the system when someone signs on, the system creates one.
ATTENTION: Beginning in V4R3 and future releases, you cannot set the QSECURITY system value to 10. If your system is currently at security level 10, it will remain at level 10 when you install Version 4 Release 3. If you change the security level to some other value, you cannot change it back to level 10. Because level 10 provides no security protection, security level 10 is not recommended by IBM. IBM will not provide support for any problems that occur at security level 10 unless the problem can also be created at a higher security level.

Level 20: The system requires a user ID and password for signing on. Security level 20 is often referred to as sign-on security. By default, all users have access to all objects because all users have *ALLOBJ special authority.

Level 30: The system requires a user ID and password for signing on. Users must have authority to use objects because users do not have any authority by default. This is called resource security.

Level 40: The system requires a user ID and password for signing on. In addition to resource security, the system provides integrity protection functions. The integrity protection functions are intended to protect both your system and the objects on your system from tampering by experienced system users. For most installations, level 40 is the recommended security level. When you receive a new iSeries system with V3R7 or a later release, the security level is set to 40.

Level 50: The system requires a user ID and password for signing on. The system enforces both resource security and the integrity protection of level 40, but adds enhanced integrity protection, such as the following:
• Validation of parameters for interfaces to the operating system
• Restriction of message-handling between system state programs and user state programs
Security level 50 is intended for iSeries systems with high security requirements.
Note: Level 50 is the required level for C2 certification and FIPS-140 certification. For more information, review the publication Security - Enabling for C2. Chapter 2 of the iSeries Security Reference book provides more information about the security levels and describes how to move from one security level to another.
Global Settings
Your system has global settings that affect how your work enters the system and how the system appears to other system users. These settings include the following:
• System values: System values are used to control security on your system. These values are broken into four groups:
  - General security system values
  - Other system values related to security
  - System values that control passwords
  - System values that control auditing
  Several topics in this book discuss the security implications of specific system values. Chapter 3 in the iSeries Security Reference book describes all the security-relevant system values.
• Network attributes: Network attributes control how your system participates (or chooses not to participate) in a network with other systems. You can read more about network attributes in the Work Management book.
• Subsystem descriptions and other work management elements: Work management elements determine how work enters the system and what environment the work runs in. Several topics in this book discuss the security implications of some work management values. The Work Management book provides complete information.
• Communications configuration: Your communications configuration also affects how work enters your system. Several topics in this book provide suggestions for protecting your system when it participates in a network.
User Profiles
Every system user must have a user profile. At security level 10 (which is not supported beginning with V4R3), the system automatically creates a profile when a user first signs on. At higher security levels, you must create a user profile before a user can sign on. User profiles can also be used to control access to service tools such as DASD and main storage dumps. See Managing Service Tools on page 81 for more information.

The user profile is a powerful and flexible tool. It controls what the user can do and customizes the way the system appears to the user. The iSeries Security Reference book describes all the parameters in the user profile.
Group Profiles
A group profile is a special type of user profile. You can use a group profile to define authority for a group of users, rather than giving authority to each user individually. You can also use a group profile as a pattern when you create individual user profiles by using the copy-profile function; or, if you use Operations Navigator, you can use the security Policies menu to edit your users' authorities. Chapter 5 and Chapter 7 in the iSeries Security Reference book provide more information about planning and using group profiles.
Resource Security
Resource security on the system allows you to define who can use objects and how those objects can be used. The ability to access an object is called authority. When you set up object authority, you need to be careful to give your users enough authority to do their work without giving them the authority to browse and change the system. Object authority gives permissions to the user for a specific object and can specify what the user is allowed to do with the object. Access to an object can be limited through specific, detailed user authorities, such as adding records or changing records. You can also give the user one of the system-defined subsets of authorities: *ALL, *CHANGE, *USE, and *EXCLUDE. Files, programs, libraries, and directories are the most common system objects that require resource security protection, but you can specify authority for any individual object on the system. Chapter 6, Using Object Authority to Protect Information Assets, discusses the importance of setting up object authority on your system. Chapter 5 of the iSeries Security Reference book describes the options for setting up resource security.
Limit Access to Program Function
The limit access to program function support allows you to provide security for a program when you do not have an iSeries 400 object to secure for the program. Before the limit access to program function support was added in V4R3, you could accomplish this by creating an authorization list or other object, and checking the authority to the object to control access to the program function. Now you can use the limit access to program function support to more easily control access to an application, parts of an application, or functions within a program.

There are two methods that you can use to manage user access to application functions through Operations Navigator. The first uses Application Administration support:
1. Right-click the iSeries running your application.
2. Click Application Administration. This opens a window which contains lists of registered functions for Operations Navigator, host applications, and client applications (see Figure 1 on page 16).
3. From the Application Administration window, change the default usage setting and the allow *ALLOBJ indicator as desired. The default for application authorities is *ALLOBJ. If you want to customize access to your application programs, you can specify which programs have authority. You do this by clicking on the authority choices on the screen. The new configuration is then implemented.
   Note: When a function has a list of users that have been given or denied access to the function, the Customized Usage column contains an X.
4. Highlight a function to enable the Customize button.
5. Click the Customize button to display the Customize Usage dialog box.
6. Within the Customize Usage dialog box, change the list of users and groups allowed or denied access to the function.
Figure 1. Application Administration
The second method of managing user access involves Operations Navigator's Users and Groups support:
1. Access the Properties window for a user or group.
2. Click the Capabilities button.
3. Choose the Applications tab. This displays a list of registered functions and the access or usage the user or group has to each function. The Usage Derived From column shows where the access is from.
4. At the Capabilities window, change the user's settings for the listed functions. From this window you can also do the following:
   • Change the settings for all functions in a hierarchy grouping by changing the setting for the parent function
   • Manage access to functions using group profiles
See Security and Operations Navigator on page 208 for more information on Operations Navigator security issues.

If you are an application writer, you can use the limit access to program function APIs to do the following:
• Register a function
• Retrieve information about the function
• Define who can or cannot use the function
• Check to see if the user is allowed to use the function
Note: This support is not a replacement for resource security. Limit access to program function does not prevent a user from accessing a resource (such as a file or program) from another interface.

To use this support within an application, the application provider must register the functions when the application is installed. The registered function corresponds to a code block for specific functions in the application. When the application is run by the user, the application calls the API before the application calls the code block. The API calls the check usage API to see if the user is allowed to use the function. If the user is allowed to use the registered function, the code block is run. If the user is not allowed to use the function, the user is prevented from running the code block.
Note: The APIs involve registering a 20-character function ID in the registration database (WRKREGINF). Although there are no exit points related to the function IDs used by the limit access to function APIs, the registry requires exit points: to register anything in the registry, you must supply an exit point format name. To do this, the create new FUNCTION ID API creates a dummy name and uses this dummy name for all FUNCTION IDs that are registered. Because this is a dummy format name, no exit point program is ever called.

The system administrator specifies who is allowed or denied access to a function. The administrator can either use the API to manage access to program function or use the Operations Navigator Application Administration GUI. The iSeries 400 System API Reference book provides information about the limit access to program function APIs. For additional information about controlling access to functions, see Security and Operations Navigator on page 208.
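The check sequence just described (register the function when the application is installed, then call the check usage API before the guarded code block) is shown below as an added example; it is not IBM's code and does not call the real limit access to program function APIs, which are documented in the iSeries 400 System API Reference. The function ID, the user and group names, and the precedence in which a user entry, the allow *ALLOBJ indicator, group profiles and the default usage are consulted are all assumptions of this model.

```python
"""Model of the 'limit access to program function' check.

Added example, not IBM's code: a registry of function IDs with a default
usage, an 'allow *ALLOBJ' indicator and per-user/group allow and deny lists,
plus the check an application makes before running a guarded code block.
The precedence order (user entry, then *ALLOBJ indicator, then group
profiles, then the default) is an assumption of this model.
"""
from dataclasses import dataclass, field


@dataclass
class RegisteredFunction:
    function_id: str                 # the text notes IDs are up to 20 characters
    default_allowed: bool = True     # the "default usage" setting
    allobj_overrides: bool = True    # the "allow *ALLOBJ" indicator
    allowed: set = field(default_factory=set)   # user or group names given access
    denied: set = field(default_factory=set)    # user or group names denied access


@dataclass
class UserProfile:
    name: str
    groups: tuple = ()               # group profiles the user belongs to
    has_allobj: bool = False         # holds *ALLOBJ special authority


class FunctionRegistry:
    def __init__(self):
        self._functions = {}

    def register(self, fn):
        """Register a function ID (the application installer does this)."""
        if not 1 <= len(fn.function_id) <= 20:
            raise ValueError("function ID must be 1-20 characters")
        self._functions[fn.function_id] = fn

    def check_usage(self, function_id, user):
        """Return (allowed, derived_from), like the Usage Derived From column."""
        fn = self._functions[function_id]
        if user.name in fn.denied:               # explicit user entry wins
            return False, "user"
        if user.name in fn.allowed:
            return True, "user"
        if user.has_allobj and fn.allobj_overrides:
            return True, "*ALLOBJ"
        for group in user.groups:                # then group profile entries
            if group in fn.denied:
                return False, f"group {group}"
            if group in fn.allowed:
                return True, f"group {group}"
        return fn.default_allowed, "default"     # finally the default usage


def run_guarded(registry, function_id, user, code_block):
    """The application calls the check before the code block; a denied user
    never reaches it. This is not resource security: objects the block
    touches still need their own object authority."""
    allowed, _source = registry.check_usage(function_id, user)
    if not allowed:
        return None
    return code_block()


# Constructed sample: one hypothetical registered function and four users.
REGISTRY = FunctionRegistry()
REGISTRY.register(RegisteredFunction(
    function_id="MYCO_PAYROLL_EDIT",   # hypothetical function ID
    default_allowed=False,
    allobj_overrides=True,
    allowed={"PAYROLL"},              # the PAYROLL group may use it
    denied={"DAVE"},                  # DAVE is denied although he is in PAYROLL
))
USERS = {
    "ALICE": UserProfile("ALICE", groups=("PAYROLL",)),
    "BOB": UserProfile("BOB"),
    "CAROL": UserProfile("CAROL", has_allobj=True),
    "DAVE": UserProfile("DAVE", groups=("PAYROLL",)),
}


def usage_table(registry=REGISTRY, users=USERS, function_id="MYCO_PAYROLL_EDIT"):
    """Map each user name to (allowed, derived_from) for the function."""
    return {name: registry.check_usage(function_id, u) for name, u in users.items()}


if __name__ == "__main__":
    for name, (ok, src) in usage_table().items():
        print(f"{name:6} {'allowed' if ok else 'denied':8} derived from {src}")
    print(run_guarded(REGISTRY, "MYCO_PAYROLL_EDIT", USERS["ALICE"], lambda: "payroll edited"))
```

The model keeps the page's two caveats visible: an explicit user deny overrides group membership (DAVE), and a user with *ALLOBJ passes only because the function's allow *ALLOBJ indicator is set (CAROL). Whatever the guarded block does to files or programs is still governed by ordinary object authority.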
Security Auditing
People audit their system security for several reasons:
• To evaluate whether the security plan is complete.
• To make sure that the planned security controls are in place and working. This type of auditing is usually performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security review by internal or external auditors.
• To make sure that system security is keeping pace with changes to the system environment. Some examples of changes that affect security are:
  - New objects created by system users
  - New users admitted to the system
  - Change of object ownership (authorization not adjusted)
  - Change of responsibilities (user group changed)
  - Temporary authority not timely revoked
  - New products installed
• To prepare for a future event, such as installing a new application, moving to a higher security level, or setting up a communications network.

The techniques described here are appropriate for all these situations. Which things you audit and how often depends on the size and security needs of your organization. Security auditing involves using commands on the iSeries system and accessing log and journal information on the system. You may want to create a special profile to be used by someone doing a security audit of your system. The auditor profile will need *AUDIT special authority to be able to change the audit characteristics of your system. Some of the auditing tasks suggested in this chapter require a user profile with *ALLOBJ and *SECADM special authority. Be sure that you set the password for the auditor profile to *NONE when the audit period has ended. For more details on security auditing, see Chapter 9 of the iSeries Security Reference book.
System Security Attributes Report Example
Figure 2 shows an example of the output from the Print System Security Attributes (PRTSYSSECA) command. The report shows the settings for security-relevant system values and network attributes that are recommended for systems with normal security requirements. It also shows the current settings on your system.
Note: The Current Value column on the report shows the current setting on your system. Compare this to the recommended value to see where you may have security exposures.
System Security Attributes

System Value Name    Current value    Recommended value
QALWOBJRST           *NONE            *NONE
QALWUSRDMN           *ALL             QTEMP
QATNPGM              QEZMAIN QSYS     *NONE
QAUDENDACN           *NOTIFY          *NOTIFY
QAUDFRCLVL           *SYS             *SYS
QAUDCTL              *AUDLVL          *AUDLVL *OBJAUD
QAUDLVL              *SECURITY        *AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *NOQTEMP
QAUTOCFG             0                0
QAUTOVRT             9999             0
QCMNRCYLMT           0 0              0 0
QCRTAUT              *CHANGE          Control at library level
QCRTOBJAUD           *NONE            Control at library level
QDEVRCYACN           *DSCMSG          *DSCMSG
QDSCJOBITV           120              120
QDSPSGNINF           1                1
QINACTITV            60               60
QINACTMSGQ           *ENDJOB          *ENDJOB
QLMTDEVSSN           0                1
QLMTSECOFR           0                1
QMAXSGNACN           2                3
QMAXSIGN             3                3
QPWDEXPITV           60               60
QPWDLMTAJC           1                1
QPWDLMTCHR           *NONE            AEIOU@
QPWDLMTREP           1                2
QPWDMAXLEN           8                8
QPWDMINLEN           6                6
QPWDPOSDIF           1                1
QPWDRQDDGT           1                1
QPWDRQDDIF           0                1
QPWDVLDPGM           *NONE            *NONE
QRETSVRSEC           0                0
QRMTIPL              0                0
QRMTSIGN             *FRCSIGNON       *FRCSIGNON
QSECURITY            50               50
QSRVDMP              *DMPUSRJOB       *NONE

Network Attribute Name    Current value    Recommended value
DDMACC                    *OBJAUT          *REJECT
JOBACN                    *FILE            *REJECT
PCSACC                    *OBJAUT          *REJECT

Figure 2. System Security Attributes Report - Sample (Parts 1 to 4 of 4 combined)
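Comparing the two columns of Figure 2 by eye works for one system. As an added example (not IBM's code, and not the PRTSYSSECA output format itself), the following Python script parses a report laid out like Figure 2 and lists every setting whose current value falls short of the recommendation. The sample text is constructed from the Figure 2 values; the three-column layout with columns separated by two or more spaces, and the treatment of "Control at library level" as an item to review rather than a system value to change, are assumptions of the example.

```python
"""Flag security exposures in a PRTSYSSECA-style report.

Added example (not IBM's code): parses the three-column report text and
compares each current value with the recommended value.
"""
import re
from dataclasses import dataclass

# Constructed sample laid out like the PRTSYSSECA report; the names and
# values are a subset of the Figure 2 sample above.
SAMPLE_REPORT = """\
System Value Name        Current value         Recommended value
QALWOBJRST               *NONE                 *NONE
QALWUSRDMN               *ALL                  QTEMP
QATNPGM                  QEZMAIN QSYS          *NONE
QAUDCTL                  *AUDLVL               *AUDLVL *OBJAUD
QAUDLVL                  *SECURITY             *AUTFAIL *CREATE *DELETE *SECURITY *SAVRST *NOQTEMP
QAUTOVRT                 9999                  0
QCRTAUT                  *CHANGE               Control at library level
QLMTSECOFR               0                     1
QMAXSGNACN               2                     3
QPWDLMTCHR               *NONE                 AEIOU@
QSECURITY                50                    50
QSRVDMP                  *DMPUSRJOB            *NONE
Network Attribute Name   Current value         Recommended value
DDMACC                   *OBJAUT               *REJECT
PCSACC                   *OBJAUT               *REJECT
"""


@dataclass
class Finding:
    name: str
    current: str
    recommended: str
    status: str  # "ok", "exposure" or "review"


def parse_report(text):
    """Return (name, current, recommended) tuples. Columns are separated by
    two or more spaces, so multi-keyword values such as QAUDLVL stay intact."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("Recommended value"):
            continue  # blank line or column-header line
        parts = re.split(r"\s{2,}", line)
        if len(parts) != 3:
            raise ValueError(f"unexpected report line: {raw!r}")
        rows.append(tuple(parts))
    return rows


def compare_values(current, recommended):
    """Classify one row. Multi-keyword values (QAUDLVL, QAUDCTL) are compared
    as sets: auditing more than the recommendation is not an exposure."""
    if recommended.startswith("Control at library level"):
        return "review"  # check each library's CRTAUT instead of the system value
    cur, rec = set(current.split()), set(recommended.split())
    if cur == rec:
        return "ok"
    if len(rec) > 1 and rec <= cur:
        return "ok"
    return "exposure"


def audit_report(text):
    return [Finding(n, c, r, compare_values(c, r)) for n, c, r in parse_report(text)]


def exposures(text):
    """Names of settings whose current value does not meet the recommendation."""
    return [f.name for f in audit_report(text) if f.status == "exposure"]


def needs_review(text):
    return [f.name for f in audit_report(text) if f.status == "review"]


if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        if f.status != "ok":
            print(f"{f.status:8} {f.name:12} current={f.current!r} recommended={f.recommended!r}")
```

Run against the real spooled output of PRTSYSSECA, the script gives the same "where am I exposed" list the Note above asks you to build by hand, and it can be scheduled so that drift in a system value is noticed the next day rather than at the next audit.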
Chapter 3 iSeries 400 Security Wizard and Security Advisor
The iSeries 400 Security Wizard and Security Advisor tools can help you decide what security values to put into effect on your iSeries system. Using the iSeries Security Wizard in Operations Navigator, you produce reports that reflect your security needs based on your selected answers. You can then use these reports to configure your system security. The Security Advisor is the on-line version of the Security Wizard. Located in our Technical Studio, it allows you to select your choices based on your security needs and then gives you a report suggesting what features are needed to secure your site.
iSeries 400 Security Wizard
Deciding which iSeries system security values you should use for your business can be perplexing. If you are new to iSeries, new to security implementation on iSeries servers, or the environment in which you run your iSeries has recently changed, the iSeries 400 Security Wizard can help you with decisions.

What is a Wizard?
• A wizard is a tool designed to be run by a novice user to install or configure something on a system.
• The wizard prompts the user for information by asking questions. The response to each question determines what question is asked next.
• When the wizard has asked all the questions, the user is presented with a finish dialog. The user then pushes the Finish button to install and configure the item.

Security Wizard Goals
The goal of the iSeries 400 Security Wizard is to configure, based on a user's responses, the following:
• Security-related system values and network attributes
• Security-related reporting for monitoring the system
• The wizard generates an Administrator Information Report and a User Information Report:
  - The Administrator Information Report contains recommended security settings and any procedures that should be followed prior to putting the recommendations into effect.
  - The User Information Report contains information that can be used for the business security policy. For example, password composition rules are included in this report.
• The wizard provides recommended settings for various security-related items on the system.

Security Wizard objectives
• The objectives of the Security Wizard are: to determine what the system security settings should be, based on the user's answers to the wizard's questions, then implement the settings when appropriate. The wizard produces detailed information reports including the following:
  - Report explaining the Wizard's recommendations
  - Report detailing the procedures that should be followed before implementation
  - Report listing relevant information to be distributed to the users of the system
• These items put basic security policy into effect on your system.
• The wizard recommends audit journal reports that you should schedule to run periodically. When scheduled, these reports help:
  - Ensure that security policies are followed
  - Ensure that security policies are only changed with your approval
  - Schedule reports to monitor security-related events on your system
• The wizard allows you to save the recommendations or to apply some or all of the recommendations to your system.
Note: The Security Wizard can be used more than once on the same system to allow users who may have an older installation to review their current security. The Security Wizard can be used from a V3R7 system (when Operations Navigator was introduced) upwards.

To access the Security Wizard, do the following:
1. Double-click the Operations Navigator icon to open Operations Navigator.
   Note: To use iSeries Operations Navigator, you must have Client Access installed on your Windows 95/NT PC and have an iSeries connection from that PC. The user of the Wizard must be connected to an iSeries. The user must have a user ID that has *ALLOBJ, *SECADM, *AUDIT and *IOSYSCFG special authority. For help in connecting your Windows 95/NT PC to your iSeries system, consult the Client Access Express topic in the Information Center (see Prerequisite and related information on page xii for details).
2. Expand the Security folder, then select Configure the security of the server to start the Security Wizard.
   • When a user starts the Security option of Operations Navigator, a request is sent to the iSeries to check the user's special authority.
   • Should the user not have all of the required special authority (*ALLOBJ, *AUDIT, *IOSYSCFG, *SECADM), they will not see the Configure option and will not be able to access the Security Wizard.
3. Assuming the user has the required authority:
   • Previous wizard responses are retrieved.
   • Current security settings are retrieved.

The Security Wizard will present you with one of three welcome screens. Which screen you see depends on which of the following conditions exists:
• The wizard has never been run for the target iSeries.
• The wizard has been run before and the security changes were deferred.
• The wizard has been run before and the security changes were put into effect.

If you are not using Operations Navigator, you can still get help planning for your security needs. The Security Advisor is an on-line version of the Security Wizard, with one difference: the advisor will not automatically configure your system. It will, however, generate a report of recommended security options based on your answers. To access the Security Advisor, point your Internet browser to the following URL:
http://www.as400.ibm.com/tstudio/secure1/index_av.htm

The Security Advisor is part of the iSeries 400 Technical Studio.
iSeries 400 Security Advisor
The Security Advisor is an on-line version of the Security Wizard. It asks the same questions as the Security Wizard and, based on your answers, generates the same recommendations. The main differences between the two tools are that:
• The Security Advisor does not:
  - Produce reports
  - Compare current settings with the recommended settings
  - Set any system value automatically
• You cannot apply recommendations from the Security Advisor. Instead, the Security Advisor generates a CL program that you can cut-and-paste and edit for your own use to automate security configuration.

You can also link directly to the iSeries 400 documentation from the Security Advisor. This provides information about the system value or report that can help you determine if the setting is appropriate for your environment. To access the Security Advisor, point your Internet browser to the following URL:
http://www.as400.ibm.com/tstudio/secure1/index_av.htm
The Security Advisor is part of the iSeries Technical Studio. This Web site answers many of your security questions and offers timely information on workshops, classes, and other resources. The URL for the Technical Studio is:

http://www.as400.ibm.com/techstudio

The URL for the iSeries Security section of the Technical Studio is:

http://www.as400.ibm.com/tstudio/secure1/secdex.htm
Chapter 3 iSeries 400 Security Wizard and Security Advisor
Chapter 4 Tips for Controlling Interactive Sign-On
When you think about restricting entry to your system, start with the obvious: the Sign On display. The following are options that you can use to make it difficult for an outsider to walk up or dial up and sign on to your system by using the Sign On display:
• Setting password rules
• Changing well-known passwords
• Setting sign-on rules
Setting Password Rules
To secure your system entry, do the following:
• Set a policy that states that passwords must not be trivial and must not be shared.
• Set system values to help you with enforcement. Table 1 shows recommended system value settings.

The combination of values in Table 1 is fairly restrictive and is intended to significantly reduce the likelihood of trivial passwords. However, your users may find it difficult and frustrating to select a password that meets these restrictions. Consider providing users with the following:
1. A list of the criteria for passwords
2. Examples of passwords that are and are not valid
3. Suggestions for how to think of a good password

You can run the Configure System Security (CFGSYSSEC) command to set these values. You can use the Print System Security Attributes (PRTSYSSECA) command to print your current settings for these system values. You can read more about these system values in Chapter 3 of the iSeries Security Reference book. "Values That Are Set by the Configure System Security Command" on page 51 provides more information about the CFGSYSSEC command.
Table 1. System Values for Passwords

System Value Name | Description | Recommended Value
QPWDEXPITV | How often system users must change their passwords. You can specify a different value for individual users in the user profile. | 60 (days)
QPWDLMTAJC | Whether the system prevents adjacent characters that are the same | 1 (yes)
QPWDLMTCHR | What characters may not be used in passwords (2) | AEIOU@#$
QPWDLMTREP | Whether the system prevents the same character from appearing more than once in the password | 2 (not allowed consecutively)
QPWDLVL | Whether user profile passwords are limited to 10 characters or a maximum of 128 | 0 (3)
QPWDMAXLEN | The maximum number of characters in a password | 8
QPWDMINLEN | The minimum number of characters in a password | 6
QPWDPOSDIF | Whether each character in a password must be different from the character in the same position in the previous password | 1 (yes)
QPWDRQDDGT | Whether the password must have at least one numeric character | 1 (yes)
QPWDRQDDIF | How long a user must wait before using the same password again (1) | 5 or less expiration intervals (1)
QPWDVLDPGM | What exit program is called to validate a newly assigned password | *NONE

Notes:
1. The QPWDEXPITV system value specifies how often you must change your password, such as every 60 days. This is the expiration interval. The QPWDRQDDIF system value specifies how many expiration intervals must pass before you can use the same password again. Chapter 3 of the iSeries Security Reference book provides more information about how these system values work together.
2. QPWDLMTCHR is not enforced at password levels 2 or 3. See "Password Levels" for details.
3. Refer to "Planning Password Level Changes" on page 27 to determine the password level that is right for your needs.
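The following Python program is an added example and is not part of this manual or of OS/400. It applies the Table 1 composition rules, at password level 0 or 1, to a candidate password and returns the names of the rules it breaks, which is the information a help desk or a user-facing hint needs to explain a rejection. The mapping of each QPWD* value to a check follows the Table 1 descriptions; the names LEVEL0_CHARSET and LEVEL0_FIRSTCHAR, and the reuse history passed for the QPWDRQDDIF check, are assumptions of this example (the system expresses QPWDRQDDIF in expiration intervals, as Note 1 explains).

```python
"""Password-rule checker mirroring the Table 1 recommendations.

Added example, not code from the IBM manual or from OS/400. It applies the
QPWD* system values (at password level 0/1) to a candidate password and
returns the list of rules violated, so that a script can explain why a
password was rejected. Rule names are the system value names; the two
LEVEL0_* names and the history handling are assumptions of this example.
"""

# Table 1 recommended values. QPWDEXPITV and QPWDVLDPGM are not composition
# rules and are therefore not modelled here.
RULES = {
    "QPWDMINLEN": 6,
    "QPWDMAXLEN": 8,
    "QPWDLMTAJC": 1,           # 1 = no two adjacent identical characters
    "QPWDLMTCHR": "AEIOU@#$",  # characters that may not appear at all
    "QPWDLMTREP": 2,           # 0 = repeats ok, 1 = none, 2 = none consecutively
    "QPWDRQDDGT": 1,           # 1 = at least one digit required
    "QPWDPOSDIF": 1,           # 1 = every position differs from previous pw
}

# Level 0/1 character set: A-Z, 0-9, #, $, @ and underscore. The system
# folds a level 0/1 password to uppercase before checking it.
LEVEL0_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@_")


def check_password(candidate, previous=None, history=(), rules=RULES):
    """Return the list of violated rule names; an empty list means accepted."""
    pw = candidate.upper()
    bad = []

    if any(c not in LEVEL0_CHARS for c in pw):
        bad.append("LEVEL0_CHARSET")
    if pw[:1].isdigit() or pw[:1] == "_":
        bad.append("LEVEL0_FIRSTCHAR")   # simple-name rule: no leading digit or _
    if len(pw) < rules["QPWDMINLEN"]:
        bad.append("QPWDMINLEN")
    if len(pw) > rules["QPWDMAXLEN"]:
        bad.append("QPWDMAXLEN")
    adjacent_repeat = any(a == b for a, b in zip(pw, pw[1:]))
    if rules["QPWDLMTAJC"] == 1 and adjacent_repeat:
        bad.append("QPWDLMTAJC")
    if any(c in rules["QPWDLMTCHR"] for c in pw):
        bad.append("QPWDLMTCHR")
    if rules["QPWDLMTREP"] == 1 and len(set(pw)) != len(pw):
        bad.append("QPWDLMTREP")
    elif rules["QPWDLMTREP"] == 2 and adjacent_repeat:
        bad.append("QPWDLMTREP")
    if rules["QPWDRQDDGT"] == 1 and not any(c.isdigit() for c in pw):
        bad.append("QPWDRQDDGT")
    if previous is not None and rules["QPWDPOSDIF"] == 1:
        # Same character in the same position as the previous password.
        if any(a == b for a, b in zip(pw, previous.upper())):
            bad.append("QPWDPOSDIF")
    # QPWDRQDDIF: reuse of a retained earlier password. The caller supplies
    # however many earlier passwords it keeps (assumption of this example).
    if pw in (h.upper() for h in history):
        bad.append("QPWDRQDDIF")
    return bad


if __name__ == "__main__":
    # Constructed sample candidates, including the shipped QSECOFR default.
    for pw in ("QSECOFR", "XR7KLM", "B2TTLN", "1XRKLM", "Rainy Day!"):
        print(f"{pw:12} -> {check_password(pw) or 'accepted'}")
    print(check_password("XR8KLM", previous="XR7KLM"))      # position clash
    print(check_password("XR7KLM", history=["xr7klm"]))     # reuse
```

Both QPWDLMTAJC and QPWDLMTREP=2 reject consecutive repeats, so a password such as B2TTLN is reported under both names; that duplication is how the two system values are defined, not an artifact of the example.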
Password Levels
V5R1 offers increased password security by using the system value QPWDLVL. In previous releases, users were limited to passwords that were no more than 10 characters long, from a limited range of characters. Now users can select a password or passphrase with as many as 128 characters, depending on the password level at which their system is set. Password levels supported by V5R1 are:
• Level 0: V5R1 systems are shipped at this level. At level 0, passwords are no more than 10 characters in length, containing only A-Z, 0-9, #, $, @, and _ characters. Passwords at level 0 are less secure than those at higher password levels.
• Level 1: Same rules as password level 0, but passwords for iSeries NetServer are not saved.
• Level 2: Passwords at this level are secure, and this level can be used for testing purposes. A password usable at level 0 or 1 is also saved for a user if the password is 10 characters or less and uses the level 0 or 1 character set. Passwords or passphrases at this level have these characteristics:
  - As many as 128 characters in length
  - Comprised of any available keyboard characters
  - May not be comprised entirely of blanks; blanks are removed from the end of the password
  - Case sensitive
• Level 3: Passwords at this level are the most secure and use the most advanced encryption algorithms available. Passwords at this level have the same characteristics as at level 2. Passwords for iSeries NetServer are not saved at this level.

Password levels 2 and 3 should only be used if every system on a network uses V5R1 and password level 2 or 3. If a single system on the network is not using V5R1, password levels 2 and 3 will be unavailable to all users. Similarly, all users must log in using the same password level. Password levels are global; users cannot choose the level at which they would like to have their password secured.
Planning Password Level Changes
Changing password levels should be planned carefully. Operations with other systems may fail, or users may not be able to sign on to the system, if you haven't planned for the password level change adequately. Prior to changing the QPWDLVL system value, make sure you have saved your security data using the SAVSECDTA or SAVSYS command. If you have a current backup, you will be able to reset the passwords for all user profiles if you need to return to a lower password level.

Products that you use on the system, and on clients with which the system interfaces, may have problems when the password level (QPWDLVL) system value is set to 2 or 3. Any product or client that sends passwords to the system in an encrypted form, rather than in the clear text a user enters on a sign-on screen, must be upgraded to work with the new password encryption rules for QPWDLVL 2 or 3. Sending the encrypted password is known as password substitution. Password substitution is used to prevent a password from being captured during transmission over a network. Password substitutes generated by older clients that do not support the new algorithm for QPWDLVL 2 or 3 will not be accepted, even if the specific characters typed in are correct. This also applies to any iSeries-to-iSeries peer access which uses the encrypted values to authenticate from one system to another.

The problem is compounded by the fact that some affected products (for example, the Java Toolbox) are provided as middleware. A third-party product that incorporates a prior version of one of these products will not work correctly until it is rebuilt using an updated version of the middleware. Given this and other scenarios, it is easy to see why careful planning is necessary before changing the QPWDLVL system value.
Considerations for changing QPWDLVL from 0 to 1
Password level 1 allows a system which does not need to communicate with the Windows 95/98/ME AS/400 Client Support for Windows Network Neighborhood (AS/400 NetServer) product to have the NetServer passwords eliminated from the system. Eliminating unnecessary encrypted passwords from the system increases the overall security of the system. At QPWDLVL 1, all current (pre-V5R1) password substitution and password authentication mechanisms continue to work. There is very little potential for breakage except for functions/services that require the NetServer password. The functions/services that require the NetServer password include:
• AS/400 Support for Windows Network Neighborhood, Windows 95/98/ME edition (AS/400 NetServer)
Considerations for changing QPWDLVL from 0 or 1 to 2
Password level 2 introduces the use of case-sensitive passwords up to 128 characters in length (also called passphrases) and provides the maximum ability to revert back to QPWDLVL 0 or 1. Regardless of the password level of the system, password level 2 and 3 passwords are created whenever a password is changed or a user signs on to the system. Having a level 2 and 3 password created while the system is still at password level 0 or 1 helps prepare for the change to password level 2 or 3.
Prior to changing QPWDLVL to 2, the system administrator should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) commands to locate all user profiles which do not have a password that is usable at password level 2. Depending on the profiles located, the administrator may wish to use one of the following mechanisms to have a password level 2 and 3 password added to the profiles:
• Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This causes the system to change the password that is usable at password levels 0 and 1; the system also creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3. An all-uppercase and an all-lowercase version of the password is created for use at password level 2 or 3. For example, changing the password to C4D2RB4Y results in the system generating C4D2RB4Y and c4d2rb4y as password level 2 passwords.
• Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 2 and 3, the system creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3. An all-uppercase and an all-lowercase version of the password is created for use at password level 2 or 3.

The absence of a password that is usable at password level 2 or 3 can be a problem whenever the user profile also does not have a password that is usable at password levels 0 and 1, or when the user tries to sign on through a product that uses password substitution. In these cases, the user will not be able to sign on when the password level is changed to 2. If a user profile does not have a password that is usable at password levels 2 and 3, but does have a password that is usable at password levels 0 and 1, and the user signs on through a product that sends clear text passwords, then the system validates the user against the password level 0 password and creates two password level 2 passwords as described above for the user profile. Subsequent sign-ons are validated against the password level 2 passwords.

Any client/service which uses password substitution will not work correctly at QPWDLVL 2 if the client/service hasn't been updated to use the new password (passphrase) substitution scheme. The administrator should check whether a client/service which hasn't been updated to the new password substitution scheme is required. The clients/services that use password substitution include:
• TELNET
• Client Access
• iSeries Host Servers
• QFileSrv.400
• AS/400 NetServer Print support
• DDM
• DRDA
• SNA LU6.2

It is highly recommended that the security data be saved prior to changing to QPWDLVL 2. This can help make the transition back to QPWDLVL 0 or 1 easier if that becomes necessary.
It is recommended that the other password system values, such as QPWDMINLEN and QPWDMAXLEN, not be changed until after some testing at QPWDLVL 2 has occurred. This makes it easier to transition back to QPWDLVL 1 or 0 if necessary. However, the QPWDVLDPGM system value must specify either *REGFAC or *NONE before the system will allow QPWDLVL to be changed to 2. Therefore, if you use a password validation program, you may wish to write a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by using the ADDEXITPGM command.

NetServer passwords are still supported at QPWDLVL 2, so any function/service that requires a NetServer password should still function correctly.

Once the administrator is comfortable with running the system at QPWDLVL 2, they can begin to change the password system values to exploit longer passwords. However, the administrator needs to be aware that longer passwords have these effects:
• If passwords greater than 10 characters are specified, the password level 0 and 1 password is cleared. This user profile would not be able to sign on if the system is returned to password level 0 or 1.
• If passwords contain special characters or do not follow the composition rules for simple object names (excluding case sensitivity), the password level 0 and 1 password is cleared.
• If passwords greater than 14 characters are specified, the NetServer password for the user profile is cleared.
• The password system values only apply to the new password level 2 value and do not apply to the system-generated password level 0 and 1 password or NetServer password values (if generated).
Considerations for changing QPWDLVL from 2 to 3
After running the system at QPWDLVL 2 for some period of time, the administrator can consider moving to QPWDLVL 3 to maximize password security protection. At QPWDLVL 3, all NetServer passwords are cleared, so a system should not be moved to QPWDLVL 3 until there is no need to use NetServer passwords. At QPWDLVL 3, all password level 0 and 1 passwords are cleared. The administrator can use the DSPAUTUSR or PRTUSRPRF commands to locate user profiles which don't have password level 2 or 3 passwords associated with them.
Changing to a lower password level
Returning to a lower QPWDLVL value, while possible, is not expected to be a completely painless operation. In general, the mind set should be that this is a one-way trip from lower QPWDLVL values to higher QPWDLVL values. However, there may be cases where a lower QPWDLVL value must be reinstated. The following sections each discuss the work required to move back to a lower password level.

Considerations for changing from QPWDLVL 3 to 2: This change is relatively easy. Once the QPWDLVL is set to 2, the administrator needs to determine if any user profile is required to contain NetServer passwords or password level 0 or 1 passwords and, if so, change the password of the user profile to an allowable value.
Additionally, the password system values may have to be changed back to values compatible with NetServer and password level 0 or 1 passwords, if those passwords are needed.

Considerations for changing from QPWDLVL 3 to 1 or 0: Because of the very high potential for causing problems for the system (for example, no one being able to sign on because all of the password level 0 and 1 passwords have been cleared), this change is not supported directly. To change from QPWDLVL 3 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2.

Considerations for changing from QPWDLVL 2 to 1: Prior to changing QPWDLVL to 1, the administrator should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) commands to locate any user profiles that do not have a password level 0 or 1 password. If the user profile will require a password after the QPWDLVL is changed, the administrator should ensure that a password level 0 and 1 password is created for the profile using one of the following mechanisms:
• Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This causes the system to change the password that is usable at password levels 2 and 3; the system also creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the following conditions are met:
  - The password is 10 characters or less in length.
  - The password can be converted to the uppercase EBCDIC characters A-Z, 0-9, @, #, $, and underscore.
  - The password does not begin with a numeric or underscore character.
  For example, changing the password to a value of RainyDay would result in the system generating a password level 0 and 1 password of RAINYDAY. But changing the password value to "Rainy Days In April" would cause the system to clear the password level 0 and 1 password, because the password is too long and it contains blanks. No message or indication is produced if the password level 0 or 1 password could not be created.
• Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 0 and 1, the system creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the conditions listed above are met.

The administrator can then change QPWDLVL to 1. All NetServer passwords are cleared when the change to QPWDLVL 1 takes effect (at the next IPL).

Considerations for changing from QPWDLVL 2 to 0: The considerations are the same as for changing from QPWDLVL 2 to 1, except that all NetServer passwords are retained when the change takes effect.

Considerations for changing from QPWDLVL 1 to 0: After changing QPWDLVL to 0, the administrator should use the DSPAUTUSR or PRTUSRPRF commands to locate any user profiles that do not have a NetServer password. If the user profile requires a NetServer password, it can be created by changing the user's password or by signing on through a mechanism that presents the password in clear text.
The administrator can then change QPWDLVL to 0
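The following Python program is an added example and is not part of this manual or of OS/400. It models the derivation rules described above for both directions of a password level change: the upper- and lowercase pair created for level 2/3 when a level 0/1 password is changed, the single uppercase level 0/1 password that is kept (or silently cleared) when a level 2/3 passphrase is changed, and the 14-character limit beyond which the NetServer password is cleared. Only the derivation rules are modelled; the one-way encryption the system actually stores and the NetServer encoding are not reproduced. The function names, the profile-to-passphrase mapping and the sample profiles are assumptions constructed for this example; on a real system the equivalent check is done with DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO).

```python
"""What the system keeps at each password level when a password changes.

Added example, not code from the IBM manual or from OS/400. It models the
conversions the text describes for QPWDLVL changes:
  - level 0/1 -> level 2/3: two case variants (all upper, all lower);
  - level 2/3 -> level 0/1: one uppercase password, kept only if the
    passphrase fits the level 0/1 rules, otherwise cleared without a message;
  - NetServer password: cleared once the passphrase exceeds 14 characters.
Only the derivation rules are modelled, not the stored encrypted values.
"""

LEVEL01_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@_")
LEVEL01_MAXLEN = 10
NETSERVER_MAXLEN = 14


def level2_from_level01(password):
    """Level 0/1 password -> the two level 2/3 passwords the system creates."""
    return (password.upper(), password.lower())


def level01_from_level2(passphrase):
    """Level 2/3 passphrase -> equivalent level 0/1 password, or None.

    None means the system would clear the level 0/1 password. The manual
    notes that no message is issued in that case, so the caller must check.
    """
    folded = passphrase.rstrip(" ").upper()   # trailing blanks are removed
    if len(folded) > LEVEL01_MAXLEN:
        return None                            # too long for level 0/1
    if any(c not in LEVEL01_CHARS for c in folded):
        return None                            # blanks or special characters
    if folded[:1].isdigit() or folded[:1] == "_":
        return None                            # simple-name rule: no leading digit or _
    return folded


def netserver_kept(passphrase):
    """Whether a NetServer password survives this passphrase at QPWDLVL 2."""
    return len(passphrase) <= NETSERVER_MAXLEN


def profiles_at_risk(profiles, target_level):
    """Profiles left without a usable password if QPWDLVL drops to target_level.

    `profiles` maps profile name -> current level 2/3 passphrase (constructed
    sample data for this example). Lowering to 0 or 1 strands every profile
    whose passphrase cannot be folded to a level 0/1 password.
    """
    if target_level in (0, 1):
        return sorted(name for name, pw in profiles.items()
                      if level01_from_level2(pw) is None)
    return []


# Constructed sample profiles (not real data).
SAMPLE_PROFILES = {
    "AUDITOR": "RainyDay",             # folds to RAINYDAY
    "OPS1": "Rainy Days In April",     # too long, contains blanks
    "BATCH": "7up_and_go",             # 10 chars but begins with a digit
    "DBA": "Week#42",                  # folds to WEEK#42
}

if __name__ == "__main__":
    print(level2_from_level01("C4D2RB4Y"))            # ('C4D2RB4Y', 'c4d2rb4y')
    print(level01_from_level2("RainyDay"))            # RAINYDAY
    print(level01_from_level2("Rainy Days In April")) # None
    print(netserver_kept("Rainy Days In April"))      # False
    print(profiles_at_risk(SAMPLE_PROFILES, 1))       # ['BATCH', 'OPS1']
```

The BATCH profile is the case worth noticing: its passphrase is short enough and uses only level 0/1 characters, yet the leading digit still clears the level 0/1 password, and the system gives no indication that it did so.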
Changing Well-Known Passwords
Do the following to close some well-known entrances into iSeries that may exist on your system:

__ Step 1. Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command. See "Avoiding Default Passwords" on page 37.

__ Step 2. Try to sign on to your system with the combinations of user profiles and passwords that are shown in Table 2 on page 32. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.

__ Step 3. Now start Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in Table 3 on page 33. You start DST by using one of the following methods:
   • Perform an IPL with the system in Manual mode and select Dedicated Service Tools from the IPL or Install the System menu.
   • Place the console in DST mode by doing the following:
     __ Step a. Make sure that all jobs at the console are ended.
     __ Step b. Place the system unit in manual mode.
     __ Step c. Use the system panel to select function 21.
     __ Step d. Press the Enter button on the system panel.
     __ Step e. From the IPL or Install the System menu, select DST.

__ Step 4. If you can sign on to DST with any of these passwords, change the passwords by doing the following:
   __ Step a. From the Dedicated Service Tools (DST) menu, select option 5 (Work with DST environment).
   __ Step b. From the Work with DST Environment menu, select option 11 (Change DST Passwords).
      Note: The menu option numbers may be different on your system, depending on the release of OS/400 that you are running.
      Remember the new passwords. Write down the passwords that you select and store them in a safe place. You or your hardware service representative may need these passwords to work on your system in the future.
   __ Step c. From the Change DST Passwords menu, select option 3 (Change the DST security capability password).
      Note: DST security capability has the user ID of QSECOFR. You can change this user ID if you want, but be sure to write down the new user ID.
   __ Step d. On the Change DST Security Capability Password display, type a new password. You must type the password twice for verification. The password does not display when you type it.
   __ Step e. Press the Enter key.
   __ Step f. From the Change DST Passwords menu, select option 2 (Change the DST full capability password).
      Note: DST full capability has the user ID of 22222222. You can change this user ID if you want, but be sure to write down the new user ID.
   __ Step g. On the Change DST Full Capability Password display, type a new password. You must type the password twice for verification. The password does not display when you type it.
   __ Step h. Press the Enter key.
   __ Step i. From the Change DST Passwords menu, select option 1 (Change the DST basic capability password).
      Note: DST basic capability has the user ID of 11111111. You can change this user ID if you want, but be sure to write down the new user ID.
   __ Step j. On the Change DST Basic Capability Password display, type a new password. You must type the password twice for verification. The password does not display when you type it.
   __ Step k. Press the Enter key.
   __ Step l. Press F3 until you see the Dedicated Service Tools (DST) menu.

__ Step 5. Finally, make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information on the Sign On display, do one of the following:
   • Change to security level 40 or 50 (QSECURITY system value).
     Note: Your applications might run differently when you change to security level 40 or 50 from a lower security level. Review the information in Chapter 2 of the iSeries Security Reference book before you change to security level 40 or 50.
   • Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).
Table 2. Passwords for IBM-Supplied Profiles

User ID | Password | Recommended Value
QSECOFR | QSECOFR (1) | A nontrivial value known only to the security administrator. Write down the password that you have selected and store it in a safe place.
QSYSOPR | QSYSOPR | *NONE (2)
QPGMR | QPGMR | *NONE (2)
QUSER | QUSER | *NONE (2, 3)
QSRV | QSRV | *NONE (2)
QSRVBAS | QSRVBAS | *NONE (2)

Notes:
1. Beginning with V3R2, the system arrives with the "Set password to expired" value for QSECOFR set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password.
2. The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. For new systems installed with V3R1 or later releases, this password is shipped as *NONE. When you run the CFGSYSSEC command, the system sets these passwords to *NONE.
3. To run AS/400 Client Access for Windows 95/NT using TCP/IP, the QUSER user profile must be enabled.

Table 3. Passwords for Dedicated Service Tools (DST)

Level | User ID (1) | Password | Recommended Value
Basic capability | 11111111 | 11111111 | A nontrivial value known only to the security administrator (2)
Full capability | 22222222 | 22222222 (3) | A nontrivial value known only to the security administrator (2)
Security capability | QSECOFR | QSECOFR (3) | A nontrivial value known only to the security administrator (2)
Service capability | QSRV | QSRV (3) | A nontrivial value known only to the security administrator (2)

Notes:
1. A user ID is only required for PowerPC AS (RISC) releases of the operating system.
2. If your hardware service representative needs to sign on with this user ID and password, change the password to a new value after the hardware service representative leaves.
3. The service tools user profile will expire as soon as it is used for the first time.

Note: DST passwords can only be changed by an authenticated device. This is also true for all passwords and corresponding user IDs that are identical. For more information on authenticated devices, see "Operations Console Setup".
Setting Sign-On Values
Table 4 shows several values that you can set to make it more difficult for an unauthorized person to sign on to your system. If you run the CFGSYSSEC command, it sets these system values to the recommended settings. You can read more about these system values in Chapter 3 of the iSeries Security Reference book.

Table 4. Sign-On System Values

System Value Name | Description | Recommended Setting
QAUTOCFG | Whether the system automatically configures new devices | 0 (No)
QAUTOVRT | The number of virtual device descriptions that the system will automatically create if no device is available for use | 0
QDEVRCYACN | What the system does when a device reconnects after an error (1) | *DSCMSG
QDSCJOBITV | How long the system waits before ending a disconnected job | 120
QDSPSGNINF | Whether the system displays information about previous sign-on activity when a user signs on | 1 (Yes)
QINACTITV | How long the system waits before taking action when an interactive job is inactive | 60
QINACTMSGQ | What the system does when the QINACTITV time period is reached | *DSCJOB
QLMTDEVSSN | Whether the system prevents a user from signing on at more than one work station at the same time | 1 (Yes)
QLMTSECOFR | Whether users with *ALLOBJ or *SERVICE special authority can sign on only at specific work stations | 1 (Yes) (2)
QMAXSIGN | Maximum consecutive incorrect sign-on attempts (user profile or password is incorrect) | 3
QMAXSGNACN | What the system does when the QMAXSIGN limit is reached | 3 (Disable both user profile and device)

Notes:
1. Beginning with V4R2, the system can disconnect and reconnect TELNET sessions when the device description for the session is explicitly assigned.
2. If you set the system value to 1 (Yes), you will need to explicitly authorize users with *ALLOBJ or *SERVICE special authority to devices. The simplest way to do this is to give the QSECOFR user profile *CHANGE authority to specific devices.
Changing Sign-On Error Messages
Hackers like to know when they are making progress toward breaking into a system. When an error message on the Sign On display says "Password not correct", the hacker can assume that the user ID is correct. You can frustrate the hacker by using the Change Message Description (CHGMSGD) command to change the text for two sign-on error messages so that both cases produce the same text. Table 5 shows the recommended text.

Table 5. Sign-On Error Messages

Message ID | Shipped Text | Recommended Text
CPF1107 | CPF1107 Password not correct for user profile | Sign-on information is not correct. Note: Do not include the message ID in the message text.
CPF1120 | CPF1120 User XXXXX does not exist | Sign-on information is not correct. Note: Do not include the message ID in the message text.
Scheduling Availability of User Profiles
You may want some user profiles to be available for sign-on only at certain times of the day or certain days of the week. For example, if you have a profile set up for a security auditor, you may want to enable that user profile only during the hours that the auditor is scheduled to work. You might also want to disable user profiles with *ALLOBJ special authority (including the QSECOFR user profile) during off-hours.

You can use the Change Activation Schedule Entry (CHGACTSCDE) command to set up user profiles to be enabled and disabled automatically. For each user profile that you want to schedule, you create an entry that defines the user profile's schedule. For example, if you want the QSECOFR profile to be available only between 7 in the morning and 10 in the evening, you would type the following on the CHGACTSCDE display:

                  Change Activation Scd Entry (CHGACTSCDE)

 Type choices, press Enter.

 User profile . . . . . . . . . . > QSECOFR      Name
 Enable time  . . . . . . . . . . > 7:00         Time, *NONE
 Disable time . . . . . . . . . . > 22:00        Time, *NONE
 Days . . . . . . . . . . . . . . > *MON         *ALL, *MON, *TUE, *WED...
                                    *TUE
                                    *WED
                                    *THU
                                    *FRI
               + for more values

Figure 3. Schedule Profile Activation Display (Sample)
In fact, you might want to have the QSECOFR profile available only for a very limited number of hours each day. You can use another user profile with the *SECOFR class to perform most system functions. Thus, you avoid exposing a well-known user profile to hacking attempts.

You can use the Display Audit Journal Entries (DSPAUDJRNE) command periodically to print the CP (Change Profile) audit journal entries. Use these entries to verify that the system is enabling and disabling user profiles according to your planned schedule.

Another method for checking to ensure that user profiles are being disabled on your planned schedule is to use the Print User Profile (PRTUSRPRF) command. When you specify *PWDINFO for the report type, the report includes the status of each selected user profile. If, for example, you regularly disable all user profiles with *ALLOBJ special authority, you can schedule the following command to run immediately after the profiles are disabled:

PRTUSRPRF TYPE(*PWDINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
Removing Inactive User Profiles
Your system should contain only user profiles that are necessary. If you no longer need a user profile because the user either has left or has taken a different job within the organization, remove the user profile. If someone is gone from the organization for an extended period, disable (deactivate) that user's profile. An unnecessary user profile may provide unauthorized entry to your system. If you are using Operations Navigator, this can be accomplished by completing the changes using the security Authorization lists function (see the Operations Navigator information in section three of this book).
Disabling User Profiles Automatically
You can use the Analyze Profile Activity (ANZPRFACT) command to regularly disable user profiles that have been inactive for a specified number of days. When you use the ANZPRFACT command, you specify the number of inactive days that the system looks for. The system looks at the last used date, the restore date, and the creation date for the user profile. Once you have specified a value for the ANZPRFACT command, the system schedules a job to run weekly at 1 a.m., starting with the day after you first specified a value. The job examines all profiles and disables inactive profiles. You do not need to use the ANZPRFACT command again unless you want to change the number of inactive days. You can use the Change Active Profile List (CHGACTPRFL) command to make some profiles exempt from ANZPRFACT processing. The CHGACTPRFL command creates a list of user profiles that the ANZPRFACT command will not disable, no matter how long those profiles have been inactive. When the system runs the ANZPRFACT command, it writes a CP entry in the audit journal for each user profile that is disabled. You can use the DSPAUDJRNE command to list the user profiles that are newly disabled. Note: The system writes audit entries only if the QAUDCTL value specifies *AUDLVL and the QAUDLVL system value specifies *SECURITY. Another method for checking to ensure that user profiles are being disabled on your planned schedule is to use the Print User Profile (PRTUSRPRF) command. When you specify *PWDINFO for the report type, the report includes the status of each selected user profile.
Removing User Profiles Automatically
You can use the Change Expiration Schedule Entry (CHGEXPSCDE) command to manage the removing or disabling of user profiles. If you know that a user is leaving for an extended period, you can schedule the user profile to be removed or disabled. The first time that you use the CHGEXPSCDE command, it creates a job schedule entry that runs at 1 minute after midnight every day. The job looks at the QASECEXP file to determine whether any user profiles are scheduled for removal on that day. With the CHGEXPSCDE command, you either disable or delete a user profile. If you choose to delete a user profile, you must specify what the system will do with the objects that the user owns. Before you schedule a user profile for deletion, you need to research the objects that the user owns. For example, if the user owns programs that adopt authority, do you want those programs to adopt the ownership of the new owner? Or does the new owner have more authority than necessary, such as special authority? Perhaps you need to create a new user profile with specific authorities to own the programs that need to adopt authority. You also need to research whether any application problems will occur if you delete the user profile. For example, do any job descriptions specify the user profile as the default user? You can use the Display Expiration Schedule (DSPEXPSCD) command to display the list of profiles that are scheduled to be disabled or removed. You can use the Display Authorized Users (DSPAUTUSR) command to list all
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
of the user profiles on your system. Use the Delete User Profile (DLTUSRPRF) command to delete outdated profiles. Security Note: You disable a user profile by setting its status to *DISABLED. When you disable a user profile, you make it unavailable for interactive use. You cannot sign on with or change your job to a disabled user profile. Batch jobs can run under a user profile that is disabled.
Avoiding Default Passwords
When you create a new user profile, the default is to make the password the same as the user profile name. This provides an opportunity for someone to enter your system, if someone knows your policy for assigning profile names and knows that a new person is joining your organization. When you create new user profiles, consider assigning a unique, non-trivial password instead of using the default password. Tell the new user the password confidentially, such as in a "Welcome to the System" letter that outlines your security policies. Require the user to change the password the first time that the user signs on by setting the user profile to PWDEXP(*YES). You can use the Analyze Default Passwords (ANZDFTPWD) command to check all the user profiles on your system for default passwords.
When you print the report, you have the option of specifying that the system should take action (such as disabling the user profile) if the password is the same as the user profile name. The ANZDFTPWD command prints a list of the profiles that it found and any action that it took. Note: Passwords are stored on your system in one-way encrypted form. They cannot be decrypted. The system encrypts the specified password and compares it to the stored password, just as it would check a password when you sign on the system. If you are auditing authority failures (*AUTFAIL), the system will write a PW audit journal entry for each user profile that does not have a default password for systems running V4R1 or earlier releases. Beginning with V4R2, the system does not write PW audit journal entries when you run the ANZDFTPWD command.
Monitoring Sign-On and Password Activity
If you are concerned about unauthorized attempts to enter your system, you can use the PRTUSRPRF command to help you monitor sign-on and password activity. Figure 4 shows an example of the report:
                         User Profile Information                      SYSTEM4
Report type  . . . . . . . . . . . :   *PWDINFO
Select by  . . . . . . . . . . . . :   *SPCAUT
Special authorities  . . . . . . . :   *ALLOBJ  *SERVICE
QPWDEXPITV system value  . . . . . :   60

User      Status     Not Valid  No        Previous  Password  Expiration  Password
Profile              Sign-ons   Password  Sign-on   Changed   Interval    Expired
USERA     *DISABLED  1                    07/19/95  05/25/95  *SYSVAL     *YES
USERB     *ENABLED   2                    06/30/95  03/02/95  *SYSVAL     *YES
USERX     *DISABLED  0          X         //        11/28/95  *SYSVAL     *NO
USERY     *ENABLED   0                    04/25/95  04/25/95  120         *YES

Figure 4. User Information Report: Password Information Example
Following are several suggestions for using this report:
• Determine whether the password expiration interval for some user profiles is longer than the system value and whether the longer expiration interval is justified. For example, in the report, USERY has a password expiration interval of 120 days.
• Run this report regularly to monitor unsuccessful sign-on attempts. Someone who is trying to break into your system may be aware that your system takes action after a certain number of unsuccessful attempts. Each night, the would-be intruder might try fewer times than your QMAXSIGN value to avoid alerting you to the attempts. However, if you run this report early each morning and notice that certain profiles often have unsuccessful sign-on attempts, you might suspect that you have a problem.
• Identify user profiles that have not been used for a long time or whose passwords have not been changed for a long time.
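The three review steps above, as an added Python example that is not part of the manual or of OS/400. It parses a constructed, simplified rendering of the *PWDINFO report (one whitespace-separated record per profile; the real spooled report is fixed-column and varies by release, so the parsing is an assumption) and flags over-long expiration intervals, invalid sign-on attempts, and stale profiles or passwords; the staleness and failure thresholds are local policy choices.

```python
"""Triage the PRTUSRPRF TYPE(*PWDINFO) report along the lines suggested in the text.

Added example, not IBM's code. The record layout and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass
class ProfileRecord:
    profile: str
    status: str                       # *ENABLED or *DISABLED
    not_valid_signons: int            # invalid attempts since the last good sign-on
    no_password: bool                 # "X" in the No Password column
    previous_signon: Optional[date]
    password_changed: Optional[date]
    expiration_interval: str          # "*SYSVAL" or a number of days
    password_expired: bool


def _parse_date(text):
    """Report dates are mm/dd/yy; a bare '//' means no date (never)."""
    if text.strip("/") == "":
        return None
    return datetime.strptime(text, "%m/%d/%y").date()


def parse_record(line):
    """Columns: PROFILE STATUS NOTVALID NOPWD PREVSIGNON PWDCHANGED EXPITV EXPIRED."""
    f = line.split()
    return ProfileRecord(f[0], f[1], int(f[2]), f[3] == "X", _parse_date(f[4]),
                         _parse_date(f[5]), f[6], f[7] == "YES")


def review(records, qpwdexpitv, as_of, stale_days=90, max_failures=1):
    """Return (profile, code, detail) findings for the records."""
    findings = []
    for r in records:
        # 1. Expiration interval longer than the QPWDEXPITV system value.
        if r.expiration_interval != "*SYSVAL" and int(r.expiration_interval) > qpwdexpitv:
            findings.append((r.profile, "EXPITV_OVER_SYSVAL",
                             f"interval {r.expiration_interval} > QPWDEXPITV {qpwdexpitv}"))
        # 2. Invalid sign-on attempts. A patient intruder stays below QMAXSIGN, so
        #    small counts that recur morning after morning are still worth a look.
        if r.not_valid_signons >= max_failures:
            findings.append((r.profile, "INVALID_SIGNONS",
                             f"{r.not_valid_signons} invalid sign-on attempt(s)"))
        # 3. Profiles not used, or passwords not changed, for a long time.
        if r.previous_signon is None:
            findings.append((r.profile, "NEVER_SIGNED_ON", "no previous sign-on recorded"))
        elif (as_of - r.previous_signon).days > stale_days:
            findings.append((r.profile, "STALE_SIGNON",
                             f"last sign-on {(as_of - r.previous_signon).days} days ago"))
        if (not r.no_password and r.password_changed is not None
                and (as_of - r.password_changed).days > stale_days):
            findings.append((r.profile, "STALE_PASSWORD",
                             f"password age {(as_of - r.password_changed).days} days"))
    return findings


# Constructed sample modelled on Figure 4 (QPWDEXPITV = 60); not real system data.
SAMPLE_REPORT = """\
USERA *DISABLED 1 - 07/19/95 05/25/95 *SYSVAL YES
USERB *ENABLED  2 - 06/30/95 03/02/95 *SYSVAL YES
USERX *DISABLED 0 X //       //       *SYSVAL NO
USERY *ENABLED  0 - 04/25/95 04/25/95 120     YES
"""


def findings_by_profile(as_of=date(1995, 8, 1)):
    """Group finding codes per profile for the sample report."""
    records = [parse_record(l) for l in SAMPLE_REPORT.splitlines() if l.strip()]
    grouped = {}
    for profile, code, _ in review(records, qpwdexpitv=60, as_of=as_of):
        grouped.setdefault(profile, []).append(code)
    return grouped


if __name__ == "__main__":
    for profile, codes in findings_by_profile().items():
        print(profile, ", ".join(codes))
```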
Tips for Storing Password Information
To support some network functions and communications requirements, iSeries provides a secure method for storing passwords that can be decrypted. Your system uses these passwords, for example, to establish a SLIP connection with another system. "Security and Dial-Out Sessions" on page 162 describes this use of stored passwords. iSeries stores these special passwords in a secure area that is not accessible to any user programs or interfaces. Only explicitly authorized system functions can set these passwords and retrieve them. For example, when you use a stored password for dial-out SLIP connections, you set the password with the system command that creates the configuration profile (WRKTCPPTP). You must have *IOSYSCFG to use the command. A specially coded connection script retrieves the password and decrypts it during the dial-out procedure. The decrypted password is not visible to the user or in any job log. As a security administrator, you need to decide whether you will allow passwords that can be decrypted to be stored on your system. You use the Retain Server Security Data (QRETSVRSEC) system value to specify this. The default is 0 (No). Therefore, your system will not store passwords that can be decrypted unless you explicitly set this system value.
If you have network or communications requirements for stored passwords, you should set appropriate policies and understand the policies and practices of your communications partners. For example, when you use SLIP to communicate with another iSeries, both systems should consider setting up special user profiles for establishing the sessions. The special profiles should have limited authority on the system. This limits the impact to your system if a stored password is compromised on a partner system.
Chapter 5 How to Set Up Your System to Use the Security Tools
This chapter describes how to set up your system to use the security tools that are part of Operating System/400.
Getting Started with the Security Tools
When you install OS/400, the security tools are ready to use. The topics that follow provide suggestions for operating procedures with the security tools.
Securing the Security Tools
When you install OS/400, the objects that are associated with the security tools are secure. To operate the security tools securely, avoid making authority changes to any security tool objects. Following are the security settings and requirements for security tool objects:
• The security tool programs and commands are in the QSYS product library. The commands and the programs ship with the public authority of *EXCLUDE. Many of the security tool commands create files in the QUSRSYS library. When the system creates these files, the public authority for the files is *EXCLUDE. Files that contain information for producing changed reports have names that begin with QSEC. Files that contain information for managing user profiles have names that begin with QASEC. These files contain confidential information about your system. Therefore, you should not change the public authority to the files.
• The security tools use your normal system setup for directing printed output. These reports contain confidential information about your system. To direct the output to a protected output queue, make appropriate changes to the user profile or job description for users who will be running the security tools.
• Because of their security functions and because they access many objects on the system, the security tool commands require *ALLOBJ special authority. Some of the commands also require *SECADM, *AUDIT, or *IOSYSCFG special authority. To ensure that the commands run successfully, you should sign on as a security officer when you use the security tools. Therefore, you should not need to grant private authority to any security tool commands.
Avoiding File Conflicts
Many of the security tool report commands create a database file that you can use to print a changed version of the report. "Commands and Menus for Security Commands" tells the file name for each command. You can only run a command from one job at a time. Most of the commands now have checks that enforce this. If you run a command when another job has not yet finished running it, you will receive an error message. Many print jobs are long-running jobs. You need to be careful to avoid file conflicts when you submit reports to batch or add them to the job scheduler. For example, you might want to print two versions of the PRTUSRPRF report with different selection criteria. If you are submitting reports to batch, you should use a job queue that runs only one job at a time to ensure that the report jobs run sequentially.
Copyright IBM Corp 1996, 2001
If you are using the job scheduler, you need to schedule the two jobs far enough apart that the first version completes before the second job starts.
Saving the Security Tools
You save the security tool programs whenever you run either the Save System (SAVSYS) command or an option from the Save menu that runs the SAVSYS command. The security tool files are in the QUSRSYS library. You should already be saving this library as part of your normal operating procedures. The QUSRSYS library contains data for many licensed programs on your system. See the Information Center for more information about what commands and options save the QUSRSYS library.
Commands and Menus for Security Commands
This section describes the commands and menus for security tools. Examples of how to use the commands are included throughout this book. Two menus are available for security tools:
• The SECTOOLS (Security Tools) menu to run commands interactively.
• The SECBATCH (Submit or Schedule Security Reports to Batch) menu to run the report commands in batch. The SECBATCH menu has two parts. The first part of the menu uses the Submit Job (SBMJOB) command to submit reports for immediate processing in batch. The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE) command. You use it to schedule security reports to be run regularly at a specified day and time.
Options on the Security Tools Menu
Following is the part of the SECTOOLS menu that relates to user profiles. To access this menu, type GO SECTOOLS.

SECTOOLS                          Security Tools

Select one of the following:

Work with profiles
   1. Analyze default passwords
   2. Display active profile list
   3. Change active profile list
   4. Analyze profile activity
   5. Display activation schedule
   6. Change activation schedule entry
   7. Display expiration schedule
   8. Change expiration schedule entry
   9. Print profile internals
Table 6 on page 43 describes these menu options and the associated commands:
Table 6. Tool Commands for User Profiles

Menu option (1) 1: ANZDFTPWD. Database file used: QASECPWD (2).
    Use the Analyze Default Passwords command to report on and take action on user profiles that have a password equal to the user profile name.
Menu option 2: DSPACTPRFL. Database file used: QASECIDL (2).
    Use the Display Active Profile List command to display or print the list of user profiles that are exempt from ANZPRFACT processing.
Menu option 3: CHGACTPRFL. Database file used: QASECIDL (2).
    Use the Change Active Profile List command to add and remove user profiles from the exemption list for the ANZPRFACT command. A user profile that is on the active profile list is permanently active until you remove the profile from the list. The ANZPRFACT command does not disable a profile that is on the active profile list, no matter how long the profile has been inactive.
Menu option 4: ANZPRFACT. Database file used: QASECIDL (2).
    Use the Analyze Profile Activity command to disable user profiles that have not been used for a specified number of days. After you use the ANZPRFACT command to specify the number of days, the system runs the ANZPRFACT job nightly. You can use the CHGACTPRFL command to exempt user profiles from being disabled.
Menu option 5: DSPACTSCD. Database file used: QASECACT (2).
    Use the Display Profile Activation Schedule command to display or print information about the schedule for enabling and disabling specific user profiles. You create the schedule with the CHGACTSCDE command.
Menu option 6: CHGACTSCDE. Database file used: QASECACT (2).
    Use the Change Activation Schedule Entry command to make a user profile available for sign-on only at certain times of the day or week. For each user profile that you schedule, the system creates job schedule entries for the enable and disable times.
Menu option 7: DSPEXPSCD. Database file used: QASECEXP (2).
    Use the Display Expiration Schedule command to display or print the list of user profiles that are scheduled to be disabled or removed from the system in the future. You use the CHGEXPSCDE command to set up user profiles to expire.
Menu option 8: CHGEXPSCDE. Database file used: QASECEXP (2).
    Use the Change Expiration Schedule Entry command to schedule a user profile for removal. You can remove it temporarily by disabling it, or you can delete it from the system. This command uses a job schedule entry that runs every day at 00:01 (1 minute after midnight). The job looks at the QASECEXP file to determine whether any user profiles are set up to expire on that day. Use the DSPEXPSCD command to display the user profiles that are scheduled to expire.
Menu option 9: PRTPRFINT.
    Use the Print Profile Internals command to print a report containing information on the number of entries contained in a user profile. The number of entries determines the size of the user profile.

Notes:
1. Options are from the SECTOOLS menu.
2. This file is in the QUSRSYS library.
You can page down on the menu to see additional options. Table 7 describes the menu options and associated commands for security auditing:
Table 7. Tool Commands for Security Auditing

Menu option (1) 10: CHGSECAUD.
    Use the Change Security Auditing command to set up security auditing and to change the system values that control security auditing. When you run the CHGSECAUD command, the system creates the security audit (QAUDJRN) journal if it does not exist. The CHGSECAUD command provides options that make it simpler to set the QAUDLVL (audit level) system value. You can specify *ALL to activate all of the possible audit level settings. Or, you can specify *DFTSET to activate the most commonly used settings (*AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST). Note: If you use the security tools to set up auditing, be sure to plan for management of your audit journal receivers. Otherwise, you might quickly encounter problems with disk utilization.
Menu option 11: DSPSECAUD.
    Use the Display Security Auditing command to display information about the security audit journal and the system values that control security auditing.

Notes:
1. Options are from the SECTOOLS menu.
How to Use the Security Batch Menu
Following is the first part of the SECBATCH menu:
SECBATCH              Submit or Schedule Security Reports To Batch
                                                              System:
Select one of the following:

Submit Reports to Batch
   1. Adopting objects
   2. Audit journal entries
   3. Authorization list authorities
   4. Command authority
   5. Command private authorities
   6. Communications security
   7. Directory authority
   8. Directory private authority
   9. Document authority
  10. Document private authority
  11. File authority
  12. File private authority
  13. Folder authority
When you select an option from this menu, you see the Submit Job SBMJOB display, such as the following:
                              Submit Job (SBMJOB)

Type choices, press Enter.

Command to run . . . . . . . . .   PRTADPOBJ USRPRF(*ALL)___________________
  _________________________________________________________________________
  _________________________________________________________________________
Job name . . . . . . . . . . . .   *JOBD         Name, *JOBD
Job description  . . . . . . . .   *USRPRF       Name, *USRPRF
  Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
Job queue  . . . . . . . . . . .   *JOBD         Name, *JOBD
  Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB
Job priority (on JOBQ) . . . . .   *JOBD         1-9, *JOBD
Output priority (on OUTQ)  . . .   *JOBD         1-9, *JOBD
Print device . . . . . . . . . .   *CURRENT      Name, *CURRENT, *USRPRF
If you want to change the default options for the command, you can press F4 (Prompt) on the Command to run line. To see the Schedule Batch Reports options, page down on the SECBATCH menu. By using the options on this part of the menu, you can, for example, set up your system to run changed versions of reports regularly.
SECBATCH              Submit or Schedule Security Reports To Batch
                                                              System:
Select one of the following:

  28. User objects
  29. User profile information
  30. User profile internals
  31. Check object integrity

Schedule Batch Reports
  40. Adopting objects
  41. Audit journal entries
  42. Authorization list authorities
  43. Command authority
  44. Command private authority
  45. Communications security
  46. Directory authority
You can page down for additional menu options. When you select an option from this part of the menu, you see the Add Job Schedule Entry (ADDJOBSCDE) display:
                       Add Job Schedule Entry (ADDJOBSCDE)

Type choices, press Enter.

Job name . . . . . . . . . . . .                 Name, *JOBD
Command to run . . . . . . . . .   PRTADPOBJ USRPRF(*ALL)___________________
  _________________________________________________________________________
  _________________________________________________________________________
Frequency  . . . . . . . . . . .                 *ONCE, *WEEKLY, *MONTHLY
Schedule date, or  . . . . . . .   *CURRENT      Date, *CURRENT, *MONTHST...
Schedule day . . . . . . . . . .   *NONE         *NONE, *ALL, *MON, *TUE...
            + for more values
Schedule time  . . . . . . . . .   *CURRENT      Time, *CURRENT
You can position your cursor on the Command to run line and press F4 (Prompt) to choose different settings for the report. You should assign a meaningful job name so that you can recognize the entry when you display the job schedule entries.
Options on the Security Batch Menu
Table 8 on page 47 describes the menu options and associated commands for security reports. When you run security reports, the system prints only information that meets both the selection criteria that you specify and the selection criteria for the tool. For example, job descriptions that specify a user profile name are security-relevant. Therefore, the job description (PRTJOBDAUT) report prints job descriptions in the specified library only if the public authority for the job description is not *EXCLUDE and if the job description specifies a user profile name in the USER parameter. Similarly, when you print subsystem information (PRTSBSDAUT command), the system prints information about a subsystem only when the subsystem description has a communications entry that specifies a user profile.
If a particular report prints less information than you expect, consult the online help information to find out the selection criteria for the report.
Table 8. Commands for Security Reports

Menu options (1) 1, 40: PRTADPOBJ. Database file used: QSECADPOLD (2).
    Use the Print Adopting Objects command to print a list of objects that adopt the authority of the specified user profile. You can specify a single profile, a generic profile name (such as all profiles that begin with Q), or all user profiles on the system. This report has two versions. The full report lists all adopted objects that meet the selection criteria. The changed report lists differences between adopted objects that are currently on the system and adopted objects that were on the system the last time that you ran the report.
Menu options 2, 41: DSPAUDJRNE. Database file used: QASYxxJ4 (3).
    Use the Display Audit Journal Entries command to display or print information about entries in the security audit journal. You can select specific entry types, specific users, and a time period.
Menu options 3, 42: PRTPVTAUT *AUTL. Database file used: QSECATLOLD (2).
    When you use the Print Private Authorities command for *AUTL objects, you receive a list of all the authorization lists on the system. The report includes the users who are authorized to each list and what authority the users have to the list. Use this information to help you analyze sources of object authority on your system. This report has three versions. The full report lists all authorization lists on the system. The changed report lists additions and changes to authorization since you last ran the report. The deleted report lists users whose authority to the authorization list has been deleted since you last ran the report. When you print the full report, you have the option to print a list of objects that each authorization list secures. The system will create a separate report for each authorization list.
Menu options 6, 45: PRTCMNSEC. Database file used: QSECCMNOLD (2).
    Use the Print Communications Security command to print the security-relevant settings for objects that affect communications on your system. These settings affect how users and jobs can enter your system. This command produces two reports: a report that displays the settings for configuration lists on the system and a report that lists security-relevant parameters for line descriptions, controllers, and device descriptions. Each of these reports has a full version and a changed version.
Menu options 15, 54: PRTJOBDAUT. Database file used: QSECJBDOLD (2).
    Use the Print Job Description Authority command to print a list of job descriptions that specify a user profile and have public authority that is not *EXCLUDE. The report shows the special authorities for the user profile that is specified in the job description. This report has two versions. The full report lists all job description objects that meet the selection criteria. The changed report lists differences between job description objects that are currently on the system and job description objects that were on the system the last time that you ran the report.
Menu options: see note 4. PRTPUBAUT. Database file used: QPBxxxxxx (6).
    Use the Print Publicly Authorized Objects command to print a list of objects whose public authority is not *EXCLUDE. When you run the command, you specify the type of object and the library or libraries for the report. Use the PRTPUBAUT command to print information about objects that every user on the system can access. This report has two versions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects of the same type in the same library that were on the system the last time that you ran the report.
Menu options: see note 5. PRTPVTAUT. Database file used: QPVxxxxxx (6).
    Use the Print Private Authorities command to print a list of the private authorities to objects of the specified type in the specified library. Use this report to help you determine the sources of authority to objects. This report has three versions. The full report lists all objects that meet the selection criteria. The changed report lists differences between the specified objects that are currently on the system and objects of the same type in the same library that were on the system the last time that you ran the report. The deleted report lists users whose authority to an object has been deleted since you last printed the report.
Menu options 24, 63: PRTQAUT. Database file used: QSECQOLD (2).
    Use the Print Queue Report command to print the security settings for output queues and job queues on your system. These settings control who can view and change entries in the output queue or job queue. This report has two versions. The full report lists all output queue and job queue objects that meet the selection criteria. The changed report lists differences between output queue and job queue objects that are currently on the system and output queue and job queue objects that were on the system the last time that you ran the report.
Menu options 25, 64: PRTSBSDAUT. Database file used: QSECSBDOLD (2).
    Use the Print Subsystem Description command to print the security-relevant communications entries for subsystem descriptions on your system. These settings control how work can enter your system and how jobs run. The report prints a subsystem description only if it has communications entries that specify a user profile name. This report has two versions. The full report lists all subsystem description objects that meet the selection criteria. The changed report lists differences between subsystem description objects that are currently on the system and subsystem description objects that were on the system the last time that you ran the report.
Menu options 26, 65: PRTSYSSECA.
    Use the Print System Security Attributes command to print a list of security-relevant system values and network attributes. The report shows the current value and the recommended value.
Menu options 27, 66: PRTTRGPGM. Database file used: QSECTRGOLD (2).
    Use the Print Trigger Programs command to print a list of trigger programs that are associated with database files on your system. This report has two versions. The full report lists every trigger program that is assigned and meets your selection criteria. The changed report lists trigger programs that have been assigned since the last time that you ran the report.
Menu options 28, 67: PRTUSROBJ. Database file used: QSECPUOLD (2).
    Use the Print User Objects command to print a list of the user objects (objects not supplied by IBM) that are in a library. You might use this report to print a list of user objects that are in a library (such as QSYS) that is in the system portion of the library list. This report has two versions. The full report lists all user objects that meet the selection criteria. The changed report lists differences between user objects that are currently on the system and user objects that were on the system the last time that you ran the report.
Menu options 29, 68: PRTUSRPRF.
    Use the Print User Profile command to analyze user profiles that meet specified criteria. You can select user profiles based on special authorities, user class, or a mismatch between special authorities and user class. You can print authority information, environment information, password information, or password level information.
Menu options 30, 69: PRTPRFINT.
    Use the Print Profile Internals command to print a report of internal information on the number of entries.
Menu options 31, 70: CHKOBJITG.
    Use the Check Object Integrity command to determine whether operable objects (such as programs) have been changed without using a compiler. This command can help you to detect attempts to introduce a virus program on your system or to change a program to perform unauthorized instructions. The iSeries Security Reference book provides more information about the CHKOBJITG command.

Notes:
1. Options are from the SECBATCH menu.
2. This file is in the QUSRSYS library.
3. xx is the two-character journal entry type. For example, the model output file for AE journal entries is QSYS/QASYAEJ4. The model output files are described in Appendix F of the iSeries Security Reference book.
4. The SECBATCH menu contains options for the object types that are typically of concern to security administrators. For example, use options 11 or 50 to run the PRTPUBAUT command against *FILE objects. Use the general options 18 and 57 to specify the object type.
5. The SECBATCH menu contains options for the object types that are typically of concern to security administrators. For example, options 12 or 51 run the PRTPVTAUT command against *FILE objects. Use the general options 19 and 58 to specify the object type.
6. The xxxxxx in the name of the file is the object type. For example, the file for program objects is called QPBPGM for public authorities and QPVPGM for private authorities. The files are in the QUSRSYS library. The file contains a member for each library for which you have printed the report. The member name is the same as the library name.
Commands for Customizing Security
Table 9 describes the commands that you can use to customize the security on your system. These commands are on the SECTOOLS menu.
Table 9. Commands for Customizing Your System

Menu option (1) 60: CFGSYSSEC.
    Use the Configure System Security command to set security-relevant system values to their recommended settings. The command also sets up security auditing on your system. "Values That Are Set by the Configure System Security Command" describes what the command does. Note: To obtain security recommendations customized for your situation, run the iSeries 400 Security Wizard or the iSeries 400 Security Advisor instead of running this command. See Chapter 3, "iSeries 400 Security Wizard and Security Advisor" on page 21 for information on these tools.
Menu option 61: RVKPUBAUT.
    Use the Revoke Public Authority command to set the public authority to *EXCLUDE for a set of security-sensitive commands on your system. "What the Revoke Public Authority Command Does" on page 53 lists the actions that the RVKPUBAUT command performs.

Notes:
1. Options are from the SECTOOLS menu.
Values That Are Set by the Configure System Security Command
Table 10 lists the system values that are set when you run the CFGSYSSEC command. The CFGSYSSEC command runs a program that is called QSYS/QSECCFGS.

Table 10. Values Set by the CFGSYSSEC Command

System Value   Setting                                Description
QAUTOCFG       0 (No)                                 Automatic configuration of new devices
QAUTOVRT       0                                      The number of virtual device descriptions that the system will automatically create if no device is available for use
QALWOBJRST     *NONE                                  Whether system state programs and programs that adopt authority can be restored
QDEVRCYACN     *DSCMSG (Disconnect with message)      System action when communications is re-established
QDSCJOBITV     120                                    Time period before the system takes action on a disconnected job
QDSPSGNINF     1 (Yes)                                Whether users see the sign-on information display
QINACTITV      60                                     Time period before the system takes action on an inactive interactive job
QINACTMSGQ     *ENDJOB                                Action that the system takes for an inactive job
QLMTDEVSSN     1 (Yes)                                Whether users are limited to signing on at one device at a time
QLMTSECOFR     1 (Yes)                                Whether *ALLOBJ and *SERVICE users are limited to specific devices
QMAXSIGN       3                                      How many consecutive, unsuccessful sign-on attempts are allowed
QMAXSGNACN     3 (Both)                               Whether the system disables the workstation or the user profile when the QMAXSIGN limit is reached
QRMTSIGN       *FRCSIGNON                             How the system handles a remote (pass-through or TELNET) sign-on attempt
QRMTSVRATR     0 (Off)                                Allows the system to be analyzed remotely
QSECURITY      50 (see note 1)                        The level of security that is enforced
QPWDEXPITV     60                                     How often users must change their passwords
QPWDMINLEN     6                                      Minimum length for passwords
QPWDMAXLEN     8                                      Maximum length for passwords
QPWDPOSDIF     1 (Yes)                                Whether every position in a new password must differ from the same position in the last password
QPWDLMTCHR     See note 2                             Characters that are not allowed in passwords
QPWDLMTAJC     1 (Yes)                                Whether adjacent numbers are prohibited in passwords
QPWDLMTREP     2 (Cannot be repeated consecutively)   Whether repeating characters are prohibited in passwords
QPWDRQDDGT     1 (Yes)                                Whether passwords must have at least one number
QPWDRQDDIF     1 (32 unique passwords)                How many unique passwords are required before a password can be repeated
QPWDVLDPGM     *NONE                                  The user exit program that the system calls to validate passwords

Notes:
1. If you are currently running with a QSECURITY value of 40 or lower, be sure to review the information in Chapter 2 of the iSeries Security Reference book before you change to a higher security level.
2. The restricted characters are stored in message ID CPXB302 in the message file QSYS/QCPFMSG. They are shipped as AEIOU@. You can use the Change Message Description (CHGMSGD) command to change the restricted characters. The QPWDLMTCHR system value is not enforced at password levels 2 or 3.

The CFGSYSSEC command also sets the password to *NONE for the following IBM-supplied user profiles: QSYSOPR, QPGMR, QUSER, QSRV, and QSRVBAS.

Finally, the CFGSYSSEC command sets up security auditing using the Change Security Auditing (CHGSECAUD) command. The CFGSYSSEC command turns on action and object auditing and also specifies the default set of actions to audit on the CHGSECAUD command.
Changing the Program
If some of these settings are not appropriate for your installation, you can create your own version of the program that processes the command. Do the following:
__ Step 1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the CFGSYSSEC command. The program to retrieve is QSYS/QSECCFGS. When you retrieve it, give it a different name.

__ Step 2. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECCFGS program. Your program should have a different name.

__ Step 3. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the CFGSYSSEC command. Set the PGM value to the name of your program. For example, if you create a program in the QGPL library that is called MYSECCFG, you would type the following:

CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QGPL/MYSECCFG)

Note: If you change the QSYS/QSECCFGS program, IBM cannot guarantee or imply reliability, serviceability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed.
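As an added example, not IBM's QSYS/QSECCFGS source, a site-specific replacement such as the QGPL/MYSECCFG program named in Step 3 could look like this: it applies the settings from Table 10 with CHGSYSVAL, keeps QSECURITY at 40 as one assumed installation-specific deviation, resets the five IBM-supplied profiles and sets up auditing as the text describes. The program name, the deviation and the error handling are assumptions.

```cl
/* MYSECCFG - added example of a site-specific replacement for the   */
/* program behind CFGSYSSEC. Not IBM's QSYS/QSECCFGS source.          */
/* Settings follow Table 10, except QSECURITY, which this site keeps  */
/* at 40 (assumed decision; see note 1 of Table 10 before raising it).*/
/* Compile as QGPL/MYSECCFG, then attach it with:                     */
/*   CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QGPL/MYSECCFG)                    */
             PGM
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             /* Any unexpected escape message: stop and report it */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

             /* Device, job and session controls */
             CHGSYSVAL  SYSVAL(QAUTOCFG)   VALUE('0')
             CHGSYSVAL  SYSVAL(QAUTOVRT)   VALUE('0')
             CHGSYSVAL  SYSVAL(QALWOBJRST) VALUE(*NONE)
             CHGSYSVAL  SYSVAL(QDEVRCYACN) VALUE(*DSCMSG)
             CHGSYSVAL  SYSVAL(QDSCJOBITV) VALUE('120')
             CHGSYSVAL  SYSVAL(QDSPSGNINF) VALUE('1')
             CHGSYSVAL  SYSVAL(QINACTITV)  VALUE('60')
             CHGSYSVAL  SYSVAL(QINACTMSGQ) VALUE(*ENDJOB)
             CHGSYSVAL  SYSVAL(QLMTDEVSSN) VALUE('1')
             CHGSYSVAL  SYSVAL(QLMTSECOFR) VALUE('1')

             /* Sign-on controls */
             CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')
             CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')
             CHGSYSVAL  SYSVAL(QRMTSIGN)   VALUE(*FRCSIGNON)
             CHGSYSVAL  SYSVAL(QRMTSVRATR) VALUE('0')

             /* Site deviation from Table 10: stay at security level 40 */
             CHGSYSVAL  SYSVAL(QSECURITY)  VALUE('40')

             /* Password rules (QPWDLMTCHR is set through message       */
             /* CPXB302 by the shipped program and is not changed here) */
             CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('60')
             CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('6')
             CHGSYSVAL  SYSVAL(QPWDMAXLEN) VALUE('8')
             CHGSYSVAL  SYSVAL(QPWDPOSDIF) VALUE('1')
             CHGSYSVAL  SYSVAL(QPWDLMTAJC) VALUE('1')
             CHGSYSVAL  SYSVAL(QPWDLMTREP) VALUE('2')
             CHGSYSVAL  SYSVAL(QPWDRQDDGT) VALUE('1')
             CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('1')
             CHGSYSVAL  SYSVAL(QPWDVLDPGM) VALUE(*NONE)

             /* IBM-supplied profiles that must not be used to sign on */
             CHGUSRPRF  USRPRF(QSYSOPR) PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QPGMR)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QUSER)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QSRV)    PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QSRVBAS) PASSWORD(*NONE)

             /* Action and object auditing with the default action set */
             CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*DFTSET)

             SNDPGMMSG  MSG('MYSECCFG completed') MSGTYPE(*COMP)
             RETURN

FAILED:      /* Pass the failing message ID back to the caller */
             RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('MYSECCFG stopped on message ' *CAT &MSGID) +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```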
What the Revoke Public Authority Command Does
You can use the Revoke Public Authority (RVKPUBAUT) command to set the public authority to *EXCLUDE for a set of commands and programs. The RVKPUBAUT command runs a program that is called QSYS/QSECRVKP. As it is shipped, the QSECRVKP program revokes public authority (by setting public authority to *EXCLUDE) for the commands that are listed in Table 11 and the application programming interfaces (APIs) that are listed in Table 12 on page 54. When your system arrives, these commands and APIs have their public authority set to *USE.

The commands that are listed in Table 11 and the APIs that are listed in Table 12 on page 54 all perform functions on your system that may provide an opportunity for mischief. As security administrator, you should explicitly authorize users to run these commands and programs rather than make them available to all system users.

When you run the RVKPUBAUT command, you specify the library that contains the commands. The default is the QSYS library. If you have more than one national language on your system, you need to run the command for each QSYSxxx library.
Table 11. Commands Whose Public Authority Is Set by the RVKPUBAUT Command

ADDAJE        CHGJOBQE      RMVCMNE
ADDCFGLE      CHGPJE        RMVJOBQE
ADDCMNE       CHGRTGE       RMVPJE
ADDJOBQE      CHGSBSD       RMVRTGE
ADDPJE        CHGWSE        RMVWSE
ADDRTGE       CPYCFGL       RSTLIB
ADDWSE        CRTCFGL       RSTOBJ
CHGAJE        CRTCTLAPPC    RSTS36F
CHGCFGL       CRTDEVAPPC    RSTS36FLR
CHGCFGLE      CRTSBSD       RSTS36LIBM
CHGCMNE       ENDRMTSPT     STRRMTSPT
CHGCTLAPPC    RMVAJE        STRSBS
CHGDEVAPPC    RMVCFGLE      WRKCFGL
The APIs in Table 12 are all in the QSYS library:

Table 12. Programs Whose Public Authority Is Set by the RVKPUBAUT Command

QTIENDSUP
QTISTRSUP
QWTCTLTR
QWTSETTR
QY2FTML

Beginning with V3R7, when you run the RVKPUBAUT command, the system sets the public authority for the root directory to *USE (unless it is already *USE or less).
Changing the Program
If some of these settings are not appropriate for your installation, you can create your own version of the program that processes the command. Do the following:

__ Step 1. Use the Retrieve CL Source (RTVCLSRC) command to copy the source for the program that runs when you use the RVKPUBAUT command. The program to retrieve is QSYS/QSECRVKP. When you retrieve it, give it a different name.

__ Step 2. Edit the program to make your changes. Then compile it. When you compile it, make sure that you do not replace the IBM-supplied QSYS/QSECRVKP program. Your program should have a different name.

__ Step 3. Use the Change Command (CHGCMD) command to change the program to process command (PGM) parameter for the RVKPUBAUT command. Set the PGM value to the name of your program. For example, if you create a program in the QGPL library that is called MYRVKPGM, you would type the following:

CHGCMD CMD(QSYS/RVKPUBAUT) PGM(QGPL/MYRVKPGM)

Note: If you change the QSYS/QSECRVKP program, IBM cannot guarantee or imply reliability, serviceability, performance or function of the program. The implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed.
Part 3 Tips for Advanced System Security
If all the good people were clever,
And all clever people were good,
The world would be a nicer place than ever
We thought that it possibly could.
Elizabeth Wordsworth
Copyright IBM Corp 1996, 2001
Chapter 6 Using Object Authority to Protect Information Assets
Your challenge as security administrator is to protect your organization's information assets without frustrating the users on your system. You need to make sure that users have enough authority to do their jobs without giving them the authority to browse throughout the system and to make unauthorized changes.
Security Tip: Authority that is too tight can backfire. Users sometimes react to authority restrictions that are too tight by sharing passwords with each other.

The OS/400 operating system provides integrated object security. Users must use the interfaces that the system provides to access objects. For example, if you want to access a database file, you must use commands or programs that are intended for accessing database files. You cannot use a command that is intended for accessing a message queue or a job log. Whenever you use a system interface to access an object, the system verifies that you have the authority to the object that is required by that interface.

Object authority is a powerful and flexible tool for protecting the assets on your system. Your challenge as a security administrator is to set up an effective object security scheme that you can manage and maintain.
Does the System Always Enforce Object Authority?
The answer is yes and no. Whenever you try to access an object, the operating system checks your authority to that object. However, if the security level on your system (QSECURITY system value) is set to 10 or 20, every user automatically has authority to access every object because every user profile has *ALLOBJ special authority.

Object Authority Tip: If you are not sure whether you are using object security, check the QSECURITY (security level) system value. If QSECURITY is 10 or 20, you are not using object security. You must plan and prepare before you change to security level 30 or higher. Otherwise, your users may not be able to access the information that they need.

The Basic system security and planning topic in the Information Center provides a method for analyzing your applications and deciding how you should set up object security. If you are not yet using object security, or if your object security scheme is outdated and convoluted, read this topic to help you get started.
The Legacy of Menu Security
iSeries was originally designed as a follow-on product for S/36 and S/38. Many iSeries installations were, at one time, S/36 installations or S/38 installations. To control what users could do, security administrators on those earlier systems often used a technique that is referred to as menu security or menu access control.
Menu access control means that when a user signs on, the user gets a menu such as the following:

 OEMENU                    Order Entry Menu
   1. Work with customer records
   2. Work with orders
   3. Work with order history
   4. Work with prices
   5. Work with contracts

 Select option number: ___

Figure 5. Sample Order Entry Menu

The user can perform only the functions that are on the menu. The user cannot get to a command line on the system to perform any functions that are not on the menu. In theory, the security administrator does not have to worry about authority to objects because menus and programs control what users can do.

iSeries provides several user profile options to assist with menu access control. You can use the:
• Initial menu (INLMNU) parameter to control what menu the user first sees after the user signs on.
• Initial program (INLPGM) parameter to run a setup program before the user sees a menu. Or, you can use the INLPGM parameter to restrict a user to running a single program.
• Limit capabilities (LMTCPB) parameter to restrict a user to a limited set of commands. It also prevents the user from specifying a different initial program or menu on the Sign On display. The LMTCPB parameter only limits commands that are entered from the command line.
Limitations of Menu Access Control
Computers and computer users have changed a great deal in the past few years. Many tools, such as query programs and spreadsheets, are available so that users can do some of their own programming to off-load IS departments. Some tools, such as SQL or ODBC, provide the capability to view information and to change information. To enable these tools within a menu structure is very difficult.

Fixed-function (green-screen) workstations are rapidly being replaced by personal computers and computer-to-computer networks. If your system participates in a network, users may enter your system without ever seeing a sign-on display or a menu.

As a security administrator who is trying to enforce menu access control, you have two basic problems:
• If you are successful in limiting users to menus, your users will probably be unhappy because their ability to use modern tools is limited.
• If you are not successful, you could jeopardize critical, confidential information that menu access control is supposed to protect.

When your system participates in a network, your ability to enforce menu access control decreases. For example, the LMTCPB parameter applies only to commands that are entered from a command line in an interactive session. The LMTCPB parameter has no effect on requests from communications sessions, such as PC file transfer, FTP, or remote commands.
Tips for Enhancing Menu Access Control with Object Security
With the many new options that are available to connect to systems, a viable iSeries security scheme for the future cannot rely solely on menu access control. This topic provides suggestions for moving toward an object security environment to complement your menu access control.

The Basic system security and planning topic in the Information Center describes a technique for analyzing the authority that users must have to objects to run your current applications. You then assign users to groups and give the groups appropriate authority. This approach is reasonable and logical. However, if your system has been operational for many years and has many applications, the task of analyzing applications and setting up object authority probably seems overwhelming.

Object Authority Tip: Your current menus, combined with programs that adopt the authority of the program owners, may provide a transition beyond menu access control. Be sure to protect both the programs that adopt authority and the user profiles that own them.

You may be able to use your current menus to help you set up a transition environment while you gradually analyze your applications and objects. Following is an example that uses the Order Entry (OEMENU) menu (Figure 5 on page 58) and the associated files and programs.
Setting Up a Transition Environment: Example
This example starts with the following assumptions and requirements:
• All of the files are in the library ORDERLIB.
• You do not know the names of all the files. You also do not know what authority the menu options require to different files.
• The menu and all the programs that it calls are in a library called ORDERPGM.
• You want everyone who can sign on to your system to be able to view information in all the order files, customer files, and item files (with queries or spreadsheets, for example).
• Only users whose current sign-on menu is the OEMENU should be able to change the files. And, they must use the programs on the menu to do this.
• System users other than the security administrators do not have *ALLOBJ or *SECADM special authority.

Do the following to change this menu-access-control environment to accommodate the need for queries:

__ Step 1. Make a list of the users whose initial menu is the OEMENU. You can use the Print User Profile (PRTUSRPRF TYPE(*ENVINFO)) command to list the environment for every user profile on your system. The report includes the initial menu, initial program, and current library. Figure 13 on page 81 shows an example of the report.

__ Step 2. Make sure that the OEMENU object (it may be a *PGM object or a *MENU object) is owned by a user profile that is not used for sign on. The user profile should be disabled or have a password of *NONE. For this example, assume that OEOWNER owns the OEMENU program object.

__ Step 3. Make sure that the user profile that owns the OEMENU program object is not a group profile. You can use the following command:
DSPUSRPRF USRPRF(OEOWNER) TYPE(*GRPMBR)

__ Step 4. Change the OEMENU program to adopt the authority of the OEOWNER user profile. Use the CHGPGM command to change the USRPRF parameter to *OWNER.
Note: *MENU objects cannot adopt authority. If OEMENU is a *MENU object, you can adapt this example by doing one of the following:
• Create a program to display the menu.
• Use adopted authority for the programs that run when the user selects options from the OEMENU menu.

__ Step 5. Set the public authority to all of the files in ORDERLIB to *USE by typing the following two commands:

RVKOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)

Remember that if you select *USE authority, users can copy the file by using PC file transfer or FTP.

__ Step 6. Give the profile that owns the menu program *ALL authority to the files by typing the following:

GRTOBJAUT OBJ(ORDERLIB/*ALL) OBJTYPE(*FILE) USER(OEOWNER) AUT(*ALL)

For most applications, *CHANGE authority to files is sufficient. However, your applications may perform functions, such as clearing physical file members, that require more authority than *CHANGE. Eventually, you should analyze your applications and provide only the minimum authority that is necessary for the application. However, during the transition period, by adopting *ALL authority, you avoid application failures that may be caused by insufficient authority.

__ Step 7. Restrict authority to the programs in the order library by typing the following:

GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

__ Step 8. Give the OEOWNER profile authority to the programs in the library by typing the following:

GRTOBJAUT OBJ(ORDERPGM/*ALL) OBJTYPE(*PGM) USER(OEOWNER) AUT(*USE)

__ Step 9. Give the users that you identified in step 1 authority to the menu program by typing the following for each user:

GRTOBJAUT OBJ(ORDERPGM/OEMENU) OBJTYPE(*PGM) USER(user-profile-name) AUT(*USE)

When you have completed these steps, all system users who are not explicitly excluded will be able to access (but not change) the files in the ORDERLIB library. Users who have authority to the OEMENU program will be able to use the programs that are on the menu to update files in the ORDERLIB library. Only users who have authority to the OEMENU program will now be able to change the files in this library. A combination of object security and menu access control protects the files.
When you complete similar steps for all the libraries that contain user data, you have created a simple scheme for controlling database updates. This method prevents system users from updating database files except when they use the approved menus and programs. At the same time, you have made database files available for viewing, analyzing, and copying by users with decision-support tools or with links from another system or from a PC.

Object Authority Tip: When your system participates in a network, *USE authority may provide more authority than you expect. For example, with FTP, you can make a copy of a file to another system (including a PC) if you have *USE authority to the file.
Using Library Security to Complement Menu Security
To access an object in a library, you must have authority both to the object and to the library. Most operations require either *EXECUTE authority or *USE authority to the library. Depending on your situation, you may be able to use library authority as a simple means for securing objects.

For example, assume that for the Order-Entry menu example, everyone who has authority to the Order Entry menu can use all of the programs in the ORDERPGM library. Rather than securing individual programs, you can set the public authority to the ORDERPGM library to *EXCLUDE. You can then grant *USE authority to the library to specific user profiles, which will allow them to use the programs in the library. (This assumes that public authority to the programs is *USE or greater.)

Library authority can be a simple, efficient method for administering object authority. However, you must ensure that you are familiar with the contents of the libraries that you are securing so that you do not provide unintended access to objects.
Tips for Setting Up Object Ownership
The ownership of objects on your system is an important part of your object authority scheme. By default, the owner of an object has *ALL authority to the object. Chapter 5 in the iSeries Security Reference book provides recommendations and examples for planning object ownership. Following are a few tips:
• In general, group profiles should not own objects. If a group profile owns an object, all group members have *ALL authority to the object unless the group member is explicitly excluded.
• If you use adopted authority, consider whether the user profiles that own programs should also own application objects, such as files. You may not want the users who run the programs that adopt authority to have *ALL authority to files.

If you are using Operations Navigator, this can be accomplished by completing the changes using the security policies function. For more information, refer to the iSeries Information Center (see "Prerequisite and related information" on page xii for details).
Tips for Object Authority to System Commands and Programs
Following are several suggestions when you restrict authority to IBM-supplied objects:
• When you have more than one national language on your system, your system has more than one system (QSYS) library. Your system has a QSYSxxxx library for each national language on your system. If you are using object authority to control access to system commands, remember to secure the command in the QSYS library and in every QSYSxxx library on your system.
• The System/38(TM) library sometimes provides a command with function that is equivalent to the commands that you want to restrict. Be sure you restrict the equivalent command in the QSYS38 library.
• If you have the System/36(TM) environment, you may need to restrict additional programs. For example, the QY2FTML program provides System/36 file transfer.
Tips for Auditing Security Functions

Security Auditing
This chapter describes techniques for auditing the effectiveness of security on your system. People audit their system security for several reasons:
• To evaluate whether the security plan is complete.
• To make sure that the planned security controls are in place and working. This type of auditing is usually performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security review by internal or external auditors.
• To make sure that system security is keeping pace with changes to the system environment. Some examples of changes that affect security are:
  New objects created by system users
  New users admitted to the system
  Change of object ownership (authorization not adjusted)
  Change of responsibilities (user group changed)
  Temporary authority not timely revoked
  New products installed
• To prepare for a future event, such as installing a new application, moving to a higher security level, or setting up a communications network.

The techniques described in this chapter are appropriate for all these situations. Which things you audit and how often depends on the size and security needs of your organization. The purpose of this chapter is to discuss what information is available, how to obtain it, and why it is needed, rather than to give guidelines for the frequency of audits.

This chapter has three parts:
• A checklist of security items that can be planned and audited.
• Information about setting up and using the audit journal provided by the system.
• Other techniques that are available to gather security information on the system.

Security auditing involves using commands on the iSeries system and accessing log and journal information on the system. You may want to create a special profile to be used by someone doing a security audit of your system. The auditor profile will need *AUDIT special authority to be able to change the audit characteristics of your system. Some of the auditing tasks suggested in this chapter
require a user profile with *ALLOBJ and *SECADM special authority. Be sure that you set the password for the auditor profile to *NONE when the audit period has ended. For more details on security auditing, see Chapter 9 of the Security Reference book.
Analyzing User Profiles
You can display or print a complete list of all the users on your system with the Display Authorized Users (DSPAUTUSR) command. The list can be sequenced by profile name or group profile name. Following is an example of the group profile sequence:

                         Display Authorized Users
                         Password
Group       User         Last        No
Profile     Profile      Changed     Password   Text
DPTSM       ANDERSOR     08/04/9x               Roger Anders
            VINCENTM     09/15/9x               Mark Vincent
DPTWH       ANDERSOR     08/04/9x               Roger Anders
            WAGNERR      09/06/9x               Rose Wagner
QSECOFR     JONESS       09/20/9x               Sharon Jones
            HARRISOK     08/29/9x               Ken Harrison
*NO GROUP   DPTSM        09/05/9x    X          Sales and Marketing
            DPTWH        08/13/9x    X          Warehouse
            RICHARDS     09/05/9x               Janet Richards
            SMITHJ       09/18/9x               John Smith
Printing Selected User Profiles
You can use the Display User Profile (DSPUSRPRF) command to create an output file, which you can process using a query tool:

DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE)

You can use a query tool to create a variety of analysis reports of your output file, such as:
• A list of all users who have both *ALLOBJ and *SPLCTL special authority.
• A list of all users sequenced by a user profile field, such as initial program or user class.

You can create query programs to produce different reports from your output file. For example:
• List all user profiles that have any special authorities by selecting records where the field UPSPAU is not equal to *NONE.
• List all users who are allowed to enter commands by selecting records where the Limit capabilities field (called UPLTCP in the model database outfile) is equal to *NO or *PARTIAL.
• List all users who have a particular initial menu or initial program.
• List inactive users by looking at the date last sign-on field.
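As an added example (not from the manual), the same selections can be scripted in CL with OPNQRYF instead of an interactive query tool, so the check can be rerun as part of a periodic audit. The file and open-ID names in QTEMP and the program name are assumptions; UPSPAU and UPLTCP are the outfile fields named above, and UPUPRF is the profile-name field of the same QADSPUPB model outfile.

```cl
/* AUDUSRPRF - added example, not from the manual: extract the user   */
/* profiles that hold any special authority or that may enter         */
/* commands from a DSPUSRPRF *BASIC outfile, using OPNQRYF.           */
/* File names in QTEMP and the open ID USRPRFS are assumptions.       */
             PGM
             DCL        VAR(&ERR) TYPE(*LGL) VALUE('0')
             /* On any escape message, flag the error and clean up */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* 1. Snapshot every user profile into an outfile          */
             /*    (model file QSYS/QADSPUPB)                            */
             DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/USRPRFS)

             /* 2. OPNQRYF needs a shared open of the file it filters    */
             OVRDBF     FILE(USRPRFS) TOFILE(QTEMP/USRPRFS) SHARE(*YES)

             /* 3. Keep profiles with any special authority (UPSPAU not  */
             /*    *NONE) or not fully limited (UPLTCP is *NO or         */
             /*    *PARTIAL, i.e. anything but *YES), sorted by name     */
             OPNQRYF    FILE((QTEMP/USRPRFS)) OPNID(USRPRFS) +
                          KEYFLD((UPUPRF)) +
                          QRYSLT('UPSPAU *NE "*NONE" *OR UPLTCP *NE "*YES"')

             /* 4. Copy the selected records to a file the auditor can   */
             /*    query, print or compare with the previous run         */
             CPYFRMQRYF FROMOPNID(USRPRFS) TOFILE(QTEMP/PRFREVIEW) +
                          MBROPT(*REPLACE) CRTFILE(*YES)
             GOTO       CMDLBL(CLEANUP)

ERROR:       CHGVAR     VAR(&ERR) VALUE('1')

CLEANUP:     /* Close the query and drop the override even on failure */
             CLOF       OPNID(USRPRFS)
             MONMSG     MSGID(CPF0000)
             DLTOVR     FILE(USRPRFS)
             MONMSG     MSGID(CPF0000)
             IF         COND(&ERR) THEN(SNDPGMMSG MSGID(CPF9898) +
                          MSGF(QCPFMSG) MSGDTA('AUDUSRPRF failed; see +
                          the job log') MSGTYPE(*ESCAPE))
             ENDPGM
```

Running the program requires the authority needed to display every profile; the resulting QTEMP/PRFREVIEW file holds only the profiles that meet the two criteria in the list above.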
Examining Large User Profiles
User profiles with large numbers of authorities, appearing to be randomly spread over most of the system, can reflect a lack of security planning. Following is one method for locating large user profiles and evaluating them:

1. Use the Display Object Description (DSPOBJD) command to create an output file containing information about all the user profiles on the system:

DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) DETAIL(*BASIC) OUTPUT(*OUTFILE)

2. Create a query program to list the name and size of each user profile, in descending sequence by size.

3. Print detailed information about the largest user profiles and evaluate the authorities and owned objects to see if they are appropriate:

DSPUSRPRF USRPRF(user-profile-name) TYPE(*OBJAUT) OUTPUT(*PRINT)
DSPUSRPRF USRPRF(user-profile-name) TYPE(*OBJOWN) OUTPUT(*PRINT)

Some IBM-supplied user profiles are very large because of the number of objects they own. Listing and analyzing them is usually not necessary. However, you should check for programs adopting the authority of the IBM-supplied user profiles that have *ALLOBJ special authority, such as QSECOFR and QSYS. For more details on security auditing, see Chapter 9 of the Security Reference book.
Tips for Analyzing Object Authorities
You can use the following method to determine who has authority to libraries on the system:

1. Use the DSPOBJD command to list all the libraries on the system:

DSPOBJD OBJ(*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)

2. Use the Display Object Authority (DSPOBJAUT) command to list the authorities to a specific library:

DSPOBJAUT OBJ(library-name) OBJTYPE(*LIB) OUTPUT(*PRINT)

3. Use the Display Library (DSPLIB) command to list the objects in the library:

DSPLIB LIB(library-name) OUTPUT(*PRINT)

Using these reports, you can determine what is in a library and who has access to the library. If necessary, you can also use the DSPOBJAUT command to view the authority for selected objects in the library.
Checking for Objects That Have Been Altered
You can use the Check Object Integrity (CHKOBJITG) command to look for objects that have been altered. An altered object is usually an indication that someone is attempting to tamper with your system. You may want to run this command after someone has:
• Restored programs to your system.
• Used dedicated service tools (DST).

When you run the command, the system creates a database file containing information about any potential integrity problems. You can check objects owned by one profile, several different profiles, or all profiles. You can look for objects whose domain has been altered. You can also recalculate program validation values to look for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been altered.

Running the CHKOBJITG program requires *AUDIT special authority. The command may take a long time to run because of the scans and calculations it performs. You should run it at a time when your system is not busy.

Note: Profiles that own many objects with many private authorities can become very large. The size of an owner profile affects performance when displaying and working with the authority to owned objects, and when saving or restoring profiles. System operations can also be impacted. To prevent impacts to either performance or system operations, distribute ownership of objects to multiple profiles. Do not assign all or nearly all objects to only one owner profile.
Analyzing Programs That Adopt Authority
Programs that adopt the authority of a user with *ALLOBJ special authority represent a security exposure. The following method can be used to find and inspect those programs:

1. For each user with *ALLOBJ special authority, use the Display Programs That Adopt (DSPPGMADP) command to list the programs that adopt that user's authority:

DSPPGMADP USRPRF(user-profile-name) OUTPUT(*PRINT)

Note: The topic "Printing Selected User Profiles" on page 63 shows how to list users with *ALLOBJ authority.

2. Use the DSPOBJAUT command to determine who is authorized to use each adopting program and what the public authority is to the program:

DSPOBJAUT OBJ(library-name/program-name) OBJTYPE(*PGM) OUTPUT(*PRINT)

3. Inspect the source code and program description to evaluate:
• Whether the user of the program is prevented from excess function, such as using a command line, while running under the adopted profile.
• Whether the program adopts the minimum authority level needed for the intended function. Applications that use adopted authority can be designed using the same owner profile for objects and programs. When the authority of the program owner is adopted, the user has *ALL authority to application objects. In many cases, the owner profile does not need any special authorities.

4. Verify when the program was last changed, using the DSPOBJD command:

DSPOBJD OBJ(library-name/program-name) OBJTYPE(*PGM) DETAIL(*FULL)
Checking for Objects That Have Been Altered
You can use the Check Object Integrity (CHKOBJITG) command to look for objects that have been altered. An altered object is usually an indication that someone is attempting to tamper with your system. You may want to run this command after someone has:
v Restored programs to your system
v Used dedicated service tools (DST)
Chapter 6 Using Object Authority to Protect Information Assets
65
When you run the command, the system creates a database file containing information about any potential integrity problems. You can check objects owned by one profile, several different profiles, or all profiles. You can look for objects whose domain has been altered. You can also recalculate program validation values to look for objects of type *PGM, *SRVPGM, *MODULE, and *SQLPKG that have been altered. Running the CHKOBJITG command requires *AUDIT special authority. The command may take a long time to run because of the scans and calculations it performs; you should run it at a time when your system is not busy.

Note: Profiles that own many objects with many private authorities can become very large. The size of an owner profile affects performance when displaying and working with the authority to owned objects, and when saving or restoring profiles. System operations can also be impacted. To prevent impacts to either performance or system operations, distribute ownership of objects to multiple profiles. Do not assign all or nearly all objects to only one owner profile.
Tips for Managing the Audit Journal and Journal Receivers
The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing. Objects should not be journaled to the audit journal. Commitment control should not use the audit journal. User entries should not be sent to this journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE) API.

Special locking protection is used to ensure that the system can write audit entries to the audit journal. When auditing is active (the QAUDCTL system value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal when auditing is active, such as:
v DLTJRN command
v ENDJRNxxx command
v APYJRNCHG command
v RMVJRNCHG command
v DMPOBJ or DMPSYSOBJ command
v Moving the journal
v Restoring the journal
v Operations that work with authority, such as the GRTOBJAUT command
v WRKJRN command

The information recorded in the security journal entries is described in the Security Reference book. All security entries in the audit journal have a journal code of T. In addition to security entries, system entries also appear in the journal QAUDJRN. These are entries with a journal code of J, which relate to initial program load (IPL) and general operations performed on journal receivers (for example, saving the receiver).
66
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
If damage occurs to the journal or to its current receiver so that the auditing entries cannot be journaled, the QAUDENDACN system value determines what action the system takes. Recovery from a damaged journal or journal receiver is the same as for other journals.

You may want to have the system manage the changing of journal receivers. Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically detaches the receiver when it reaches its threshold size and creates and attaches a new journal receiver. This is called system change-journal management.

If you specify MNGRCV(*USER) for QAUDJRN, a message is sent to the threshold message queue specified for the journal when the journal receiver reaches its storage threshold. The message indicates that the receiver has reached its threshold. Use the CHGJRN command to detach the receiver and attach a new journal receiver. This prevents "Entry not journaled" error messages. If you do receive such a message, you must use the CHGJRN command for security auditing to continue.

The default message queue for a journal is QSYSOPR. If your installation has a large volume of messages in the QSYSOPR message queue, you may want to associate a different message queue, such as AUDMSG, with the QAUDJRN journal. You can use a message handling program to monitor the AUDMSG message queue. When a journal threshold warning (CPF7099) is received, you can automatically attach a new receiver. If you use system change-journal management, message CPF7020 is sent to the journal message queue when a system change journal is completed. You can monitor for this message to know when to save the detached journal receivers.

Attention: The automatic cleanup function provided using Operational Assistant menus does not clean up the QAUDJRN receivers. You should regularly detach, save, and delete QAUDJRN receivers to avoid problems with disk space. See the Backup and Recovery book for complete information about managing journals and journal receivers.

Note: The QAUDJRN journal is created during an IPL if it does not exist and the QAUDCTL system value is set to a value other than *NONE. This occurs only after an unusual situation, such as replacing a disk device or clearing an auxiliary storage pool.
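The message-handling program mentioned above, as an added example (it is not part of the IBM manual): a never-ending CL program that watches the journal's message queue and acts on the two messages described. It assumes the queue QGPL/AUDMSG exists and has been attached to the journal with CHGJRN JRN(QSYS/QAUDJRN) MSGQ(QGPL/AUDMSG), and that it is started as a batch job, for example with SBMJOB CMD(CALL PGM(AUDMSGMON)). The program name and queue name are assumptions of this example.

```cl
/* AUDMSGMON - watch the QAUDJRN threshold message queue.                  */
/* Added example, not part of the IBM manual.  Assumptions: the journal's  */
/* message queue has been set to QGPL/AUDMSG, and this program runs as a   */
/* never-ending batch job.                                                 */
             PGM
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSG)   TYPE(*CHAR) LEN(256)

/* Wait for the next message; RMV(*YES) so each one is handled only once. */
 LOOP:       RCVMSG     MSGQ(QGPL/AUDMSG) MSGTYPE(*ANY) WAIT(*MAX) +
                          RMV(*YES) MSGID(&MSGID) MSG(&MSG)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(END))

/* CPF7099: the attached receiver reached its threshold (MNGRCV(*USER)).  */
/* Detach it and attach a generated receiver now, before it fills and     */
/* "Entry not journaled" errors begin.                                    */
             IF         COND(&MSGID *EQ 'CPF7099') THEN(DO)
               CHGJRN     JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
               MONMSG     MSGID(CPF0000) EXEC(DO)
                 SNDMSG     MSG('AUDMSGMON: CHGJRN of QSYS/QAUDJRN failed;' +
                                *BCAT 'check the journal and QAUDENDACN now') +
                            TOUSR(*SYSOPR)
                 GOTO       CMDLBL(LOOP)
               ENDDO
               SNDMSG     MSG('AUDMSGMON: new QAUDJRN receiver attached;' +
                              *BCAT 'save and delete the detached receiver') +
                          TOUSR(*SYSOPR)
             ENDDO

/* CPF7020: system change-journal management (MNGRCV(*SYSTEM)) has already */
/* attached a new receiver; the detached one is now ready to be saved.     */
             IF         COND(&MSGID *EQ 'CPF7020') THEN(DO)
               SNDMSG     MSG('AUDMSGMON: detached QAUDJRN receiver ready' +
                              *BCAT 'to save -' *BCAT &MSG) TOUSR(*SYSOPR)
             ENDDO
             GOTO       CMDLBL(LOOP)
 END:        ENDPGM
```

With MNGRCV(*USER) the CPF7099 branch performs the rotation itself, so the receiver never fills and auditing is not interrupted; with MNGRCV(*SYSTEM) the system has already attached a new receiver by the time CPF7020 arrives, and the program only tells the operator that a detached receiver is waiting to be saved. The program deliberately deletes nothing: a receiver should be removed only after it has been saved.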
Saving and Deleting Audit Journal Receivers
Overview:
Purpose:        To attach a new audit journal receiver; to save and delete the old receiver
How To:         CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
                SAVOBJ (to save the old receiver)
                DLTJRNRCV (to delete the old receiver)
Authority:      *ALL authority to the journal receiver; *USE authority to the journal
Journal Entry:  J (system entry) to QAUDJRN
You should regularly detach the current audit journal receiver and attach a new one for two reasons:
v Analyzing journal entries is easier if each journal receiver contains the entries for a specific, manageable time period.
v Large journal receivers can affect system performance, in addition to taking valuable space on auxiliary storage.

Having the system manage receivers automatically is the recommended approach. You can specify this by using the Manage receiver (MNGRCV) parameter when you create the journal. If you have set up action auditing and object auditing to log many different events, you may need to specify a large threshold value for the journal receiver. If you are managing receivers manually, you may need to change journal receivers daily. If you log only a few events, you may want to change receivers to correspond with the backup schedule for the library containing the journal receiver. You use the CHGJRN command to detach a receiver and attach a new receiver.

System-Managed Journal Receivers: If you have the system manage the receivers, use the following procedure to save all detached QAUDJRN receivers and to delete them:
1. Type WRKJRNA QAUDJRN. The display shows you the currently attached receiver. Do not save or delete this receiver.
2. Use F15 to work with the receiver directory. This shows all receivers that have been associated with the journal and their status.
3. Use the SAVOBJ command to save each receiver, except the currently attached receiver, that has not already been saved.
4. Use the DLTJRNRCV command to delete each receiver after it is saved.

Note: As an alternative to the above procedure, you can use the journal message queue and monitor for the CPF7020 message, which indicates that the system change journal has completed successfully. See the Backup and Recovery book for more information on this support.

User-Managed Journal Receivers: If you choose to manage journal receivers manually, use the following procedure to detach, save, and delete a journal receiver:
1. Type CHGJRN JRN(QAUDJRN) JRNRCV(*GEN). This command:
   a. Detaches the currently attached receiver
   b. Creates a new receiver with the next sequential number
   c. Attaches the new receiver to the journal
   For example, if the current receiver is AUDRCV0003, the system creates and attaches a new receiver called AUDRCV0004. The Work with Journal Attributes (WRKJRNA) command tells you which receiver is currently attached: WRKJRNA QAUDJRN
2. Use the Save Object (SAVOBJ) command to save the detached journal receiver. Specify object type *JRNRCV.
3. Use the Delete Journal Receiver (DLTJRNRCV) command to delete the receiver. If you try to delete the receiver without saving it, you receive a warning message.
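The user-managed procedure above, written as one CL program (an added example, not from the IBM manual). It assumes the receivers live in library AUDLIB, that the save device is TAP01, and that the caller passes the name of the receiver that WRKJRNA QAUDJRN currently shows as attached; the program rotates first, then saves and deletes that receiver. Library, device and program names are assumptions of this example.

```cl
/* SAVAUDRCV - detach the attached QAUDJRN receiver, save it, delete it.  */
/* Added example, not part of the IBM manual.  Assumptions: receivers are */
/* in library AUDLIB and the save device is TAP01 (change the two VALUEs). */
/* Call with the receiver WRKJRNA QAUDJRN shows as attached, for example  */
/*   CALL PGM(SAVAUDRCV) PARM(AUDRCV0003)                                 */
             PGM        PARM(&RCV)
             DCL        VAR(&RCV)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&RCVLIB) TYPE(*CHAR) LEN(10) VALUE('AUDLIB')
             DCL        VAR(&DEV)    TYPE(*CHAR) LEN(10) VALUE('TAP01')

/* 1. Detach &RCV and attach a generated receiver (AUDRCV0003 becomes     */
/*    AUDRCV0004).  Auditing continues into the new receiver.             */
             CHGJRN     JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('CHGJRN of QSYS/QAUDJRN failed; receiver' +
                                   *BCAT &RCV *TCAT ' not touched')
             ENDDO

/* 2. Save the detached receiver.  Nothing is deleted unless this step    */
/*    completes; a failed save leaves the receiver on the system.         */
             SAVOBJ     OBJ(&RCV) LIB(&RCVLIB) DEV(&DEV) OBJTYPE(*JRNRCV)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('SAVOBJ of' *BCAT &RCV *TCAT +
                                   ' failed; receiver kept')
             ENDDO

/* 3. Delete only after the save succeeded.  DLTJRNRCV rejects the        */
/*    receiver still attached to the journal, so a wrong name cannot       */
/*    remove the live receiver.                                            */
             DLTJRNRCV  JRNRCV(&RCVLIB/&RCV)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                            MSGDTA('DLTJRNRCV of' *BCAT &RCV *TCAT ' failed')
             ENDDO
             SNDPGMMSG  MSG('Receiver' *BCAT &RCV *BCAT 'saved to' *BCAT +
                            &DEV *BCAT 'and deleted') MSGTYPE(*COMP)
             ENDPGM
```

The order of the steps is the point: the save is monitored, and the delete runs only when the save completed, so the program can never discard an unsaved receiver. Because the journal always keeps its attached receiver, the detached one passed in is the only receiver the program can remove.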
For more details on security auditing, see Chapter 9 of the Security Reference book.
Chapter 7 Tips for Managing and Monitoring Authority
A set of security reports is available to help you keep track of how authority is set up on your system. When you run these reports initially, you can print everything (the authority for all the files or for all the programs, for example). After you have established your base of information, you can run the changed versions of the reports regularly. The changed versions help you identify security-relevant changes on your system that require your attention. For example, you can run the report that shows the public authority for files every week and request only the changed version of the report. It shows you both new files on the system that are available to everyone and existing files whose public authority has changed since the last report.

Two menus are available to run the security tools:
v Use the SECTOOLS menu for running programs interactively.
v Use the SECBATCH menu for running programs in batch. The SECBATCH menu has two parts: one for submitting jobs to the job queue immediately, and the other for placing jobs on the job scheduler.
If you are using Operations Navigator, this can be accomplished by completing the changes using the security policies function. For more information, refer to the iSeries Information Center (see "Prerequisite and related information" on page xii for details).
Monitoring Public Authority to Objects
For both simplicity and performance, most systems are set up so that most objects are available to most users. Users are explicitly denied access to certain confidential, security-sensitive objects rather than having to be explicitly authorized to use every object. A few systems with high security requirements take the opposite approach and authorize objects on a need-to-know basis. On those systems, most objects are created with the public authority set to *EXCLUDE.

iSeries is an object-based system with many different types of objects. Most object types do not contain sensitive information or perform security-relevant functions. As a security administrator on an iSeries system with typical security needs, you probably want to focus your attention on objects that require protection, such as database files and programs. For other object types, you can just set a public authority that is sufficient for your applications, which for most object types is *USE authority.

You can use the Print Public Authority (PRTPUBAUT) command to print information about objects that public users can access. A public user is anyone with sign-on authority who does not have explicit authority to an object. When you use the PRTPUBAUT command, you can specify the object types, and the libraries or directories, that you want to examine. Options are available on the SECBATCH and SECTOOLS menus to print the Publicly Authorized Objects Report for the object types that most commonly have security implications.
Copyright IBM Corp 1996, 2001
Figure 6 shows an example of the Publicly Authorized Objects Report for the FILE objects in the CUSTLIB library:
Publicly Authorized Objects Full Report                                                    SYSTEM4
Object type . . . . . . . . . :   *FILE
Specified library . . . . . . :   CUSTLIB
                             Authorization            ----------Object----------  ------------Data------------
Library   Object    Owner    List      Authority   Opr  Mgt  Exist Alter Ref   Read Add  Upd  Dlt  Execute
CUSTLIB   CUSTMAST  AROWNER  *NONE     *USE        X                           X                   X
CUSTLIB   ORDERS    AROWNER  *NONE     *CHANGE     X                           X    X    X    X    X
CUSTLIB   PRICES    AROWNER  *NONE     *USE        X                           X                   X
CUSTLIB   TAXES     AROWNER  *NONE     *CHANGE     X                           X    X    X    X    X

Figure 6. Publicly Authorized Objects Report (Sample)
You can print the changed version of this report regularly to see what objects might require your attention
Managing Authority for New Objects
OS/400 provides functions to help you manage the authority and ownership for new objects on your system. When a user creates a new object, the system determines the following:
v Who will own the object
v What the public authority for the object is
v Whether the object has any private authorities
v Where to put the object (what library or directory)
v Whether access to the object will be audited
The system uses system values, library parameters, and user profile parameters to make these decisions. "Assigning Authority and Ownership to New Objects" in chapter 5 of the iSeries Security Reference book provides several examples of the options that are available. You can use the PRTUSRPRF command to print the user profile parameters that affect ownership and authority for new objects. Figure 11 on page 79 shows an example of this report.
Monitoring Authorization Lists
SECBATCH menu options: 3 (submit immediately), 42 (use the job scheduler)

You can group objects with similar security requirements by using an authorization list. Conceptually, an authorization list contains a list of users and the authority that the users have to the objects that are secured by the list. Authorization lists provide an efficient way to manage the authority to similar objects on the system. However, in some cases, they make it difficult to keep track of authorities to objects. You can use the Print Private Authority (PRTPVTAUT) command to print information about authorization list authorities. Figure 7 on page 73 shows a sample of the report.
Private Authorities Full Report                                                                                   SYSTEM4
                             Primary                                      ----------Object----------  ------------Data------------
Authorization List  Owner    Group    User      Authority  List Mgt  Opr  Mgt  Exist Alter Ref   Read Add  Upd  Dlt  Execute
LIST1               QSECOFR  *NONE    *PUBLIC   *EXCLUDE
LIST2               BUDNIKR  *NONE    BUDNIKR   *ALL       X         X    X    X     X     X     X    X    X    X    X
                                      *PUBLIC   *CHANGE              X                           X    X    X    X    X
LIST3               QSECOFR  *NONE    *PUBLIC   *EXCLUDE
LIST4               CJWLDR   *NONE    CJWLDR    *ALL       X         X    X    X     X     X     X    X    X    X    X
                                      GROUP1    *ALL                 X    X    X     X     X     X    X    X    X    X
                                      *PUBLIC   *EXCLUDE

Figure 7. Private Authorities Report for Authorization Lists
This report shows the same information that you see on the Edit Authorization List (EDTAUTL) display. The advantage of the report is that it provides information about all authorization lists in one place. If you are setting up security for a new group of objects, for example, you can quickly scan the report to see if an existing authorization list meets your needs for those objects. You can print a changed version of the report to see new authorization lists or authorization lists with authority changes since you last printed the report. You also have the option of printing a list of the objects that are secured by each authorization list. Figure 8 shows an example of the report for one authorization list:
Display Authorization List Objects
Authorization list . . . . . . . :   CUSTAUTL
  Library  . . . . . . . . . . . :     QSYS
Owner  . . . . . . . . . . . . . :   AROWNER
Primary group  . . . . . . . . . :   *NONE
                                          Primary
Object     Library    Type    Owner      group     Text
CUSTMAS    CUSTLIB    *FILE   AROWNER    *NONE
CUSTORD    CUSTORD    *FILE   OEOWNER    *NONE

Figure 8. Display Authorization List Objects Report
You can use this report, for example, to understand the effect of adding a new user to an authorization list (what authorities that user will receive).
Tips for using Authorization lists
Operations Navigator provides security features designed to assist you in developing a security plan and policy and in configuring your system to meet your company's needs. One of the functions available is the use of authorization lists. Authorization lists have the following features:
v An authorization list groups objects with similar security requirements.
v An authorization list conceptually contains a list of users and groups and the authority each has to the objects secured by the list.
v Each user and group can have a different authority to the set of objects the list secures.
v Authority can be given by way of the list, rather than to individual users and groups.
Tasks that can be done using authorization lists include the following:
v Create an authorization list
v Change an authorization list
v Add users and groups
v Change user permissions
v Display secured objects

To use this function, do the following:
1. Start the Operations Navigator program.
2. Login to iSeries.
3. Select Security and click on the expand box.
4. You will see Authorization Lists and Policies. Right click the mouse to get the menu.
5. Select New Authorization List and left click the mouse. A window will now display.

The New Authorization List window allows you to grant the following permissions:
v Use: Allows access to the object attributes and use of the object. The public may view, but not change, the objects.
v Change: Allows the contents of the object (with some exceptions) to be changed.
v All: Allows all operations on the object, except those that are limited to the owner. The user or group can control the object's existence, specify the security for the object, change the object, and perform basic functions on the object. The user or group can also change ownership of the object.
v Exclude: All operations on the object are prohibited. No access or operations are allowed to the object for the users and groups having this permission. For *PUBLIC, it specifies that the public is not allowed to use the object.

When working with authorization lists you will want to grant permissions for both objects and data. Object permissions you can choose are listed below:
v Operational: Provides the permission to look at the description of an object and use the object as determined by the data permission that the user or group has to the object.
v Management: Provides the permission to specify the security for the object, move or rename the object, and add members to database files.
v Existence: Provides the permission to control the object's existence and ownership. The user or group can delete the object, free storage of the object, perform save and restore operations for the object, and transfer ownership of the object. If a user or group has special save permission, the user or group does not need object existence permission.
v Alter (used only for database files and SQL packages): Provides the permission needed to alter the attributes of an object. If the user or group has this permission on a database file, the user or group can add and remove triggers, add and remove referential and unique constraints, and change the attributes of the database file. If the user or group has this permission on an SQL package, the user or group can change the attributes of the SQL package. This permission is currently used only for database files and SQL packages.
v Reference (used only for database files and SQL packages): Provides the permission needed to reference an object from another object such that operations on that object may be restricted by the other object. If the user or group has this permission on a physical file, the user or group can add referential constraints in which the physical file is the parent. This permission is currently used only for database files.

Data permissions you can choose are listed below:
v Read: Provides the permission needed to get and display the contents of the object, such as viewing records in a file.
v Add: Provides the permission to add entries to an object, such as adding messages to a message queue or adding records to a file.
v Update: Provides the permission to change the entries in an object, such as changing records in a file.
v Delete: Provides the permission to remove entries from an object, such as removing messages from a message queue or deleting records from a file.
v Execute: Provides the permission needed to run a program, service program, or SQL package. The user can also locate an object in a library or directory.
For more information on each process as you are creating or editing your authorization lists, see the on-line help screens for each step.
Audit policy tool
Operations Navigator has two policy areas:
v Audit policy
v Security policy
To create and use policies within Operations Navigator, do the following:
1. Start the Operations Navigator program.
2. Login to iSeries.
3. Select Security and click on the expand box.
4. You will see Policies in the menu; right click to get the menu for policies.
5. Select Explore and left click on the title. This provides you with a list of policies and their names, for example Audit Policy and Security Policy, with a description for each.

Audit policy is the function by which the system audits access to an object and makes an entry in the audit journal. The audit policy keeps track of all users who access a critical object on the system and of all the objects accessed by a particular user. To get to the Audit Policies Properties window, double click the left mouse button on Audit Policies, or right click the mouse for a menu and select Properties. The Audit Policies Properties window allows you to select and activate auditing features. The auditing actions include the following:
v APPN filter violation: Audits violations detected by the APPN firewall. Directory search filter and end point filter violations are audited.
v Authorization failure: Audits unsuccessful attempts to sign on the system and to access objects. Authorization failures can be used regularly to monitor users trying to perform unauthorized functions on the system. They can also be used to assist with migration to a higher security level and to test resource security for a new application.
v Job tasks: Audits actions that affect a job, such as starting or stopping the job, holding, releasing, canceling, or changing it. Job tasks may be used to monitor who is running batch jobs.
v Object creations: Audits the creation or replacement of an object. Object creation may be used to monitor when programs are created or compiled again.
v Object deletion: Audits the deletion of an object.
v Object management: Audits an object rename or move operation. Object management may be used to detect copying of confidential information by moving the object to a different library.
v Object restore: Audits the restore of an object. Object restore may be used to detect attempts to restore unauthorized objects.
v Office tasks: Audits changes to the system distribution directory and opening of the mail log. Actions performed on specific items in the mail log are not recorded. Office tasks may be used to detect attempts to change how mail is routed or to monitor opening another user's mail log.
v Optical tasks: Audits optical functions, such as adding or removing an optical cartridge, or changing the authorization list used to secure an optical volume. Other functions include copying, moving, or renaming an optical file, saving or releasing a held optical file, and so on.
v Printing functions: Audits the printing of a spooled file, printing directly from a program, or sending a spooled file to a remote printer. Printing functions may be used to detect printing of confidential information.
v Program adoption: Audits the use of adopted authority to gain access to an object. Program adoption may be used to test where and how a new application uses adopted authority.
v Security tasks: Audits security-relevant events, such as changing a user profile or a system value. Security tasks may be used to keep a record of all security activities.
v Service tasks: Audits the use of service tools, such as Dump Object and Start Copy Screen. Service tasks may be used to detect attempts to circumvent security by using service tools.
v Spool management: Audits actions performed on spooled files, including creating, copying, and sending. Spool management may be used to detect attempts to print or send confidential data.
v System integrity violation: Audits program domain violations, when a program causes an integrity error. System integrity violation may be used to assist with migration to a higher security level or to test a new application.
v System management: Audits system management activities, such as changing a reply list or the power on/off schedule. System management may be used to detect attempts to use system management functions to circumvent security controls.
When the new object window appears, you will see what has been created and can make changes, then click OK to accept the new object. If you get a window that says "Journal QAUDJRN does not exist in library QSYS", use the CHGSECAUD CL command to create the security audit journal QAUDJRN.

If you want to audit a single user, return to the main menu screen and do the following:
1. Under the main menu select Users and Groups.
2. Expand and click on All Users.
3. Select the user you want to monitor and right click to get the pull-down menu. Select Properties.
4. From the properties menu select and click on Capabilities.
5. The next menu gives you the option of auditing a single user. Make your audit choices and then select OK.
You will now be able to monitor the use of this person and your system.
Security policy tool
Security policies are used to administer the security-related system values. To set and maintain your security policies, do the following:
1. Start the Operations Navigator program.
2. Login to iSeries.
3. Select Security and click on the expand box.
4. You will see Authorization Lists and Policies. Right click the mouse to get the menu.
5. Select Policies and left click the mouse. A window will now display.
6. Double click on the Security Policies file. This brings you to a window called Security Policy Properties, followed by the name of your iSeries.
7. After you have made your choices, click OK to have them applied to your policies.
8. The following Operations Navigator security functions replace these command line interfaces (system values):

Security values (Operations Navigator)                          Command line interface (system values)
Security controls tab
  Security level                                                QSECURITY
  Security actions                                              QALWOBJRST (*ALWSYSSTT, *ALWPGMADP, *ALWPTF); QRMTSRVATR; QRETSVRSEC
  Default authority for newly created objects in the
    QSYS.LIB file system                                        QCRTAUT
System sign-on
  Incorrect sign-on attempts                                    QMAXSIGN; QMAXSGNACN; QDSPSGNINF; QLMTDEVSSN; QLMTSECOFR
  Allow auto-configuration of devices                           QAUTOVRT; QAUTOCFG
Password screen
  Password expiration                                           QPWDEXPITV
  Password lengths                                              QPWDMINLEN; QPWDMAXLEN
  Password characters                                           QPWDLMTAJC; QPWDLMTREP; QPWDLMTCHR
  Previous passwords                                            QPWDPOSDIF; QPWDRQDDIF
Time-out
  Inactive jobs                                                 QINACTITV; QINACTMSGQ
  Disconnect jobs                                               QDSCJOBITV
Device error action
  Action to take when a device error occurs on the
    workstation                                                 QDEVRCYACN
Remote sign-on
  Use TELNET for remote sign-on screen
  (Note: if you check "Use pass-through for remote sign-on",
  the value is used for both pass-through and TELNET)           QRMTSIGN
Objects not available
  Allow these objects in:                                       QALWUSRDMN
Monitoring Private Authority to Objects
SECBATCH menu options: 12 (submit immediately), 41 (use the job scheduler)

You can use the Print Private Authority (PRTPVTAUT) command to print a list of all the private authorities for objects of a specified type in a specified library or directory. You can use this report to help you detect new authorities to objects. It can also help you keep your private authority scheme from becoming convoluted and unmanageable. Figure 9 shows an example of the report:
5769SS1 VxRxMx 000000            Private Authorities Full Report            TESTSYS   00/00/00  00:00:00
Directory  . . . . . . . . . . :   /qibm
*PUBLIC authority  . . . . . . :   *RX
Object type  . . . . . . . . . :   *DIR
                        Primary   Auth                   Data       ----------Object---------
Object      Owner       Group     List      User         Authority  Mgt  Exist  Alter  Ref
ProdData    QSYS        *NONE     *NONE     *PUBLIC      *RX
                                            QSYS         *RWX       X    X      X      X
UserData    QSYS        *NONE     *NONE     *PUBLIC      *RX
                                            QSYS         *RWX       X    X      X      X
include     QSYS        *NONE     *NONE     *PUBLIC      *RX
                                            QSYS         *RWX       X    X      X      X
locales     QLPINSTALL  *NONE     *NONE     *PUBLIC      *RX
                                            QLPINSTALL   *RWX       X    X      X      X

Figure 9. Private Authorities Report (Sample)
Monitoring Access to Output Queues and Job Queues
Sometimes a security administrator does a great job of protecting access to files and then forgets about what happens when the contents of a file are printed
iSeries provides functions for you to protect sensitive output queues and job queues You protect an output queue so that unauthorized users cannot, for example, view or copy confidential spooled files that are waiting to print You protect job queues so that an unauthorized user cannot either redirect a confidential job to a nonconfidential output queue or cancel the job entirely
SECBATCH menu options: 24 (submit immediately), 63 (use the job scheduler)

The Basic system security and planning information in the Information Center and the iSeries Security Reference book describe how to protect your output queues and job queues. You can use the Print Queue Authority (PRTQAUT) command to print the security settings for the job queues and output queues on your system. You can then evaluate the jobs that print confidential information and ensure that they are going to output queues and job queues that are protected. Figure 10 on page 79 shows an example of the PRTQAUT report:
Queue Authority Full Report                                              SYSTEM4
Specified library . . . . . . :   *ALL
Library   Object  Type   Owner    Authority  DSPDTA  OPRCTL  AUTCHK
BASQLIB   OUTQ1   *OUTQ  BASMLYR  *USE       *NO     *YES    *OWNER
BASQLIB   OUTQ2   *OUTQ  BASMLYR  *ALL       *YES    *YES    *OWNER
BASQLIB   OUTQ3   *OUTQ  BASMLYR  *CHANGE    *OWNER  *YES    *OWNER
BASQLIB   OUTQ4   *OUTQ  BASMLYR  *EXCLUDE   *NO     *NO     *OWNER
BASQLIB   OUTQ5   *OUTQ  BASMLYR  *EXCLUDE   *NO     *NO     *DTAAUT
BASQLIB   JOBQ2   *JOBQ  BASMLYR  *CHANGE    *NONE   *NO     *OWNER
BASQLIB   JOBQ3   *JOBQ  BASMLYR  *EXCLUDE   *NONE   *NO     *DTAAUT

Figure 10. Queue Authority Report (Sample)
For output queues and job queues that you consider to be security-sensitive, you can compare your security settings to the information in Appendix D of the iSeries Security Reference book The tables in Appendix D tell what settings are required to perform different output queue and job queue functions
Monitoring Special Authorities
When users on your system have unnecessary special authorities, your efforts to develop a good object-authority scheme may be wasted. Object authority is meaningless when a user profile has *ALLOBJ special authority. A user with *SPLCTL special authority can see any spooled file on the system, no matter what efforts you make to secure your output queues. A user with *JOBCTL special authority can affect system operations and redirect jobs. A user with *SERVICE special authority may be able to use service tools to access data without going through the operating system.

SECBATCH menu options: 29 (submit immediately), 68 (use the job scheduler)

You can use the Print User Profile (PRTUSRPRF) command to print information about the special authorities and user classes for user profiles on your system. When you run the report, you have several options:
v All user profiles
v User profiles with specific special authorities
v User profiles that have specific user classes
v User profiles with a mismatch between user class and special authorities
Figure 11 shows an example of the report that shows the special authorities for all user profiles:
User Profile Information
Report type . . . . . . . . . :   *AUTINFO
Select by . . . . . . . . . . :   *SPCAUT
Special authorities . . . . . :   *ALL
                    -------------Special Authorities-------------                                Group
User      Group                                                  User      Owner     Group      Authority  Limited
Profile   Profiles                                               Class               Authority  Type       Capability
USERA     *NONE     X    X    X    X    X    X    X    X         *SECOFR   *USRPRF   *NONE      *PRIVATE   *NO
USERB     *NONE     X    X                                       *PGMR     *USRPRF   *NONE      *PRIVATE   *NO
USERC     *NONE     X    X    X    X    X    X    X    X         *SECOFR   *USRPRF   *NONE      *PRIVATE   *NO
USERD     *NONE                                                  *USER     *USRPRF   *NONE      *PRIVATE   *NO

Figure 11. User Information Report (Example 1)
In addition to the special authorities, the report shows the following:
v Whether the user profile has limited capability
v Whether the user or the user's group owns new objects that the user creates
v What authority the user's group automatically receives to new objects that the user creates
Figure 12 shows an example of the report for mismatched special authorities and user classes:
User Profile Information
Report type . . . . . . . : AUTINFO
Select by . . . . . . . . : MISMATCH

                     ----------- Special Authorities -----------
User      Group      ALL  AUD  IO     JOB  SAV  SEC  SER   SPL   User     Owner   Group      Group           Limited
Profile   Profiles   OBJ  IT   SYSCFG CTL  SYS  ADM  VICE  CTL   Class            Authority  Authority Type  Capability
USERX     NONE       X                X    X               X     SYSOPR   USRPRF  NONE       PRIVATE         NO
USERY     NONE                                  X                USER     USRPRF  NONE       PRIVATE         NO
USERZ     QPGMR                                 X                USER     USRPRF  NONE       PRIVATE         NO
  QPGMR                               X    X

Figure 12. User Information Report, Example 2
In Figure 12, notice the following:
v USERX has a system operator (SYSOPR) user class but has ALLOBJ and SPLCTL special authorities.
v USERY has a user (USER) user class but has SECADM special authority.
v USERZ also has a user (USER) class and SECADM special authority. You can also see that USERZ is a member of the QPGMR group, which has JOBCTL and SAVSYS special authorities.

You can run these reports regularly to help you monitor the administration of user profiles.
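The same mismatch check can be run offline against an exported profile list, which is useful when you want to track findings between report runs. The Python below is an added example, not code from the IBM manual: it parses a constructed export shaped like the Figure 12 rows and flags special authorities beyond each user class's baseline, separating authorities held directly from those inherited through the group profile. The baseline table is an assumption (the class defaults at security level 30 and above, as given in the Security Reference) and the export layout is constructed.

```python
"""Flag user profiles whose special authorities exceed their user class.

Added example, not part of the IBM manual: an offline version of the
PRTUSRPRF mismatch report shown in Figure 12. The input layout and the
sample rows are constructed; adapt parse_export() to your own
DSPUSRPRF *OUTFILE or PRTUSRPRF output.
"""

SPECIAL_AUTHORITIES = ("ALLOBJ", "AUDIT", "IOSYSCFG", "JOBCTL",
                       "SAVSYS", "SECADM", "SERVICE", "SPLCTL")

# Special authorities each user class carries by default at security
# level 30 and above. Assumption from the Security Reference, not stated
# on this page; adjust it to your site's own class policy.
CLASS_BASELINE = {
    "SECOFR": set(SPECIAL_AUTHORITIES),
    "SECADM": {"SECADM"},
    "PGMR": set(),
    "SYSOPR": {"JOBCTL", "SAVSYS"},
    "USER": set(),
}

# Constructed export: profile, group profile, user class, then the
# special authorities held, space separated. Mirrors Figure 12.
SAMPLE_EXPORT = """\
USERX,NONE,SYSOPR,ALLOBJ JOBCTL SAVSYS SPLCTL
USERY,NONE,USER,SECADM
USERZ,QPGMR,USER,SECADM
QPGMR,NONE,PGMR,JOBCTL SAVSYS
USERD,NONE,USER,
"""


def parse_export(text):
    """Parse 'PROFILE,GROUP,CLASS,AUTH AUTH ...' lines into a dict."""
    profiles = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields")
        name, group, user_class, auths = fields
        held = set(auths.split())
        unknown = held - set(SPECIAL_AUTHORITIES)
        if unknown:
            raise ValueError(f"{name}: unknown authority {sorted(unknown)}")
        if user_class not in CLASS_BASELINE:
            raise ValueError(f"{name}: unknown user class {user_class}")
        profiles[name] = {"group": group, "class": user_class, "held": held}
    return profiles


def inherited_authorities(profiles, name):
    """Special authorities the profile gets through its group profile."""
    group = profiles[name]["group"]
    if group == "NONE" or group not in profiles:
        return set()
    return set(profiles[group]["held"])


def find_mismatches(profiles):
    """Return {profile: {"direct": [...], "inherited": [...]}} for every
    profile holding special authorities beyond its class baseline,
    separating authorities held directly from those coming via the group."""
    findings = {}
    for name, prof in profiles.items():
        baseline = CLASS_BASELINE[prof["class"]]
        via_group = inherited_authorities(profiles, name)
        excess = (prof["held"] | via_group) - baseline
        if excess:
            findings[name] = {
                "direct": sorted(excess & prof["held"]),
                "inherited": sorted(excess & (via_group - prof["held"])),
            }
    return findings


def format_report(findings):
    """One line per finding, in the spirit of the MISMATCH report."""
    lines = []
    for name in sorted(findings):
        f = findings[name]
        parts = []
        if f["direct"]:
            parts.append("holds " + " ".join(f["direct"]))
        if f["inherited"]:
            parts.append("inherits " + " ".join(f["inherited"]) + " from group")
        lines.append(f"{name:10} {'; '.join(parts)}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_mismatches(parse_export(SAMPLE_EXPORT))):
        print(line)
```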
Monitoring User Environments
One role of the user profile is to define the environment for the user, including the output queue, the initial menu, and the job description. The user's environment affects how the user sees the system and, to some extent, what the user is allowed to do. The user must have authority to the objects that are specified in the user profile. However, if your authority scheme is still in progress or is not very restrictive, the user environment that is defined in a user profile may produce results that you do not intend. Following are several examples:
SECBATCH menu options: 29 to submit immediately; 68 to use the job scheduler.

v The user's job description may specify a user profile that has more authority than the user.
v The user may have an initial menu that does not have a command line. However, the user's attention-key-handling program may provide a command line.
v The user may be authorized to run confidential reports. However, the user's output may be directed to an output queue that is available to users who should not see the reports.

You can use the ENVINFO option of the Print User Profile (PRTUSRPRF) command to help you monitor the environments that are defined for system users. Figure 13 on page 81 shows an example of the report:
User Profile Information
Report type . . . . . . . : ENVINFO
Select by . . . . . . . . : USRCLS

User        Current   Initial    Initial     Job            Message      Output       Attention
Profile     Library   Menu/      Program/    Description/   Queue/       Queue/       Program/
                      Library    Library     Library        Library      Library      Library
AUDSECOFR   AUDITOR   MAIN       NONE        QDFTJOBD       QSYSOPR      WRKSTN       SYSVAL
                      LIBL                   QGPL           QSYS
USERA       CRTDFT    OEMENU     NONE        QDFTJOBD       USERA        WRKSTN       SYSVAL
                      LIBL                   QGPL           QUSRSYS
USERB       CRTDFT    INVMENU    NONE        QDFTJOBD       USERB        WRKSTN       SYSVAL
                      LIBL                   QGPL           QUSRSYS
USERC       CRTDFT    PAYROLL    NONE        QDFTJOBD       USERC        PAYROLL      SYSVAL
                      LIBL                   QGPL           QUSRSYS      PRPGMLIB

Figure 13. Print User Profile - User Environment Example
Managing Service Tools
Service tools (DST) are used to:
v diagnose system problems
v add hardware resources to the system
v manage DASD or memory
v manage LPAR (logical partition) activities
v review the LIC and product activity logs
v perform main storage dumps

Service tools can be used for taking the pulse of the system, that is, seeing how the system is functioning at that time. Those tools have not changed, but what you can do with them has. There are now new ways to manage service tools security on your system:
v Service Tools User Profiles
v Service Tools Device Profiles
v Service Tools Security Data

These new functions can be accessed via the Work with DST Environment screen, as seen here:
                        Work with DST Environment
                                                          System: ____________
Select one of the following:

     1. Active service tools
     2. System devices
     3. Service tools user profiles
     4. System values
     5. Service tools device profiles
     6. Service tools security data

Selection
  _

Figure 14. Work with DST Environment
Once a Service Tools User Profile has been created, sign on using the procedure described in Signing on to System Service Tools (SST) on page 94.
Service Tools Server STS
The Service Tools Server (STS) allows you to use your PC to perform DST functions via TCP/IP. In order to use the STS to perform GUI-based LPAR or Disk Management activities, you need to make the STS available. The STS can be configured for DST, OS/400, or both. Once configured, authorized users will be able to perform LPAR or Disk Management functions using Operations Navigator.

Note: Until you have configured the STS for DST or OS/400, you will be unable to access any Operations Navigator-available DST function.
Configuring the Service Tools Server for DST
In V5R1, the STS can be configured to be available when the system is at DST. If you use only the Operations Console with LAN connectivity to perform DST activities, the STS does not need to be reconfigured, as it is already available to you when the system is at DST. Otherwise, you can enable the STS through DST by dedicating a network interface card to the STS.

To enable the STS with its own network interface card:
1. From the Use Dedicated Service Tools (DST) screen, select 5 (Work with DST environment) and press Enter. The Work with DST Environment screen (see Figure 14 on page 81) appears.
2. From the Work with DST Environment screen, select 2 (System devices) and press Enter. The Work with System Devices screen appears.
3. From the Work with System Devices screen, select 6 (Console mode) and press Enter. The Select Console Type screen appears.
                           Select Console Type
                                                          System: ____________
Select one of the following:

     1. Twinaxial
     2. Operations console (Direct)
     3. Operations console (LAN)

Selection
  _

Figure 15. Select Console Type screen
4. From the Select Console Type screen, press F11 (Configure). The Configure Service Tools Adapter screen appears.
5. From the Configure Service Tools Adapter screen, enter the LAN Adapter and TCP/IP information. Press F1 (Help) for the type of information required in each field.
                      Configure Service Tools Adapter
                                                          System: ____________
Type choices, press Enter to verify input.

  Resource name . . . . . . . :  CMN03
  Adapter type  . . . . . . . :  2724
  Adapter model . . . . . . . :  001
  Adapter serial number . . . :  12-1234567
  Internet address  . . . . . :  ____________
  Primary router address  . . :  ____________
  Secondary router address  . :  ____________
  Subnet mask . . . . . . . . :  ____________
  System name . . . . . . . . :  ____________
  Node  . . . . . . . . . . . :  000000000000   0 is default
  Duplex  . . . . . . . . . . :  AUTO           HALF, FULL, AUTO
  Network speed . . . . . . . :  AUTO           4,10,15,100,AUTO

F3=Exit   F5=Load   F6=Clear   F7=Store   F12=Cancel   F13=Deactivate   F14=Activate

Figure 16. Configure Service Tools Adapter screen
6. Press F7 (Store) to commit your changes.
7. Press F14 (Activate) to activate the adapter.

The STS is ready to use with a valid Service Tools User Profile (see Creating a Service Tools User Profile on page 86).
Configuring the Service Tools Server for OS/400
You must add the STS to the service table in order to access DST functions on the OS/400 using TCP/IP and Operations Navigator. The STS can be added prior to configuring your local area network (LAN).

To add the STS to the service table:
1. From any command line, type ADDSRVTBLE (Add Service Table Entry) and press Enter. The Add Service Table Entry screen appears.
2. Enter the following information in the fields provided:
   v Service: as-sts
   v Port: 3000
   v Protocol: tcp
   v Text description: Service Tools Server (This field is optional, but you are strongly encouraged to enter a description of the table entry.)
3. Press F10 (Additional Parameters).
4. Enter AS-STS in the Alias field. The Alias must be capitalized, because some service table searches are case sensitive.
                     Add Service Table Entry (ADDSRVTBLE)

Type choices, press Enter.

Service . . . . . . . . . . . . . > as-sts
Port  . . . . . . . . . . . . . . > 3000           1-65535
Protocol  . . . . . . . . . . . . > tcp
Text description  . . . . . . . . > 'Service Tools Server'

                          Additional Parameters

Aliases . . . . . . . . . . . . . > AS-STS
               + for more values

Figure 17. Completed Add Service Table Entry (ADDSRVTBLE) screen
5. Press Enter to add the table entry.
6. Press F3 to exit the Add Service Table Entry screen.
7. Enter ENDTCP (End TCP).
8. Enter STRTCP (Start TCP).

Verify that the service tools server is listening on port 3000 by entering NETSTAT OPTION(*CNN) from a 5250 session. Look for as-sts under the heading Local Port with a State value of Listen.

If you will be using Operations Navigator to perform Disk or Logical Partition configuration and management, you need to do the following once per system:
1. From an Operations Navigator work station for your current system, right-click the system name under My Connections. (For your environment, you may use your own name for the connections function instead of the default My Connections.)
2. Select Application Administration. Click OK on the first window. On the next window select the Host Applications tab, expand Operating System/400, and expand Service.
3. Click on any of the service tools that you want to authorize for the service tools user: Disk Units, QIBM_QYTP_SERVICE_LPARMGMT, and/or Service Trace.
4. Press OK. These functions are now available to the Operations Navigator user, provided they have a Service Tools profile.

Once the STS has been added to the service table, authorized users (see Creating a Service Tools User Profile on page 86) can access the LPAR and Disk Management service tools using Operations Navigator and TCP/IP. Note that, as with all Service Tools user profiles, you can selectively grant or restrict a user to specific functions.
Using Service Tools User Profiles
In the past, authorized users could access any service tool on your system if they had a valid password and user ID. Users who needed access to only one tool could access all tools. This posed a potential security risk: the Display/Alter/Dump tool, for instance, is very powerful and it should be used only by a small number of users. However, it was available for any user authorized to use other tools, such as DASD management.

You can now create user-defined profiles that can be granted functional privilege to the service tools. Users can be granted privileges to specific tools, such as DASD management or LPAR, or to a group of tools. You can define as many as 96 different user profiles, bringing the total number to 100, including the four supplied by IBM, which will allow you to manage access to service tools more effectively. IBM continues to supply standard user profiles: QSECOFR, which has access to all service tools and can work with and change UIDs and passwords; 11111111, which has basic access privileges; and 22222222, more advanced than 11111111 but without all of the capabilities of QSECOFR. IBM has also added a new user profile, QSRV, which has much of the same functionality as 22222222, but without the ability to Display/Alter/Dump.

Note: All IBM-supplied service tools user profiles except for 11111111 will expire after they are used for the first time. You should immediately change the passwords for these profiles (see Changing a Service Tools User Profile on page 86).
Working with Service Tools User Profiles
The Service Tools User Profiles are not simply comprised of a user ID and password. They also have an expiration date, which allows you to minimize your system's security risk. For example, you can create a profile for a service technician that is valid for a short time, granting that technician access to only the service tools necessary. The profile can also be disabled if the user it is associated with leaves, minimizing a former employee's potential to maliciously access service tools. Each user profile also has a functional privilege list associated with that profile. You can select the functional privilege list of specific tools each user profile will have access to, and easily grant and revoke functional privileges any time you want.
Tip: Use Service Tools User Profiles to manage access to key service tools. Create a profile to handle the tasks of the QSECOFR. Then, if that person is on vacation, the alternate profile can be used to perform these tasks.

From the Work with DST Environment screen, press 3 (Service tools user profiles) to work with Service Tools User Profiles.
                   Work with Service Tools User Profiles
                                                        System: _______________
Type option, press Enter.
  1=Create   2=Change password   3=Delete   4=Display
  5=Enable   6=Disable   7=Change privileges   8=Change description

         User
Option   Profile        Description                                   Status
 ____    ____________   ________________________________________      ________
 ____    ____________   ________________________________________      ________
 ____    ____________   ________________________________________      ________
                                                                      More...
F3=Exit   F5=Refresh   F12=Cancel

Figure 18. Work with Service Tools User Profiles
From the screen shown in Figure 18, you can create, change, delete, and display user profiles. Access to DASD management and LPAR functions is GUI-based in this release, and all other tools may be accessed via green screen.

Creating a Service Tools User Profile: To create a Service Tools User Profile:
1. Enter the name of the new service tools user in the space provided.
2. Select 1 (Create) from the Work with Service Tools User Profiles screen. The Create Service Tools User Profile screen appears.
3. Enter information about the new user profile:
   v Passphrase: This passphrase will be used by the new user profile. This phrase must be at least one character in length. No other passphrase composition rules apply.
   v Allow profile access before storage management recovery: The default for this field is 2 (No).
   v Set password to expire: The default for this field is 1 (Yes).
   v Description: This is an optional field, which can be used for more detailed information about the owner of the user profile, such as name, department, and phone number.
4. Once all information about the user profile has been entered, you can choose one of two options:
   v To create the profile with the default privileges, press Enter.
   v To change the default privileges, press F5 to go to the Change Service Tools User Privileges screen. This screen lists all service tools to which privilege may be granted. To change a privilege, see Changing a Service Tools User Profile for more information.

To learn how to sign on to System Service Tools (SST), see Signing on to System Service Tools (SST) on page 94.

Changing a Service Tools User Profile: To change a Service Tools User Profile:
1. On the Work with Service Tools User Profiles screen, select the user profile to change and press 7 (Change privileges) in the option field. The Change Service Tools User Privileges screen appears.
   a. Enter 1 (Revoke) in the option field next to the functional privileges you want to remove from the user profile.
   b. Enter 2 (Grant) in the option field next to the functional privileges you want to add to the user profile.
2. Press Enter to enable these changes. If you press F3 (Exit) before pressing Enter, the changes will not take effect, and the user profile will be reset with the default values. If you press F9 (Defaults), the functional privileges will be reset to the default values.

To change a service tools user profile password:
1. On the Work with Service Tools User Profiles screen, select the user profile to change and press 2 (Change password) in the option field.
   a. If you have the system administrative privilege of changing other users' service tools user profiles, the Change Service Tools User Password (Another User) screen appears. Complete the following fields:
      v Service tools user profile name: Enter the user profile name you wish to change.
      v New password: Enter a new passphrase.
      v Set Password to expired: Select 1 (Yes) or 2 (No) in this field. The default value is 1 (Yes).
   b. If you do not have the system administrative privilege of changing other users' service tools user profiles, the Change Service Tools User Password screen appears. Complete the following fields:
      v Current password: Enter the passphrase currently in use for the user profile.
      v New password: Enter the new passphrase.
      v New password (to verify): Re-enter the new passphrase.
2. Press Enter to execute the change.

To change a Service Tools User Profile Description:
1. On the Work with Service Tools User Profiles screen, select the user profile description to change and press 8 (Change description) in the option field.
2. In the Description field, enter a new description for the user profile. This may include the user's name, department, and telephone number.

Deleting a Service Tools User Profile: To delete a Service Tools User Profile:
1. On the Work with Service Tools User Profiles screen, select the user profile you wish to delete and press 3 (Delete) in the option field. The Delete Service Tools User Profile screen appears.
2. You are prompted for confirmation of your choice to delete the user profile.
   v Press Enter to delete the profile.
   v Press F12 (Cancel) to cancel the action and return to the Work with Service Tools User Profiles screen.

Displaying a Service Tools User Profile: To display a Service Tools User Profile:
1. On the Work with Service Tools User Profiles screen, select the user profile you wish to display and press 4 (Display). The Display Service Tools User Profile screen appears. This screen displays information relating to the user profile:
   v Previous sign on date and time
   v Sign-on attempts not valid
   v Status
   v Date password last changed
   v Allow profile access before storage management recovery (Yes or No)
   v Date password expires (date)
   v Password set to expire (Yes or No)
2. Press F5 (Display privileges) to view the functional privileges associated with this profile. The Display Service Tools User Privileges screen appears. This screen lists all functional privileges and the user's status for each. You cannot make changes to the user profile from this screen.

Enabling or Disabling a Service Tools User Profile:
v To enable a Service Tools User Profile:
  1. On the Work with Service Tools User Profiles screen, select the user profile you wish to enable and enter 5 (Enable) in the option field. The Enable Service Tools User Profile screen appears.
  2. Press Enter to confirm your choice to enable the user profile you selected.
v To disable a Service Tools User Profile:
  1. On the Work with Service Tools User Profiles screen, select the user profile you wish to disable and enter 6 (Disable) in the option field. The Disable Service Tools User Profile screen appears.
  2. Press Enter to confirm your choice to disable the user profile you selected.
Using Service Tools Device Profiles
New in this release is the enhancement to security for the new LAN-based Operations Console (see Tips for Using Operations Console with LAN connectivity on page 101). Device profiles allow any Operations Console device on a LAN to act as the console. This removes the limitation of physical proximity to the iSeries, and allows a more flexible console arrangement to suit your business needs.

Note: Any Operations Console device can be a console, but only LAN-based configurations use the service tool user profile.

Because any Operations Console device can be the console, console function can be spread across multiple devices on the LAN. For example, one device may have the functional privilege to perform LPAR functions only, while another performs DASD management. A maximum of 50 device profiles can be created to handle console activities on the LAN, and any device attempting to act as a console on the LAN is authenticated by the iSeries before console functions are performed. This authentication involves confirming that the device has the functional privilege to perform the console functions it is requesting, as well as confirming that it is an authorized device on the LAN.

From the Work with DST Environment screen, select 5 (Service tools device profiles).
Working with Service Tools Device Profiles
                   Work with Service Tools Device Profiles
                                                          System: ___________
Type option, press Enter.
  1=Create   2=Reset Password   3=Delete   4=Display
  5=Enable   6=Disable   7=Change Attributes   8=Change Description

         Device
Option   Profile         Description                                  Status
 ____    _____________   ________________________________________     _________
 ____    _____________   ________________________________________     _________
 ____    _____________   ________________________________________     _________
                                                                      More...
F3=Exit   F5=Refresh   F12=Cancel

Figure 19. Work with Service Tools Device Profiles
Creating a Service Tools Device Profile: To create a Service Tools Device Profile:
1. Select 1 (Create) from the Work with Service Tools Device Profiles screen. The Create Service Tools Device Profile screen appears.
2. Enter the name of the new service tools device profile in the space provided.
3. Enter information about the new device profile:
   v Passphrase: This passphrase will be used by the new device profile.
   v Description: This is an optional field, which can be used for more detailed information about the owner of the device profile, such as name, department, and phone number.
4. Once all information about the device profile has been entered, you can choose one of two options:
   v To create the profile with the default attributes, press Enter.
   v To change the default attributes, press F5 to go to the Change Service Tools Device Attributes screen. This screen lists all service tools to which privilege may be granted. To change a privilege, see Changing a Service Tools Device Profile on page 90 for more information.

Resetting a Service Tools Device Profile: To reset a Service Tools Device Profile password:
1. On the Work with Service Tools Device Profiles screen, select the device profile and press 2 (Reset Password) in the option field. The Reset Service Tools Device Password screen appears.
2. Press Enter to confirm the password reset.
   Note: The password is reset to the device profile name.
3. Reset the password on your PC. Refer to the Resynchronizing the PC and iSeries device profile passwords appendix in the Operations Console Setup manual.
Changing a Service Tools Device Profile: To change Service Tools Device Attributes:
1. On the Work with Service Tools Device Profiles screen, select the device profile to change and press 7 (Change attributes) in the option field. The Change Service Tools Device Attributes screen appears.
   a. Enter 1 (Revoke) in the option field next to the service attribute you want to remove from the device profile.
   b. Enter 2 (Grant) in the option field next to the service attribute you want to add to the device profile.
2. Press Enter to execute these changes. If you press F3 (Exit) before pressing Enter, the changes will not take effect, and the device attributes will be reset with the default values. If you press F5 (Reset) before pressing Enter, the device attributes will be reset to the default values.

To change a Service Tools Device Profile Description:
1. On the Work with Service Tools Device Profiles screen, select the device profile description to change and press 8 (Change description) in the option field.
2. In the Description field, enter a new description for the device profile. This may include the user's name, department, and telephone number.
Deleting a Service Tools Device Profile
To delete a Service Tools Device Profile:
1. On the Work with Service Tools Device Profiles screen, select the device profile you wish to delete and press 3 (Delete) in the option field. The Delete Service Tools Device Profile screen appears.
2. You are prompted for confirmation of your choice to delete the device profile.
   v Press Enter to delete the profile.
   v Press F12 (Cancel) to cancel the action and return to the Work with Service Tools Device Profiles screen.
Displaying a Service Tools Device Profile
To display a Service Tools Device Profile:
1. On the Work with Service Tools Device Profiles screen, select the device profile you wish to display and press 4 (Display). The Display Service Tools Device Profile screen appears. This screen displays information relating to the device profile:
   v Status
   v Description
2. Press F5 (Display attributes) to view the attributes associated with this profile. The Display Service Tools Device Attributes screen appears. This screen lists all device attributes and the profile's status for each. You cannot make changes to the device attributes from this screen.
Enabling or Disabling a Service Tools Device Profile
v To enable a Service Tools Device Profile:
  1. On the Work with Service Tools Device Profiles screen, select the device profile you wish to enable and enter 5 (Enable) in the option field. The Enable Service Tools Device Profile screen appears.
  2. Press Enter to confirm your choice to enable the device profile you selected.
v To disable a Service Tools Device Profile:
  1. On the Work with Service Tools Device Profiles screen, select the device profile you wish to disable and enter 6 (Disable) in the option field. The Disable Service Tools Device Profile screen appears.
  2. Press Enter to confirm your choice to disable the device profile you selected.
Using Service Security Data
Once you have a security plan in place, you need to be able to monitor its effectiveness, and see where alterations are required to fine-tune the security of your system. The information you can gather from Service Security Data can help you do that. The options available to you from this screen also allow you to alter key password and operating system security.

From the Work with DST Environment screen, select option 6 (Service tools security data).
Working with Service Security Data
The options available to you from the Service Security Data screen allow you to view system security logs to track security-related activity being performed on your iSeries (see Working with Service Tools Security Log on page 93). You can also save and restore security data, set and change password levels, reset the operating system default password, and change the operating system install security.
                   Work with Service Tools Security Data
                                                          System: ____________
Select one of the following:

     1. Reset operating system default password
     2. Change operating system install security
     3. Work with service tools security log
     4. Restore service tools security data
     5. Save service tools security data
     6. Password level

Selection
  _

Figure 20. Work with Service Tools Security Data
Resetting operating system default password: To reset the operating system default password:
1. From the Work with Service Tools Security Data screen, select 1 (Reset operating system default password). The Confirm Reset of System Default Password screen appears.
                  Confirm Reset of System Default Password
                                                          System: ____________
Press Enter to confirm your choice to reset the operating system
security officer sign-on password. The password will be reset to
the default assigned when the system was shipped.

Press F12 to return to change your choice.

F12=Cancel
Operating system password override not in effect.

Figure 21. Reset the operating system default password
2. Press Enter to confirm the reset. A confirmation message appears.
                  Confirm Reset of System Default Password
                                                          System: ____________
Press Enter to confirm your choice to reset the operating system
security officer sign-on password. The password will be reset to
the default assigned when the system was shipped.

Press F12 to return to change your choice.

F12=Cancel
Operating system password override set.

Figure 22. Confirm Reset of System Default Password
The default system password is QSECOFR. You should change this default password immediately. Default passwords are widely published, and a failure to change this default represents a significant security vulnerability to your system.

Changing operating system install security: To change operating system install security:
1. From the Work with Service Tools Security Data screen, select 2 (Change operating system install security). The Change Operating System Install Security screen appears.
               Change Operating System Install Security
                                                          System: ____________
Type choice, press Enter.

  Secure operating system install . . . . . _   1=Secure
                                                2=Not secure

F3=Exit   F12=Cancel
Operating system install is currently not secure.

Figure 23. Change operating system install security
2. Select option 1 (Secure). The Work with Service Tools Security Data screen reappears, with the Operating system install is now secure message displayed.

Repeat this procedure and select option 2 from the Change Operating System Install Security screen to change from a secured to an unsecured operating system install status.

Working with Service Tools Security Log: Any time a user signs on using a service tool user profile, the event is logged. This log can help you trace unusual access patterns or other potential security risks. To work with the Service Tools Security Log:
1. From the Work with Service Tools Security Data screen, select 3 (Work with service tools security log). The Work with Service Tools Security Log screen appears. This screen displays security related activity by date and time.
2. (Optional) Press F6 (Print) to print this log.
3. (Optional) Press 5 (Display details) in the option field of the activity you are interested in.
   v If the activity is related to a grant or revoke privilege, the Display Service Tools Security Log Details screen appears showing the following information: Time of activity; Activity description; Profile of the changer; Affected profile; Privilege description.
   v If the activity is related to enabling or disabling a profile, the Display Service Tools Security Log Details screen appears showing the following information: Time of activity; Activity description; Profile of the changer; Affected profile.
   v If the activity is related to any other type of event, the Display Service Tools Security Log Details screen appears showing the following information: Time of activity; Activity description; Affected profile.

Restoring Service Tools Security Data: To restore the Service Tools Security Data:
1. From the Work with Service Tools Security Data screen, select 4 (Restore service tools security data). The Select Media Type screen appears.
2. Select one of the available options:
   v Tape
     a. Press Enter to restore. The Work with Tape Devices screen appears.
     b. You may choose to select, deselect, or display details on any of the tape devices that appear. If you choose to select, continue to Step 3.
   v Optical
     a. Press Enter to restore. The Work with Optical Devices screen appears.
     b. You may choose to select, deselect, or display details on any of the optical devices that appear. If you choose to select, continue to Step 3.
3. The instructions for selecting the device from which you want to restore security data are the same for tape and optical devices.
   a. Enter option 1 (Select) in the option field next to the resource you want to work with. The Restore Service Tools User Profiles screen appears.
   b. Select one of these options:
      • To restore all service tools user profiles:
        1. Select option 1.
        2. Press Enter. All profiles are restored.
      • To choose the service tools user profiles you wish to restore:
        1. Select option 2 and press Enter. The Select Service Tools User Profile to Restore screen appears.
        2. Enter option 1 (Select) in the option field next to the profile you wish to restore.

Saving Service Tools Security Data: To save the Service Tools Security Data:

1. From the Work with Service Tools Security Data screen, select 5 (Save service tools security data). The Save Service Tools Security Data screen appears.
2. Select one of the available options:
   • Tape
     a. Press Enter to save. The Work with Tape Devices screen appears.
     b. You may choose to select, deselect, or display details on any of the tape devices that appear. Enter the appropriate option value in the option field next to the tape device to which you want to save the security data.
   • Optical
     a. Press Enter to save. The Work with Optical Devices screen appears.
     b. You may choose to select, deselect, or display details on any of the optical devices that appear. Enter the appropriate option value in the option field next to the optical device to which you want to save the security data.

Confirming Password Level: To confirm the password level:

1. From the Work with Service Tools Security Data screen, select 6 (Password Level). The Confirmation to Set Password Level screen appears.
2. Note any system messages that appear.
3. Press Enter to confirm the password level change.
Signing on to System Service Tools (SST)

In V5R1, the signon procedure to access System Service Tools (SST) has changed slightly to provide increased security for the service tool area. To access SST:

1. Type STRSST (Start SST) on the command line. The Start SST Signon screen appears.
                              Start SST Signon

   User Profile:   ________________________
   User Password:  ________________________

Figure 24. Start SST Signon
2. Enter the following information:
   • User Profile: this profile must be created from the DST environment (see "Creating a Service Tools User Profile" on page 86).
   • Password: the passphrase associated with this user profile.
3. Press Enter.
Chapter 8. Using Logical Partitions (LPAR) Security
Having multiple logical partitions on a single iSeries 400 system could prove beneficial in the following scenarios:

• Maintaining Independent Systems: Dedicating a portion of the resources (disk storage unit, processors, memory, and I/O devices) to a partition achieves logical isolation of software. Logical partitions also have some hardware fault tolerance if configured properly. Interactive and batch workloads which may not run well together on a single machine can be isolated and run efficiently in separate partitions.
• Consolidation: A logically partitioned system can reduce the number of iSeries 400 systems that are needed within an enterprise. You can consolidate several systems into a single logically partitioned system. This eliminates the need for, and expense of, additional equipment. You can shift resources from one logical partition to another as needs change.
• Creating a Mixed Production and Test Environment: You can create a combination production and test environment. You can create a single production partition in the primary partition. For multiple production partitions, see "Creating a Multiple Production Partition Environment" below. A logical partition is either a test or production partition. A production partition runs your main business applications. A failure in a production partition could significantly hinder business operations and cost you time and money. A test partition tests software. A failure in a test partition, while not necessarily planned, will not disrupt normal business operations.
• Creating a Multiple Production Partition Environment: You should create multiple production partitions only in your secondary partitions. In this situation, you dedicate the primary partition to partition management.
• Hot Backup: When a secondary partition replicates to another logical partition within the same system, switching to the backup during partition failure would cause minimal inconvenience. This configuration also minimizes the effect of long save windows. You can take the backup partition off line and save, while the other logical partition continues to perform production work. You will need special software to use this hot backup strategy.
• Integrated Cluster: Using OptiConnect/400 and high availability application software, your partitioned system can run as an integrated cluster. You can use an integrated cluster to protect your system from most unscheduled failures within a secondary partition.

Note: When setting up a secondary partition, additional considerations for card locations need to be made. If the Input/Output Processor (IOP) you select for the console also has a LAN card and the LAN card is not intended for use with Operations Console, it will be activated for use by the console and you may not be able to use it for your intended purposes. For more information on working with Operations Console, see "Chapter 9. Tips for using AS/400 Operations Console" on page 99.

Refer to Logical Partitions in the iSeries Information Center for more detailed information on this topic.
Managing security for logical partitions
The security-related tasks you perform on a partitioned system are the same as on a system without logical partitions. However, when you create logical partitions, you work with more than one independent system. Therefore you will have to perform the same tasks on each logical partition instead of just once on a system without logical partitions. Here are some basic rules to remember when dealing with security on logical partitions:

• You add users to the system one logical partition at a time. You need to add users to each logical partition you want them to access.
• Limit the number of people who have authority to go to dedicated service tools (DST) and system service tools (SST) on the primary partition. Refer to the "Managing logical partitions with Operations Navigator along with DST and SST" topic in the iSeries Information Center for more information on DST and SST. Refer to "Managing Service Tools" on page 81 for information on using service tool user profiles to control access to partition activities.
  Note: You must initialize the Service Tools Server (STS) before using Operations Navigator to access LPAR functions. See "Service Tools Server (STS)" on page 82 for instructions.
• Secondary partitions cannot see or use main storage and disk units of another logical partition.
• Secondary partitions can only see their own hardware resources.
• The primary partition can see all system hardware resources in the Work with System Partitions displays of DST and SST.
• The primary partition operating system still only sees its resources available.
• The system control panel controls the primary partition. When you set the panel mode to Secure, no actions can be performed on the Work with Partition Status display from SST. To force DST from the system control panel, you must change the mode to Manual.
• When you set the operating mode of a secondary partition to secure, you restrict the usage of its Work with Partition Status in these ways:
  - You can only use DST on the secondary partition to change partition status; you cannot use SST to change partition status.
  - You can only force DST on the secondary partition from the primary partition Work with Partition Status display, using either DST or SST.
  - You can only use DST on the primary partition to change a secondary partition mode from secure to any other value. Once a secondary partition's mode is no longer secure, you can use both DST and SST on the secondary partition to change partition status.

For more information on security on your iSeries 400, refer to the Security Reference book and the Basic system security and planning pages of the iSeries Information Center.
Chapter 9. Tips for using AS/400 Operations Console
In V4R3, IBM introduced AS/400 Operations Console, which allows you to use your PC to access and control your iSeries system. In V4R4, support was added so that a remote PC can dial in to an iSeries without a console device and become the console. When you use Operations Console, be aware of the following:

• You can do any tasks that you could do from a traditional console from Operations Console. For example, user profiles that have SERVICE or ALLOBJ special authority are able to sign on to the Operations Console session, even if they are disabled.
• Operations Console uses Service Tools User Profiles and passwords to enable the connection to iSeries 400. This makes it especially important to change your Service Tools User Profiles and passwords. Hackers are likely to be familiar with the default Service Tools User Profiles userids and passwords, and could use them to attempt a remote console session to your iSeries. See "Changing Well-Known Passwords" on page 31 and "Avoiding Default Passwords" on page 37 for tips on passwords.
• To protect your information when using the Remote Console, use the call back option of Windows Dial-Up Networking.
• When setting up a secondary partition, additional considerations for card locations need to be made. If the Input/Output Processor (IOP) you select for the console also has a LAN card and the LAN card is not intended for use with Operations Console, it will be activated for use by the console and you may not be able to use it for your intended purposes.

In V5R1, Operations Console was enhanced to enable console activities to be performed across a local area network (LAN). Enhanced authentication and data encryption provide network security for console procedures. To use Operations Console with LAN connectivity, you are strongly encouraged to install the following products:

• Cryptographic Access Provider, 5722AC2 or 5722AC3, on your iSeries 400
• Client Encryption, 5722CE2 or 5722CE3, on your Operations Console PC

In order for the console data to be encrypted, the iSeries must have one of the Cryptographic Access Provider products installed and the PC must have one of the Client Encryption products installed.

Note: If no cryptographic products are installed, there won't be any data encryption. The table below summarizes the encryption results of the available products:
Table 13. Encryption results

Cryptographic Access Provider   Client Encryption on your    Resulting Data
on your iSeries 400             Operations Console PC        Encryption
None                            None                         None
5722AC2                         5722CE2                      56 bit
5722AC2                         5722CE3                      56 bit
5722AC3                         5722CE2                      56 bit
5722AC3                         5722CE3                      128 bit
For additional information about setting up and administering AS/400 Operations Console, see Operations Console Setup.
Operations Console Security Overview
Operations Console security consists of:

• console device authentication
• user authentication
• data privacy
• data integrity

Operations Console with direct connectivity has implicit device authentication, data privacy, and data integrity due to its point-to-point connection. User authentication security is required to sign on to the console display.
Console Device Authentication
Console device authentication assures which physical device is the console. Operations Console with direct connectivity uses a physical connection similar to a twinaxial console. Operations Console using a direct connection may be physically secured similar to a twinaxial connection to control access to the physical console device. Operations Console with LAN connectivity uses a version of secure sockets layer (SSL) which supports device and user authentication but without using certificates. For this form of connection, device authentication is based on a service tools device profile. See "Using Service Tools Device Profiles" on page 88 for information on using service tool device profiles. Refer to page 101 for more details.
User Authentication
User authentication provides assurance about who is using the console device. All issues related to user authentication are the same regardless of console type.
Data Privacy
Data privacy provides confidence that the console data can only be read by the intended recipient. Operations Console with direct connectivity uses a physical connection similar to a twinaxial console, or a secure network connection for LAN connectivity, to protect console data. Operations Console using a direct connection has the same data privacy as a twinaxial connection. If the physical connection is secure, the console data remains protected. Operations Console with LAN connectivity uses a secure network connection if the appropriate cryptographic products are installed (ACx and CEx). The console session uses the strongest encryption possible depending on the cryptographic products installed on the iSeries and the PC running Operations Console.

Note: If no cryptographic products are installed, there will not be any data encryption.
Data Integrity
Data integrity provides confidence that the console data has not changed en route to the recipient. Operations Console with direct connectivity uses a physical connection similar to a twinaxial console, or a secure network connection for LAN connectivity, to protect console data. Operations Console using a direct connection has the same data integrity as a twinaxial connection. If the physical connection is secure, the console data remains protected. Operations Console with LAN connectivity uses a secure network connection if the appropriate cryptographic products are installed (ACx and CEx). The console session uses the strongest encryption possible depending on the cryptographic products installed on the iSeries and the PC running Operations Console.

Note: If no cryptographic products are installed, there will not be any data encryption.
Tips for Using Operations Console with LAN connectivity
Note: Any Operations Console device can be a console, but only LAN-based configurations use the service tool user profile. The iSeries is shipped with a default service tools device profile of QCONSOLE with a default password of QCONSOLE. Operations Console with LAN connectivity will change the password during each successful connection. See "Using the Operations Console Setup Wizard" for more information.

For additional information about iSeries 400 Operations Console with LAN connectivity, refer to the Information Center (see "Prerequisite and related information" on page xii for details).
Tips for Protecting Operations Console with LAN connectivity
When using Operations Console with LAN connectivity, the items below are recommended:

• Create another service tools device profile with console attributes and store the profile information in a safe place.
• Install Cryptographic Access Provider, 5722AC2 or 5722AC3, on your iSeries 400 and Client Encryption, 5722CE2 or 5722CE3, on your Operations Console PC.
• Choose a non-trivial service device information password. For more information on service tools device passwords, see "Using Service Tools Device Profiles" on page 88.
• Protect the Operations Console PC in the same manner you would protect a twinaxial console or an Operations Console with direct connectivity.
Using the Operations Console Setup Wizard
The setup wizard will add the necessary information to the PC when using Operations Console with LAN connectivity. The setup wizard asks for the service tools device profile, the service tools device profile password, and a password to protect the service tools device profile information.
Figure 25. Passwords protect service device profile information
Note: The service tools device profile information password is used to lock and unlock the service tools device profile information (service tools device profile and password) on the PC. When establishing a network connection, the Operations Console setup wizard will prompt you for the service device information password to access the encrypted service tools device profile and password. You will also be prompted for a valid service tools user identification and password.
Chapter 10. Detecting Suspicious Programs
Recent trends in computer usage have increased the likelihood that your system has programs from untrusted sources or programs that perform unknown functions. Following are examples:

• A personal computer user sometimes obtains programs from other PC users. If the PC is attached to your iSeries system, that program can affect your iSeries.
• Users who connect to networks can also obtain programs, for example from bulletin boards.
• Hackers have become more active and renowned. They often publish their methods and their results. This can lead to imitation by normally law-abiding programmers.

These trends have led to a problem in computer security that is called a computer virus. A virus is a program that can change other programs to include a copy of itself. The other programs are then said to be infected by the virus. Additionally, the virus can perform other operations that can take up system resources or destroy data. The architecture of iSeries provides some protection from the infectious characteristics of a computer virus. "Protecting Against Computer Viruses" describes this. An iSeries security administrator needs to be more concerned about programs that perform unauthorized functions. The remaining topics in this chapter describe ways that someone with ill intentions might set up harmful programs to run on your system. The topics provide tips for preventing programs from performing unauthorized functions.
Security Tip: Object authority is always your first line of defense. If you do not have a good plan for protecting your objects, your system is defenseless. This chapter discusses ways that an authorized user might try to take advantage of loop-holes in your object authority scheme.
Protecting Against Computer Viruses
A computer that has a virus infection has a program that can change other programs. The object-based architecture of iSeries makes it more difficult for a mischief-maker to produce and spread this type of virus than it is with other computer architectures. On iSeries, you use specific commands and instructions to work on each type of object. You cannot use a file instruction to change an operable program object, which is what most virus-creators do. Nor can you easily create a program that changes another program object. To do this requires considerable time, effort, and expertise, and it requires access to tools and documentation that are not generally available. However, as new iSeries functions become available to participate in the open-systems environment, some of the object-based protection functions of iSeries no longer apply. For example, with the integrated file system, users can directly manipulate some objects in directories, such as stream files.
Also, although iSeries architecture makes it difficult for a virus to spread among iSeries programs, its architecture does not prevent iSeries from being a virus-carrier. As a file server, iSeries can store programs that many PC users share. Any one of these programs might contain a virus that iSeries does not detect. To prevent this type of virus from infecting the PCs that are attached to your iSeries server, you must use PC virus-scan software.

Several functions exist on iSeries to prevent someone from using a low-level language with pointer capability to alter an operable object (program):

• If your system runs at security level 40 or higher, the integrity protection includes protections against changing program objects. For example, you cannot successfully run a program that contains blocked (protected) machine instructions.
• At security level 40 or higher, the program validation value is also intended to protect you when you restore a program that was saved (and potentially changed) on another system. Chapter 2 in the iSeries Security Reference book describes the integrity protection functions for security level 40 and higher, including program validation values.

Note: The program validation value is not foolproof, and it is not a replacement for vigilance in evaluating programs that are restored to your system.

Several tools are also available to help you detect the introduction of an altered program into your system:

• You can use the Check Object Integrity (CHKOBJITG) command to scan objects (operable objects that meet your search values) to ensure that those objects have not been altered. This is similar to a virus-scan function.
• You can use the security auditing function to monitor programs that are changed or restored. The PGMFAIL, SAVRST, and SECURITY values for the authority level system value provide audit records that can help you detect attempts to introduce a virus-type program into your system. Chapter 9 and Appendix F in the iSeries Security Reference book provide more information about audit values and the audit journal entries.
• You can use the force create (FRCCRT) parameter of the Change Program (CHGPGM) command to re-create any program that has been restored to your system. The system uses the program template (observable information) to re-create the program. If the program object has been changed after it was compiled, the system re-creates the changed object and replaces it. If the program template contains blocked (protected) instructions and you are running security level 40 or higher, the system will not re-create the program successfully.
• You can use the QVFYOBJRST (verify objects on restore) system value to prevent the restore of programs that do not have a digital signature or do not have a valid digital signature. When a digital signature is not valid, it means the program has been changed since it was signed by its developer. APIs exist that allow you to sign your own programs, save files, and stream files. For more information on signing and how it can be used to protect your system from attack, see "Tips for Object Signing" on page 116.
Monitoring the Use of Adopted Authority
On iSeries, you can create a program that adopts the authority of the owner of the program. This means that any user who runs the program has the same authorities (private authorities and special authorities) as the user profile that owns the program. Adopted authority is a valuable security tool when it is used correctly. "Tips for Enhancing Menu Access Control with Object Security" on page 59, for example, describes how to combine adopted authority and menus to help you expand beyond menu access control. You can use adopted authority to protect your important files from being changed outside of your approved application programs while you still allow queries against the files.

As security administrator, you should make sure that adopted authority is used properly:

• Programs should adopt the authority of a user profile that has only enough authority to do the necessary functions, not excessive authority. You should be particularly cautious of programs that adopt the authority of a user profile that either has ALLOBJ special authority or owns important objects.
• Programs that adopt authority should have a specific, limited function and should not provide command-entry capability.
• Programs that adopt authority should be secured properly.
• Excessive use of adopted authority may have a negative impact on your system performance. To help you avoid performance problems, review the authority-checking flowcharts and the suggestions for using adopted authority in Chapter 5 of the iSeries Security Reference book.
SECBATCH menu options: 1 to submit immediately, 40 to use the job scheduler.

You can use the Print Adopting Objects (PRTADPOBJ) command (option 21 on the SECTOOLS menu) to help you monitor the use of adopted authority on your system. Figure 26 shows an example of the output from this command:
                    Adopted Objects by User Profile Full Report
   User profile . . . . . . . :  CJWLDR
   Special authorities . . . . :  ALLOBJ AUDIT IOSYSCFG JOBCTL SAVSYS SECADM SERVICE SPLCTL

   ----------Object----------    --------Library--------
                     Public                Public      Private
   Name     Type     Authority   Name      Authority   Authorities
   PGM1     PGM      USE         LIB1      USE         Y
   PGM2     PGM      CHANGE      LIB2      USE         N

Figure 26. Adopted Objects by User Profile Report - Full Report
Figure 26 shows information for one user profile, CJWLDR. It shows the special authorities that CJWLDR has and the programs that adopt CJWLDR's authority. In this example, anyone who has access to a command line can run the programs that adopt CJWLDR's authority because the programs have public authority of USE. This example demonstrates a potentially serious security exposure because of CJWLDR's special authorities.

After you have established a base of information, you can print the changed version of the adopted objects report regularly. It lists new programs that adopt authority and programs that have been changed to adopt authority since you last ran the report. Figure 27 shows an example of the changed report:
                    Adopted Objects by User Profile Changed Report
   User profile . . . . . . . :  CJWLDR
   Special authorities . . . . :  ALLOBJ AUDIT IOSYSCFG JOBCTL SAVSYS SECADM SERVICE SPLCTL
   Last changed report . . . . :  01/21/96 14:23:53

   ----------Object----------    --------Library--------
                     Public                Public      Private
   Name     Type     Authority   Name      Authority   Authorities
   PGMX     PGM      CHANGE      LIB3      CHANGE      Y
   PGMY     PGM      USE         LIB4      USE         N

Figure 27. Adopted Objects by User Profile Report - Changed Report
If you suspect that adopted authority is being misused on your system, you can set the QAUDLVL system value to include PGMADP. When this value is active, the system creates an audit journal entry whenever someone starts or ends a program that adopts authority. The entry includes the name of the user who started the program and the name of the program.
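The review the text walks through for CJWLDR (publicly runnable programs that adopt a powerful profile) and the idea behind the changed report (diff against a saved baseline) can be automated over records shaped like the PRTADPOBJ columns. The following is an added example, not IBM's code; the record layout and all sample records are constructed, with only CJWLDR's values taken from Figure 26.

```python
"""Review helpers modelled on the PRTADPOBJ adopted-objects report.

Added example, not IBM code. The record fields mirror the columns of the
Full Report (Figure 26); the sample records below are constructed, with the
CJWLDR values taken from the report shown in the text.
"""
from dataclasses import dataclass

# *ALLOBJ is the special authority the text singles out; *SECADM and *SERVICE are
# a common addition when reviewing adopting programs (assumption, not from the text).
POWERFUL_SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*SERVICE"}
# Public authorities that let anyone with a command line run a program.
RUNNABLE = {"*USE", "*CHANGE", "*ALL"}


@dataclass(frozen=True)
class AdoptedObject:
    profile: str             # user profile whose authority the program adopts
    special_auts: frozenset  # that profile's special authorities
    name: str
    obj_type: str            # *PGM or *SRVPGM
    public_aut: str          # public authority to the program
    library: str
    lib_public_aut: str      # public authority to the library
    private_auts: bool       # "Private Authorities" column: Y/N


def is_publicly_runnable(rec: AdoptedObject) -> bool:
    """Anyone can run the program only if both it and its library are public *USE or better."""
    return rec.public_aut in RUNNABLE and rec.lib_public_aut in RUNNABLE


def flag_exposures(records):
    """Return (library/name, reason) for adopting programs that expose powerful authority.

    This is the reasoning the text applies to CJWLDR: a publicly runnable program
    that adopts a profile holding *ALLOBJ (or similar) is a serious exposure.
    """
    findings = []
    for rec in records:
        dangerous = rec.special_auts & POWERFUL_SPECIAL_AUTHORITIES
        if dangerous and is_publicly_runnable(rec):
            key = f"{rec.library}/{rec.name}"
            findings.append((key, f"public {rec.public_aut} program adopts {rec.profile} "
                                  f"which holds {' '.join(sorted(dangerous))}"))
    return findings


def changed_since(baseline, current):
    """Mimic the Changed Report: entries that are new, changed, or gone since the baseline."""
    base = {(r.library, r.name, r.obj_type): r for r in baseline}
    cur = {(r.library, r.name, r.obj_type): r for r in current}
    return {
        "new": sorted(k for k in cur if k not in base),
        "changed": sorted(k for k in cur if k in base and cur[k] != base[k]),
        "removed": sorted(k for k in base if k not in cur),
    }


CJWLDR_SPECIAL = frozenset({"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                            "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"})

# Constructed baseline: the two programs from the Full Report.
BASELINE = [
    AdoptedObject("CJWLDR", CJWLDR_SPECIAL, "PGM1", "*PGM", "*USE", "LIB1", "*USE", True),
    AdoptedObject("CJWLDR", CJWLDR_SPECIAL, "PGM2", "*PGM", "*CHANGE", "LIB2", "*USE", False),
]
# Constructed later run: PGM2 tightened to *EXCLUDE, PGMX newly adopting, plus a
# harmless program adopting a profile that has no special authorities.
CURRENT = [
    AdoptedObject("CJWLDR", CJWLDR_SPECIAL, "PGM1", "*PGM", "*USE", "LIB1", "*USE", True),
    AdoptedObject("CJWLDR", CJWLDR_SPECIAL, "PGM2", "*PGM", "*EXCLUDE", "LIB2", "*USE", False),
    AdoptedObject("CJWLDR", CJWLDR_SPECIAL, "PGMX", "*PGM", "*CHANGE", "LIB3", "*CHANGE", True),
    AdoptedObject("APPOWNER", frozenset(), "ORDENT", "*PGM", "*USE", "APPLIB", "*USE", False),
]

if __name__ == "__main__":
    for key, reason in flag_exposures(CURRENT):
        print(f"EXPOSURE {key}: {reason}")
    print(changed_since(BASELINE, CURRENT))
```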
Limiting the Use of Adopted Authority
When an iSeries program runs, the program can use adopted authority to gain access to objects in two different ways:

• The program itself can adopt the authority of its owner. This is specified in the user profile (USRPRF) parameter of the program or service program.
• The program can use (inherit) adopted authority from a previous program that is still in the job's call stack. A program can inherit the adopted authority from previous programs even if the program itself does not adopt authority. The use adopted authority (USEADPAUT) parameter of a program or a service program controls whether the program inherits adopted authority from previous programs in the program stack.

Following is an example of how using adopted authority from previous programs works. Assume that the ICOWNER user profile has CHANGE authority to the ITEM file and that the public authority to the ITEM file is USE. No other user profiles have any explicitly defined authority to the ITEM file. Table 14 shows the attributes for three programs that use the ITEM file:
Table 14. Use Adopted Authority (USEADPAUT) Example

Program Name   Program Owner   USRPRF Value   USEADPAUT Value
PGMA           ICOWNER         OWNER          YES
PGMB           ICOWNER         USER           YES
PGMC           ICOWNER         USER           NO
Example 1 (Adopting Authority):
1. USERA runs the PGMA program.
2. The PGMA program attempts to open the ITEM file with update capability.
Result: Attempt is successful. USERA has CHANGE access to the ITEM file because PGMA adopts ICOWNER's authority.

Example 2 (Using Adopted Authority):
1. USERA runs the PGMA program.
2. The PGMA program calls the PGMB program.
3. The PGMB program attempts to open the ITEM file with update capability.
Result: Attempt is successful. Although the PGMB program does not adopt authority (USRPRF is USER), it allows the use of previous adopted authority (USEADPAUT is YES). The PGMA program is still in the program stack. Therefore, USERA gets CHANGE access to the ITEM file because PGMA adopts ICOWNER's authority.

Example 3 (Not Using Adopted Authority):
1. USERA runs the PGMA program.
2. The PGMA program calls the PGMC program.
3. The PGMC program attempts to open the ITEM file with update capability.
Result: Authority failure. The PGMC program does not adopt authority. The PGMC program also does not allow the use of adopted authority from previous programs. Although PGMA is still in the call stack, its adopted authority is not used.
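The three examples above follow from two rules (USRPRF decides whether a program adopts its owner's authority; USEADPAUT decides whether it may use adopted authority already in the call stack). The model below is an added example, not IBM's code: it encodes those rules as stated in the text and replays Examples 1-3 with the programs of Table 14. Values carry the leading asterisk used in CL (*OWNER, *USER, *YES, *NO, *USE, *CHANGE), and the simple ranking of object authorities is an assumption sufficient for these examples.

```python
"""Model of adopted authority flowing through a call stack (USRPRF / USEADPAUT).

Added example, not IBM code: it encodes the rules the text states and replays
Examples 1-3 with the programs of Table 14. The AUTHORITY_RANK ordering is a
simplification (assumption) sufficient for these examples.
"""
from dataclasses import dataclass, field

AUTHORITY_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Program:
    name: str
    owner: str
    usrprf: str     # "*OWNER": adopts the owner's authority; "*USER": does not adopt
    useadpaut: str  # "*YES": may use adopted authority of earlier programs in the stack


@dataclass
class DbFile:
    name: str
    public_aut: str
    private_auts: dict = field(default_factory=dict)  # profile -> explicit authority


def own_authority(profile: str, obj: DbFile) -> str:
    """Authority a profile holds to obj by itself: private entry, else public."""
    return obj.private_auts.get(profile, obj.public_aut)


def stronger(a: str, b: str) -> str:
    return a if AUTHORITY_RANK[a] >= AUTHORITY_RANK[b] else b


def effective_authority(user: str, stack: list, obj: DbFile) -> str:
    """Authority available to `user` while stack[-1] runs (stack[0] was called first).

    The current program contributes its owner's authority if USRPRF(*OWNER); with
    USEADPAUT(*YES) it also inherits the adopted authority of every earlier
    program in the stack that adopts, as the text describes.
    """
    best = own_authority(user, obj)
    current = stack[-1]
    if current.usrprf == "*OWNER":
        best = stronger(best, own_authority(current.owner, obj))
    if current.useadpaut == "*YES":
        for earlier in stack[:-1]:
            if earlier.usrprf == "*OWNER":
                best = stronger(best, own_authority(earlier.owner, obj))
    return best


def open_for_update(user: str, stack: list, obj: DbFile) -> bool:
    """Opening a file with update capability needs *CHANGE (or better)."""
    return AUTHORITY_RANK[effective_authority(user, stack, obj)] >= AUTHORITY_RANK["*CHANGE"]


# Table 14 and the authority setup from the text.
PGMA = Program("PGMA", "ICOWNER", "*OWNER", "*YES")
PGMB = Program("PGMB", "ICOWNER", "*USER", "*YES")
PGMC = Program("PGMC", "ICOWNER", "*USER", "*NO")
ITEM = DbFile("ITEM", public_aut="*USE", private_auts={"ICOWNER": "*CHANGE"})


def run_examples(user: str = "USERA") -> dict:
    """Replay Examples 1-3; each stack lists programs in call order."""
    return {
        "example1_adopting": open_for_update(user, [PGMA], ITEM),
        "example2_using_adopted": open_for_update(user, [PGMA, PGMB], ITEM),
        "example3_not_using_adopted": open_for_update(user, [PGMA, PGMC], ITEM),
    }


if __name__ == "__main__":
    for label, ok in run_examples().items():
        print(f"{label}: {'successful' if ok else 'authority failure'}")
```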
Preventing New Programs from Using Adopted Authority
The passing of adopted authority to later programs in the stack provides an opportunity for a knowledgeable programmer to create a Trojan horse program. The Trojan horse program can rely on previous programs in the stack to get the authority that it needs to perform mischief. To prevent this, you can limit which users are allowed to create programs that use the adopted authority of previous programs.

When you create a new program, the system automatically sets the USEADPAUT parameter to YES. If you do not want the program to inherit adopted authority, you must use the Change Program (CHGPGM) command or the Change Service Program (CHGSRVPGM) command to set the USEADPAUT parameter to NO.

With V3R2 and V3R7, you can use an authorization list and the use adopted authority (QUSEADPAUT) system value to control who can create programs that inherit adopted authority. When you specify an authorization list name in the QUSEADPAUT system value, the system uses this authorization list to determine how to create new programs. When a user creates a program or service program, the system checks the user's authority to the authorization list. If the user has USE authority, the USEADPAUT parameter for the new program is set to YES. If the user does not have USE authority, the USEADPAUT parameter is set to NO. The user's authority to the authorization list cannot come from adopted authority.
The authorization list that you specify in the QUSEADPAUT system value also controls whether a user can use a CHGxxx command to set the USEADPAUT value for a program or a service program.

Notes:
1. You do not need to call your authorization list QUSEADPAUT. You can create an authorization list with a different name. Then specify that authorization list for the QUSEADPAUT system value. In the commands in this example, substitute the name of your authorization list.
2. The QUSEADPAUT system value does not affect existing programs on your system. Use the CHGPGM command or the CHGSRVPGM command to set the USEADPAUT parameter for existing programs.

More Restrictive Environment: If you want most users to create new programs with the USEADPAUT parameter set to NO, do the following:

1. To set the public authority for the authorization list to EXCLUDE, type the following:
CHGAUTLE AUTL(QUSEADPAUT) USER(*PUBLIC) AUT(*EXCLUDE)
2. To set up specific users to create programs that use the adopted authority of previous programs, type the following:
ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*USE)
Less Restrictive Environment: If you want most users to create new programs with the USEADPAUT parameter set to *YES, do the following:
1. Leave the public authority for the authorization list set to *USE.
2. To prevent specific users from creating programs that use the adopted authority of previous programs, type the following:
ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*EXCLUDE)
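The more restrictive setup carried through end to end, as an added CL example that is not part of the manual; the authorization list name ADPAUTL, the programmer profile APPDEV1 and the program APPLIB/ORDENTRY are assumed names to be replaced with your own.

```cl
/* Added example, not IBM's text. ADPAUTL, APPDEV1 and                */
/* APPLIB/ORDENTRY are assumed names; substitute your own.            */

/* 1. Create the authorization list (authorization lists always live  */
/*    in QSYS) and name it in the QUSEADPAUT system value.            */
CRTAUTL    AUTL(ADPAUTL) TEXT('Who may create USEADPAUT(*YES) pgms')
CHGSYSVAL  SYSVAL(QUSEADPAUT) VALUE('ADPAUTL')

/* 2. Public gets *EXCLUDE: from now on, programs that most users     */
/*    create are built with USEADPAUT(*NO).                           */
CHGAUTLE   AUTL(ADPAUTL) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Only the named profile keeps the ability to create programs     */
/*    that inherit adopted authority. The *USE authority must be      */
/*    held by the user; adopted authority is not considered here.     */
ADDAUTLE   AUTL(ADPAUTL) USER(APPDEV1) AUT(*USE)

/* 4. The system value does not change existing programs. Turn off    */
/*    inheritance on each existing program that does not need it.     */
CHGPGM     PGM(APPLIB/ORDENTRY) USEADPAUT(*NO)

/* 5. Confirm the change: DSPPGM shows                                */
/*    "Use adopted authority . . . . . . . . . : *NO"                 */
DSPPGM     PGM(APPLIB/ORDENTRY)
```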
Monitoring the Use of Trigger Programs
DB2 UDB provides the capability to associate trigger programs with database files. Trigger-program capability is common across the industry for high-function database managers. When you associate a trigger program with a database file, you specify when the trigger program runs. For example, you can set up the customer order file to run a trigger program whenever a new record is added to the file. When the customer's outstanding balance exceeds the credit limit, the trigger program can print a warning letter to the customer and send a message to the credit manager.

Trigger programs are a productive way both to provide application functions and to manage information. Trigger programs also provide the ability for someone with devious intentions to create a Trojan horse on your system. A destructive program may be sitting and waiting to run when a certain event occurs in a database file on your system.

Note: In history, the Trojan horse was a large hollow wooden horse that was filled with Greek soldiers. After the horse was introduced within the walls of Troy, the soldiers climbed out of the horse and fought the Trojans. In the computer world, a program that hides destructive functions is often called a Trojan horse.
108
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
SECBATCH menu options: 27 to submit immediately, 66 to use the job scheduler.

When your system ships, the ability to add a trigger program to a database file is restricted. If you are managing object authority carefully, the typical user will not have sufficient authority to add a trigger program to a database file. Appendix D in the iSeries Security Reference book tells the authority that is required for all commands, including the Add Physical File Trigger (ADDPFTRG) command.

You can use the Print Trigger Programs (PRTTRGPGM) command to print a list of all the trigger programs in a specific library or in all libraries. Figure 28 shows an example of the report:
                          Trigger Programs (Full Report)
Specified library  . . . . . . :  CUSTLIB

                    Trigger     Trigger     Trigger   Trigger   Trigger
Library   File      Library     Program     Time      Event     Condition
CUSTLIB   MB106     ARPGMLIB    INITADDR    Before    Update    Always
CUSTLIB   MB107     ARPGMLIB    INITNAME    Before    Update    Always
Figure 28. Print Trigger Programs Report (Full Report Example)
You can use the initial report as a base to evaluate any trigger programs that already exist on your system. Then, you can print the changed report regularly to see whether new trigger programs have been added to your system.

When you evaluate trigger programs, consider the following:
- Who created the trigger program? You can use the Display Object Description (DSPOBJD) command to determine this.
- What does the program do? You will have to look at the source program or talk to the program creator to determine this. For example, does the trigger program check to see who the user is? Perhaps the trigger program is waiting for a particular user (QSECOFR) in order to gain access to system resources.

After you have established a base of information, you can print the changed report regularly to monitor new trigger programs that have been added to your system. Figure 29 shows an example of the changed report:
                         Trigger Programs (Changed Report)
Specified library  . . . . . . :  LIBX
Last changed report  . . . . . :  96/01/21  14:33:37

                    Trigger     Trigger     Trigger   Trigger   Trigger
Library   File      Library     Program     Time      Event     Condition
INVLIB    MB108     INVPGM      NEWPRICE    After     Delete    Always
INVLIB    MB110     INVPGM      NEWDSCNT    After     Delete    Always
Figure 29. Print Trigger Programs Report (Changed Report Example)
Checking for Hidden Programs
Trigger programs are not the only possible way to introduce a Trojan horse into your system. Trigger programs are an example of an exit program. When a certain event occurs, such as a file update in the case of a trigger program, the system runs the exit program that is associated with that event. Table 15 describes other examples of exit programs that might be on your system. You should use the same methods for evaluating the use and content of these exit programs that you use for trigger programs.

Note: Table 15 is not a complete list of possible exit programs.
Table 15. System-Provided Exit Programs (program name, followed by when the program runs)

- User-specified name on the DDMACC network attribute: when a user attempts to open a DDM file on your system or makes a DRDA connection.
- User-specified name on the PCSACC network attribute: when a user attempts to use Client Access functions using the Original Clients to access objects on your system.
- User-specified name on the QPWDVLDPGM system value: when a user runs the Change Password function.
- User-specified name on the QRMTSIGN system value: when a user attempts to sign on interactively from a remote system.
- QSYS/QEZUSRCLNP: when the automatic cleanup function runs.
- User-specified name on the EXITPGM parameter of the CHGBCKUP command: when you use the Operational Assistant backup function.
- User-specified names on the CRTPRDLOD command: before and after you save, restore, or delete the product that was created with the command.
- User-specified name on the DFTPGM parameter of the CHGMSGD command: if a default program is specified for a message, the system runs the program when the message is issued. Because of the large number of message descriptions on a typical system, the use of default programs is difficult to monitor. To prevent public users from adding default programs for messages, consider setting the public authority for message files (*MSGF objects) to *USE.
- User-specified name on the FKEYPGM parameter of the STREML3270 command: when the user presses a function key during the 3270 device emulation session. The system returns control to the 3270 device emulation session when the exit program ends.
- User-specified name on the EXITPGM parameter of the performance monitor commands: to process data that is collected by the following commands: STRPFRMON, ENDPFRMON, ADDPFRCOL, and CHGPFRCOL. The program runs when data collection ends.
- User-specified name on the EXITPGM parameter of the RCVJRNE command: for each journal entry or group of journal entries that it reads from the specified journal and journal receivers.
- User-specified name on the QTNADDCR API: during a COMMIT or ROLLBACK operation.
- User-specified names on the QHFRGFS API: to perform the file system functions.
- User-specified name on the SEPPGM parameter of a printer device description: to determine what to print on the separator page before or after a spooled file or a print job.
- QGPL/QUSCLSXT: when a database file is closed, to allow the capture of file usage information.
- User-specified name on the FMTSLR parameter of a logical file: when a record is written to the database file and a record format name is not included in the high-level language program. The selector program receives the record as input, determines the record format used, and returns it to the database.
- User-specified name that is specified in the QATNPGM system value, the ATNPGM parameter in a user profile, or the PGM parameter of the SETATNPGM command: when a user presses the Attention key.
- User-specified name on the EXITPGM parameter of the TRCJOB command: before starting the Trace Job procedure.
For commands that allow you to specify an exit program, you should ensure that the command default has not been changed to specify an exit program. You should also ensure that the public authority for these commands is not sufficient to change the command default. The CHGCMDDFT command requires *OBJMGT authority to the command. You do not need *OBJMGT authority to run a command.
Evaluating Registered Exit Programs
You can use the system registration function to register exit programs that should be run when certain events occur. To list the registration information on your system, type WRKREGINF OUTPUT(*PRINT). Figure 30 shows an example of the report:
                      Work with Registration Information
Exit point . . . . . . . . . . . . . :   QIBM_QGW_NJEOUTBOUND
Exit point format  . . . . . . . . . :   NJEO0100
Exit point registered  . . . . . . . :   *YES
Allow deregister . . . . . . . . . . :   *YES
Maximum number of exit programs  . . :   *NOMAX
Current number of exit programs  . . :   0
Preprocessing for add  . . . . . . . :   *NONE
  Library  . . . . . . . . . . . . . :
  Format . . . . . . . . . . . . . . :
Preprocessing for remove . . . . . . :   *NONE
  Library  . . . . . . . . . . . . . :
  Format . . . . . . . . . . . . . . :
Preprocessing for retrieve . . . . . :   *NONE
  Library  . . . . . . . . . . . . . :
Figure 30. Work with Registration Information (Example)
For each exit point on the system, the report shows whether any exit programs are currently registered. When an exit point has programs that are currently registered, you can select option 8 (Display programs) from the display version of WRKREGINF to display information about the programs:
                      Work with Registration Information
Type options, press Enter.
  5=Display exit point   8=Work with exit programs

     Exit                        Exit Point
Opt  Point                       Format     Registered  Text
     QIBM_QGW_NJEOUTBOUND        NJEO0100   *YES        Network Job Entry outbound ex
 8   QIBM_QHQ_DTAQ               DTAQ0100   *YES        Original Data Queue Server
     QIBM_QLZP_LICENSE           LICM0100   *YES        Original License Mgmt Server
     QIBM_QMF_MESSAGE            MESS0100   *YES        Original Message Server
     QIBM_QNPS_ENTRY             ENTR0100   *YES        Network Print Server - entry
     QIBM_QNPS_SPLF              SPLF0100   *YES        Network Print Server - spool
     QIBM_QNS_CRADDACT           ADDA0100   *YES        Add CRQ description activity
     QIBM_QNS_CRCHGACT           CHGA0100   *YES        Change CRQ description activi
Use the same method for evaluating these exit programs that you use for other exit programs and trigger programs.
Checking Scheduled Programs
iSeries provides several methods for scheduling jobs to run at a later time, including the job scheduler. Normally, these methods do not represent a security exposure because the user who schedules the job must have the same authority that is required to submit the job to batch. However, you should periodically check for jobs scheduled in the future. A disgruntled user who is no longer in the organization may use this method to schedule a disaster.
Restricting Save and Restore Capability
Most users do not need to save and restore objects on your system. The save commands provide the possibility of copying important assets of your organization to media or to another system. Most save commands support save files that can be sent to another system by using the Send Network File (SNDNETF) command without having access to media or a save/restore device.

Restore commands provide the opportunity to restore unauthorized objects, such as programs, commands, and files, to your system. You can also restore information without access to media or to a save/restore device by using save files. Save files can be sent from another system by using the SNDNETF command or by using the FTP function.

Following are suggestions for restricting save and restore operations on your system:
- Control which users have *SAVSYS special authority. *SAVSYS special authority allows the user to save and restore objects even when the user does not have the necessary authority to the objects.
- Control physical access to save and restore devices.
- Restrict access to the save and restore commands. When you install OS/400 licensed programs, the public authority for the RSTxxx commands is *EXCLUDE. Public authority for the SAVxxx commands is *USE. Consider changing the public authority for SAVxxx commands to *EXCLUDE. Carefully limit the users that you authorize to the RSTxxx commands.
- Use the QALWOBJRST system value to restrict restoration of system-state programs, programs that adopt authority, and objects that have validation errors.
- Use the QVFYOBJRST system value to control restoring signed objects on your system.
- Use security auditing to monitor restore operations. Include *SAVRST in the QAUDLVL system value, and periodically print audit records that are created by restore operations. Chapter 9 and Appendix F of the iSeries Security Reference book provide more information about the audit entries for restore operations.
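The suggestions above applied in CL, as an added example that is not the manual's own; the operator profile BKUPOPR and the QAUDLVL list shown are assumptions, and CHGSYSVAL QAUDLVL replaces the whole list, so carry over the values already set on your system.

```cl
/* Added example, not IBM's text. BKUPOPR is an assumed profile name. */

/* Save commands ship with *PUBLIC *USE; restrict them like the       */
/* restore commands (which ship *EXCLUDE). The generic name SAV*      */
/* covers SAVOBJ, SAVLIB, SAVSYS, SAVCHGOBJ and the rest in QSYS.     */
GRTOBJAUT  OBJ(QSYS/SAV*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

/* Re-authorize only the operator who actually runs backups, and      */
/* only the restore commands that operator needs.                     */
GRTOBJAUT  OBJ(QSYS/SAV*)   OBJTYPE(*CMD) USER(BKUPOPR) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/RSTOBJ) OBJTYPE(*CMD) USER(BKUPOPR) AUT(*USE)
GRTOBJAUT  OBJ(QSYS/RSTLIB) OBJTYPE(*CMD) USER(BKUPOPR) AUT(*USE)

/* Block restore of system-state programs, programs that adopt        */
/* authority and objects with validation errors, while still letting  */
/* PTFs be applied. Set to *ALL only for the duration of a release    */
/* or licensed program install, then change it back.                  */
CHGSYSVAL  SYSVAL(QALWOBJRST) VALUE('*ALWPTF')

/* Audit restores. This replaces the current QAUDLVL list, so list    */
/* every value you already use (RTVSYSVAL SYSVAL(QAUDLVL) shows it).  */
CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *SAVRST')

/* Periodic check: print the object restore (OR) audit entries.       */
DSPAUDJRNE ENTTYP(OR) OUTPUT(*PRINT)
```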
Checking for User Objects in Protected Libraries
Every iSeries job has a library list. The library list determines the sequence in which the system searches for an object if a library name is not specified with the object name. For example, when you call a program without specifying where the program is, the system searches your library list in order and runs the first copy of the program that it finds. The iSeries Security Reference book provides more information about the security exposures of library lists and calling programs without a library name (called an unqualified call). It also provides suggestions for controlling the content of library lists and the ability to change the system library lists.

For your system to run properly, certain system libraries, such as QSYS and QGPL, must be in the library list for every job. You should use object authority to control who can add programs to these libraries. This helps to prevent someone from placing an imposter program in one of these libraries with the same name as a program that appears in a library later in the library list. You should also evaluate who has authority to the CHGSYSLIBL command and monitor SV records in the security audit journal. A devious user could place a library ahead of QSYS in the library list and cause other users to run unauthorized commands with the same names as IBM-supplied commands.
SECBATCH menu options: 28 to submit immediately, 67 to use the job scheduler.

You can use the Print User Objects (PRTUSROBJ) command to print a list of user objects (objects not created by IBM) that are in a specified library. You can then evaluate the programs on the list to determine who created them and what function they perform. User objects other than programs can also represent a security exposure when they are in system libraries. For example, if a program writes confidential data to a file whose name is not qualified, that program might be fooled into opening an imposter version of that file in a system library. Figure 31 on page 114 shows an example of the report:
                            User Objects (Full Report)
Library     Object      Type    Attribute   Owner     Description
QSYS        PRTCUSTL    *PGM    RPG         GEORGE
QSYS        CHGLMT      *PGM    RPG         GEORGE
QSYS        TESTINV     *PGM    CLP         ROSE
Figure 31. Print User Objects Report (Sample)
Note: This report includes objects that PTF exit programs create in the library.
Chapter 11. Tips for Preventing and Detecting Hacking Attempts
This chapter is a collection of miscellaneous tips to help you to detect potential security exposures and mischief-makers.
Tips for Physical Security
Your system unit represents an important business asset and a potential door into your system. Some system components inside the system are both small and valuable. You should place the system unit in a controlled location to prevent someone from removing valuable system components.

The system unit has a control panel that provides the ability to perform basic functions without a workstation. For example, you can use the control panel to do the following:
- Stop the system
- Start the system
- Load the operating system
- Start service functions

All of these activities can disrupt your system users. They also represent a potential security exposure to your system. You can use the keylock that comes with your system to control when these activities are allowed. To prevent the use of the control panel, place the keylock in the Secure position, remove the key, and store it in a safe place.

Notes:
1. If you need to perform remote IPLs or perform remote diagnostics on your system, you may need to choose another setting for the keylock. The Getting Started topic in the iSeries Information Center provides more information about keylock settings (see Prerequisite and related information on page xii for details).
2. Not all system models come with a keylock as a standard feature.
Tips for Monitoring User Profile Activity
User profiles provide entry to your system. Parameters in the user profile determine a user's environment and a user's security characteristics. As a security administrator, you need to control and audit changes that occur to user profiles on your system. You can set up security auditing so that your system writes a record of changes to user profiles. You can use the DSPAUDJRNE command to print a report of those changes. You can create exit programs to evaluate requested actions to user profiles. Table 16 on page 116 shows the exit points that are available for user profile commands.
Copyright IBM Corp 1996, 2001
115
Note: User profile exits are available beginning with V3R2.
Table 16. Exit Points for User Profile Activity

User profile command                 Exit point name
Create User Profile (CRTUSRPRF)      QIBM_QSY_CRT_PROFILE
Change User Profile (CHGUSRPRF)      QIBM_QSY_CHG_PROFILE
Delete User Profile (DLTUSRPRF)      QIBM_QSY_DLT_PROFILE
Restore User Profile (RSTUSRPRF)     QIBM_QSY_RST_PROFILE
Your exit program can, for example, look for changes that might cause the user to run an unauthorized version of a program. These changes might be assigning either a different job description or a new current library. Your exit program might either notify a message queue or take some action (like changing or disabling the user profile) based on the information that the exit program receives. The iSeries Security Reference book provides more information about the exit programs for user profile actions.
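An exit program of the kind just described, written in CL for the QIBM_QSY_CHG_PROFILE exit point, as an added example that is not part of the manual. It assumes the exit is called after the profile has been changed and receives one character parameter laid out as exit point name (positions 1-20), format name (21-28) and user profile name (29-38); the program name CHKPRFCHG, library SECLIB and the approved job description QGPL/QDFTJOBD are example choices, and the CHGP0100 layout should be checked against the Security Reference for your release.

```cl
/* Added example, not IBM's text: exit program CHKPRFCHG for          */
/* QIBM_QSY_CHG_PROFILE. Assumptions: the single parameter holds      */
/* exit point name (1-20), format name (21-28), profile name (29-38); */
/* the exit runs after the change; QGPL/QDFTJOBD is the only          */
/* approved job description and no current library is expected.       */
PGM        PARM(&EXITDTA)
  DCL      VAR(&EXITDTA) TYPE(*CHAR) LEN(38)
  DCL      VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL      VAR(&JOBD)    TYPE(*CHAR) LEN(10)
  DCL      VAR(&JOBDLIB) TYPE(*CHAR) LEN(10)
  DCL      VAR(&CURLIB)  TYPE(*CHAR) LEN(10)
  DCL      VAR(&MSG)     TYPE(*CHAR) LEN(256)

  /* A failure inside the exit must never disturb CHGUSRPRF itself.  */
  MONMSG   MSGID(CPF0000) EXEC(RETURN)

  CHGVAR   VAR(&USER) VALUE(%SST(&EXITDTA 29 10))

  /* The profile has already been changed, so this reads the new     */
  /* job description and current library.                            */
  RTVUSRPRF USRPRF(&USER) JOBD(&JOBD) JOBDLIB(&JOBDLIB) CURLIB(&CURLIB)

  /* Approved combination: default job description, no current       */
  /* library (*CRTDFT). Nothing to report.                           */
  IF       COND((&JOBDLIB *EQ 'QGPL') *AND (&JOBD *EQ 'QDFTJOBD') +
                *AND (&CURLIB *EQ '*CRTDFT')) THEN(RETURN)

  /* Anything else is a change that could redirect which program the */
  /* user runs: tell the operator which profile to review.           */
  CHGVAR   VAR(&MSG) VALUE('Profile ' *CAT &USER *TCAT +
             ' now has JOBD ' *CAT &JOBDLIB *TCAT '/' *CAT &JOBD *TCAT +
             ' and CURLIB ' *CAT &CURLIB *TCAT ' - review this change')
  SNDMSG   MSG(&MSG) TOUSR(*SYSOPR)
ENDPGM

/* Compile the source member, then register the program once:        */
/*   CRTCLPGM PGM(SECLIB/CHKPRFCHG) SRCFILE(SECLIB/QCLSRC)            */
/*   ADDEXITPGM EXITPNT(QIBM_QSY_CHG_PROFILE) FORMAT(CHGP0100) +      */
/*              PGMNBR(1) PGM(SECLIB/CHKPRFCHG)                       */
/* Secure SECLIB/CHKPRFCHG itself with *PUBLIC *EXCLUDE, since an     */
/* exit program that anyone can replace is one more hidden program.   */
```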
Tips for Object Signing
All of the security precautions you take are meaningless if someone can bypass them by introducing tampered data into your system. The iSeries has many built-in features which you can use to keep tampered software from being loaded onto your system, and to detect any such software already there. One of the techniques added in V5R1 is object signing.

Object signing is the iSeries implementation of a cryptographic concept known as digital signatures. The idea is relatively straightforward: once a software producer is ready to ship software to customers, the producer signs the software. This signature does not guarantee that the software performs any specific function. However, it provides a way to prove that the software came from the producer who signed it, and that the software has not changed since it was produced and signed. This is particularly important if the software has been transmitted across the Internet or stored on media which you feel might have been modified.

Using digital signatures gives you greater control over which software can be loaded onto your system, and allows you more power to detect changes once it has been loaded. The new system value Verify Object Restore (QVFYOBJRST) provides a mechanism for setting a restrictive policy which requires all software loaded onto the system to be signed by known software sources. You can also choose a more open policy and simply verify signatures if they are present.

All OS/400 software, as well as the software for options and iSeries licensed programs, has been signed by IBM. These signatures help the system protect its integrity, and they are checked when fixes are applied to the system to ensure that the fix has come from IBM and that it did not change in transit. These signatures can also be checked once the software is on the system. The Check Object Integrity (CHKOBJITG) command has been expanded to check signatures in addition to other integrity features of the objects on the system. Additionally, the Digital Certificate Manager has panels that you can use to check signatures on objects, including objects in the operating system.

Just as the operating system has been signed, you could use digital signatures to protect the integrity of software which is critical to your business. You might buy software which has been signed by a software provider, or you might sign
software which you have purchased or written. Part of your security policy, then, might be to periodically use CHKOBJITG, or the Digital Certificate Manager, to verify that the signatures on that software are still valid, that is, that the objects have not changed since they were signed. You might further require that all software which gets restored on your system be signed by you or a known source. However, since most iSeries software which is not produced by IBM is not currently signed, this might be too restrictive for your system. The new digital signature support gives you the flexibility to decide how best to protect your software integrity.

Digital signatures that protect software are just one use of digital certificates. Additional information on managing digital certificates can be found in the Digital certificate management topic in the Information Center (see Prerequisite and related information on page xii for details).
Tips for Monitoring Subsystem Descriptions
When you start a subsystem on iSeries, the system creates an environment for work to enter the system and run. A subsystem description defines what that environment looks like. Subsystem descriptions, therefore, can provide an opportunity for devious users. A mischief-maker might use a subsystem description to start a program automatically or to make it possible to sign on without a user profile.

When you run the Revoke Public Authority (RVKPUBAUT) command, the system sets public authority to subsystem description commands to *EXCLUDE. This prevents users who are not specifically authorized and who do not have *ALLOBJ special authority from changing or creating subsystem descriptions.

The topics that follow provide suggestions for reviewing the subsystem descriptions that currently exist on your system. You can use the Work with Subsystem Descriptions (WRKSBSD) command to create a list of all the subsystem descriptions. When you select 5 (Display) from the list, you see a menu like the one shown in Figure 32 for the subsystem description that you selected. It shows a list of the parts of a subsystem environment.
                         Display Subsystem Description
Subsystem description:  QINTER      Library:  QSYS      Status:  ACTIVE

Select one of the following:
     1. Operational attributes
     2. Pool definitions
     3. Autostart job entries
     4. Work station name entries
     5. Work station type entries
     6. Job queue entries
     7. Routing entries
     8. Communications entries
     9. Remote location name entries
    10. Prestart job entries
Figure 32. Display Subsystem Description Display
You select options to see details about the parts. Use the Change Subsystem Description (CHGSBSD) command to change the first two items on the menu. To
Chapter 11 Tips for Preventing and Detecting Hacking Attempts
117
change other items, use the appropriate add, remove, or change command for the entry type. For example, to change a workstation entry, use the Change Workstation Entry (CHGWSE) command. The Work Management book provides more information about working with subsystem descriptions. It also lists the shipped values for IBM-supplied subsystem descriptions.
Tips for Autostart Job Entries
An autostart job entry contains the name of a job description. The job description may contain request data (RQSDTA) that causes a program or a command to run. For example, the RQSDTA might be CALL LIB1/PROGRAM1. Whenever the subsystem starts, the system will run the program PROGRAM1 in library LIB1. Look at your autostart job entries and the associated job descriptions. Ensure that you understand the function of any program that runs automatically when a subsystem starts.
Tips for Workstation Names and Workstation Types
When a subsystem starts, it allocates all unallocated workstations that are listed specifically or generically in its entries for workstation names and workstation types. When a user signs on, the user is signing on to the subsystem that has allocated the workstation. The workstation entry tells what job description will be used when a job starts at that workstation. The job description may contain request data that causes a program or a command to run. For example, the RQSDTA parameter might be CALL LIB1/PROGRAM1. Whenever a user signs on to a workstation in that subsystem, the system will run PROGRAM1 in LIB1. Look at your workstation entries and the associated job descriptions. Ensure that no one has added or updated any entries to run programs that you are not aware of.

A workstation entry might also specify a default user profile. For certain subsystem configurations, this allows someone to sign on simply by pressing the Enter key. If the security level (QSECURITY system value) on your system is less than 40, you should review your workstation entries for default users.
Tips for Job Queue Entries
When a subsystem starts, it allocates any unallocated job queues that are listed in the subsystem description. Job queue entries do not provide any direct security exposure. However, they do provide an opportunity for someone to tamper with system performance by causing jobs to run in unintended environments. You should periodically review the job queue entries in your subsystem descriptions to ensure that batch jobs are running where you expect them to run.
Tips for Routing Entries
A routing entry defines what a job does once it enters the subsystem. The subsystem uses routing entries for all job types: batch, interactive, and communications jobs. A routing entry specifies the following:
- The class for the job. Like job queue entries, the class that is associated with a job can affect its performance but does not represent a security exposure.
- The program that runs when the job starts. Look at the routing entries and ensure that no one has added or updated any entries to run programs that you are not aware of.
Tips for Communications Entries and Remote Location Names
When a communications job enters your system, the system uses the communications entries and the remote location name entries in the active subsystem to determine how the communications job will run. Look at the following for these entries:
- All subsystems are capable of running communications jobs. If a subsystem that you intend for communications is not active, a job that is trying to enter your system might find an entry in another subsystem description that meets its needs. You need to look at the entries in all subsystem descriptions.
- A communications entry contains a job description. The job description may contain request data that runs a command or program. Look at your communications entries and their associated job descriptions to ensure that you understand how jobs will start.
- A communications entry also specifies a default user profile that the system uses in some situations. Make sure that you understand the role of default profiles. If your system contains default profiles, you should ensure that they are profiles with minimal authority. See Chapter 13, Tips for Securing APPC Communications, for more information about default user profiles. You can use the Print Subsystem Description (PRTSBSDAUT) command to identify communications entries that specify a user profile name.
Tips for Prestart Job Entries
You can use prestart job entries to make a subsystem ready for certain kinds of jobs so that the jobs start more quickly. Prestart jobs may start when the subsystem starts or when they are needed. A prestart job entry specifies the following:
- A program to run
- A default user profile
- A job description

All of these provide the potential for security exposures. You should make sure that prestart job entries perform only authorized, intended functions.
Tips for Jobs and Job Descriptions
Job descriptions contain request data and routing data that can cause a specific program to run when that job description is used. When the job description specifies a program in the request data parameter, the system runs the program. When the job description specifies routing data, the system runs the program that is specified in the routing entry that matches the routing data.

The system uses job descriptions for both interactive and batch jobs. For interactive jobs, the workstation entry specifies the job description. Typically, the workstation entry value is *USRPRF, so the system uses the job description that is specified in the user profile. For batch jobs, you specify the job description when you submit the job.
You should periodically review job descriptions to make sure that they do not run unintended programs. You should also use object authority to prevent changes to job descriptions. *USE authority is sufficient to run a job with a job description. A typical user does not need *CHANGE authority to job descriptions.
SECBATCH menu options: 15 to submit immediately, 54 to use the job scheduler.

Job descriptions can also specify what user profile the job should run under. With security level 40 and higher, you must have *USE authority to the job description and to the user profile that is specified in the job description. With security levels lower than 40, you need *USE authority only to the job description. You can use the Print Job Description Authority (PRTJOBDAUT) command to print a list of job descriptions that specify user profiles and have public authority of *USE. Figure 33 shows an example of the report:
              Job Descriptions with Excess Authority (Full Report)                 SYSTEM4
Specified library  . . . . . . :  QGPL

                                               ---------------Special Authorities---------------
            Job                    User        ALL   AUD   IOSYS  JOB   SAV   SEC   SER    SPL
Library     Description  Owner     Profile     OBJ   IT    CFG    CTL   SYS   ADM   VICE   CTL
QGPL        JOBD1        QSECOFR   USERA
QGPL        JOBD2        QSECOFR   USERB
(The figure marks the special authorities of each row with an X; the column positions of the eight X marks were lost in extraction.)
Figure 33. Job Descriptions with Excess Authority Report (Example)
The report shows the special authorities of the user profile that is specified in the job description. The report includes the special authorities of any group profiles that the user profile has. You can use the following command to display the user profile's private authorities:
DSPUSRPRF USRPRF(profile-name) TYPE(*OBJAUT)
The job description specifies the library list that the job uses when it runs. If someone can change a user's library list, that user might run an unintended version of a program in a different library. You should periodically review the library lists that are specified in the job descriptions on your system. Finally, you should ensure that the default values for the Submit Job (SBMJOB) command and the Create User Profile (CRTUSRPRF) command have not been changed to point to unintended job descriptions.
Tips for Architected Transaction Program Names
Some communications requests send a specific type of signal to your system. This request is called an architected transaction program name (TPN) because the name of the transaction program is part of the APPC architecture for the system. A display station pass-through request is an example of an architected TPN. Architected TPNs are a normal way for communications to function and do not necessarily represent a security exposure. However, architected TPNs may provide an unexpected entrance into your system.
Some TPNs do not pass a profile on the request. If the request becomes associated with a communications entry whose default user is *SYS, the request may be initiated on your system. However, the *SYS profile can run system functions only, not user applications. If you do not want architected TPNs to run with a default profile, you can change the default user from *SYS to *NONE in communications entries. Table 17 under "Architected TPN Requests" lists the architected TPNs and the associated user profiles.

If you do not want a specific TPN to run on your system at all, do the following:
1. Create a CL program that accepts several parameters. The program should perform no function. It should simply have the Declare (DCL) statements for the parameters and then end.
2. Add a routing entry for the TPN to each subsystem that has communications entries or remote location name entries. The routing entry should specify the following:
   • A Compare value (CMPVAL) value equal to the program name for the TPN (see "Architected TPN Requests") with a starting position of 37.
   • A Program to call (PGM) value equal to the name of the program that you created in step 1.
   This prevents the TPN from locating another routing entry, such as *ANY.

Several TPNs already have their own routing entry in the QCMN subsystem. These have been added for performance reasons.
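The two steps above, worked for one TPN from Table 17, the PC virtual print request that runs program QVPPRINT. This is an added example and not part of the IBM manual; the library MYLIB, the program name NOTPN, the number of declared parameters and the sequence number 50 are assumptions.

```cl
/* Step 1: source member MYLIB/QCLSRC(NOTPN). The program declares the    */
/* parameters a TPN routing program may be called with and does nothing.  */
/* Five *CHAR parameters is an assumption; none of them is referenced.    */
             PGM        PARM(&P1 &P2 &P3 &P4 &P5)
             DCL        VAR(&P1) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P2) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P3) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P4) TYPE(*CHAR) LEN(1)
             DCL        VAR(&P5) TYPE(*CHAR) LEN(1)
             ENDPGM

/* Compile it; *USE public authority keeps others from replacing it       */
CRTCLPGM   PGM(MYLIB/NOTPN) SRCFILE(MYLIB/QCLSRC) SRCMBR(NOTPN) +
           AUT(*USE)

/* Step 2: in every subsystem that has communications or remote location */
/* name entries, route the TPN to the empty program. Position 37 of the   */
/* routing data carries the TPN program name. Pick a sequence number that */
/* is free in that subsystem and lower than its *ANY entry, so this entry */
/* is found first.                                                        */
ADDRTGE    SBSD(QSYS/QCMN) SEQNBR(50) CMPVAL('QVPPRINT' 37) +
           PGM(MYLIB/NOTPN)

/* Verify the communications entries and the new routing entry            */
DSPSBSD    SBSD(QSYS/QCMN)
```

Repeat the ADDRTGE for each other subsystem that DSPSBSD shows has communications entries (QBASE, for example, on a system that uses it instead of QCMN).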
Architected TPN Requests

Table 17. Programs and Users for TPN Requests

TPN Request    Program     User Profile  Description
X'30F0F8F1'    AMQCRC6A    *NONE         Message queuing
X'06F3F0F1'    QACSOTP     QUSER         APPC sign-on transaction program
X'30F0F2D1'    QANRTP      QADSM         ADSM/400 APPC configuration
X'30F0F1F9'    QCNPCSUP    *NONE         Shared folders
X'07F0F0F1'    QCNTEDDM    QUSER         DDM
X'07F6C4C2'    QCNTEDDM    QUSER         Remote SQL DRDA1
X'30F0F7F7'    QCQNRBAS    QSVCCS        SNA CC_Server
X'30F0F1F4'    QDXPRCV     QUSER         DSNXPC receiver
X'30F0F1F3'    QDXPSEND    QUSER         DSNXPC sender
X'30F0F2C4'    QEVYMAIN    QUSER         ENVY/400 Server
X'30F0F6F0'    QHQTRGT     *NONE         PC data queue
X'30F0F8F0'    QLZPSERV    *NONE         Client Access license manager
X'30F0F1F7'    QMFRCVR     *NONE         PC message receiver
X'30F0F1F8'    QMFSNDR     *NONE         PC message sender
X'30F0F6F6'    QND5MAIN    QUSER         APPN 5394 workstation controller
DB2DRDA        QCNTEDDDM   QUSER         DB2DRDA
APINGD         QNMAPINGD   QUSER         APINGD
X'30F0F5F4'    QNMEVK      QUSER         System management utilities
X'30F0F2C1'    QNPSERVR    *NONE         PWS-I network print server
X'30F0F7F9'    QOCEVOKE    *NONE         Cross-system calendar
X'30F0F6F1'    QOKCSUP     QDOC          Directory shadowing
X'20F0F0F7'    QOQSESRV    QUSER         DIA Version 2
X'20F0F0F8'    QOQSESRV    QUSER         DIA Version 2
X'30F0F5F1'    QOQSESRV    QUSER         DIA Version 2
X'20F0F0F0'    QOSAPPC     QUSER         DIA Version 1
X'30F0F0F5'    QPAPAST2    QUSER         S/36–S/38 pass-through
X'30F0F0F9'    QPAPAST2    QUSER         Printer pass-through
X'30F0F4F6'    QPWFSTP0    *NONE         Shared Folders Type 2
X'30F0F2C8'    QPWFSTP1    *NONE         Client Access file server
X'30F0F2C9'    QPWFSTP2    *NONE         Windows Client Access file server
X'30F0F6F9'    QRQSRVX     *NONE         Remote SQL converged server
X'30F0F6F5'    QRQSRV0     *NONE         Remote SQL without commit
X'30F0F6F4'    QRQSRV1     *NONE         Remote SQL without commit
X'30F0F2D2'    QSVRCI      QUSER         SOC/CT
X'21F0F0F8'    QS2RCVR     QGATE         SNADS FS2 receiver
X'21F0F0F7'    QS2STSND    QGATE         SNADS FS2 sender
X'30F0F1F6'    QTFDWNLD    *NONE         PC transfer function
X'30F0F2F4'    QTIHNPCS    QUSER         TIE function
X'30F0F1F5'    QVPPRINT    *NONE         PC virtual print
X'30F0F2D3'    QWGMTP      QWGM          Ultimedia Mail/400 Server
X'30F0F8F3'    QZDAINIT    QUSER         PWS-I data access server
X'21F0F0F2'    QZDRCVR     QSNADS        SNADS receiver
X'21F0F0F1'    QZDSTSND    QSNADS        SNADS sender
X'30F0F2C5'    QZHQTRG     *NONE         PWS-I data queue server
X'30F0F2C6'    QZRCSRVR    *NONE         PWS-I remote command server
X'30F0F2C7'    QZSCSRVR    *NONE         PWS-I central server
Methods for Monitoring Security Events
Setting up security is not a one-time effort. You need to constantly evaluate both the changes on your system and your security failures. Then make adjustments to your security environment to respond to what you have discovered. The security reports help you to monitor security-relevant changes that occur on your system. Following are other system functions that you can use to help you to detect security failures or exposures:
• Security auditing is a powerful tool that you can use to observe many different types of security-relevant events that occur on your system. For example, you can set up the system to write an audit record every time a user opens a particular database file for updating. You can audit all changes to system values. You can audit actions that happen when users restore objects. Chapter 9 in the iSeries Security Reference book provides complete information about the security auditing function. You can use the Change Security Auditing (CHGSECAUD) command to set up security auditing on your system. You can also use the Display Audit Journal Entries (DSPAUDJRNE) command to print selected information from the security audit journal.
• You can create the QSYSMSG message queue to capture critical system-operator messages. The QSYSOPR message queue receives many messages of varying importance throughout a typical business day. Critical, security-relevant messages may be overlooked because of the sheer volume of messages in the QSYSOPR message queue. If you create a QSYSMSG message queue in the QSYS library on your system, the system automatically directs certain critical messages to the QSYSMSG message queue instead of to the QSYSOPR message queue. Either you can create a program to monitor the QSYSMSG message queue, or you can assign it in break mode to yourself or to another trusted user.
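The two monitoring functions above, set up from a command line. This is an added example, not the manual's own text; the file PAYROLLLIB/EMPMAST and the audit level values chosen are assumptions, picked to match the events the section names (file updates, system value changes, restores).

```cl
/* Turn on auditing. *SECURITY covers system value and other security    */
/* changes, *SAVRST covers restore operations, *AUTFAIL records every    */
/* authority failure. CHGSECAUD creates the QAUDJRN journal if needed.   */
CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD) +
           QAUDLVL(*AUTFAIL *SECURITY *SAVRST)

/* Object auditing: write an audit record whenever this database file is */
/* opened for update (reads are not recorded with *CHANGE)               */
CHGOBJAUD  OBJ(PAYROLLLIB/EMPMAST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* Review: print the authority-failure (AF) entries from the audit journal */
DSPAUDJRNE ENTTYP(AF) OUTPUT(*PRINT)

/* Create QSYSMSG in QSYS so the system routes critical messages there   */
/* instead of into the crowd of messages in QSYSOPR                      */
CRTMSGQ    MSGQ(QSYS/QSYSMSG) TEXT('Critical system and security messages')

/* Have those messages interrupt the trusted user's current job; a       */
/* monitoring program could be used instead of break delivery            */
CHGMSGQ    MSGQ(QSYS/QSYSMSG) DLVRY(*BREAK)
```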
Part 4 Tips for Applications and Network Communications
Chapter 12 Using the Integrated File System to secure your files
The integrated file system provides you with multiple ways to store and view information on iSeries. The integrated file system is a part of the OS/400 operating system that supports stream input and output operations. It provides storage management methods that are similar to and compatible with personal computer operating systems and UNIX operating systems.

Prior to V3R1, iSeries stored and presented objects from the perspective of libraries (or folders for document library objects). With the integrated file system, all objects on the system can be viewed from the perspective of a hierarchical directory structure. However, in most cases, users view objects in the way that is most common for a particular file system. For example, traditional iSeries objects are in the QSYS.LIB file system. Typically, users view these objects from the perspective of libraries. Users typically view objects in the QDLS file system from the perspective of documents within folders. The root (/), QOpenSys, and user-defined file systems present a structure of hierarchical nested directories.

As a security administrator, you need to understand the following:
• Which file systems are used on your system
• The unique security characteristics of each file system

The topics that follow provide some general considerations for the security of the integrated file system.
The Integrated File System Approach to Security
The root file system acts as an umbrella or a foundation for all other file systems on iSeries. At a high level, it provides an integrated view of all of the objects on the system. Other file systems that can exist on iSeries provide varying approaches to object management and integration, depending on the underlying purpose of each file system. The QOPT optical file system, for example, allows iSeries applications and servers (including the Client Access file server) to access the CD-ROM drive on the iSeries. Similarly, the QFileSvr.400 file system allows applications to access integrated file system data on remote iSeries 400s. The QLANSrv file server allows access to files stored on an Integrated xSeries Server for iSeries or other connected servers in the network.

The security approach for each file system depends on the data that the file system makes available. The QOPT file system, for example, does not provide object-level security because no technology exists to write authority information to a CD-ROM. For the QFileSvr.400 file system, access control occurs at the remote system where the files are physically stored and managed. For file systems like QLANSrv, the Integrated xSeries Server for iSeries provides access control. Despite the differing security models, many file systems support consistent management of access control through the integrated file system commands, such as Change Authority (CHGAUT) and Change Owner (CHGOWN).

Here are some tips related to the nooks and crannies of integrated file system security. The integrated file system is designed to follow POSIX standards as closely as possible. This leads to some interesting behavior where iSeries 400 authority and POSIX permissions are blended:

1. Do not remove the private authority for a user to a directory owned by that user, even if that user is authorized through the public authority, a group, or an authorization list. When working with libraries or folders in the standard iSeries security model, removing the owner's private authority would reduce the amount of authority information stored for a user profile and would not affect other operations. But, because of the way the POSIX standard defines permission inheritance for directories, the owner of a newly created directory will have the same object authorities to that directory as the owner of the parent has to the parent, even if the owner of the newly created directory has other private authorities to the parent. That may be hard to understand, so here's an example: USERA owns directory /DIRA, but USERA's private authorities have been removed. USERB has private authority to /DIRA. USERB creates directory /DIRA/DIRB. Because USERA has no object authorities to /DIRA, USERB will have no object authorities to /DIRA/DIRB. USERB will be unable to rename or delete /DIRA/DIRB without further action to change USERB's object authorities. This also comes into play when creating files with the open() API using the O_INHERITMODE flag. If USERB created a file /DIRA/FILEB, USERB would have no object authorities AND no data authorities to it. USERB could not write to the new file.
2. Adopted authority is not honored by most physical file systems. This includes the root (/), QOpenSys, QDLS, and user-defined file systems.
3. Any objects are owned by the user profile which created the objects, even if the OWNER field of the user profile is set to *GRPPRF.
4. Many file system operations require *RX data authority to every component of the path, including the root (/) directory. When experiencing authority problems, make sure to check the user's authorization to the root itself.
5. Displaying or retrieving the current working directory (DSPCURDIR, getcwd(), etc.) requires *RX data authority to every component in the path. However, changing the current working directory (CD, chdir(), etc.) only requires *X data authority to every component. Therefore, a user may change the current working directory to a certain path and then be unable to display that path.
6. The intent of the COPY command is to duplicate an object. The authority settings on the new file will be the same as the original, except for the owner. The intent of the CPYTOSTMF command, however, is simply to duplicate data. The authority settings on the new file cannot be controlled by the user. The creator/owner will have *RWX data authority, but the group and public authorities will be *EXCLUDE. The user must use another means (CHGAUT, chmod(), etc.) to assign the desired authorities.
7. A user must be the owner or have *OBJMGT object authority to an object to retrieve authority information about the object. This pops up in some unexpected places, like COPY, which must retrieve the authority information on the source object to set the equivalent authorities on the target object.
8. When changing the owner or group of an object, the user must not only have appropriate authority to the object, but also must have *ADD data authority to the new owner/group user profile and *DELETE data authority to the old owner/group profile. These data authorities are not related to the file system data authorities. These data authorities can be displayed using the DSPOBJAUT command and changed using the EDTOBJAUT command. This also pops up unexpectedly on COPY when it tries to set the group ID for a new object.
9. The MOV command is prone to puzzling authority errors, especially when moving from one physical file system to another, or when performing data conversion. In these cases, the move actually becomes a copy-and-delete operation. Therefore, the MOV command can be affected by all of the same authority considerations as the COPY command (see 7 and 8 above) and the RMVLNK command, in addition to other specific MOV considerations.

The following sections provide you with some considerations for several representative file systems. For more information about a specific file system on your iSeries, you will need to consult the documentation for the licensed program that uses the file system.
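The USERA/USERB situation from tip 1 and the CPYTOSTMF behavior from tip 6, checked and repaired from a command line. This is an added example and not part of the manual; the path /DIRA follows the text, while PAYROLLLIB/EXPORT, the target file name and the group profile PAYROLL are assumptions.

```cl
/* Tip 4: when an authority problem is puzzling, look at the root first  */
DSPAUT     OBJ('/')

/* Tip 1: USERB created /DIRA/DIRB while the owner of /DIRA, USERA, had   */
/* no private authority there, so USERB got no object authority to DIRB. */
/* DSPAUT shows USERB with data authority but object authority *NONE.     */
DSPAUT     OBJ('/DIRA/DIRB')

/* Repair: give USERB the object authorities a directory owner normally  */
/* has, so USERB can rename or delete the directory again                 */
CHGAUT     OBJ('/DIRA/DIRB') USER(USERB) DTAAUT(*RWX) OBJAUT(*ALL)

/* Prevention: restore the owner's private authority to the parent, so   */
/* every directory created under /DIRA from now on inherits object        */
/* authority for its creator the way POSIX inheritance expects            */
CHGAUT     OBJ('/DIRA') USER(USERA) DTAAUT(*RWX) OBJAUT(*ALL)

/* Tip 6: CPYTOSTMF copies data only; the new stream file gets the owner  */
/* *RWX and leaves group and public at *EXCLUDE regardless of the source */
CPYTOSTMF  FROMMBR('/QSYS.LIB/PAYROLLLIB.LIB/EXPORT.FILE/EXPORT.MBR') +
           TOSTMF('/DIRA/export.csv') STMFOPT(*REPLACE)

/* So set the authorities you actually want, explicitly, afterwards       */
CHGAUT     OBJ('/DIRA/export.csv') USER(PAYROLL) DTAAUT(*RX) OBJAUT(*NONE)
DSPAUT     OBJ('/DIRA/export.csv')
```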
Security Tips for the Root (/), QOpenSys, and User-Defined File Systems
Following are security considerations for the root (/), QOpenSys, and user-defined file systems.
How Authority Works for the Root (/), QOpenSys, and User-Defined File Systems
The root (/), QOpenSys, and user-defined file systems provide a blending of iSeries, PC, and UNIX capabilities both for object management and for security. When you use the integrated file system commands from an iSeries session (WRKAUT and CHGAUT), you can set all the normal iSeries object authorities. This includes the *R, *W, and *X authorities that are compatible with Spec 1170 (UNIX-type operating systems).

Note: The root (/), QOpenSys, and user-defined file systems are functionally equivalent. The QOpenSys file system is case-sensitive. The root file system is not. User-defined file systems can be defined as case-sensitive. Because these file systems have the same security characteristics, you can assume in the topics that follow that their names are used interchangeably.

When you access the root file system as an administrator from a PC session, you can set object attributes that the PC uses to restrict certain types of access:
• System
• Hidden
• Archive
• Read-only

These PC attributes are in addition to, not replacements for, iSeries object authority values. When a user attempts to access an object in the root file system, OS/400 enforces all of the object authority values and attributes for the object, whether or not those authorities are visible from the user's interface. For example, assume that the read-only attribute for an object is set on. A PC user cannot delete the object through a Client Access interface. An iSeries user with a fixed-function workstation cannot delete the object either, even if the iSeries user has *ALLOBJ special authority. Before the object can be deleted, an authorized user must use a PC function to reset the read-only value to off. Similarly, a PC user might not have sufficient OS/400 authority to change the PC-relevant security attributes of an object.

UNIX-type applications that run on iSeries use UNIX-like application programming interfaces (APIs) to access data in the root file system. With UNIX-like APIs, applications can recognize and maintain the following security information:
• Object owner
• Group owner (iSeries primary group authority)
• Read (files)
• Write (change contents)
• Execute (run programs or search directories)

The system maps these data authorities to existing iSeries object and data authorities:
• Read (*R): *OBJOPR and *READ
• Write (*W): *OBJOPR, *ADD, *UPD, *DLT
• Execute (*X): *OBJOPR and *EXECUTE

The concepts for other object authorities (*OBJMGT, *OBJEXIST, *OBJALTER, and *OBJREF) do not exist in a UNIX-type environment. However, these object authorities do exist for all of the objects in the root file system. When you create an object using a UNIX-like API, that object inherits these authorities from the parent directory, resulting in the following:
• The new object's owner has the same object authority as the parent directory's owner.
• The new object's primary group has the same object authority as the parent directory's primary group.
• The new object's public has the same object authority as the parent directory's public.

The new object's data authorities for owner, primary group, and public are specified on the API with the mode parameter. When all of the object authorities are set on, you get the authority behavior that you would expect in a UNIX-type environment. It is best to leave them set on, unless you do not want the POSIX-like behavior.

When you run applications that use UNIX-like APIs, the system enforces all object authorities, whether or not they are visible to UNIX-type applications. For example, the system will enforce the authority of authorization lists even though the concept of authorization lists does not exist in UNIX-type operating systems. When you have a mixed-application environment, you need to ensure that you do not make authority changes in one environment that will break your applications in another environment.
Working with Security for the Root (/), QOpenSys, and User-Defined File Systems
With the introduction of the integrated file system, iSeries also provided a new set of commands for working with objects in multiple file systems. This command set includes commands for working with security:
• Change Auditing (CHGAUD)
• Change Authority (CHGAUT)
• Change Owner (CHGOWN)
• Change Primary Group (CHGPGP)
• Display Authority (DSPAUT)
• Work with Authority (WRKAUT)

These commands group the underlying data and object authorities into the UNIX-like authority subsets:
*RWX  Read/write/execute
*RW   Read/write
*R    Read
*WX   Write/execute
*W    Write
*X    Execute

In addition, UNIX-like APIs are available to work with security.
Public Authority to the Root Directory
When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities). This setting provides flexibility and compatibility with both what UNIX-like applications expect and what typical iSeries users expect. An iSeries user with command-line capability can create a new library in the QSYS.LIB file system simply by using the CRTLIB command. Normally, authority on a typical iSeries system allows this. Similarly, with the shipped setting for the root file system, a typical user can create a new directory in the root file system, just like you can create a new directory on your PC.

As a security administrator, you must educate your users about adequately protecting the objects that they create. When a user creates a library, probably the public authority to the library should not be *CHANGE (the default). The user should set public authority either to *USE or to *EXCLUDE, depending on the contents of the library. If your users need to create new directories in the root (/), QOpenSys, or user-defined file systems, you have several security options:
• You can educate your users to override the default authority when they create new directories. The default is to inherit authority from the immediate parent directory. In the case of a newly created directory in the root directory, by default the public authority will be *ALL.
• You can create a master subdirectory under the root directory. Set the public authority on that master directory to an appropriate setting for your organization. Then instruct users to create any new personal directories in this master subdirectory. Their new directories will inherit its authority.
• You can consider changing the public authority for the root directory to prevent users from creating objects in that directory. Remove *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities. However, you need to evaluate whether this change will cause problems for any of your applications. You might, for example, have UNIX-like applications that expect to be able to delete objects from the root directory.
Print Private Authorities Objects (PRTPVTAUT) Command
The Print Private Authorities (PRTPVTAUT) command allows you to print a report of all the private authorities for objects of a specified type in a specified library, folder, or directory. The report lists all objects of the specified type and the users that are authorized to the object. This is a way to check for different sources of authority to objects.

This command prints three reports for the selected objects. The first report (Full Report) contains all of the private authorities for each of the selected objects. The second report (Changed Report) contains additions and changes to the private authorities to the selected objects if the PRTPVTAUT command was previously run for the specified objects in the specified library, folder, or directory. Any new objects of the selected type, new authorities to existing objects, or changes to existing authorities to the existing objects are listed in the Changed Report. If the PRTPVTAUT command was not previously run for the specified objects in the specified library, folder, or directory, there will be no Changed Report. If the command has been previously run but no changes have been made to the authorities on the objects, then the Changed Report is printed but there are no objects listed. The third report (Deleted Report) contains any deletions of privately authorized users from the specified objects since the PRTPVTAUT command was previously run. Any objects that were deleted or any users that were removed as privately authorized users are listed in the Deleted Report. If the PRTPVTAUT command was not previously run, there will be no Deleted Report. If the command has been previously run but no delete operations have been done to the objects, then the Deleted Report is printed but there are no objects listed.

Restriction: You must have *ALLOBJ special authority to use this command.

Examples: This command creates the full, changed, and deleted reports for all file objects in the library PAYROLLLIB:
PRTPVTAUT OBJTYPE(*FILE) LIB(PAYROLLLIB)
This command creates the full, changed, and deleted reports for all the stream file objects in the directory garry:
PRTPVTAUT OBJTYPE(*STMF) DIR('/GARRY') SCHSUBDIR(*NO)
This command creates the full, changed, and deleted reports for all the stream file objects in the subdirectory structure that starts at the directory garry:
PRTPVTAUT OBJTYPE(*STMF) DIR('/GARRY') SCHSUBDIR(*YES)
Print Publicly Authorized Objects (PRTPUBAUT) Command
The Print Publicly Authorized Objects (PRTPUBAUT) command allows you to print a report of the specified objects that do not have public authority of *EXCLUDE. For *PGM objects, only the programs that do not have public authority of *EXCLUDE and that a user can call (the program is either user domain, or the system security level (QSECURITY system value) is 30 or below) will be included in the report. This is a way to check for objects that every user on the system is authorized to access.

This command will print two reports. The first report (Full Report) will contain all of the specified objects that do not have public authority of *EXCLUDE. The second report (Changed Report) will contain the objects that now do not have public authority of *EXCLUDE but that did have public authority of *EXCLUDE, or did not exist, when the PRTPUBAUT command was previously run. If the PRTPUBAUT command was not previously run for the specified objects and library, folder, or directory, there will be no Changed Report. If the command has been previously run, but no additional objects lack public authority of *EXCLUDE, then the Changed Report will be printed but there will be no objects listed.

Restrictions: You must have *ALLOBJ special authority to use this command.

Examples: This command creates the full and changed reports for all the file objects in the library GARRY that do not have a public authority of *EXCLUDE:
PRTPUBAUT OBJTYPE(*FILE) LIB(GARRY)
This command creates the full and changed reports for all the stream file objects in the subdirectory structure that starts at the directory garry that do not have a public authority of *EXCLUDE:
PRTPUBAUT OBJTYPE(*STMF) DIR('GARRY') SCHSUBDIR(*YES)
Restricting Access to the QSYS.LIB File System
Because the root file system is the umbrella file system, the QSYS.LIB file system appears as a subdirectory within the root directory. Therefore, any PC user with access to your iSeries can manipulate objects stored in iSeries libraries (the QSYS.LIB file system) with normal PC commands and actions. A PC user could, for example, drag a QSYS.LIB object (such as the library with your critical data files) to the shredder.

As you learned in "Security Tips for the Root (/), QOpenSys, and User-Defined File Systems" on page 129, the system enforces all object authority whether or not it is visible to the interface. Therefore, a user cannot shred (delete) an object unless the user has *OBJEXIST authority to the object. However, if your iSeries depends on menu access security rather than object security, the PC user might very well discover objects in the QSYS.LIB file system that are available for shredding. As you expand the uses of your system and the different methods of access that you provide, you will soon discover that menu access security is not sufficient. Chapter 6, "Using Object Authority to Protect Information Assets" on page 57, discusses your strategies for supplementing menu access control with object security.

However, iSeries also provides a simple way for you to prevent access to the QSYS.LIB file system through the root file system directory structure. You can use the QPWFSERVER authorization list to control which users can access the QSYS.LIB file system through the root directory. When a user's authority to the QPWFSERVER authorization list is *EXCLUDE, the user cannot enter the QSYS.LIB directory from the root directory structure. When a user's authority is *USE, the user can enter the directory. Once the user has authority to enter the directory, normal object authority applies for any action the user attempts to perform on an object within the QSYS.LIB file system. In other words, the authority to the QPWFSERVER authorization list acts like a door to the entire QSYS.LIB file system. For the user with *EXCLUDE authority, the door is locked. For the user with *USE authority (or any greater authority), the door is open.

For most situations, users do not need to use a directory interface to access objects in the QSYS.LIB file system. Probably, you will want to set the public authority to the QPWFSERVER authorization list to *EXCLUDE. Keep in mind that authority to the authorization list opens or closes the door to all libraries within the QSYS.LIB file system, including user libraries. If you encounter users who object to this exclusion, you can evaluate their requirements on an individual basis. If appropriate, you can explicitly authorize an individual user to the authorization list. However, you need to ensure that the user has appropriate authority to objects within the QSYS.LIB file system. Otherwise, the user might unintentionally delete objects or entire libraries.

Notes:
1. When your system ships, the public authority to the QPWFSERVER authorization list is *USE.
2. If you explicitly authorize an individual user, the authorization list controls access only with Client Access file serving, NetServer file serving, and file serving between iSeries systems. This does not prevent access to the same directories via FTP, ODBC, and other networks.
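The shipped setting beside the recommended one, with one user let back through the door. This is an added example, not part of the manual; USERA and the library PAYROLLLIB are assumptions.

```cl
/* As shipped: *PUBLIC has *USE, so every file-serving client can walk    */
/* into /QSYS.LIB. Display the list first to see the current entries.     */
DSPAUTL    AUTL(QPWFSERVER)

/* Lock the door for everyone                                             */
CHGAUTLE   AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)

/* Open it for one reviewed user only                                     */
ADDAUTLE   AUTL(QPWFSERVER) USER(USERA) AUT(*USE)

/* The list only controls entry; inside, normal object authority decides  */
/* what USERA can do, so review it for the libraries USERA will reach     */
DSPOBJAUT  OBJ(QSYS/PAYROLLLIB) OBJTYPE(*LIB)

/* Remember (note 2): FTP, ODBC and other network access to the same      */
/* objects are not affected by this list                                  */
```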

Securing Directories
To access an object within the root file system, you read through the entire path to that object. To search a directory, you must have *X (*OBJOPR and *EXECUTE) authority to that directory. Assume, for example, that you want to access the following object:
/companya/customers/custfile.dat
You must have *X authority to the companya directory and to the customers directory. With the root file system, you can create a symbolic link to an object. Conceptually, a symbolic link is an alias for a path name. Usually, it is shorter and easier to remember than the full path name. A symbolic link does not, however, create a different physical path to the object. The user still needs *X authority to every directory and subdirectory in the physical path to the object.

For objects in the root file system, you can use directory security just as you might use library security in the QSYS.LIB file system. You can, for example, set the public authority of a directory to *EXCLUDE to prevent public users from accessing any objects within that tree.
Security for New Objects
When you create a new object in the root file system, the interface that you use to create it determines its authorities. For example, if you use the CRTDIR command and its defaults, the new directory inherits all of the authority characteristics of its parent directory, including private authorities, primary group authority, and authorization list association. The following sections describe how authorities are determined for each type of interface.

Authority comes from the immediate parent directory, not from directories higher up in the tree. Therefore, as a security administrator, you need to view the authority that you assign to directories in a hierarchy from two perspectives:
• How the authority affects access to objects in the tree (like library authority).
• How the authority affects newly created objects (like the CRTAUT value for libraries).

Recommendation: You may want to give users who work in the integrated file system a home directory (for example, /home/usrxxx), then set the security appropriately (such as *PUBLIC *EXCLUDE). Any directories the user creates under their home directory will then inherit the authorities. Following are the descriptions of authority inheritance for different interfaces:
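The home directory recommendation above, together with the master subdirectory and root directory options from "Public Authority to the Root Directory", as one set of commands. This is an added example and not the manual's own; /home, the user USRXXX and the *RX choice for the master directory are assumptions.

```cl
/* Master directory under the root. Public may search it (needed to reach */
/* the home directories below) but gets no object authority and no *W,    */
/* so it cannot create, rename or delete anything directly in /home.      */
CRTDIR     DIR('/home') DTAAUT(*RX) OBJAUT(*NONE)

/* Per-user home directory with explicit *PUBLIC *EXCLUDE, instead of the */
/* *INDIR default that would have copied /home's public authority          */
CRTDIR     DIR('/home/usrxxx') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Hand it to the user; as owner, USRXXX gets full authority to it         */
CHGOWN     OBJ('/home/usrxxx') NEWOWN(USRXXX)
CHGUSRPRF  USRPRF(USRXXX) HOMEDIR('/home/usrxxx')

/* Anything USRXXX now creates below /home/usrxxx (CRTDIR with *INDIR,    */
/* mkdir(), a PC application) inherits *PUBLIC *EXCLUDE. Verify:          */
DSPAUT     OBJ('/home/usrxxx')

/* Third option from the root directory section: stop public creation in  */
/* the root itself by dropping *W and all object authorities. Evaluate    */
/* first; UNIX-like applications may expect *ALL on the root.             */
CHGAUT     OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
DSPAUT     OBJ('/')
```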
Using the iSeries 400 Create Directory Command
When you create a new subdirectory by using the CRTDIR command, you have two options for specifying authority:
• You can specify the public authority (data authority, object authority, or both).
• You can specify *INDIR for the data authority, object authority, or both.

When you specify *INDIR for both data authority and object authority, the system makes an exact copy of all the authority information from the parent directory to the new object, including authorization list, primary group, public authority, and private authorities. The system does not copy private authority that the QSYS profile or the QSECOFR profile has to the object.
Creating a Directory with an API
When you create a directory by using the mkdir() API, you specify the data authorities for the owner, the primary group, and public using the authority map of *R, *W, and *X. The system uses the information in the parent directory to set the object authorities for the owner, primary group, and public. Because UNIX-type operating systems do not have the concept of object authorities, the mkdir() API does not support specifying object authorities. If you want different object authorities, you can use the iSeries command CHGAUT. However, when you remove some object authorities, the UNIX-like application might not work as you expect it to work.
Creating a Stream File with the open() or creat() API
When you use the creat() API to create a stream file, you can specify the data authorities for the owner, the primary group, and public using the UNIX-like authorities of *R, *W, and *X. The system uses the information in the parent directory to set the object authorities for the owner, primary group, and public. You can also specify these authorities when you use the open() API to create a stream file. Alternatively, when you use the open() API you can specify that the object should inherit all authorities from the parent directory. This is called inherit mode. When you specify inherit mode, the system then creates a complete match for the parent authorities, including authorization list, primary group, public authority, and private authorities. This option works like specifying *INDIR on the CRTDIR command.
Creating an Object by Using a PC Interface
When you use a PC application to create an object in the root file system, the object automatically inherits all authority from the parent directory. This includes authorization list, primary group, public authority, and private authorities. PC applications do not have any equivalent to specifying authority when you create an object.
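The CL below is an added example, not from the manual: it creates directories under each of the two CRTDIR options described above and then uses CHGAUT to tighten the object authorities of a directory that an application created with the mkdir API. The directory names and the PAYGRP group profile are constructed for illustration.

```cl
/* Added example; directory names and PAYGRP are constructed.          */

/* Option 1: explicit public authority. *PUBLIC gets read and search  */
/* (execute) data authority and no object authority, so public users  */
/* can list and enter the directory but cannot delete or rename it.   */
CRTDIR DIR('/apps/payroll') DTAAUT(*RX) OBJAUT(*NONE)

/* Option 2: *INDIR on both parameters copies the parent's authority  */
/* information (authorization list, primary group, public authority   */
/* and private authorities, except those held by QSYS and QSECOFR).   */
CRTDIR DIR('/apps/payroll/2001') DTAAUT(*INDIR) OBJAUT(*INDIR)

/* Give the payroll group full data authority but no object authority;*/
/* object management stays with the owner.                            */
CHGAUT OBJ('/apps/payroll') USER(PAYGRP) DTAAUT(*RWX) OBJAUT(*NONE)

/* A directory the application created with mkdir() received its      */
/* object authorities from the parent. Remove them with CHGAUT; note  */
/* that a UNIX-style application may then behave differently.         */
CHGAUT OBJ('/apps/payroll/exports') USER(*PUBLIC) DTAAUT(*RX) +
       OBJAUT(*NONE)

/* Check the result.                                                  */
DSPAUT OBJ('/apps/payroll')
DSPAUT OBJ('/apps/payroll/exports')
```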
Security Tips for the QLANSrv and QNetWare File Systems
The purpose of both the QLANSrv file system and the QNetWare file system is to provide iSeries jobs with the ability to access data on a network server. An iSeries job uses the QLANSrv file system to make a client request for data to the LAN Server program. The LAN Server program can be running on an Integrated PC Server on the same iSeries system, or it might be running on a physically separate server in the network.
Chapter 12 Using the Integrated File System to secure your files
135
Note: The QLANSrv file system is not supported beyond V4R3.
Similarly, an iSeries job uses the QNetWare file system to make a client request for data to the NetWare Integration program, which might be running on an Integrated xSeries Server for iSeries or another server. Neither the QLANSrv file system nor the QNetWare file system actually stores or maintains any data. They provide the client function to allow iSeries jobs to access data that is stored and maintained on a server. Therefore, the server program (LAN Server or NetWare Integration) has responsibility for securing the data. As an iSeries security administrator, you should consider two things when a server program runs on an Integrated PC Server or Integrated xSeries Server for iSeries that is part of your system:
• First, understand who has responsibility for server-related security. Do you have an administrator for the server, and does that person have responsibility for security? Or is that data considered part of your iSeries application suite and thus part of your responsibility? Be sure that server security is not ignored simply because the administrative roles are not well defined.
• Second, if your security responsibility is broader than your traditional iSeries applications, you need to understand how server security works. The following suggestions use the LAN Server program as a starting point. Other server programs have similar security considerations.
LAN Server users do not pose a direct threat to your system. They cannot access data outside the QLANSrv file system from the LAN Server program. You and the LAN administrator need to understand that recovering LAN Server users and authorities is different from recovering iSeries users and authorities. You need to make plans to ensure that your LAN Server security information is being saved correctly.
Security Tips for the QFileSvr400 File System
With the QFileSvr400 file system, a user (USERX) on one iSeries system (SYSTEMA) can access data on another connected iSeries system (SYSTEMB). USERX has an interface that is just like the Client Access interface. The remote iSeries (SYSTEMB) appears as a directory with all its file systems as subdirectories. When USERX attempts to access SYSTEMB with this interface, SYSTEMA sends USERX's user profile name and encrypted password to SYSTEMB. The same user profile and password must exist on SYSTEMB, or SYSTEMB rejects the request. If SYSTEMB accepts the request, USERX appears to SYSTEMB just like any Client Access user. The same authority-checking rules apply to any actions that USERX attempts.
As a security administrator, you need to be aware that the QFileSvr400 file system represents another possible door to your system. You cannot assume that you are limiting your remote users to an interactive sign-on with display station passthrough. If you have the QSERVER subsystem running and your system is connected to another iSeries system, remote users can access your system as if they are on a local PC running Client Access. More than likely, your system will have a connection that needs to have the QSERVER subsystem running. This is yet another reason why a good object authority scheme is essential.
136
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
Security Tips for the Network File System
The Network File System (NFS) provides access to and from systems that have NFS implementations. NFS is an industry-standard method for sharing information among users on networked systems. Most major operating systems, including PC operating systems, provide NFS. For UNIX systems, NFS is the primary method for accessing data. iSeries can act as both an NFS client and an NFS server. When you are the security administrator of an iSeries system that acts as an NFS server, you need to understand and manage the security aspects of NFS. Following are suggestions and considerations:
• You must explicitly start the NFS server function by using the STRNFSSVR command. Control who has authority to use this command.
• You make a directory or an object available to NFS clients by exporting it. Therefore, you have very specific control over which parts of your system you will make available to NFS clients in your network.
• When you export, you can specify which clients have access to the objects. You identify a client by system name or IP address. A client can be an individual PC or an entire iSeries or UNIX system. In NFS terminology, the client IP address is called a machine.
• When you export, you can specify read-only access or read/write access for each machine that has access to an exported directory or object. In most cases, you will probably want to provide read-only access.
• NFS does not provide password protection. It is designed and intended for data sharing within a trusted community of systems. When a user requests access, the server receives the user's uid. Following are some uid considerations:
  - The iSeries attempts to locate a user profile with the same uid. If it finds a matching uid, it uses the credentials of the user profile. Credentials is an NFS term to describe using the authority of a user. This is similar to profile swapping in other iSeries applications.
  - When you export a directory or object, you can specify whether you will allow access by a profile with root authority. The NFS server on iSeries equates root authority to *ALLOBJ special authority. If you specify that you will not allow root authority, an NFS user with a uid that maps to a user profile with *ALLOBJ special authority will not be able to access the object under that profile. Instead, if anonymous access is allowed, the requester will be mapped to the anonymous profile.
  - When you export a directory or object, you can specify whether you will allow anonymous requests. An anonymous request is a request with a uid that does not match any uid on your system. If you choose to allow anonymous requests, the system maps the anonymous user to the IBM-supplied QNFSANON user profile. This user profile does not have any special authorities or explicit authority. On the export, you can specify a different user profile for anonymous requests if you want.
• When your iSeries participates in an NFS network (or any network with UNIX systems that depend on uids), you probably need to manage your own uids instead of letting the system assign them automatically. You will need to coordinate uids with other systems in your network. You might discover that you need to change uids even for IBM-supplied user profiles to have compatibility with other systems in your network. Beginning with V3R7, a program is available to make it simpler to change the uid for a user profile. When you change the uid for a user profile, you also need to change the uid for all the objects that the profile owns in either the root directory or the QOpenSys directory. The QSYCHGID program automatically changes the uid in both the user profile and all the owned objects. For information about how to use this program, see the iSeries 400 System API Reference book.
Chapter 13 Tips for Securing APPC Communications
When your system participates in a network with other systems, a new set of doors and windows to your system becomes available. As security administrator, you should be aware of the options that you can use to control the entrances to your system in an APPC environment. Advanced program-to-program communications (APPC) is a way that computers, including personal computers, communicate with each other. Display station passthrough, distributed data management, and Client Access can all use APPC communications.
The topics that follow provide some basic information about how APPC communications works and how you can set up appropriate security. These topics concentrate primarily on the security-relevant elements of an APPC configuration. To adapt this example to your situation, you will need to work with the people who manage your communications network and perhaps your application providers. Use this information as a foundation to help you understand the security issues and the options that are available for APPC.
Security is never free. Some suggestions for making network security easier may make network administration more difficult. For example, this book does not emphasize APPN (Advanced Peer-to-Peer Networking), because security is easier to understand and manage without APPN. However, without APPN, the network administrator must manually create configuration information that APPN creates automatically.
PCs Use Communications, Too
Many methods for connecting PCs to your iSeries depend on communications, such as APPC or TCP/IP. When you read the topics that follow, be sure to consider the security issues for connecting both to other systems and to PCs. When you plan your network protection, make sure that you do not adversely affect the PCs that are attached to your system.
APPC Terminology
APPC provides the ability for a user on one system to perform work on another system. The system from which the request starts is called any of the following:
• Source system
• Local system
• Client
The system that receives the request is called any of the following:
• Target system
• Remote system
• Server
Copyright IBM Corp 1996, 2001
Basic Elements of APPC Communications
From the perspective of a security administrator, the following must happen before a user on one system (SYSTEMA) can perform meaningful work on another system (SYSTEMB):
• The source system (SYSTEMA) must provide a path to the target system (SYSTEMB). This path is called an APPC session.
• The target system must identify the user and associate the user with a user profile. The target system must support the encryption algorithm of the source system (see Password Levels on page 26 for more information).
• The target system must start a job for the user with an appropriate environment (work management values).
The topics that follow discuss these elements and how they relate to security. The security administrator on the target system has primary responsibility for ensuring that APPC users do not violate security. However, when the security administrators on both systems work together, the job of managing APPC security is much easier.
The Basics of an APPC Session
In an APPC environment, when a user or application on one system (such as SYSTEMA in Figure 34) requests access to another system (SYSTEMB), the two systems set up a session. To establish the session, the systems must link two matching APPC device descriptions. The remote location name (RMTLOCNAME) parameter in the SYSTEMA device description must match the local location name (LCLLOCNAME) parameter in the SYSTEMB device description, and vice versa.
APPC Device Description on SYSTEMA        APPC Device Description on SYSTEMB
  RMTLOCNAME: SYSTEMB                       LCLLOCNAME: SYSTEMB
  LCLLOCNAME: SYSTEMA                       RMTLOCNAME: SYSTEMA
  LOCPWD:     X@6                           LOCPWD:     X@6
  SECURELOC:  *NO                           SECURELOC:  *YES

Figure 34. APPC Device Description Parameters
For the two systems to establish an APPC session, the location passwords in the APPC device descriptions on SYSTEMA and SYSTEMB must be identical. Both must specify *NONE, or both must specify the same value. If the passwords are a value other than *NONE, they are stored and transmitted in encrypted format. If the passwords match, the systems establish a session. If the passwords do not match, the user's request is rejected. When systems specify location passwords to establish a session, this is called a secure bind.
Note: Not all computer systems provide support for the secure bind function.
Tips for Restricting APPC Sessions
As security administrator on a source system, you can use object authority to control who can attempt to access other systems. Set the public authority for APPC device descriptions to *EXCLUDE and give *CHANGE authority to specific users. Use the QLMTSECOFR system value to prevent users with *ALLOBJ special authority from using APPC communications.
As security administrator on a target system, you can also use authority to APPC devices to prevent users from starting an APPC session on your system. However, you need to understand what user ID will be attempting to access the APPC device description. "How an APPC User Gains Entrance to the Target System" describes how iSeries associates a user ID with a request for an APPC session.
Note: You can use the Print Publicly Authorized Objects (PRTPUBAUT *DEVD) command and the Print Private Authorities (PRTPVTAUT *DEVD) command to find out who has authority to device descriptions on your system.
When your system uses APPN, it automatically creates a new APPC device when no existing device is available for the route that the system has chosen. One method for restricting access to APPC devices on a system that is using APPN is to create an authorization list. The authorization list contains the list of users who should be authorized to APPC devices. You then use the Change Command Default (CHGCMDDFT) command to change the CRTDEVAPPC command. For the authority (AUT) parameter on the CRTDEVAPPC command, set the default value to the authorization list that you created.
Note: If your system has a language other than English, you need to change the command default in the QSYSxxxx library for each national language that is on your system.
You use the location password (LOCPWD) parameter in the APPC device description to validate the identity of another system that is requesting a session on your system on behalf of a user or an application. The location password can help you detect an imposter system. When you use location passwords, you must coordinate with security administrators for other systems in the network.
You must also control who can create or change APPC device descriptions and configuration lists. The system requires *IOSYSCFG special authority to use the commands that work with APPC devices and configuration lists.
Note: When you use APPN, the location passwords are stored in the QAPPNRMT configuration list rather than in device descriptions.
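The CL below is an added example, not from the manual, that applies the restrictions described in this section: an authorization list for the users allowed to use APPC devices, the CRTDEVAPPC default for APPN-created devices, the QLMTSECOFR system value, and the two print commands for checking the result. APPCUSERS, CDMDEV1, USERA and USERB are constructed names.

```cl
/* Added example; APPCUSERS, CDMDEV1, USERA and USERB are constructed. */

/* 1. Authorization list naming the users who may use APPC devices.   */
/*    *PUBLIC on the list is *EXCLUDE, so anyone not on the list is   */
/*    refused (subject to QLMTSECOFR for *ALLOBJ users, see step 4).  */
CRTAUTL AUTL(APPCUSERS) AUT(*EXCLUDE) +
        TEXT('Users permitted to use APPC devices')
ADDAUTLE AUTL(APPCUSERS) USER(USERA USERB) AUT(*CHANGE)

/* 2. Secure an existing APPC device description with the list and    */
/*    take the device's public authority from the list.               */
GRTOBJAUT OBJ(QSYS/CDMDEV1) OBJTYPE(*DEVD) AUTL(APPCUSERS)
GRTOBJAUT OBJ(QSYS/CDMDEV1) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*AUTL)

/* 3. On an APPN system the devices are created automatically, so     */
/*    make the list the default AUT value of CRTDEVAPPC. Repeat this  */
/*    for the QSYSxxxx library of each national language installed.   */
CHGCMDDFT CMD(QSYS/CRTDEVAPPC) NEWDFT('AUT(APPCUSERS)')

/* 4. Keep *ALLOBJ users off devices unless they are explicitly        */
/*    authorized to them.                                             */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

/* 5. Check who still has authority to device descriptions.           */
PRTPUBAUT OBJTYPE(*DEVD)
PRTPVTAUT OBJTYPE(*DEVD)
```

Only users with *IOSYSCFG special authority can run the device commands above, and the command default in step 3 does not alter devices that already exist.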
How an APPC User Gains Entrance to the Target System
When the systems establish the APPC session, they create a path for the requesting user to get to the door of the target system. Several other elements determine what the user must do to gain entrance to the other system. The topics that follow describe the elements that determine how an APPC user gains entrance to the target system.
Methods That the System Uses to Send Information about a User
APPC architecture provides three methods for sending security information about a user from the source system to the target system. These methods are referred to as the architected security values. Table 18 on page 142 shows these methods.
Note: The APPC Programming book provides more information about the architected security values.
Table 18. Security Values in the APPC Architecture

Architected Security Value   User ID Sent to Target System   Password Sent to Target System
None                         No                              No
Same                         Yes (1)                         No (see note 2)
Program                      Yes                             Yes (3)

Notes:
1. The source system sends the user ID if the target system specifies SECURELOC(*YES) or SECURELOC(*VFYENCPWD).
2. The user does not enter a password on the request because the password is already verified by the source system. For SECURELOC(*YES) and SECURELOC(*NO), the source system does not send the password. For SECURELOC(*VFYENCPWD), the source system retrieves the stored, encrypted password and sends it in encrypted form.
3. On V3R1 and later versions, the system sends the password in encrypted form if both the source and target systems support password encryption. Otherwise, the password is not encrypted.
The application that the user requests determines the architected security value. For example, SNADS always uses SECURITY(NONE). DDM uses SECURITY(SAME). With display station passthrough, the user specifies the security value by using parameters on the STRPASTHR command. In all cases, the target system chooses whether to accept a request with the security value that is specified on the source system. In some situations, the target system may reject the request completely. In other situations, the target system may force a different security value. For example, when a user specifies both a user ID and a password on the STRPASTHR command, the request uses SECURITY(PGM). However, if the QRMTSIGN system value is *FRCSIGNON on the target system, the user still sees a Sign On display. With the *FRCSIGNON setting, the systems always use SECURITY(NONE), which is the equivalent of the user entering no user ID and password on the STRPASTHR command.
Notes:
1. The source and target systems negotiate the security value before data is sent. In the situation where the target system specifies SECURELOC(*NO) and the request is SECURITY(SAME), for example, the target system tells the source system to use SECURITY(NONE). The source system does not send the user ID.
2. Beginning with V4R2, the target system rejects a session request when the user's password on the target system has expired. This applies only to connection requests that send a password, including the following:
• Session requests of type SECURITY(PROGRAM)
• Session requests of type SECURITY(SAME) when the SECURELOC value is *VFYENCPWD
Options for Dividing Security Responsibility in a Network
When your system participates in a network, you must decide whether to trust the other systems to validate the identity of a user who is trying to enter your system. Will you trust SYSTEMA to ensure that USERA is really USERA (or QSECOFR is really QSECOFR)? Or will you require a user to provide a user ID and password again?
The secure location (SECURELOC) parameter on the APPC device description on the target system specifies whether the source system is a secure (trusted) location. For example, in Figure 34 on page 140, SYSTEMB trusts SYSTEMA to validate user identities (the SECURELOC parameter in the device description on SYSTEMB is *YES). SYSTEMA does not trust SYSTEMB to validate user identities.
When both systems are running a release that supports *VFYENCPWD (V3R2 or later), SECURELOC(*VFYENCPWD) provides additional protection when applications use SECURITY(SAME). Although the requester does not enter a password on the request, the source system retrieves the user's password and sends it with the request. For the request to be successful, the user must have the same user ID and password on both systems. When the target system specifies SECURELOC(*VFYENCPWD) and the source system does not support this value, the target system handles the request as SECURITY(NONE).
Table 19 shows how the architected security value and the SECURELOC value work together:
Table 19. How the APPC Security Value and the SECURELOC Value Work Together

Source System Architected Security Value   Target System SECURELOC Value   User Profile for Job
None                                       Any                             Default user (1)
Same                                       *NO                             Default user (1)
Same                                       *YES                            Same user profile name as requester from source system
Same                                       *VFYENCPWD                      Same user profile name as requester from source system. The user must have the same password on both systems.
Program                                    Any                             The user profile that is specified on the request from the source system

Notes:
1. The default user is determined by the communications entry in the subsystem description. "How the Target System Assigns a User Profile for the Job" describes this.
How the Target System Assigns a User Profile for the Job
When a user requests an APPC job on another system, the request has a mode name associated with it. The mode name may come from the user's request, or it may be a default value from the network attributes of the source system. The target system uses the mode name and the APPC device name to determine how the job will run. The target system searches the active subsystems for a communications entry that is the best match for the APPC device name and the mode name.
The communications entry specifies what user profile the system will use for SECURITY(NONE) requests. Following is an example of a communications entry in a subsystem description:

                         Display Communications Entries
Subsystem description:   QCMN                  Status:   ACTIVE

Device    Mode       Job Description   Library   Default User   Max Active
*ALL      *ANY       *USRPRF                     *SYS           *NOMAX
*ALL      QPCSUPP    *USRPRF                     *NONE          *NOMAX
Table 20 shows the possible values for the default user parameter in a communications entry:

Table 20. Possible Values for the Default User Parameter

Value       Result
*NONE       No default user is available. If the source system does not supply a user ID on the request, the job will not run.
*SYS        Only IBM-supplied programs (system jobs) will run. No user applications will run.
user-name   If the source system does not send a user ID, the job runs under this user profile.
You can use the Print Subsystem Description (PRTSBSDAUT) command to print a list of all subsystems that have communications entries with a default user profile.
Options for Display Station Passthrough
Display station passthrough is an example of an application that uses APPC communications. You can use display station passthrough to sign on to another system that is connected to your system through a network. Table 21 shows examples of passthrough requests (STRPASTHR command) and how the target system handles them. For display station passthrough, the system uses the basic elements of APPC communications and the remote sign-on (QRMTSIGN) system value.
Note: Display Station Passthrough requests are no longer routed through the QCMN or QBASE subsystems. Beginning with V4R1, they are routed through the QSYSWRK subsystem. Prior to V4R1 you could assume that by not having the QCMN or QBASE subsystems started, Display Station Passthrough would not work. This is no longer true. You can force Display Station Passthrough to go through QCMN or QBASE (if it is active) by changing the QPASTHRSVR system value to 0.
Table 21. Sample Pass-Through Sign-On Requests

Values on STRPASTHR Command                                          SECURELOC     Target System    Result
User ID                               Password                       Value         QRMTSIGN Value
*NONE                                 *NONE                          Any           Any              The user must sign on the target system.
A user profile name                   Not entered                    Any           Any              The request fails.
*CURRENT                              Not entered                    *NO           Any              The request fails.
*CURRENT                              Not entered                    *YES          *SAMEPRF         An interactive job starts with the same user profile name as the user profile on the source system. No password is passed to the remote system. The user profile name must exist on the target system.
                                                                                   *VERIFY          The user must sign on the target system.
                                                                                   *FRCSIGNON       The user must sign on the target system.
*CURRENT                              Not entered                    *VFYENCPWD    *SAMEPRF         An interactive job starts with the same user profile name as the user profile on the source system. The source system retrieves the user's password and sends it to the remote system. The user profile name must exist on the target system.
                                                                                   *VERIFY          (Same as *SAMEPRF above.)
                                                                                   *FRCSIGNON       The user must sign on the target system.
*CURRENT or the name of the           Entered                        Any           *SAMEPRF         An interactive job starts with the same user profile name as the user profile on the source system. The password is sent to the remote system. The user profile name must exist on the target system.
current user profile for the job                                                   *VERIFY          (Same as *SAMEPRF above.)
                                                                                   *FRCSIGNON       The user must sign on the target system.
A user profile name (a name           Entered                        Any           *SAMEPRF         The request fails.
different from the current user                                                    *VERIFY          An interactive job starts with the specified user profile name. The password is sent to the target system. The user profile name must exist on the target system.
profile for the job)                                                               *FRCSIGNON       The user must sign on the target system.
Tips for Avoiding Unexpected Device Assignments
When a failure occurs on an active device, the system attempts to recover. In some circumstances, when the connection is broken, another user can unintentionally reestablish the session that had the failure. For example, assume that USERA powered off a workstation without signing off. USERB could power on the workstation and restart USERA's session without signing on. To prevent this possibility, set the Device I/O Error Action (QDEVRCYACN) system value to *DSCMSG. When a device fails, the system will then end the user's job.
Tips for Controlling Remote Commands and Batch Jobs
Several options are available to help you control what remote commands and jobs can run on your system, including the following:
• If your system uses DDM, you can restrict access to DDM files to prevent users from using the Submit Remote Command (SBMRMTCMD) command from another system. To use SBMRMTCMD, the user must be able to open a DDM file. You also need to restrict the ability to create DDM files.
• You can specify an exit program for the DDM request access (DDMACC) system value. In the exit program, you can evaluate all DDM requests before allowing them.
• You can use the network job action (JOBACN) network attribute to prevent network jobs from being submitted or to prevent them from running automatically.
• You can specify explicitly which program requests can run in a communications environment by removing the PGMEVOKE routing entry from subsystem descriptions. The PGMEVOKE routing entry allows the requester to specify the program that runs. When you remove this routing entry from subsystem descriptions, such as the QCMN subsystem description, you must add routing entries for the communications requests that need to run successfully. "Architected TPN Requests" on page 121 lists the program names for the communications requests by IBM-supplied applications. For each request that you want to allow, you can add a routing entry with the compare value and the program name both equal to the program name. When you use this method, you need to understand the work management environment on your system and the types of communications requests that occur on your system. If possible, you should test all types of communications requests to ensure that they work properly after you change the routing entries. When a communications request does not find an available routing entry, you receive a CPF1269 message. Another alternative, less error-prone but perhaps slightly less effective, is to set the public authority to *EXCLUDE for the transaction programs that you do not want to run on your system.
Note: The Work Management book provides more information about routing entries and how the system handles program-start requests.
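The CL below is an added example, not from the manual, that combines the subsystem-description controls from "How the Target System Assigns a User Profile for the Job" (Table 20) with the options listed above: it removes the default user from the QCMN communications entry, replaces the PGMEVOKE routing entry with explicit entries, and sets the JOBACN and DDMACC network attributes. TPNPGM, TPNPGM2, QGPL/DDMEXIT and the sequence numbers are placeholders.

```cl
/* Added example; TPNPGM, TPNPGM2, QGPL/DDMEXIT and the sequence      */
/* numbers are placeholders. Take the real values from DSPSBSD and   */
/* the Work Management book before changing a production subsystem.  */

/* 1. Review the communications entries (Table 20) and routing entries.*/
DSPSBSD SBSD(QSYS/QCMN)

/* 2. Remove the default user from the general communications entry.  */
/*    A SECURITY(NONE) request that carries no user ID then has no    */
/*    profile to run under and does not run (Table 20, *NONE).        */
CHGCMNE SBSD(QSYS/QCMN) DEV(*ALL) MODE(*ANY) DFTUSR(*NONE)

/* 3. Remove the PGMEVOKE routing entry so the requester can no longer */
/*    name the program to run. 250 is a placeholder for the sequence  */
/*    number DSPSBSD shows for the entry whose program is *RTGDTA.   */
RMVRTGE SBSD(QSYS/QCMN) SEQNBR(250)

/* 4. Add one routing entry per request you still want to allow, with */
/*    the compare value and the program name both equal to the TPN    */
/*    program name. 37 is the routing-data position of the program    */
/*    name in a program start request; confirm it for your release.   */
/*    A request with no matching entry fails with CPF1269.            */
ADDRTGE SBSD(QSYS/QCMN) SEQNBR(300) CMPVAL(TPNPGM 37) +
        PGM(QSYS/TPNPGM) CLS(QSYS/QCMN)

/* 5. Do not let SNADS network jobs be submitted or run automatically.*/
CHGNETA JOBACN(*REJECT)

/* 6. Pass every DDM request to your own exit program first.          */
/*    DDMACC is changed with CHGNETA; QGPL/DDMEXIT is a placeholder.  */
CHGNETA DDMACC(QGPL/DDMEXIT)

/* 7. The less error-prone alternative to steps 3 and 4: leave the    */
/*    routing entries alone and exclude the public from the           */
/*    transaction programs you do not want to run.                   */
GRTOBJAUT OBJ(QSYS/TPNPGM2) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
```

After the changes, test each kind of communications request your system receives, since a request without a matching routing entry is rejected rather than routed.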
Security Tips for Evaluating Your APPC Configuration
You can use the Print Communications Security (PRTCMNSEC) command or menu options to print the security-relevant values in your APPC configuration. The topics that follow describe the information on the reports.
Security-Relevant Parameters for APPC Devices
Figure 35 shows an example of the Communications Information Report for device descriptions. Figure 36 shows an example of the report for configuration lists. Following the reports are explanations of fields on the reports.
                      Communications Information (Full Report)                            SYSTEM4
Object type . . . . . . . . . . . : DEVD

                           Device     Secure     Location   APPN      Single    Pre-established   SNUF
Object Name   Object Type  Category   Location   Password   Capable   Session   Session           Program Start
CDMDEV1       DEVD         APPC       NO         NO         NO        YES       NO
CDMDEV2       DEVD         APPC       NO         NO         NO        YES       NO

Figure 35. APPC Device Descriptions - Sample Report

                           Display Configuration List                    SYSTEM4   12/17/95  07:24:36
Configuration list . . . . . . . : QAPPNRMT
Configuration list type  . . . . : *APPNRMT
Text . . . . . . . . . . . . . . :

-----------------------------APPN Remote Locations-----------------------------
Remote     Remote       Local      Remote          Control         Secure
Location   Network ID   Location   Control Point   Point Net ID    Loc
SYSTEM36   APPN         SYSTEM4    SYSTEM36        APPN            *NO
SYSTEM32   APPN         SYSTEM4    SYSTEM32        APPN            *NO
SYSTEMU    APPN         SYSTEM4    SYSTEM33        APPN            *YES
SYSTEMJ    APPN         SYSTEM4    SYSTEMJ         APPN            *NO
SYSTEMR2   APPN         SYSTEM4    SYSTEM1         APPN            *NO

-----------------------------APPN Remote Locations-----------------------------
Remote     Remote       Local      Single    Number of       Local Control   Pre-established
Location   Network ID   Location   Session   Conversations   Session         Session
SYSTEM36   APPN         SYSTEM4    *NO       10              *NO             *NO
SYSTEM32   APPN         SYSTEM4    *NO       10              *NO             *NO

Figure 36. Configuration List Report - Example 1
Secure Location Field
The secure location (SECURELOC) field specifies whether the local system trusts the remote system to do password verification on behalf of the local system. The SECURELOC field applies only to applications that use the SECURITY(SAME) value, such as DDM and applications that use the CPI-Communications API.
SECURELOC(*YES) makes the local system vulnerable to possible weaknesses in the remote system. Any user that exists on both systems can call programs on the local system. This is particularly dangerous because the QSECOFR (security officer) user profile exists on all iSeries systems and has *ALLOBJ special authority. If a system in the network does not do a good job of protecting the QSECOFR password, other systems that treat that system as a secure location are at risk.
When you use SECURELOC(*VFYENCPWD), your system is less vulnerable to other systems that do not adequately protect passwords. A user who requests an application that uses SECURITY(SAME) must have the same user ID and password on both systems. SECURELOC(*VFYENCPWD) requires password administration policies across your network so that users have the same password on all systems.
Note: SECURELOC(*VFYENCPWD) is supported only between systems that are running V3R2, V3R7, or V4R1. If the target system specifies SECURELOC(*VFYENCPWD) and the source system does not support this function, the request is treated as SECURITY(NONE).
If a system specifies SECURELOC(*NO), applications that use SECURITY(SAME) will need a default user to run programs. The default user depends on both the device description and the mode that are associated with the request. See "How the Target System Assigns a User Profile for the Job" on page 143.
Location Password Field
The location password field determines whether the two systems will exchange passwords to verify that the requesting system is not an imposter system. "The Basics of an APPC Session" on page 140 provides more information about location passwords.
APPN-Capable Field
The APPN-capable (APPN) field specifies whether the remote system can support advanced networking functions or is limited to single-hop connections. APPN(*YES) means the following:
• If the remote system is a network node, the remote system may be capable of connecting the local system to other systems. This is called intermediate node routing. It means that users on your system may be able to use the remote system as a route to a larger network.
• If the local system is a network node, the remote system can use the local system to connect to other systems. Users on the remote system may be able to use your system as a route to a larger network.
Note: You can use the DSPNETA command to determine whether a system is a network node or an end node.
Single Session Field
The single session (SNGSSN) field specifies whether the remote system can run more than one session at a time by using the same APPC device description. SNGSSN(*NO) is commonly used because it eliminates the need to create multiple device descriptions for a remote system. For example, a PC user often wants more than one 5250-emulation session and sessions for file-server and print-server functions. With SNGSSN(*NO), you can provide this function with one device description for the PC on the iSeries system. SNGSSN(*NO) means that you must rely on the security-conscious operating procedures of PC users and other APPC users. Your system is vulnerable to someone on the remote system who starts an unauthorized session that uses the same device description as an existing session. This practice is sometimes referred to as piggy-backing.
Pre-Establish Session Field
The pre-establish session (PREESTSSN) field for a single-session device controls whether the local system starts a session with the remote system when the remote system first contacts the local system. PREESTSSN(*NO) means that the local system waits to start a session until an application requests a session with the system. PREESTSSN(*YES) is useful for minimizing how long it takes for an application program to complete the connection. PREESTSSN(*YES) prevents the system from disconnecting a switched (dial-up) line that is no longer being used. The application or the user must explicitly vary off the line. PREESTSSN(*YES) may lengthen the time that the local system is vulnerable to piggy-backing on the session.
148
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
SNUF Program Start Field
The SNUF program start field specifies whether the remote system is allowed to start programs on the local system. *YES means that the object authority scheme on the local system must be adequate to protect objects when users on the remote system start jobs and run programs on the local system.
Security-Relevant Parameters for APPC Controllers
Figure 37 shows an example of the Communications Information Report for controller descriptions. Following the report, you will find explanations of fields on the report.
Communications Information          Full Report                      SYSTEM4
Object type . . . . . : *CTLD

Object Name            CTL01      CTL02      CTL03
Object Type            *CTLD      *CTLD      *CTLD
Controller Category    *APPC      *APPC      *APPC
Auto Create            *YES       *YES       *YES
Switched Controller    *YES       *YES       *YES
Call Direction         *DIAL      *DIAL      *DIAL
APPN Capable           *YES       *YES       *YES
CP Sessions            *YES       *YES       *YES
Disconnect Timer       0          0          0
Delete Seconds         1440       1440       1440
Device Name            AARON      BASIC      *NONE

Figure 37. APPC Controller Descriptions - Sample Report
Auto-Create Field
On a line description, the auto-create (AUTOCRTCTL) field specifies whether the local system automatically creates a controller description when an incoming request cannot find a matching controller description. On a controller description, the auto-create (AUTOCRTDEV) field specifies whether the local system automatically creates a device description when an incoming request cannot find a matching device description. For controllers that are APPN-capable, the auto-create field has no effect. The system automatically creates device descriptions when necessary, regardless of how you have set the auto-create field. When you specify *YES for a line description, anyone with access to the line can connect to your system. This includes sites that are connected by bridges and routers.
Control Point Sessions Field
For APPN-capable controllers, the control point sessions (CPSSN) field controls whether the system establishes an APPC connection with the remote system automatically. The system uses the CP session to exchange network information and status with the remote system. The exchange of up-to-date information between APPN network nodes is particularly important so that your network functions smoothly. When you specify *YES, an idle switched line does not disconnect automatically. This makes your system more vulnerable to a piggy-back session.
Disconnect Timer Field
For an APPC controller, the disconnect timer field specifies how long a controller must be unused (no active sessions) before the system disconnects the line to the remote system. This field has two values. The first value specifies how long the controller will stay active from the time it is initially contacted. The second value determines how long the system waits after the last session has ended on the controller before the system drops the line.
The system uses the disconnect timer only when the switched disconnect (SWTDSC) field is *YES. If you make these values large, your system is more vulnerable to piggy-back sessions.
Security-Relevant Parameters for Line Descriptions
Figure 38 shows an example of the Communications Information Report for line descriptions. Following the report, you will find explanations of fields on the report.

Communications Information          Full Report
Object type . . . . . : *LIND

Object Name            LINE01     LINE02     LINE03     LINE04
Object Type            *LIND      *LIND      *LIND      *LIND
Line Category          *SDLC      *SDLC      *SDLC      *SDLC
Auto Create            *NO        *NO        *NO        *NO
Delete Seconds         0          0          0          0
Auto Answer            *NO        *YES       *NO        *YES
Auto Dial              *NO        *NO        *NO        *NO

Figure 38. APPC Line Descriptions - Sample Report
Auto Answer Field
The auto answer (AUTOANS) field specifies whether the switched line will accept incoming calls without operator intervention. When you specify *YES, your system is less secure because it can be accessed more easily. To minimize the security exposure when you specify *YES, you should vary off the line when you do not need it.
Auto Dial Field
The auto dial (AUTODIAL) field specifies whether the switched line can make outgoing calls without operator intervention. When you specify *YES, you allow local users who do not have physical access to communications lines and modems to connect to other systems.
APPC, APPN, and HPR security considerations
The following are some aspects of security for iSeries systems communicating with each other using APPC, APPN, and HPR:
• General security considerations: Consider the following measures when securing your network:
  Note: The following password considerations only apply if password protection is not active.
  - When application program security is used, specify SECURELOC(*VFYENCPWD). This means that you only get to log on if BOTH your user profile name AND password are the same on both systems.
  - The person responsible for network security ensures that each user has a unique user ID throughout the network.
  - Have your system administrator set a limit on the number of consecutive password attempts that are not valid for a given display device. When this limit is reached, the device is then varied off. Set the limit with the system value QMAXSIGN.
    Note: This is only true for display devices, not for APPC devices.
  - Users can sign on to more than one iSeries 400 system with the same profile. To limit the user profile to one sign-on, set the system value (*SYSVAL) for the LMTDEVSSN parameter on either the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) command.
• Physical security considerations: You are responsible for the physical security of your system when you specify *NONE for the location password (LOCPWD) parameter during APPC configuration. In this case, the iSeries system does not validate the identity of a remote system when a session is being established. However, you can still use application-level security if the remote system supports it, for example, if the remote system is an iSeries system with security level 20 or above.
• Session-level security: Only security for communications or multiple systems management is discussed on this page. Security needs to be consistent across all the systems in a network if intersystem access is to be controlled and yet not unnecessarily restricted. For security considerations specific to running APPN and HPR over your network, refer to "Protecting your system in an APPN and HPR environment" for more information.
Session-level security for APPN and HPR
Session-level security is achieved by specifying a password on the LOCPWD parameter during configuration. The iSeries 400 system uses the password to validate the identity of the remote system during session establishment. The password must match the password specified on the remote system, or the connection is not allowed. If the remote system does not support session-level security (Series/1 RPS version 7.1, CICS/VS release 1.6):
• Specify LOCPWD(*NONE) to establish the connection, and provide the necessary physical security.
There is a security concern when you create device descriptions with APPN(*YES), and when APPN automatically creates and varies on a device description with the same remote network ID, location name, and local location name as the APPN remote location configuration list entry. To compensate for remote locations using an independent device description with APPN(*YES):
• Add an entry to the APPN remote location configuration list that includes security information.
Note: In order to avoid using security information that cannot be predicted, ensure that all the device descriptions, as described above, contain exactly the same security information.
Protecting your system in an APPN and HPR environment
APPN networks provide open connectivity, and require minimal configuration by each system in the network. When a system has a connection into an APPN network, it can establish sessions with other systems that are connected within that APPN network. APPN reduces the physical, configuration barriers to communications. However, you might want to build some logical barriers between systems in the network for security reasons. This ability to control which systems can connect to yours is often called firewall support. Network administrators might use a variety of node types to specify which connections between APPC locations are allowed. For example, you might want to allow SYSTEMB to communicate with SYSTEMA and SYSTEMD, but not with SYSTEMC. The page "APPN filtering support" gives an explanation of this. For an example, see "Creating a session endpoint filter". To expand on this, administrators can use class of service (COS) routing to select nodes and transmission groups that are eligible for inclusion in network session routes.
APPN filtering support
Before we discuss APPN filtering support, an explanation of node types in an APPN network is needed:
• A peripheral node is at the edge of a network. It can participate in the network, but it cannot provide intermediate routing to other systems in the network. A peripheral node can be an end node (EN), such as MADISON and PARIS in the figure below. A peripheral node can be a low-entry networking node (LEN), such as CHICPC1 and CHICPC2. A peripheral node can also be a network node in a different network (NETID). From CHICAGO's perspective, LONDON is a peripheral node.
• A network node (NN) provides routing services among systems in the network. In the figure below, CHICAGO and ATLANTA are examples of network nodes.
• A Branch Extender node is an extension to the APPN network architecture that appears as a network node (NN) to the Local Area Network (LAN), and as an end node (EN) to the Wide Area Network (WAN). This reduces topology flows, because information about resources in the LAN is kept out of the WAN.
APPN filtering support provides the ability to create a firewall that is based on APPC location names. You use two different types of filter lists:
• A session-endpoint filter controls access to and from a location. For example, the session endpoint filter on the CHICAGO system in the figure below specifies which locations can establish a session with CHICAGO or with PAYROLL. CHICAGO and PAYROLL are two different locations on the CHICAGO system. Similarly, the session endpoint filter on the MADISON system specifies which locations can establish a session with the MADISON location.
Figure 39 Two connected APPN networks
On iSeries, you can use the new QAPPNSSN configuration list, by itself or in conjunction with the QAPPNRMT configuration list, to create a session endpoint filter.
• A directory search filter on a network node determines the following for its associated peripheral nodes:
  - Access from the peripheral node when the peripheral node is the requester. For example, in Figure 39 you can use the directory search filter on LONDON to control the possible destinations for users on the PARIS system. Similarly, you can use the directory search filter on CHICAGO to control the possible destinations for users on CHICPC1 and CHICPC2.
  - Access to the peripheral node when the peripheral node is the destination. In Figure 39, for example, you can use the directory search filter on CHICAGO to determine which locations can access CHICPC1. Because both CHICAGO and DALLAS provide connections to MADISON, you must set up the directory search filters on both CHICAGO and DALLAS to restrict connections to MADISON. Similarly, you can use the directory search filter on CHICAGO to specify which USANET locations are permissible destinations for EURONET users.
To create a directory search filter, use the QAPPNDIR configuration list.
Creating a session endpoint filter
The following are two different methods for creating a session endpoint filter on the CHICAGO system in the figure below. They must satisfy the following requirements:
• Only the FINANCE location can establish a session with the PAYROLL location.
• The CHICAGO location can communicate with any USANET location except PAYROLL.
• The CHICAGO location can communicate with LONDON.
Figure 40 Two connected APPN networks
• Using the QAPPNSSN and QAPPNRMT configuration lists together: The most secure method for creating a session endpoint filter is to use the QAPPNSSN configuration list and the QAPPNRMT configuration list together. The QAPPNRMT configuration list provides password security between systems, which helps to protect from an imposter system (a system or user that is pretending to be another system). When you use this method, you create a QAPPNSSN configuration list that does not specify any remote locations. It points to the QAPPNRMT configuration list. The drawback to this method is that you must explicitly define each location pair on the QAPPNRMT configuration list. If you want the CHICAGO location (which is on the same system as the PAYROLL location) to communicate with other locations, you need to add an entry for each pair.
• Using the QAPPNSSN configuration list by itself: When you specify remote locations in the QAPPNSSN configuration list, your configuration task is simpler because you can use generic names and wildcard entries. However, when you use this method, you do not have the protection of password verification between locations. In addition, when you use generic names and wildcards, the system might accept or reject requests in a different way than you intended.
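The two methods above, modelled as an added example (this is not IBM code and not the QAPPNSSN or QAPPNRMT list format): the entry layout, first-match evaluation and implicit reject are assumptions of the model, the location names are the page's, and FINANCE is assumed to be a USANET location. It also shows the wildcard caveat, where one generic entry admits sessions the administrator did not intend.

```python
# Added example, not IBM code: a small model of an APPN session endpoint
# filter for the CHICAGO system. Entry format, first-match evaluation and the
# implicit reject are assumptions of this model, not OS/400 list semantics.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class FilterEntry:
    local: str          # local location on this system; may be generic (e.g. "CHIC*")
    remote: str         # remote location name; may be generic or "*"
    remote_netid: str   # remote network ID, or "*" for any network
    allow: bool


def _match(pattern: str, value: str) -> bool:
    # Generic names: a trailing "*" matches any suffix; "*" alone matches all.
    return fnmatchcase(value, pattern)


def session_allowed(entries, local, remote, remote_netid):
    """Return (allowed, index of deciding entry). The first matching entry
    decides; a request that matches nothing is rejected (assumed)."""
    for i, e in enumerate(entries):
        if (_match(e.local, local) and _match(e.remote, remote)
                and _match(e.remote_netid, remote_netid)):
            return e.allow, i
    return False, None


# Method 1 from the text: explicit location pairs. Every pair CHICAGO may use
# must be listed (FINANCE is assumed to be a USANET location).
EXPLICIT = [
    FilterEntry("PAYROLL", "FINANCE", "USANET", True),
    FilterEntry("CHICAGO", "ATLANTA", "USANET", True),
    FilterEntry("CHICAGO", "DALLAS", "USANET", True),
    FilterEntry("CHICAGO", "MADISON", "USANET", True),
    FilterEntry("CHICAGO", "FINANCE", "USANET", True),
    FilterEntry("CHICAGO", "LONDON", "EURONET", True),
]

# Method 2: generic names and wildcards. Shorter, and still meets the three
# requirements: PAYROLL has only the FINANCE entry, and the CHICAGO-PAYROLL
# reject sits before the USANET wildcard.
GENERIC = [
    FilterEntry("PAYROLL", "FINANCE", "USANET", True),
    FilterEntry("CHICAGO", "PAYROLL", "USANET", False),
    FilterEntry("CHICAGO", "*", "USANET", True),
    FilterEntry("CHICAGO", "LONDON", "EURONET", True),
]

# The caveat from the text: a wildcard on the LOCAL side, written to save
# typing, silently covers PAYROLL too, so every USANET location reaches PAYROLL.
OVERBROAD = [
    FilterEntry("PAYROLL", "FINANCE", "USANET", True),
    FilterEntry("*", "*", "USANET", True),
    FilterEntry("CHICAGO", "LONDON", "EURONET", True),
]

REQUESTS = [  # constructed session requests: (local, remote, remote netid)
    ("PAYROLL", "FINANCE", "USANET"),
    ("PAYROLL", "ATLANTA", "USANET"),
    ("CHICAGO", "PAYROLL", "USANET"),
    ("CHICAGO", "DALLAS", "USANET"),
    ("CHICAGO", "LONDON", "EURONET"),
    ("CHICAGO", "PARIS", "EURONET"),
]


def audit(entries):
    """Evaluate every constructed request: {(local, remote): allowed}."""
    return {(l, r): session_allowed(entries, l, r, n)[0] for l, r, n in REQUESTS}


def unintended_grants(entries, intended):
    """Requests accepted by `entries` that the intended policy rejects."""
    return sorted(k for k, ok in audit(entries).items() if ok and not intended[k])


if __name__ == "__main__":
    intended = audit(EXPLICIT)
    for label, lst in (("explicit", EXPLICIT), ("generic", GENERIC),
                       ("overbroad", OVERBROAD)):
        print(label, "unintended grants:", unintended_grants(lst, intended))
```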
Class of service (COS) routing
Network nodes maintain information about all network nodes and links between network nodes. When a session is requested, a mode is specified. Each node contains a class of service (COS) parameter that specifies the class of service description that will be used to calculate the route the session will take. The class of service also specifies the transmission priority that will govern the rate of data transfer after the session has been established. The following class-of-service descriptions are shipped with the iSeries system:
• *CONNECT: the default class of service
• *BATCH: a class of service that is tailored for batch communications
• *BATCHSC: the same as *BATCH except that a data link security level of at least *PKTSWTNWK is required
• *INTER: a class of service that is tailored for interactive communications
• *INTERSC: the same as *INTER except that a data link security level of at least *PKTSWTNWK is required
Chapter 14 Tips for Securing TCP/IP Communications
TCP/IP (Transmission Control Protocol/Internet Protocol) is a common way that computers of all types communicate with each other. TCP/IP applications are well-known and widely used throughout the information highway. This chapter provides tips for the following:
• Preventing TCP/IP applications from running on your system
• Protecting system resources when you allow TCP/IP applications to run on your system
The TCP/IP Configuration and Reference book has complete information about all the TCP/IP applications. SecureWay: Internet Tips and Tools, found in Appendix A, describes security considerations when you connect your iSeries either to the Internet (a very large TCP/IP network) or to an intranet. Keep in mind that iSeries supports many possible TCP/IP applications. When you decide to allow one TCP/IP application on your system, you may also be enabling other TCP/IP applications. As security administrator, you need to be aware of the range of TCP/IP applications and the security implications of these applications.
Tips for Preventing Any TCP/IP Processing
TCP/IP server jobs run in the QSYSWRK subsystem. You use the Start TCP/IP (STRTCP) command to start TCP/IP on your system. If you do not want any TCP/IP processing or applications to run, do not use the STRTCP command. Your system ships with the public authority for the STRTCP command set to *EXCLUDE. If you suspect that someone with access to the command is starting TCP/IP during off-hours, for example, you can set up object auditing on the STRTCP command. The system will write an audit journal entry whenever a user runs the command.
TCP/IP Security Components
As of Version 4 Release 3, you can take advantage of several TCP/IP security components that enhance your network security and add flexibility. Though some of these technologies are also found in firewall products such as the IBM Firewall for iSeries 400, these TCP/IP security components for OS/400 are not intended to be used as a firewall. However, you may be able to use some of these features, in some instances, to eliminate the need for a separate firewall product. You also may be able to use these TCP/IP features to provide additional security in environments where you already use a firewall. The following components can be utilized to enhance TCP/IP security:
• Packet Security
• HTTP Proxy Server
Copyright IBM Corp 1996, 2001
Packet Security Features for Securing TCP/IP Traffic
The Packet Security feature is available through iSeries Operations Navigator. It allows you to create Internet Protocol (IP) filtering rules and Network Address Translation (NAT) settings. With these, you can control TCP/IP traffic into and out of your iSeries system.

Internet Protocol (IP) Packet Filtering
Internet Protocol (IP) packet filtering provides the ability to selectively block IP traffic based on information in the IP and protocol-specific packet headers. You can create a set of filter rules to specify which IP packets to permit into your network and which to deny access into your network. When you create filter rules, you apply them to a physical interface (for example, a token-ring or Ethernet line). You can apply the rules to multiple physical interfaces, or you can apply different rules to each interface. Based on the following header information, you can create rules to either permit or deny specific packets:
• Destination IP address
• Source IP address
• Protocol (for example, TCP, UDP, and so forth)
• Destination port (for example, port 80 for HTTP)
• Source port
• IP datagram direction (inbound or outbound)
• Forwarded or Local
You can use IP packet filtering to prevent undesirable or unneeded traffic from reaching applications on the system or being forwarded to other systems. This includes low-level ICMP packets (for example, PING packets) for which no specific application server is required. You can specify whether a filter rule creates a log entry, with information about packets matching the rule, in a system journal. Once the information is written in a system journal, you cannot change the log entry. Consequently, the log is an ideal tool for auditing network activity. You can use OS/400 IP packet filtering to provide additional protection for a particular iSeries system. For example, this system might be running sensitive applications or performing Web serving to the Internet. You can also use packet filtering to protect an entire subnet when the iSeries is acting in the role of a casual router. You can find more information about using OS/400 IP Packet Filtering in the Information Center.

Network Address Translation (NAT)
Network Address Translation (NAT) changes the source IP address, the destination IP address, or both the source and destination IP addresses of packets that flow through the system. Using NAT, you can use the iSeries system as a gateway between two networks which have conflicting or incompatible addressing schemes. You can also use NAT to hide the real IP addresses of one network by dynamically substituting a different address.
To use NAT, you must create a set of rules to specify how address translation will work. A Map rule translates one static address to another (for example, a.b.c.d translates to e.f.g.h). You can use a map rule when the system with a real address of e.f.g.h provides services that you want to access from another network. At that other network, it is necessary or desirable to know the system by address a.b.c.d. A Hide rule translates all addresses in a subnetwork to a specific IP address. You can use a hide rule when client systems need to access services in another network and it is necessary or desirable to use an alternative addressing structure.
Note: Because IP Packet Filtering and Network Address Translation complement each other, you will often use them together to enhance network security. You should consider using the Network Address Translation (NAT) functions of OS/400 when connecting two previously disjoint networks that have inconsistent or incompatible IP addressing structures. You can find more information about using OS/400 Network Address Translation in the Information Center.
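A small model of the two Packet Security features described above (filter rules over the listed header fields with journaling of matches, and Map/Hide NAT rules), as an added example that is not IBM code: the addresses, rules and packets are constructed, and the rule fields, first-match evaluation, implicit deny and journal record layout are assumptions of the model, not the Operations Navigator rule syntax or its processing order.

```python
# Added example, not IBM code: a model of IP packet filtering with journaling
# and of Map/Hide NAT rules. Rule fields, first-match order, the implicit
# deny and the journal layout are assumptions of this model.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "TCP", "UDP" or "ICMP"
    sport: Optional[int]    # None for ICMP
    dport: Optional[int]
    direction: str          # "INBOUND" or "OUTBOUND"
    local: bool             # True: addressed to this system; False: forwarded


@dataclass(frozen=True)
class FilterRule:
    action: str                    # "PERMIT" or "DENY"
    direction: str = "*"           # "*" matches either direction
    src: str = "0.0.0.0/0"         # source network (CIDR)
    dst: str = "0.0.0.0/0"         # destination network (CIDR)
    proto: str = "*"
    sport: Optional[int] = None    # None matches any port
    dport: Optional[int] = None
    local: Optional[bool] = None   # None matches both local and forwarded
    journal: bool = False          # write a journal entry when matched


def _in_net(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def rule_matches(r: FilterRule, p: Packet) -> bool:
    return (r.direction in ("*", p.direction)
            and _in_net(r.src, p.src) and _in_net(r.dst, p.dst)
            and r.proto in ("*", p.proto)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.local in (None, p.local))


def filter_packet(rules, p: Packet, journal: list) -> str:
    """First matching rule decides; no match means DENY. Journal entries are
    only ever appended, mirroring the write-once system journal."""
    for r in rules:
        if rule_matches(r, p):
            if r.journal:
                journal.append((r.action, p.direction, p.src, p.dst, p.proto, p.dport))
            return r.action
    return "DENY"


@dataclass(frozen=True)
class NatRules:
    map_public_to_real: dict   # Map rule: one static address to another
    hide_subnet: str           # Hide rule: every source in this subnet ...
    hide_behind: str           # ... is rewritten to this one address


def translate(nat: NatRules, p: Packet) -> Packet:
    """Map applies to inbound destinations and outbound sources; Hide applies
    to any other outbound source inside the hidden subnet. Return-path
    bookkeeping for hidden clients is outside this model."""
    if p.direction == "INBOUND" and p.dst in nat.map_public_to_real:
        return replace(p, dst=nat.map_public_to_real[p.dst])
    if p.direction == "OUTBOUND":
        real_to_public = {v: k for k, v in nat.map_public_to_real.items()}
        if p.src in real_to_public:
            return replace(p, src=real_to_public[p.src])
        if _in_net(nat.hide_subnet, p.src):
            return replace(p, src=nat.hide_behind)
    return p


# Constructed scenario: this system serves HTTP on 192.0.2.10 and is a casual
# router for clients in 10.0.0.0/8. A Map rule exposes the internal server
# 10.0.0.20 as 192.0.2.11; the clients are hidden behind 192.0.2.1.
RULES = [
    FilterRule("PERMIT", "INBOUND", dst="192.0.2.10/32", proto="TCP",
               dport=80, local=True, journal=True),
    FilterRule("DENY", "INBOUND", proto="ICMP", journal=True),   # drop PING
    FilterRule("PERMIT", "OUTBOUND", src="10.0.0.0/8", local=False),
]
NAT = NatRules({"192.0.2.11": "10.0.0.20"}, "10.0.0.0/8", "192.0.2.1")
PACKETS = [  # constructed traffic
    Packet("203.0.113.5", "192.0.2.10", "TCP", 40000, 80, "INBOUND", True),
    Packet("203.0.113.5", "192.0.2.10", "ICMP", None, None, "INBOUND", True),
    Packet("203.0.113.5", "192.0.2.10", "TCP", 40001, 23, "INBOUND", True),
    Packet("203.0.113.5", "10.0.0.7", "TCP", 40002, 445, "INBOUND", False),
    Packet("10.0.0.7", "198.51.100.9", "TCP", 50000, 80, "OUTBOUND", False),
]


def run(rules=RULES, packets=PACKETS):
    """Filter every packet; returns (decisions, journal)."""
    journal = []
    return [filter_packet(rules, p, journal) for p in packets], journal


if __name__ == "__main__":
    decisions, journal = run()
    for p, d in zip(PACKETS, decisions):
        print(f"{d:6} {p.direction:8} {p.src} -> {p.dst} {p.proto} dport={p.dport}")
    print("journal:", journal)
    print("NAT outbound source:", translate(NAT, PACKETS[4]).src)
```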
HTTP Proxy Server
The HTTP proxy server comes with the IBM HTTP Server for iSeries 400. The HTTP Server is part of OS/400. The proxy server receives HTTP requests from Web browsers and resends them to Web servers. Web servers that receive the requests are only aware of the IP address of the proxy server and cannot determine the names or addresses of the PCs that originated the requests. The proxy server can handle URL requests for HTTP, FTP, Gopher and WAIS. The proxy server caches returned Web pages from requests made by all proxy server users. Consequently, when users request a page, the proxy server checks whether the page is in the cache. If it is, the proxy server returns the cached page. By using cached pages, the proxy server is able to serve Web pages more quickly, which eliminates potentially time-consuming requests to the Web server. The proxy server can also log all URL requests for tracking purposes. You can then review the logs to monitor use and misuse of network resources. You can use the HTTP proxy support in the IBM HTTP Server to consolidate Web access. Addresses of PC clients are hidden from the Web servers they access; only the IP address of the proxy server is known. Web page caching can also reduce communication bandwidth requirements and firewall workload.
General Tips for Securing Your TCP/IP Environment
This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system. These tips apply to your entire TCP/IP environment rather than to the specific applications that are discussed in the topics that follow.
• When you write an application for a TCP/IP port, make sure that the application is properly secure. You should assume that an outsider might try to access that application through that port. A knowledgeable outsider may attempt to TELNET to that application.
• Monitor the use of TCP/IP ports on your system. A user application that is associated with a TCP/IP port can provide back-door entry to your system without a user ID or a password. Someone with sufficient authority on your system can associate an application with a TCP or UDP port.
• As a security administrator, you should be aware of a technique called IP spoofing that is used by hackers. Every system in a TCP/IP network has an IP address. Someone who uses IP spoofing sets up a system (usually a PC) to pretend to be an existing IP address or a trusted IP address. Thus, the imposter can establish a connection with your system by pretending to be a system that you normally connect with. If you run TCP/IP on your system and your system participates in a network that is not physically protected (all nonswitched lines and predefined links), you are vulnerable to IP spoofing. To protect your system from damage by a spoofer, start with the suggestions in this chapter, such as sign-on protection and object security. You should also ensure that your system has reasonable auxiliary storage limits set. This prevents a spoofer from flooding your system with mail or spooled files to the point that your system becomes inoperable. In addition, you should regularly monitor TCP/IP activity on your system. If you detect IP spoofing, you can try to discover the weak points in your TCP/IP setup and to make adjustments.
• For your intranet (network of systems that do not need to connect directly to the outside), use IP addresses that are reusable. Reusable addresses are intended for use within a private network. The Internet backbone does not route packets that have a reusable IP address. Therefore, reusable addresses provide an added layer of protection inside your firewall. The TCP/IP Configuration and Reference provides more information about how IP addresses are assigned and about the ranges of IP addresses.
• If you are considering connecting your system to the Internet or an intranet, review the security information in SecureWay: Internet Tips and Tools, found in Appendix A.
• The TCP/IP Configuration and Reference book has an appendix that provides security information about TCP/IP. Review the information in the appendix.
Controlling Which TCP/IP Servers Start Automatically
As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP. Two commands are available for starting TCP/IP. For each command, the system uses a different method to determine which application servers to start. Table 22 shows the two commands and security recommendations for them. Table 23 on page 159 shows the default autostart values for the servers. To change the autostart value for a server, use the CHGxxxA (Change xxx Attributes) command for the server. For example, the command for TELNET is CHGTELNA.
Table 22. How TCP/IP Commands Determine Which Servers to Start

Command: Start TCP/IP (STRTCP)
What servers start: The system starts every server that specifies AUTOSTART(*YES). Table 23 on page 159 shows the shipped value for each TCP/IP server.
Security recommendations:
• Assign *IOSYSCFG special authority carefully to control who can change the autostart settings.
• Carefully control who has authority to use the STRTCP command. The default public authority for the command is *EXCLUDE.
• Set up object auditing for the Change server-name Attributes commands (such as CHGTELNA) to monitor users who attempt to change the AUTOSTART value for a server.

Command: Start TCP/IP Server (STRTCPSVR)
What servers start: You use a parameter to specify which servers to start. The default when this command ships is to start all servers.
Security recommendations:
• Use the Change Command Default (CHGCMDDFT) command to set up the STRTCPSVR command to start only a specific server. This does not prevent users from starting other servers. However, by changing the command default, you make it less likely that users will start all servers by accident. For example, use the following command to set the default to start only the TELNET server:
  CHGCMDDFT CMD(STRTCPSVR) NEWDFT('SERVER(*TELNET)')
  Note: When you change the default value, you can specify only a single server. Choose either a server that you use regularly or a server that is least likely to cause security exposures (such as TFTP).
• Carefully control who has authority to use the STRTCPSVR command. The default public authority for the command is *EXCLUDE.
Table 23. Autostart Values for TCP/IP Servers

Server                                       Default Value    Your Value   Where to Read about Security Considerations for the Server
TELNET                                       AUTOSTART(*YES)  __________   Security Tips for Telnet on page 165
FTP (file transfer protocol)                 AUTOSTART(*YES)  __________   Security Tips for File Transfer Protocol on page 169
BOOTP (Bootstrap Protocol)                   AUTOSTART(*NO)   __________   Security Tips for the Bootstrap Protocol Server on page 172
TFTP (trivial file transfer protocol)        AUTOSTART(*NO)   __________   Security Tips for the Trivial File Transfer Protocol Server on page 175
REXEC (Remote EXECution server)              AUTOSTART(*NO)   __________   Security Tips for the Remote EXECution Server on page 176
RouteD (Route Daemon)                        AUTOSTART(*NO)   __________   Security Tips for the Route Daemon on page 178
SMTP (simple mail transfer protocol)         AUTOSTART(*YES)  __________   Security Tips for Simple Mail Transfer Protocol on page 179
POP (Post Office Protocol)                   AUTOSTART(*NO)   __________   Security Tips for Post Office Protocol on page 183
HTTP (Hypertext Transfer Protocol)           AUTOSTART(*NO)   __________   Security Tips for Web Serving from iSeries 400 on page 185
ICS (Internet Connection Server) (1)         AUTOSTART(*NO)   __________   Security Tips for Web Serving from iSeries 400 on page 185
WSG (Workstation Gateway Server)             AUTOSTART(*NO)   __________   Security Tips for Workstation Gateway Server on page 196
LPD (line printer daemon)                    AUTOSTART(*YES)  __________   Security Tips for Line Printer Daemon on page 198
SNMP (Simple Network Management Protocol)    AUTOSTART(*YES)  __________   Security Tips for Simple Network Management Protocol on page 199
DNS (domain name system)                     AUTOSTART(*NO)   __________   Security Tips for the Domain Name System Server on page 178
DDM                                          AUTOSTART(*NO)   __________
DHCP (dynamic host configuration protocol)   AUTOSTART(*NO)   __________   Security Tips for the Dynamic Host Configuration Protocol Server on page 173
NSMI                                         AUTOSTART(*NO)   __________
INETD                                        AUTOSTART(*NO)   __________   Security Tips for the INETD Server on page 201

Notes:
1. Beginning with V4R1, with the IBM HTTP Server for iSeries 400, you use the CHGHTTPA command to set the AUTOSTART value.
Tips for Controlling the Use of SLIP
iSeries TCP/IP support includes Serial Interface Line Protocol (SLIP). SLIP provides low-cost point-to-point connectivity. A SLIP user can connect to a LAN or a WAN by establishing a point-to-point connection with a system that is part of the LAN or WAN. SLIP runs on an asynchronous connection. You can use SLIP for dial-up connection to and from iSeries. For example, you might use SLIP to dial in from your PC to an iSeries system. After the connection is established, you can use the TELNET application on your PC to connect to the iSeries TELNET server. Or, you can use the FTP application to transfer files between the two systems. No SLIP configuration exists on your system when it ships. Therefore, if you do not want SLIP and dial-up TCP/IP to run on your system, do not configure any configuration profiles for SLIP. You use the Work with TCP/IP Point-to-Point (WRKTCPPTP) command to create SLIP configurations. You must have *IOSYSCFG special authority to use the WRKTCPPTP command. If you want SLIP to run on your system, you create one or more SLIP point-to-point configuration profiles. You can create configuration profiles with the following operating modes:
• Dial in (*ANS)
• Dial out (*DIAL)
The topics that follow discuss how you can set up security for SLIP configuration profiles.
Note: A user profile is an iSeries object that allows sign-on. Every iSeries job must have a user profile to run. A configuration profile stores information that is used to establish a SLIP connection with an iSeries system. When you start a SLIP connection to iSeries, you are simply establishing a link. You have not yet signed on and started an iSeries job. Therefore, you do not necessarily need an iSeries user profile to start a SLIP connection to iSeries. However, as you will see in the discussions that follow, the SLIP configuration profile may require an iSeries user profile to determine whether to allow the connection.
160
iSeries 400 Tips and Tools for Securing Your iSeries V5R1
Controlling Dial-In SLIP Connections
Before someone can establish a dial-in connection to your system with SLIP, you must start a SLIP *ANS configuration profile. To create or change a SLIP configuration profile, you use the Work with TCP/IP Point-to-Point (WRKTCPPTP) command. To start a configuration profile, you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option from the WRKTCPPTP display. When your system ships, the public authority for the STRTCPPTP and ENDTCPPTP commands is *EXCLUDE. The options to add, change, and delete SLIP configuration profiles are available only if you have *IOSYSCFG special authority. As security administrator, you can use both command authority and special authority to determine who can set up your system to allow dial-in connections.
Securing a Dial-In SLIP Connection
If you want to validate systems that dial in to your system, then you want the requesting system to send a user ID and a password. Your system can then verify the user ID and password. If the user ID and password are not valid, your system can reject the session request. To set up dial-in validation, do the following:

__ Step 1. Create a user profile that the requesting system can use to establish the connection. The user ID and password that the requester sends must match this user profile name and password.
Note: For the system to perform password validation, the QSECURITY system value must be set to 20 or higher.
As additional protection, you probably want to create user profiles specifically for establishing SLIP connections. The user profiles should have limited authority on the system. If you do not plan to use the profiles for any function except establishing SLIP connections, you can set the following values in the user profiles:
- An initial menu (INLMNU) of *SIGNOFF
- An initial program (INLPGM) of *NONE
- Limit capabilities (LMTCPB) of *YES
These values prevent anyone from signing on interactively with the user profile.
__ Step 2. Create an authorization list for the system to check when a requester tries to establish a SLIP connection.
Note: You specify this authorization list in the System access authorization list field when you create or change the SLIP profile. See step 4.
__ Step 3. Use the Add Authorization Entry (ADDAUTLE) command to add the user profile that you created in step 1 to the authorization list. You can create a unique authorization list for each point-to-point configuration profile, or you can create an authorization list that several configuration profiles share.
__ Step 4. Use the WRKTCPPTP command to set up a TCP/IP point-to-point *ANS profile that has the following characteristics:
- The configuration profile must use a connection dialog script that includes the user-validation function. User validation includes accepting a user ID and password from the requester and validating them. The system ships with several sample dialog scripts that provide this function.
- The configuration profile must specify the name of the authorization list that you created in step 2. The user ID that the connection dialog script receives must be in the authorization list.

Keep in mind that the value of setting up dial-in security is affected by the security practices and capabilities of the systems that dial in. If you require a user ID and password, then the connection dialog script on the requesting system must send that user ID and password. Some systems, such as iSeries, provide a secure method for storing the user IDs and passwords. Security and Dial-Out Sessions describes the method. Other systems store the user ID and password in the script, which might be accessible to anyone who knows where to find the script on the system. Because of the differing security practices and capabilities of your communications partners, you might want to create different configuration profiles for different requesting environments. You use the STRTCPPTP command to set your system up to accept a session for a specific configuration profile. You can start sessions for some configuration profiles only at certain times of the day, for example. You might use security auditing to log the activity for the associated user profiles.

Chapter 14. Tips for Securing TCP/IP Communications
161
Preventing Dial-In Users from Accessing Other Systems
Depending on your system and network configuration, a user who starts a SLIP connection might be able to access another system in your network without signing on to your system. For example, a user could establish a SLIP connection to your system. Then the user could establish an FTP connection to another system in your network that does not allow dial-in.

You can prevent a SLIP user from accessing other systems in your network by specifying N (No) for the Allow IP datagram forwarding field in the configuration profile. This prevents a user from accessing your network before the user logs on to your system. However, after the user has successfully logged on to your system, the datagram forwarding value has no effect. It does not limit the user's ability to use a TCP/IP application on your iSeries system, such as FTP or TELNET, to establish a connection with another system in your network.
Controlling Dial-Out Sessions
Before someone can use SLIP to establish a dial-out connection from your system, you must start a SLIP *DIAL configuration profile. To create or change a SLIP configuration profile, you use the WRKTCPPTP command. To start a configuration profile, you use either the Start TCP/IP Point-to-Point (STRTCPPTP) command or an option from the WRKTCPPTP display. When your system ships, the public authority for the STRTCPPTP and ENDTCPPTP commands is *EXCLUDE. The options to add, change, and delete SLIP configuration profiles are available only if you have *IOSYSCFG special authority. As security administrator, you can use both command authority and special authority to determine who can set up your system to allow dial-out connections.
Security and Dial-Out Sessions
Users on your iSeries system might want to establish dial-out connections to systems that require user validation. The connection dialog script on your iSeries must send a user ID and a password to the remote system. iSeries provides a secure method for storing that password. The password does not need to be stored in the connection dialog script.
Notes:
1. Even though your system stores the connection password in encrypted form, your system decrypts the password before sending it. SLIP passwords, like FTP and TELNET passwords, are sent unencrypted (in the clear). However, unlike with FTP and TELNET, the SLIP password is sent before the systems establish TCP/IP mode. Because SLIP uses a point-to-point connection in asynchronous mode, the security exposure when sending unencrypted passwords is different from the exposure with FTP and TELNET passwords. Unencrypted FTP and TELNET passwords might be sent as IP traffic on a network and are, therefore, vulnerable to electronic sniffing. The transmission of your SLIP password is as secure as the telephone connection between the two systems.
2. The default file for storing SLIP connection dialog scripts is QUSRSYS/QATOCPPSCR. The public authority for this file is *USE, which prevents public users from changing the default connection dialog scripts.

When you create a connection profile for a remote session that requires validation, do the following:

__ Step 1. Ensure that the Retain Server Security Data (QRETSVRSEC) system value is 1 (Yes). This system value determines whether you will allow passwords that can be decrypted to be stored in a protected area on your system.
__ Step 2. Use the WRKTCPPTP command to create a configuration profile that has the following characteristics:
- For the mode of the configuration profile, specify *DIAL.
- For the Remote service access name, specify the user ID that the remote system expects. For example, if you are connecting to another iSeries, specify the user profile name on that iSeries.
- For the Remote service access password, specify the password that the remote system expects for this user ID. On your iSeries, this password is stored in a protected area in a form that can be decrypted. The names and passwords that you assign for configuration profiles are associated with the QTCP user profile. The names and passwords are not accessible with any user commands or interfaces. Only registered system programs can access this password information.
Note: Keep in mind that the passwords for your connection profiles are not saved when you save the TCP/IP configuration files. To save SLIP passwords, you need to use the Save Security Data (SAVSECDTA) command to save the QTCP user profile.
- For the connection dialog script, specify a script that sends the user ID and password. The system ships with several sample dialog scripts that provide this function. When the system runs the script, the system retrieves the password, decrypts it, and sends it to the remote system.
Security Considerations for Point-to-Point Protocol
Beginning with V4R2, point-to-point protocol (PPP) is available as part of TCP/IP. PPP is an industry standard for point-to-point connections that provides additional function over what is available with SLIP.

With PPP, your iSeries can have high-speed connections directly to an Internet Service Provider or to other systems in an intranet or extranet. Remote LANs can realistically make dial-in connections to your iSeries. Remember that PPP, like SLIP, provides a network connection to your iSeries. A PPP connection essentially brings the requester to your system's door. The requester still needs a user ID and password to enter your system and connect to a TCP/IP server like TELNET or FTP. Following are security considerations with this new connection capability:

Note: You configure PPP by using Operations Navigator on an AS/400 Client Access for Windows 95/NT workstation.

- PPP provides the ability to have dedicated connections where the same user always has the same IP address. With a dedicated address, you have the potential for IP spoofing (an impostor system that pretends to be a trusted system with a known IP address). However, the enhanced authentication capabilities that PPP provides help protect against IP spoofing.
- With PPP, as with SLIP, you create connection profiles that have a user name and an associated password. However, unlike SLIP, the user does not need to have a valid iSeries 400 user profile and password. The user name and password are not associated with an iSeries 400 user profile. Instead, validation lists are used for PPP authentication. Additionally, PPP does not require a connection script. The authentication exchange of user name and password is part of the PPP architecture and happens at a lower level than with SLIP.
- With PPP, you have the option to use CHAP (challenge handshake authentication protocol). You will no longer need to worry about an eavesdropper sniffing passwords because CHAP encrypts user names and passwords. Your PPP connection uses CHAP only if both sides have CHAP support. During the exchange of signals to set up communications between two modems, the two systems negotiate. For example, if SYSTEMA supports CHAP and SYSTEMB does not, SYSTEMA can either deny the session or agree to use an unencrypted user name and password. Agreeing to use an unencrypted user name and password is referred to as negotiating down. The decision to negotiate down is a configuration option. On your intranet, for example, where you know that all your systems have CHAP capability, you should configure your connection profile so that it will not negotiate down. On a public connection where your system is dialing out, you might be willing to negotiate down.

The connection profile for PPP provides the ability to specify valid IP addresses. You can, for example, indicate that you expect a specific address or range of addresses for a specific user. This capability, together with the ability for encrypted passwords, provides further protection against spoofing.

As additional protection against spoofing or piggy-backing on an active session, you can configure PPP to rechallenge at designated intervals. For example, while a PPP session is active, your iSeries might challenge the other system for a user and password. It does this every 15 minutes to ensure that it is the same connection profile. The end user will not be aware of this rechallenge activity. The systems exchange names and passwords below the level that the end user sees.

With PPP, it is realistic to expect that remote LANs might establish a dial-in connection to your iSeries and to your extended network. In this environment, having IP forwarding turned on is probably a requirement. IP forwarding has the potential to allow an intruder to roam through your network. However, PPP has stronger protections, such as encryption of passwords and IP address validation. This makes it less likely that an intruder can establish a network connection in the first place.

For more information about PPP, see the TCP/IP Configuration and Reference book.
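The CHAP exchange, the negotiate-down decision, the per-user address check and the periodic rechallenge described above, as an added example that is not IBM code and not the iSeries PPP implementation; it follows the MD5 form of CHAP from RFC 1994. SYSTEMA and SYSTEMB are the names the text uses; the secret, the peer addresses and every function and class name are constructed for this illustration.

```python
"""Added example (not IBM code): a CHAP exchange of the kind the PPP section
describes, with the 'negotiate down' policy, address validation and rechallenge.
The secret, addresses and helper names below are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge).
    Only this 16-byte digest travels over the link; the password itself never
    does, which is what removes the sniffing exposure the text mentions."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def negotiate_auth(peer_supports_chap: bool, allow_negotiate_down: bool) -> Optional[str]:
    """Authentication protocol chosen while the link is set up.  Returns 'CHAP',
    'PAP' (clear-text user name and password, i.e. the link was negotiated
    down), or None when the connection profile forbids negotiating down."""
    if peer_supports_chap:
        return "CHAP"
    return "PAP" if allow_negotiate_down else None


class Authenticator:
    """The side that challenges: SYSTEMA accepting a dial-in from SYSTEMB."""

    def __init__(self, peer_secrets: dict, valid_addrs: dict):
        self.peer_secrets = peer_secrets   # user name -> secret (constructed)
        self.valid_addrs = valid_addrs     # user name -> set of expected IPs
        self.identifier = 0
        self.current_challenge = b""

    def challenge(self) -> tuple:
        """Issue a fresh random challenge; used at link start and on every
        rechallenge, so a captured response cannot be replayed later."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.current_challenge = secrets.token_bytes(16)
        return self.identifier, self.current_challenge

    def verify(self, name: str, response: bytes, peer_addr: str) -> bool:
        """Recompute the digest from the stored secret and compare in constant
        time, then apply the profile's valid-address list for this user."""
        secret = self.peer_secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(self.identifier, secret, self.current_challenge)
        if not hmac.compare_digest(expected, response):
            return False
        return peer_addr in self.valid_addrs.get(name, set())


class Peer:
    """The side that answers: SYSTEMB, holding its own copy of the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_session(auth: Authenticator, peer: Peer, peer_addr: str, rechallenges: int = 3) -> bool:
    """Initial authentication followed by periodic rechallenges (the text uses
    every 15 minutes); the session stays up only while each exchange passes."""
    for _ in range(1 + rechallenges):
        ident, chal = auth.challenge()
        if not auth.verify(peer.name, peer.respond(ident, chal), peer_addr):
            return False
    return True


def replay_attempt(auth: Authenticator, peer: Peer, peer_addr: str) -> bool:
    """Models piggy-backing: a captured response from one exchange is replayed
    against the next rechallenge.  Returns False because the challenge changed."""
    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)
    auth.verify(peer.name, captured, peer_addr)   # the legitimate exchange
    auth.challenge()                              # next rechallenge
    return auth.verify(peer.name, captured, peer_addr)


# Constructed values for the demonstration.
SECRET_B = b"example-secret-for-SYSTEMB"
PEER_B = Peer("SYSTEMB", SECRET_B)


def new_systema() -> Authenticator:
    return Authenticator({"SYSTEMB": SECRET_B}, {"SYSTEMB": {"10.0.0.2"}})


if __name__ == "__main__":
    print("intranet, peer lacks CHAP:", negotiate_auth(False, allow_negotiate_down=False))
    print("session ok:", run_session(new_systema(), PEER_B, "10.0.0.2"))
    print("replay ok:", replay_attempt(new_systema(), PEER_B, "10.0.0.2"))
```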
Security Tips for Telnet
TELNET provides an interactive session on your system. Your system presents the Sign On display to anyone who attempts to enter your system by using TELNET. TELNET requires a password if your system is running security level 20 or higher.

Note: When you have Network Stations attached to your iSeries, you must have TELNET running. Network Stations use TN5250E TELNET for iSeries sessions.
Tips for Preventing Telnet Access
If you do not want anyone to use TELNET to access your system, you should prevent the TELNET server from running. Do the following:

__ Step 1. To prevent TELNET server jobs from starting automatically when you start TCP/IP, type the following:

CHGTELNA AUTOSTART(*NO)

Notes:
a. AUTOSTART(*YES) is the default value.
b. Controlling Which TCP/IP Servers Start Automatically on page 158 provides more information about controlling which TCP/IP servers start automatically.

__ Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for TELNET, do the following:
__ Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
__ Step b. Select option 4 (Work with TCP/IP port restrictions).
__ Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
__ Step d. For the lower port range, specify 23 for non-SSL TELNET or 992 for SSL TELNET.
Note: These port numbers are specified in the Work with Service Table Entries (WRKSRVTBLE) table under telnet and telnet-ssl. They may be mapped to ports other than 23 and 992.
__ Step e. For the upper port range, specify *ONLY.
Notes:
1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
2. RFC 1700 provides information about common port number assignments.
__ Step f. For the protocol, specify TCP.
__ Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users. If the port is restricted to profile QTCP, then TELNET servers can run. If restricted to a profile other than QTCP, then TELNET servers cannot use that port.
Note: If you want to prevent access to both non-SSL TELNET and SSL TELNET, repeat step 2 on page 165 and specify the other port in part 2d on page 165.
Tips for Controlling Telnet Access
Following are security considerations and suggestions when you want TELNET clients to access your system:

Client Authentication: Starting in V4R4, the PTF-enabled TELNET server supports client authentication in addition to the SSL server authentication that is currently supported. When enabled, the iSeries TELNET server will authenticate both server and client certificates when TELNET clients connect to the TELNET SSL port. TELNET clients that do not send a valid client certificate when attempting to connect to the TELNET SSL port will fail to establish a display or printer session. More information can be found at http://www.as400.ibm.com/tcpip/telnet/ssl.htm.

Protecting passwords: TELNET passwords are not encrypted when they are sent between the traditional client and the server. Depending on your connection methods, your system may be vulnerable to password theft through line sniffing. Telnet passwords are encrypted if TN5250E negotiations are used to exchange an encrypted password. In such a case, the sign-on panel can be bypassed and no clear-text password is sent over the network. Only the password is encrypted with TN5250E; SSL is required to encrypt all traffic.
Note: Monitoring a line by using electronic equipment is often referred to as sniffing.
However, if you use the SSL TELNET server (new in V4R4) and an SSL-enabled TELNET client, then all transactions, including passwords, are encrypted and protected. The Telnet SSL port is defined in the WRKSRVTBLE entry under telnet-ssl.

Limiting the number of sign-on attempts: Although the QMAXSIGN system value applies to TELNET, you reduce the effectiveness of this system value if you set up your system to configure virtual devices automatically. When the QAUTOVRT system value has a value greater than 0, the unsuccessful TELNET user can reconnect and attach to a newly-created virtual device. This can continue until one of the following occurs:
- All virtual devices are disabled, and the system has exceeded the limit for creating new virtual devices.
- All user profiles are disabled.
- The hacker succeeds in signing on to your system.
Automatically configuring virtual devices multiplies the number of TELNET attempts that are available.
Note: To make it easier to control virtual devices, you might want to set the QAUTOVRT system value to a value that is greater than 0 for a short period of time. Either use TELNET yourself to force the system to create devices or wait until other users have caused the system to create sufficient virtual devices. Then set the QAUTOVRT system value to 0.
The V4R2 TELNET enhancements provide an option for limiting the number of times a hacker can attempt to enter your system. You can create an exit program that the system calls whenever a client attempts to start a TELNET session. The exit program receives the IP address of the requester. If your program sees a series of requests from the same IP address within a short time span, your program can take action, such as denying further requests from the address and sending a message to the QSYSOPR message queue. Overview of the TELNET Exit Program Capability on page 169 provides an overview of the TELNET exit program capability.
Note: Alternatively, you could use your TELNET exit program to provide logging. Rather than having your program make decisions about potential break-in attempts, you could use the logging capability to monitor attempts to start TELNET sessions.

Ending inactive sessions: You can use the Inactivity timeout (INACTTIMO) parameter on the TELNET configuration to reduce the exposure when a user leaves a TELNET session unattended. Be sure to read the documentation or online help to understand how the INACTTIMO parameter and the connection timer for server startup work together.
Note: INACTTIMO support is no longer provided beginning with V4R4. This parameter has been removed from the CHGTELNA panel. Beginning with V4R3, TELNET sessions are included in the system's QINACTITV processing. The QINACTMSGQ system value defines the action for the interactive TELNET sessions that are inactive when the inactive job time-out interval expires. If QINACTMSGQ specifies that the job should be disconnected, the session must support the disconnect job function. Otherwise, the job will end rather than be disconnected. TELNET sessions that continue to use device descriptions that are named QPDEVxxxx will not allow users to disconnect from those jobs. Disconnection from these jobs is not allowed because the device description to which a user is reconnected is unpredictable. Disconnecting a job requires the same device description for the user when the job is reconnected. The inactive job time-out is supported for all types of TELNET, including TCP/IP TELNET, IPX TELNET, and Workstation Gateway. If you are using the TELNET or INACTTIMO parameter to time out sessions, you should change to use the QINACTITV system value. The Workstation Gateway uses an independent timer in the INACTTIMO value that functions in addition to the QINACTITV value. Either value can trigger a session time-out in Workstation Gateway.

Restricting powerful user profiles: You can use the QLMTSECOFR system value to restrict users with *ALLOBJ or *SERVICE special authority. The user or QSECOFR must be explicitly authorized to a device to sign on. Thus, you can prevent anyone with *ALLOBJ special authority from using TELNET to access your system by ensuring that QSECOFR does not have authority to any virtual devices. Rather than preventing any TELNET users who have *ALLOBJ special authority, you might want to restrict powerful TELNET users by location. With the TELNET initiation exit point in V4R2, you can create an exit program that assigns a specific iSeries device description to a session request based on the IP address of the requester.

Controlling function by location: You might want to control what functions you allow or what menu the user sees based on the location where the TELNET request originates. The QDCRDEVD API (application programming interface) provides you with access to the IP address of the requester. Following are some suggestions for using this support:
- For V4R1, you might use the API in an initial program for all users if TELNET activity is significant in your environment. Based on the IP address of the user who requests sign-on, you could set the menu for the user or even swap to a specific user profile.
- Beginning with V4R2, you can use the TELNET exit program to make decisions based on the IP address of the requester. This eliminates the need to define an initial program in every user profile. You can, for example, set the initial menu for the user, set the initial program for the user, or specify what user profile the TELNET session will run under.
Note: In addition, with access to the IP address of the user, you can now provide dynamic printing to a printer associated with the user's IP address. The QDCRDEVD API will also return IP addresses for printers, as well as for displays. Select the DEVD1100 format for printers, and DEVD0600 for displays.

Controlling automatic sign-on: Beginning with V4R2, TELNET supports the capability for a Client Access user to bypass the Sign On display by sending a user profile name and password with the TELNET session request. The system uses the setting for the QRMTSIGN (Remote sign-on) system value to determine how to handle requests for automatic sign-on. Table 24 shows the options. These options apply only when the TELNET request includes a user ID and password.
Table 24. How QRMTSIGN Works with TELNET

*REJECT      TELNET sessions that request automatic sign-on are not allowed.
*VERIFY      If the user profile and password combination is valid, the TELNET session starts (1).
*SAMEPRF     If the user profile and password combination is valid, the TELNET session starts (1).
*FRCSIGNON   The system ignores the user profile and password. The user sees the Sign-On display.

Notes:
1. This validation occurs before the TELNET exit program runs. The exit program receives an indication that the validation was successful or unsuccessful. The exit program can still allow or deny the session, regardless of the indicator. The indication has one of the following values:
- Value 0: Client password not validated or no password received
- Value 1: Client clear-text password validated
- Value 2: Client encrypted password validated

Note: A registered TELNET exit program can override the setting of QRMTSIGN by choosing whether or not to allow automatic sign-on for a requester, probably based on IP address.
Allowing anonymous sign-on: Beginning with V4R2, you can use the TELNET exit programs to provide anonymous or guest TELNET on your system. With your exit program, you can detect the IP address of the requester. If the IP address comes from outside your organization, you can assign the TELNET session to a user profile that has limited authority on your system and a specific menu. You can bypass the Sign-On display so the visitor does not have the opportunity to use another, more powerful user profile. With this option, the user does not need to provide a user ID and password.
Overview of the TELNET Exit Program Capability
Beginning with V4R2, you can register user-written exit programs that run both when a TELNET session starts and when it ends. Following are examples of what you can do when you start the exit program:
- If you are at V4R4 and have installed the PTFs mentioned above, you can use the new Server local IP address on multi-homed iSeries 400 servers to route connections to different subsystems based on the network interface IP address.
- Allow or deny the session, based on any known criteria, such as the user's IP address, the time of day, and the requested user profile.
- Assign a specific iSeries device description for the session. This allows routing of the interactive job to any subsystem set up to receive those devices.
- Assign specific National Language values for the session, such as keyboard and character set.
- Assign a specific user profile for the session.
- Automatically sign on the requester without displaying a Sign On display.
- Set up audit logging for the session.

For more information about the TELNET exit programs, see Appendix E, TCP/IP Application Exit Points and Programs, in the TCP/IP Configuration and Reference book. You can find a sample program at the following Web location:

http://www.as400.ibm.com/tstudio/tech_ref/tcp/indexfr.htm

or go to the Information Center, select Networking — TCP/IP — TCP/IP Services and Applications — Telnet — sample Telnet exit programs.
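The decision logic an exit program could apply at TELNET session start (the repeated-requests check under Limiting the number of sign-on attempts, plus the validation indicator from Table 24), together with the monitor for CPF2234 messages in QHST that the FTP section later suggests, as one added example in Python. It is not IBM code and does not reproduce the real exit-point parameter formats or the QHST record layout; the log lines, IP addresses, user profile names and all function and class names are constructed for this illustration.

```python
"""Added example (not IBM code): repeated-attempt detection for a TELNET
initiation exit program and for a QHST CPF2234 monitor.  Exit-point parameter
formats and the real QHST layout are not modelled; everything below is constructed."""
from collections import defaultdict, deque
import re


class RepeatedAttemptTracker:
    """Counts events per key (an IP address or a user profile) inside a sliding
    time window, discarding events older than the window."""

    def __init__(self, window_seconds: int, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self.events = defaultdict(deque)

    def record(self, key: str, ts: int) -> int:
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def exceeded(self, key: str, ts: int) -> bool:
        return self.record(key, ts) >= self.threshold


def telnet_exit(tracker: RepeatedAttemptTracker, ip: str, ts: int, validated: int) -> dict:
    """Decision for one TELNET session request.  `validated` is the indicator
    the exit program receives after QRMTSIGN processing: 0 not validated or no
    password, 1 clear-text password validated, 2 encrypted password validated.
    A burst of requests from one address is denied and a message text for the
    QSYSOPR message queue is returned; automatic sign-on is permitted only when
    the system reported a validated password."""
    if tracker.exceeded(ip, ts):
        return {"allow": False, "auto_signon": False,
                "qsysopr": f"TELNET session requests from {ip} denied: repeated attempts"}
    return {"allow": True, "auto_signon": validated in (1, 2), "qsysopr": None}


# Constructed QHST-style lines (message ID, time as epoch seconds, user profile);
# the real QHST entries carry more fields and a different layout.
SAMPLE_QHST = """\
CPF2234 1000 user=FTPUSR1
CPF2234 1030 user=FTPUSR1
CPF2234 1055 user=FTPUSR1
CPF2201 1060 user=FTPUSR1
CPF2234 1200 user=BATCHX
CPF2234 9000 user=FTPUSR1
"""
LINE_RE = re.compile(r"^(CPF\d{4}) (\d+) user=(\S+)$")


def scan_qhst(text: str, window_seconds: int = 300, threshold: int = 3) -> list:
    """Return (user, ts) pairs at which repeated CPF2234 messages for one user
    profile crossed the threshold inside the window.  A caller would act on
    each hit, for example by ending the FTP servers as the text suggests."""
    tracker = RepeatedAttemptTracker(window_seconds, threshold)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "CPF2234":
            continue
        ts, user = int(m.group(2)), m.group(3)
        if tracker.exceeded(user, ts):
            hits.append((user, ts))
    return hits


if __name__ == "__main__":
    t = RepeatedAttemptTracker(window_seconds=60, threshold=3)
    for ts in (0, 10, 20):
        print(telnet_exit(t, "192.0.2.7", ts, validated=2))
    print(scan_qhst(SAMPLE_QHST))
```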
Security Tips for File Transfer Protocol
FTP (file transfer protocol) provides the capability of transferring files between the client (a user on another system) and the server (your system). You can also use the remote command capability of FTP to submit commands to the server system. FTP requires a user ID and a password. However, you can use the FTP Server exit points to provide an anonymous FTP function for guest users (users who do not have a user ID and password on your system). For secure anonymous FTP, you must write exit programs for both the FTP Server Logon and FTP Server Request Validation exit points.
Tips for Preventing FTP Access
If you do not want anyone to use FTP to access your system, you should prevent the FTP server from running. Do the following:

__ Step 1. To prevent FTP server jobs from starting automatically when you start TCP/IP, type the following:

CHGFTPA AUTOSTART(*NO)

Notes:
a. AUTOSTART(*YES) is the default value.
b. Controlling Which TCP/IP Servers Start Automatically on page 158 provides more information about controlling which TCP/IP servers start automatically.

__ Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for FTP, do the following:
__ Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
__ Step b. Select option 4 (Work with TCP/IP port restrictions).
__ Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
__ Step d. For the lower port range, specify 20.
__ Step e. For the upper port range, specify 21.
__ Step f. For the protocol, specify TCP.
__ Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
Notes:
a. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
b. RFC 1700 provides information about assigned port numbers.
c. If ports 20 or 21 are restricted to a user profile other than QTCP, attempting to start the FTP server will cause it to immediately end with errors.
d. This method works only for completely restricting an application such as the FTP server. It does not work for restricting specific users. When a user connects to the FTP server, the request uses the QTCP profile initially. The system changes to the individual user profile after the connection is successful. Every user of the FTP server uses QTCP's authority to the port.
Tips for Controlling FTP Access
If you want to allow FTP clients to access your system, be aware of the following security issues:
- Your object authority scheme might not provide detailed enough protection when you allow FTP on your system. For example, when a user has the authority to view a file (*USE authority), the user can also copy the file to a PC or to another system. You might want to protect some files from being copied to another system. You can use FTP exit programs to restrict the FTP operations that users can perform. You can use the FTP Request Validation Exit to control what operations you allow. For example, you can reject GET requests for specific database files. You can use the FTP Server Logon Exit to authenticate users who log on to the FTP server. TCP/IP User Exits in the TCP/IP Configuration and Reference book describes this exit point and provides sample programs. The TCP/IP User Exits appendix of the book TCP/IP Configuration and Reference also describes how to use exit programs to set up support for anonymous FTP on your system.
- FTP passwords are not encrypted when they are sent between the client system and the server system. Depending on your connection methods, your system may be vulnerable to password theft through line sniffing.
- If the QMAXSGNACN system value is set to 1, the QMAXSIGN system value applies to TELNET but not to FTP. If QMAXSGNACN is set to 2 or 3 (values which disable the profile if the maximum sign-on count is reached), FTP logon attempts are counted. In this case, a hacker can mount a denial of service attack through FTP by repeatedly attempting to log on with an incorrect password until the user profile is disabled. For each unsuccessful attempt, the system writes message CPF2234 to the QHST log. You can write a program to monitor the QHST log for the message. If the program detects repeated attempts, it can end the FTP servers.
- You can use the Inactivity timeout (INACTTIMO) parameter on the FTP configuration to reduce the exposure when a user leaves an FTP session unattended. Be sure to read the documentation or online help to understand how the INACTTIMO parameter and the connection timer for server startup work together.
Note: The QINACTITV system value does not affect FTP sessions.
- The TCP/IP Configuration and Reference book describes how to use FTP batch support, for example, to send files between systems at night. When you use FTP batch support, the program must send both the user ID and the password to the server system. Either the user ID and password must be coded in the program, or the program must retrieve them from a file. Both these options for storing passwords and user IDs represent a potential security exposure. If you use FTP batch, you must ensure that you use object security to protect the user ID and password information. You should also use a single user ID that has very limited authority on the target system. It should have only enough authority to perform the function that you want, such as file transfer.
- FTP provides remote-command capability, just as advanced program-to-program communications (APPC) and Client Access do. The RCMD (Remote Command) FTP-server subcommand is the equivalent of having a command line on the system. Before you allow FTP, you must ensure that your object security scheme is adequate. You can also use the FTP exit program to limit or reject attempts to use the RCMD subcommand. TCP/IP User Exits in the TCP/IP Configuration and Reference book describes this exit point and provides sample programs.
- Beginning with V3R2 and V3R7, a user can access objects in the integrated file system with FTP. Therefore, you need to ensure that your authority scheme for the integrated file system is adequate when you run the FTP server on your system. Chapter 12, Using the Integrated File System to secure your files, on page 127 provides suggestions for securing the integrated file system.
- A popular hacker activity is to set up an unsuspecting site as a repository for information. Sometimes, the information might be illegal or pornographic. If a hacker gains access to your site through FTP, the hacker uploads this undesirable information to your system. The hacker then informs other hackers of your system's address. They in turn access your system with FTP and download the undesirable information. You can use the FTP exit programs to help protect against this type of attack. For example, you might direct all requests to upload information to a directory that is write-only. This defeats the hacker's objective because the hacker's friends will not be able to download the information in the directory. AS/400 Internet
Chapter 14 Tips for Securing TCP/IP Communications
171
Security: Protecting Your AS/400 from HARM on the Internet provides more information about the risks and possible solutions when you allow uploading through FTP
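The QHST monitor that the QMAXSGNACN bullet suggests, as an added example in Python that is not code from this manual: it reads history-log lines (the line layout and the exact CPF2234 message text are constructed for the example), counts failed sign-ons per user profile inside a sliding time window, and returns the CL command an operator might run in response rather than running anything itself. The threshold is meant to sit below the QMAXSIGN system value so that the alert arrives while the profile is still enabled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# One CPF2234 line as constructed for this example: timestamp, message id, text.
# Assumption: the QHST text of CPF2234 reads "Password not correct for user profile <name>."
CPF2234_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+CPF2234\s+"
    r"Password not correct for user profile (?P<profile>\S+)\.$"
)

# Alert = (profile, attempts inside the window, first attempt, last attempt) as ISO strings.
Alert = Tuple[str, int, str, str]


def parse_cpf2234(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, profile) for a CPF2234 line, None for any other message."""
    match = CPF2234_RE.match(line.strip())
    if match is None:
        return None
    return datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S"), match["profile"]


def detect_password_guessing(lines: List[str], threshold: int = 3,
                             window_minutes: int = 5) -> List[Alert]:
    """Flag each profile that reaches `threshold` failed sign-ons inside a sliding window.

    Keep `threshold` below QMAXSIGN: the point is to react before the attacker's
    goal (a disabled profile) is reached. One alert per profile per pass.
    """
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    alerted = set()
    for line in lines:
        parsed = parse_cpf2234(line)
        if parsed is None:
            continue                      # not a failed sign-on; ignore the line
        ts, profile = parsed
        attempts = recent[profile]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()            # drop attempts that fell out of the window
        if len(attempts) >= threshold and profile not in alerted:
            alerted.add(profile)
            alerts.append((profile, len(attempts),
                           attempts[0].isoformat(sep=" "), ts.isoformat(sep=" ")))
    return alerts


def recommended_action(alert: Alert) -> str:
    """The response the manual suggests: end the FTP server.

    Only the CL command text is returned; an operator, or a monitoring job with
    the proper authority, decides whether to run it.
    """
    profile, count, first, last = alert
    return (f"{count} failed FTP sign-ons for {profile} between {first} and {last}: "
            f"consider ENDTCPSVR SERVER(*FTP)")


# Constructed sample QHST lines, not taken from a real system.
SAMPLE_QHST = [
    "2001-05-14 02:10:01  CPF1124  Job 123456/QTCP/QTFTP00001 started.",
    "2001-05-14 02:11:05  CPF2234  Password not correct for user profile FTPUSER.",
    "2001-05-14 02:11:09  CPF2234  Password not correct for user profile FTPUSER.",
    "2001-05-14 02:11:14  CPF2234  Password not correct for user profile FTPUSER.",
    "2001-05-14 02:11:20  CPF2234  Password not correct for user profile FTPUSER.",
    "2001-05-14 03:05:00  CPF2234  Password not correct for user profile ALICE.",
    "2001-05-14 08:41:33  CPF2234  Password not correct for user profile ALICE.",
]


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_QHST):
        print(recommended_action(alert))
```

With the defaults (three failures inside five minutes) only FTPUSER is reported; the two ALICE failures hours apart stay below the threshold, which is the behaviour you want from a monitor that feeds an automatic ENDTCPSVR.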
Security Tips for the Bootstrap Protocol Server
Bootstrap Protocol (BOOTP) provides a dynamic method for associating workstations with servers and assigning workstation IP addresses and initial program load (IPL) sources. BOOTP and trivial file transfer protocol (TFTP) together provide support for the IBM Network Station for AS/400. BOOTP is a TCP/IP protocol used to allow a media-less workstation client to request a file containing initial code from a server on the network. The BOOTP server listens on the well-known BOOTP server port, 67. When a client request is received, the server looks up the IP address defined for the client and returns a reply to the client with the client's IP address and the name of the load file. The client then initiates a TFTP request to the server for the load file. The mapping between the client hardware address and IP address is kept in the BOOTP table on the iSeries.
Tips for Preventing BOOTP Access
If you do not have any Network Stations attached to your iSeries, you do not need to run the BOOTP server on your system. It can be used for other devices, but the preferred solution for those devices is to use DHCP. Do the following to prevent the BOOTP server from running:

Step 1. To prevent BOOTP server jobs from starting automatically when you start TCP/IP, type the following:
   CHGBPA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*NO) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for BOOTP, do the following:
   Note: Because DHCP and BOOTP use the same port number, this will also inhibit the port that is used by DHCP. Do not restrict the port if you want to use DHCP.
   Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
   Step b. Select option 4 (Work with TCP/IP port restrictions).
   Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   Step d. For the lower port range, specify 67.
   Step e. For the upper port range, specify *ONLY.
   Notes:
   1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   2. RFC1700 provides information about common port number assignments.
   Step f. For the protocol, specify *UDP.
   Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
Tips for Securing the BOOTP Server
The BOOTP server does not provide direct access to your iSeries system, and thus represents a limited security exposure. Your primary concern as a security administrator is to ensure that the correct information is associated with the correct Network Station. In other words, a mischief-maker could alter the BOOTP table and cause your Network Stations to work incorrectly or not at all. To administer the BOOTP server and the BOOTP table, you must have *IOSYSCFG special authority. You need to carefully control the user profiles that have *IOSYSCFG special authority on your system. The IBM Network Station Manager for AS/400 book describes the procedures for working with the BOOTP table.
Security Tips for the Dynamic Host Configuration Protocol Server
Dynamic host configuration protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network. For your client workstations, DHCP can provide a function similar to auto configuration. A DHCP-enabled program on the client workstation broadcasts a request for configuration information. If the DHCP server is running on your iSeries, the server responds to the request by sending the information that the client workstation needs to correctly configure TCP/IP. You can use DHCP to make it simpler for users to connect to your iSeries for the first time, because the user does not need to enter TCP/IP configuration information. You can also use DHCP to reduce the number of internal TCP/IP addresses that you need in a subnetwork. The DHCP server can temporarily allocate IP addresses to active users from its pool of IP addresses. For Network Stations, you can use DHCP in place of BOOTP. DHCP provides more function than BOOTP, and it can support dynamic configuration of both Network Stations and PCs.
Tips for Preventing DHCP Access
If you do not want anyone to use the DHCP server on your system, do the following:

1. To prevent DHCP server jobs from starting automatically when you start TCP/IP, type the following:
   CHGDHCPA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*NO) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for DHCP, do the following:
   a. Type GO CFGTCP to display the Configure TCP/IP menu.
   b. Select option 4 (Work with TCP/IP port restrictions).
   c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   d. For the lower port range, specify 67.
   e. For the upper port range, specify 68.
   Notes:
   1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   2. RFC1700 provides information about common port number assignments.
   f. For the protocol, specify *UDP.
   g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
Tips for Securing the DHCP Server
Following are security considerations when you choose to run DHCP on your iSeries system:
• Restrict the number of users who have authority to administer DHCP. Administering DHCP requires the following authority:
  - *IOSYSCFG special authority
  - *RW authority to the following files:
    /QIBM/UserData/OS400/DHCP/dhcpsd.cfg
    /QIBM/UserData/OS400/DHCP/dhcprd.cfg
• Evaluate how physically accessible your LAN is. Could an outsider easily walk into your location with a laptop and physically connect it to your LAN? If this is an exposure, DHCP provides the capability to create a list of clients' hardware addresses that the DHCP server will configure. When you use this feature, you remove some of the productivity benefit that DHCP provides to your network administrators. However, you prevent the system from configuring unknown workstations.
• If possible, use a pool of IP addresses that is reusable (not architected for the Internet). This helps prevent a workstation from outside your network from gaining usable configuration information from the server.
• Use the DHCP exit points if you need additional security protection. Following is an overview of the exit points and their capabilities. The iSeries System API Reference describes how to use these exit points.
  Port entry: The system calls your exit program whenever it reads a data packet from port 67 (the DHCP port). Your exit program receives the full data packet. It can decide whether the system should process or discard the packet. You can use this exit point when existing DHCP screening features are not sufficient for your needs.
  Address assignment: The system calls your exit program whenever DHCP formally assigns an address to a client.
  Address release: The system calls your exit program whenever DHCP formally releases an address and places it back in the address pool.
Security Tips for the Trivial File Transfer Protocol Server
Trivial file transfer protocol (TFTP) provides basic file transfer with no user authentication. TFTP works with either Bootstrap Protocol (BOOTP) or Dynamic Host Configuration Protocol (DHCP) to provide support for the IBM Network Station for AS/400. The IBM Network Station for AS/400 (a media-less workstation client) connects initially to either the BOOTP server or the DHCP server. The BOOTP server or the DHCP server replies with the client's IP address and the name of the load file. The client then initiates a TFTP request to the server for the load file. When the client completes downloading of the load file, it ends the TFTP session.
Tips for Preventing TFTP Access
If you do not have any Network Stations attached to your iSeries, you probably do not need to run the TFTP server on your system. Do the following to prevent the TFTP server from running:

Step 1. To prevent TFTP server jobs from starting automatically when you start TCP/IP, type the following:
   CHGTFTPA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*NO) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for TFTP, do the following:
   Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
   Step b. Select option 4 (Work with TCP/IP port restrictions).
   Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   Step d. For the lower port range, specify 69.
   Step e. For the upper port range, specify *ONLY.
   Notes:
   1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   2. RFC1700 provides information about common port number assignments.
   Step f. For the protocol, specify *UDP.
   Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
Tips for Securing the TFTP Server
By default, the TFTP server provides very limited access to your iSeries system. It is specifically configured to provide the initial code for Network Stations. As a security administrator, you should be aware of the following characteristics of the TFTP server:
• The TFTP server does not require authentication (a user ID and password). All TFTP jobs run under the QTFTP user profile. The QTFTP user profile does not have a password. Therefore, it is not available for interactive sign-on. The QTFTP user profile does not have any special authorities, nor is it explicitly authorized to system resources. It uses public authority to access the resources that it needs for the Network Stations.
• When the TFTP server arrives, it is configured to access the directory that contains Network Station information. You must have *PUBLIC or QTFTP authorized to read or write to that directory. To write to the directory, you must have *CREATE specified on the Allow file writes parameter of the CHGTFTPA command. To write to an existing file, you must have *REPLACE specified on the Allow file writes parameter of CHGTFTPA. *CREATE allows you to replace existing files or create new files. *REPLACE only allows you to replace existing files. A TFTP client cannot access any other directory unless you explicitly define the directory with the Change TFTP Attributes (CHGTFTPA) command. Therefore, if a local or remote user does attempt to start a TFTP session to your system, the user's ability to access information or cause damage is extremely limited.
• If you choose to configure your TFTP server to provide other services in addition to handling Network Stations, you can define an exit program to evaluate and authorize every TFTP request. The TFTP server provides a request validation exit similar to the exit that is available for the FTP server. Note: "TCP/IP User Exits" in the TCP/IP Configuration and Reference book describes the FTP exit point and provides sample programs. You can use this same technique for the TFTP exit point.
Security Tips for the Remote EXECution Server
The Remote EXECution server (REXEC) receives and runs commands from an REXEC client. An REXEC client is typically a PC or UNIX application that supports sending REXEC commands. The support that this server provides is similar to the capability that is available when you use the RCMD (Remote Command) subcommand for the FTP server.
Tips for Preventing REXEC Access
If you do not want your iSeries to accept commands from an REXEC client, do the following to prevent the REXEC server from running:

Step 1. To prevent REXEC server jobs from starting automatically when you start TCP/IP, type the following:
   CHGRXCA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*NO) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for REXEC, do the following:
   Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
   Step b. Select option 4 (Work with TCP/IP port restrictions).
   Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   Step d. For the lower port range, specify 512.
   Step e. For the upper port range, specify *ONLY.
   Step f. For the protocol, specify *TCP.
   Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
   Notes:
   a. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   b. RFC1700 provides information about common port number assignments.
Tips for Securing the REXEC Server
Following are considerations when you choose to run the Remote EXECution server on your system:
• An REXEC request includes a user ID, a password, and the command to run. Normal iSeries authentication and authority checking applies:
  - The user profile and password combination must be valid.
  - The system enforces the Limit capabilities (LMTCPB) value for the user profile.
  - The user must be authorized to the command and to all of the resources that the command uses.
• The REXEC server provides exit points similar to the exit points that are available for the FTP server. You can use the Validation exit point to evaluate the command and decide whether to allow it. Note: "TCP/IP User Exits" in the TCP/IP Configuration and Reference book describes the FTP exit point and provides sample programs. You can use this same technique for the REXEC exit point.
• When you choose to run the REXEC server, you are running outside any menu access control that you have on your system. You must ensure that your object authority scheme is adequate to protect your resources.
Security Tips for the Route Daemon
The Route Daemon (RouteD) server provides support for the Routing Information Protocol (RIP) on iSeries. RIP is the most widely used of routing protocols. It is an Interior Gateway Protocol that assists TCP/IP in the routing of IP packets within an autonomous system. RouteD is intended to increase the efficiency of network traffic by allowing systems within a trusted network to update each other with current route information. When you run RouteD, your system can receive updates from other participating systems about how transmissions (packets) should be routed. Therefore, if your RouteD server is accessible to a hacker, the hacker might use it to reroute your packets through a system that can sniff or modify those packets. Following are suggestions for RouteD security:
• For V4R1, iSeries uses RIPv1, which does not provide any method for authenticating routers. It is intended for use within a trusted network. If your system is in a network with other systems that you do not trust, you should not run the RouteD server. To ensure that the RouteD server does not start automatically, type the following:
   CHGRTDA AUTOSTART(*NO)
  Notes:
  1. AUTOSTART(*NO) is the default value.
  2. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.
• Make sure that you control who can change the RouteD configuration, which requires *IOSYSCFG special authority.
• If your system participates in more than one network (for example, an intranet and the Internet), you can configure the RouteD server to send and accept updates only with the secure network.
Security Tips for the Domain Name System Server
The Domain Name System (DNS) server provides translation of host names to IP addresses and vice versa. On iSeries, the DNS server is intended to provide address translation for the internal, secure network (intranet).
Tips for Preventing DNS Access
If you do not want anyone to use the DNS server on your system, do the following:

1. To prevent DNS server jobs from starting automatically when you start TCP/IP, type the following:
   CHGDNSA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*NO) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for DNS, do the following:
   a. Type GO CFGTCP to display the Configure TCP/IP menu.
   b. Select option 4 (Work with TCP/IP port restrictions).
   c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   d. For the lower port range, specify 53.
   e. For the upper port range, specify *ONLY.
   Notes:
   1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   2. RFC1700 provides information about common port number assignments.
   f. For the protocol, specify *TCP.
   g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
   h. Repeat steps 2c through 2g for the UDP (User datagram protocol) protocol.
Tips for Securing the DNS Server
Following are security considerations when you choose to run DNS on your iSeries system:
• The function that the DNS server provides is IP address translation and name translation. It does not provide any access to objects on your iSeries system. Your risk when an outsider accesses your DNS server is that the server provides an easy way to view the topology of your network. Your DNS might save a hacker some effort in determining the addresses of potential targets. However, your DNS does not provide information that will help to break into those target systems.
• Typically, you use the iSeries DNS server for your intranet. Therefore, you probably do not have a need to restrict the ability to query the DNS. However, you might, for example, have several subnetworks within your intranet. You might not want users from a different subnetwork to be able to query the DNS on your iSeries. A security option of DNS lets you limit access to a primary domain. Use Operations Navigator to specify IP addresses to which the DNS server should respond. Another security option lets you specify which secondary servers can copy information from your primary DNS server. When you use this option, your server will accept zone transfer requests (a request to copy information) only from the secondary servers that you explicitly list.
• Be sure to carefully restrict the ability to change the configuration file for your DNS server. Someone with malicious intent could, for example, change your DNS file to point to an IP address outside your network. They could simulate a server in your network and, perhaps, gain access to confidential information from users that visit the server.
Security Tips for Simple Mail Transfer Protocol
Simple Mail Transfer Protocol (SMTP) provides the capability to distribute documents and e-mail messages to and from other systems. The system does not perform any sign-on processing for SMTP.
Tips for Preventing SMTP Access
If you do not want anyone to use SMTP to distribute mail to or from your system, you should prevent the SMTP server from running. Do the following:

Step 1. If you do not plan to use SMTP at all, do not configure it on your system or allow anyone else to configure it. If you need SMTP occasionally, but you normally do not want it to run, continue with the next steps.

Step 2. To prevent SMTP server jobs from starting automatically when you start TCP/IP, type the following:
   CHGSMTPA AUTOSTART(*NO)
   Notes:
   a. AUTOSTART(*YES) is the default value.
   b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

Step 3. To prevent SMTP from starting and to prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for SMTP, do the following:
   Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
   Step b. Select option 4 (Work with TCP/IP port restrictions).
   Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
   Step d. For the lower port range, specify 25.
   Step e. For the upper port range, specify *ONLY.
   Notes:
   1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
   2. RFC1700 provides information about common port number assignments.
   Step f. For the protocol, specify *TCP.
   Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
   Step h. Repeat steps 3c through 3g for the UDP protocol.

Step 4. To provide extra protection, hold the SNADS distribution queues that the SMTP application uses by typing the following commands:
   HLDDSTQ DSTQ(QSMTPQ) PTY(*NORMAL)
   HLDDSTQ DSTQ(QSMTPQ) PTY(*HIGH)
Tips for Controlling SMTP Access
If you want to allow SMTP clients to access your system, be aware of the following security issues:
• If possible, avoid using an *ANY *ANY entry in the system distribution directory. When your system does not have an *ANY *ANY entry, it is more difficult for someone to attempt to use SMTP to flood your system or overwhelm your network. Flooding occurs when your auxiliary storage is filled with unwanted mail that is being routed through your system to another system.
• To prevent a user from swamping your system with unwanted objects, be sure that you have set adequate threshold limits for your auxiliary storage pools (ASPs). You can display and set the thresholds for ASPs by using either system service tools (SST) or dedicated service tools (DST). The Backup and Recovery book provides more information about ASP thresholds.
• In V4R4, it is also possible to tune the maximum number of prestart jobs that will be created by doing a CHGPJE (see the TCP/IP Configuration and Reference, E-mail section). This will limit the number of jobs created during a denial of service attack. The default is 256 for the maximum threshold.
• The AS/400 Internet Security: Protecting Your AS/400 from HARM on the Internet book describes steps for cleaning up your iSeries if your system is the victim of a flooding attack.

The new function PTF (SMTP) was introduced in V4R2, V4R3, and V4R4 for controlling spam mail.

SMTP Special Instructions for SPAM

The SPAM code was added in the following releases:
• V4R2: 5769TC1 SF52864
• V4R3: 5769TC1 SF53421
• V4R4: 5769TC1 SF54014

Special instructions for controlling RELAY and CONNECTIONS

If you do not choose to take advantage of this enhanced function, nothing needs to be done. If you want to take advantage of this enhanced function, you should do the following:
• Create a Source Physical File QUSRSYS/QTMSADRLST with record length 92 (12 characters for line count and change information). The file must be CCSID 500:
   CRTSRCPF FILE(QUSRSYS/QTMSADRLST) CCSID(500)
• Create a Source Physical File member ACCEPTRLY. To create a member for a file that already exists and go into edit:
   STRSEU SRCFILE(QUSRSYS/QTMSADRLST) SRCMBR(ACCEPTRLY)
• Add a record with the dotted decimal address of the ALLOWED user. Only addresses in the list will be allowed to relay. Put one address and mask per line; a mask is optional. An example entry would be:
   1.2.3.4 255.255.0.0
  In this example the mask and the address would be combined (AND) to reject all addresses starting with 1.2, e.g. 1.2.5.6. Another example:
   7.8.9.3 255.255.255.255
  This would reject only one address, 7.8.9.3. It is the same as 7.8.9.3 with no mask.

Instructions for activating relay and connection lists
• End the SMTP server:
   ENDTCPSVR SERVER(*SMTP)
• If the data area for blocking all relays exists, delete it. To see if the data area exists:
   DSPDTAARA DTAARA(QUSRSYS/QTMSNORLY)
  To delete the data area:
   DLTDTAARA DTAARA(QUSRSYS/QTMSNORLY)
• Start the SMTP server:
   STRTCPSVR SERVER(*SMTP)

NOTE:
• If the data area for blocking relays (QUSRSYS/QTMSNORLY) is used, ALL relays will be blocked. If the data area is not there, but QUSRSYS/QTMSADRLST(ACCEPTRLY) exists and has at least one entry, then only addresses in the list will be allowed to relay.
• If the address is in QUSRSYS/QTMSADRLST(REJECTCNN), it will not be allowed to connect. This blocks relay and mail delivery from this address. If QUSRSYS/QTMSADRLST(REJECTCNN) does not exist or has no valid entries, then all connections will be allowed.
• If journaling is on, rejected addresses will be journaled. To find out if journaling is on, use PF4 on the command CHGSMTPA and look for the parameter Journal, which would be *YES for on. To display the journal (sues/jrnl is your library and file, dec14 is the name of the member you are creating):
   DSPJRN JRN(QZMF) OUTPUT(*OUTFILE) OUTFILE(sues/jrnl) OUTMBR(dec14) ENTDTALEN(512)
   DSPPFM FILE(sues/jrnl) MBR(dec14)
  Rejected connections will have the entry, starting in column 195:
   9S CONNECTION REFUSED 1.2.3.4
  Rejected relays will have the entry, starting in column 195:
   9V RELAY REFUSED 1.2.3.4
  1.2.3.4 is the dotted decimal address rejected. These journal entries will have a message id of 0.
  Relays will be rejected with the SMTP protocol response, in the SMTP client to SMTP server conversation:
   553 Relaying blocked at this site
  Connections will be rejected with the SMTP protocol response, in the SMTP client to SMTP server conversation:
   421 Service not available, access denied
  Only the first 10,000 entries in each table will be read. Lines beginning with * will be treated as comments. The file must be CCSID 500. Only put one address and mask per line. If you FTP your file between systems, make sure it is created as a source physical file on the receiving system first.
  Error messages will appear in the QTSMTPSRVR joblog as follows:
  Entries in the QUSRSYS/QTMSADRLST that are not valid:
   TCP9508 Internet address not valid
  Note: The above message will always be followed by the following message to indicate which file member has problems. The entries not in error will still be used.
  Any error with file QUSRSYS/QTMSADRLST:
   TCP2062 SMTP job not able to use file QTMSADRLST
  Except for entry errors, the above message will result in the actions that would occur if there were no file.
  Error getting temporary space for lists, which will result in the actions that would occur if there were no file:
   TCP1062 Not enough storage available
  Read errors on file QUSRSYS/QTMSADRLST, which may result in a partial file being used:
   TCP12B5 Unable to read data from file QTMSADRLST
  If changes are made to QUSRSYS/QTMSADRLST, the SMTP server must be restarted for the changes to take effect:
   ENDTCPSVR SERVER(*SMTP)
   STRTCPSVR SERVER(*SMTP)

For more information on subnet masks, please see the TCP/IP Configuration and Reference book, chapter 2, section "Subnetworks".
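A model of the relay and connection checks described in the instructions above, as an added example in Python that is not IBM code: it parses ACCEPTRLY and REJECTCNN members from a constructed CCSID 500 source member image (the 92-byte record layout with a 12-byte sequence/date prefix is assumed from the record-length note above), applies the address-AND-mask rule to a connecting client, skips entries that are not valid while keeping the rest, and returns the 553 and 421 responses. The outcome when neither the QTMSNORLY data area nor a usable list exists is an assumption noted in the code.

```python
import ipaddress
from typing import List, Tuple

MAX_ENTRIES = 10_000          # only the first 10,000 entries of each table are read
COMMENT_MARKER = "*"          # lines beginning with "*" are comments
FULL_MASK = 0xFFFFFFFF        # a missing mask means the entry matches exactly one host
RCDLEN, SRC_PREFIX = 92, 12   # assumed record layout: 12 bytes sequence/date, 80 bytes data
RELAY_REFUSED = "553 Relaying blocked at this site"
CONNECTION_REFUSED = "421 Service not available, access denied"

Entry = Tuple[int, int]       # (address, mask) as 32-bit integers


def _to_int(dotted: str) -> int:
    """Dotted decimal to integer; raises ValueError for anything that is not a valid quad."""
    return int(ipaddress.IPv4Address(dotted))


def member_records_to_lines(data: bytes) -> List[str]:
    """Split a CCSID 500 (EBCDIC) source member image into its 80-byte data lines."""
    whole = len(data) - len(data) % RCDLEN
    return [data[i + SRC_PREFIX:i + RCDLEN].decode("cp500") for i in range(0, whole, RCDLEN)]


def parse_address_list(lines: List[str]) -> Tuple[List[Entry], List[str]]:
    """Parse one list member (ACCEPTRLY or REJECTCNN) into (entries, errors).

    An entry that is not valid is reported (the server logs TCP9508) and skipped;
    the remaining entries are still used, as the text states.
    """
    entries: List[Entry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(lines[:MAX_ENTRIES], start=1):
        text = raw.strip()
        if not text or text.startswith(COMMENT_MARKER):
            continue
        fields = text.split()
        try:
            address = _to_int(fields[0])
            mask = _to_int(fields[1]) if len(fields) > 1 else FULL_MASK
        except ValueError:
            errors.append(f"line {lineno}: Internet address not valid: {text!r}")
            continue
        entries.append((address, mask))
    return entries, errors


def address_in_list(client: str, entries: List[Entry]) -> bool:
    """An entry matches when (client AND mask) equals (entry address AND mask)."""
    c = _to_int(client)
    return any((c & mask) == (address & mask) for address, mask in entries)


def relay_allowed(client: str, norly_exists: bool, acceptrly: List[Entry]) -> Tuple[bool, str]:
    """QTMSNORLY blocks all relaying; otherwise a non-empty ACCEPTRLY restricts it to the list."""
    if norly_exists:
        return False, RELAY_REFUSED
    if acceptrly and not address_in_list(client, acceptrly):
        return False, RELAY_REFUSED
    # Assumption: with no data area and no usable list, relaying is not restricted.
    return True, ""


def connection_allowed(client: str, rejectcnn: List[Entry]) -> Tuple[bool, str]:
    """An address in REJECTCNN is refused at connect time, before relay or delivery."""
    if rejectcnn and address_in_list(client, rejectcnn):
        return False, CONNECTION_REFUSED
    return True, ""


def make_member(lines: List[str]) -> bytes:
    """Build a constructed CCSID 500 member image: sequence number, date, 80-byte data."""
    return b"".join((f"{seq:04d}00" + "010101" + line.ljust(80)[:80]).encode("cp500")
                    for seq, line in enumerate(lines, start=1))


# Constructed sample members, not taken from a real system.
ACCEPTRLY_SAMPLE = make_member([
    "* hosts allowed to relay",
    "1.2.3.4 255.255.0.0",        # every address starting with 1.2
    "7.8.9.3 255.255.255.255",    # exactly 7.8.9.3, same as an entry with no mask
    "10.0.0.7",
    "999.1.1.1",                  # not valid: reported, rest of the list still used
])
REJECTCNN_SAMPLE = make_member(["* hosts refused at connect time", "192.0.2.0 255.255.255.0"])


def demo() -> dict:
    """Run the sample lists through the checks and return every decision."""
    accept, accept_errors = parse_address_list(member_records_to_lines(ACCEPTRLY_SAMPLE))
    reject, _ = parse_address_list(member_records_to_lines(REJECTCNN_SAMPLE))
    return {
        "accept_entries": len(accept),
        "accept_errors": len(accept_errors),
        "relay 1.2.5.6": relay_allowed("1.2.5.6", False, accept),
        "relay 1.3.0.1": relay_allowed("1.3.0.1", False, accept),
        "relay 1.2.5.6 with QTMSNORLY": relay_allowed("1.2.5.6", True, accept),
        "relay 5.5.5.5 no list": relay_allowed("5.5.5.5", False, []),
        "connect 192.0.2.9": connection_allowed("192.0.2.9", reject),
        "connect 7.8.9.3": connection_allowed("7.8.9.3", reject),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The ordering matters: the REJECTCNN check runs before any relay decision, so an address in that list never reaches the ACCEPTRLY logic, and the QTMSNORLY data area overrides the ACCEPTRLY list entirely.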
Security Tips for Post Office Protocol
The POP (Post Office Protocol) server provides a simple store-and-forward mail system. The POP server holds mail temporarily until a mail client retrieves it. The client/server interface of the POP server requires the services of the SMTP server. A mail client must have a user ID and a password to retrieve mail from the POP server.
Tips for Preventing POP Access
If you do not want anyone to use POP to access your system, you should prevent the POP server from running. Do the following:
__ Step 1. If you do not plan to use POP at all, do not configure it on your system or allow anyone else to configure it. If you need POP occasionally, but you normally do not want the POP server to run, continue with the next steps.
__ Step 2. To prevent POP server jobs from starting automatically when you start TCP/IP, type the following:
CHGPOPA AUTOSTART(*NO)
Notes:
a. AUTOSTART(*NO) is the default value.
b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.
Chapter 14 Tips for Securing TCP/IP Communications
183
__ Step 3. To prevent POP from starting and to prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for POP, do the following:
__ Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
__ Step b. Select option 4 (Work with TCP/IP port restrictions).
__ Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
__ Step d. For the lower port range, specify 109.
__ Step e. For the upper port range, specify 110.
Notes:
1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
2. RFC 1700 provides information about common port number assignments.
__ Step f. For the protocol, specify *TCP.
__ Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
__ Step h. Repeat steps 3c through 3g for the *UDP protocol.
__ Step 4. Review "Security Tips for Simple Mail Transfer Protocol" on page 179 for suggestions for protecting the SMTP server. The POP server requires the services of the SMTP server.
Tips for Controlling POP Access
If you want to allow POP clients to access your system, be aware of the following security issues:
v The POP mail server provides authentication for clients who attempt to access their mailboxes. The client sends a user ID and password to the server. Note: The password is sent in the clear and can be vulnerable. The POP mail server verifies the user ID and password against the iSeries user profile and password for that user. Because you do not have control over how the user ID and password are stored on the POP client, you might want to create a special user profile that has very limited authority on your iSeries system. To prevent anyone from using the user profile for an interactive session, you can set the following values in the user profile:
- Set initial menu (INLMNU) to *SIGNOFF.
- Set initial program (INLPGM) to *NONE.
- Set limit capabilities (LMTCPB) to *YES.
v To prevent a malicious intruder from flooding your system with unwanted objects, be sure that you have set adequate threshold limits for your auxiliary storage pools (ASPs). The ASP storage threshold prevents your system from stopping because the operating system does not have sufficient working space. You can display and set the thresholds for ASPs by using either system service tools (SST) or dedicated service tools (DST). The Backup and Recovery book provides more information about ASP thresholds.
v Although you need to ensure that your ASP threshold prevents your system from being flooded, you also need to ensure that your system has adequate space to properly store and deliver mail. If your system cannot deliver mail because the system does not have adequate storage for transient mail, this is an integrity problem for your users. Note: Usually storage space is not a significant problem. When a client receives mail, the system deletes the mail from the server.
Security Tips for Web Serving from iSeries 400
In V4R1 and V4R2, the Internet Connection Server product provided web serving capability to iSeries 400. In V4R3, the IBM HTTP Server for AS/400 product replaced Internet Connection Server. Each product provides a Hypertext Transfer Protocol (HTTP) server on iSeries 400. The two products share many security issues, though there are also some differences between them. In this section, the general terms "HTTP server" and "Internet server" are used to describe issues that pertain to both products. When an issue applies specifically to either Internet Connection Server or IBM HTTP Server for AS/400, its full name is used.
The HTTP server provides World Wide Web browser clients with access to iSeries multimedia objects, such as HTML (Hypertext Markup Language) documents. It also supports the Common Gateway Interface (CGI) specification. Application programmers can write CGI programs to extend the functionality of the server.
The administrator can use Internet Connection Server or IBM HTTP Server for AS/400 to run multiple servers concurrently on the same iSeries. Each server that is running is called a server instance. Each server instance has a unique name. The administrator controls which instances are started and what each instance can do.
Note: You must have the ADMIN instance of the HTTP server running when you use a Web browser to configure or administer any of the following:
v Firewall for iSeries
v Network Station
v Internet Connection Server
v Internet Connection Secure Server
v IBM HTTP Server for AS/400
A user (Web site visitor) never sees an iSeries Sign On display. However, the administrator on iSeries must explicitly authorize all HTML documents and CGI programs by defining them in HTTP directives. In addition, the administrator can set up both resource security and user authentication (user ID and password) for some or all requests.
An attack by a hacker could result in a denial of service to your Web server. Your server can detect a denial-of-service attack by measuring the time-out of certain clients' requests. If the server does not receive a request from the client, then your server determines that a denial-of-service attack is in progress. This occurs after making the initial client connection to your server. The server's default is to perform attack detection and penalization.
Tips for Preventing Access
If you do not want anyone to use the program to access your system, you should prevent the HTTP server from running. Do the following:
__ Step 1. To prevent HTTP server jobs from starting automatically when you start TCP/IP, type the following:
CHGHTTPA AUTOSTART(*NO)
Notes:
a. AUTOSTART(*NO) is the default value.
b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.
__ Step 2. By default, the HTTP server job uses the QTMHHTTP user profile. To prevent the HTTP server from starting, set the status of the QTMHHTTP user profile to *DISABLED.
Tips for Controlling Access
The primary purpose of running an HTTP server is to provide access for visitors to a Web site on your iSeries system. You might think of someone who visits your Web site as you would think of someone who views an advertisement in a trade journal. The visitor is not aware of the hardware and software running your Web site, such as the type of server you are using, and where your server is physically located. Usually, you do not want to put any barrier (such as a Sign On display) between a potential visitor and your Web site. However, you might want to restrict access to some of the documents or CGI programs that your Web site provides.
You might also want a single iSeries system to provide multiple logical Web sites. For example, your iSeries system might support different branches of your business that have different customer sets. For each of these branches of the business, you want a unique Web site that appears totally independent to the visitor. Additionally, you might want to provide internal Web sites (an intranet) with confidential information about your business.
As a security administrator, you need to protect the contents of your Web site while, at the same time, you need to ensure that your security practices do not negatively affect the value of your Web site. In addition, you need to ensure that HTTP activity does not jeopardize the integrity of your system or your network. The topics that follow provide security suggestions when you use the program.
Administration Considerations
Following are some security considerations for administering your Internet server:
v You perform setup and configuration functions by using a Web browser and the ADMIN instance. For some functions, such as creating additional instances on the server, you must use the ADMIN server.
v The default URL for the administration home page (the home page for the ADMIN server) is published in the documentation for products that provide browser administration functions. Therefore, the default URL will probably be known by hackers and published in hacker forums, just like the default passwords for IBM-supplied user profiles are known and published. You can protect yourself from this exposure in several ways:
- Only run the ADMIN instance of the HTTP server when you need to perform administrative functions. Do not have the ADMIN instance running all the time.
- Activate SSL support for the ADMIN instance by using Digital Certificate Manager. The ADMIN instance uses HTTP protection directives to require a
user ID and password. When you use SSL, your user ID and password are encrypted along with all the other information about your configuration that appears on the administration forms.
- Use a firewall both to prevent access to the ADMIN server from the Internet and to hide your system and domain names, which are part of the URL.
v When you perform administration functions, you must sign on with a user profile that has *IOSYSCFG special authority. You might also need authority to specific objects on the system, such as the following:
- The libraries or directories that contain your HTML documents and CGI programs.
- Any user profiles that you plan to swap to within the directives for the server.
- The Access Control Lists (ACLs) for any directories that your directives use.
- A validation list object for creating and maintaining user IDs and passwords.
v With both the ADMIN server and TELNET, you have the capability to perform administration functions remotely, perhaps over an Internet connection. Be aware that if you perform administration over a public link (the Internet), you might be exposing a powerful user ID and password to sniffing. The sniffer can then use this user ID and password to attempt to access your system using, for example, TELNET or FTP.
Notes:
1. With TELNET, the Sign On display is treated like any other display. Although the password does not display when you type it, the system transmits it without any encryption or encoding.
2. With the ADMIN server, the password is encoded (not encrypted). The encoding scheme is an industry standard, and thus commonly known among the hacker community. Although the encoding is not easily understood by the casual sniffer, a sophisticated sniffer probably has tools to attempt to decode the password.
Security Tip: If you plan to perform remote administration over the Internet, you should use the ADMIN instance with SSL, so that your transmissions are encrypted. Do not use an insecure application, such as a pre-V4R4 version of TELNET (TELNET supports SSL beginning with V4R4). If you are using the ADMIN server across an intranet of trusted users, you can probably safely use this for administration.
v The HTTP directives provide the foundation for all activity on your server. The shipped configuration provides the capability to serve a default Welcome page. A client cannot view any documents except the Welcome page until the server administrator defines directives for the server. To define directives, use a Web browser and the ADMIN server or the Work with HTTP Configuration (WRKHTTPCFG) command. Both methods require *IOSYSCFG special authority. When you connect your iSeries to the Internet, it becomes even more critical to evaluate and control the number of users in your organization who have *IOSYSCFG special authority.
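The difference between encoding and encryption in note 2 above (the same point is made again in the notes on protection directives later in this section) can be seen in a few lines of code. This is an added example and not part of the manual or of the HTTP server: it builds the Authorization header a browser sends after a challenge, shows that the standard library recovers the user ID and password from it with no key at all, and then applies the policy the Security Tip calls for, accepting such credentials for the ADMIN instance only on an SSL session. The user ID, the password and the front-end check are constructed for the example; the check is not a server option.

```python
"""HTTP basic authentication encodes, it does not encrypt.  Added example,
not IBM code; the sample credentials are constructed."""
import base64
from typing import Dict, Optional, Tuple

def basic_auth_header(user_id: str, password: str) -> str:
    """The Authorization value a browser sends after a 401 challenge: the
    user ID and password joined with ':' and Base64 encoded (RFC 2617)."""
    token = base64.b64encode(f"{user_id}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")

def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Undo the encoding.  No key is involved, so anyone who can read the
    bytes on a plaintext link can do the same; that is the point of the
    note above.  Returns None when the header is not well-formed Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, password = raw.partition(":")
    if not sep:
        return None
    return user_id, password

def admin_request_decision(headers: Dict[str, str], over_ssl: bool) -> Tuple[bool, str]:
    """Assumed front-end policy for the ADMIN instance: Basic credentials are
    accepted only when the session is SSL, so the user ID and password never
    cross a public link merely encoded."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return False, "401: challenge for user ID and password"
    if decode_basic(auth) is None:
        return False, "400: malformed Authorization header"
    if not over_ssl:
        return False, "403: credentials offered over a plaintext connection"
    return True, "200: authenticated on an SSL session"

if __name__ == "__main__":
    hdr = basic_auth_header("WEBADMIN", "s3cret")        # constructed sample
    print(hdr)                                            # what crosses the wire
    print(decode_basic(hdr))                              # what a sniffer recovers
    print(admin_request_decision({"Authorization": hdr}, over_ssl=False))
    print(admin_request_decision({"Authorization": hdr}, over_ssl=True))
```

Compare this with TELNET in note 1: there the password is not even encoded, so the same plaintext-link exposure applies with one step fewer, which is why the Security Tip treats pre-V4R4 TELNET and the ADMIN server without SSL alike.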
Protecting Resources
Internet Connection Server and IBM HTTP Server for AS/400 both include HTTP directives that can provide detailed control of the information assets that the server
uses. You can use directives to swap to other iSeries user profiles and to require authentication for some resources. Following are some suggestions and considerations for using this support:
Note: The Web serving with your IBM HTTP Server topic in the Information Center provides complete descriptions of the available HTTP directives and how to use them. It includes security examples and considerations.
v The HTTP server starts from the basis of explicit authority. The server does not accept a request unless that request is explicitly defined in the directives. In other words, the server immediately rejects any request for a URL unless that URL is defined in the directives (either by name or generically). To take advantage of this initial protection that the directives provide, consider the following:
- When you add a directive to the HTTP server, make the template value for the path as specific as possible. This reduces the chance that someone can browse through your system and discover files. Avoid using generic file names and wildcards.
- Use Map or Pass directives to mask the file names on your iSeries web server. Both Map and Pass directives are methods for equating the URL that the client sends with a different name or resource on the server. For example, the client browser might issue a URL that looks like the following:
http://hostname/webdata/products
Use the browser-based configuration and administration forms or the WRKHTTPCFG command to add a Pass directive to the HTTP server configuration that looks like the following:
Pass /webdata/products /QSYS.LIB/WEBDATA.LIB/WWWDATA.FILE/PRODUCTS.MBR
The requester who sees this URL has no idea that the product data is in the WWWDATA file in the WEBDATA library on your iSeries system. This method protects (hides) your iSeries file names and library names from potential hackers. It also gives you the flexibility to change your iSeries application without having to change the URL.
v You can use protection directives to require a user ID and password before accepting a request for some or all of your resources. Following are some considerations for using this support:
- When a user (client) requests a protected resource, the server challenges the browser for a user ID and password. The browser prompts the user to enter a user ID and password, and then sends the information to the server. Some browsers store the user ID and password and send them automatically with subsequent requests. This frees the user from repeatedly entering the same user ID and password on each request. Because some browsers store the user ID and password, you have the same user education task that you have when users enter your system through the iSeries Sign On display or through a router. An unattended browser session represents a potential security exposure.
- You have three options for how the system handles user IDs and passwords specified in the protection directives:
 1. You can use normal iSeries user profile and password validation. This is most commonly used to protect resources in an intranet (secure network).
 2. You can create Internet users: users that can be validated but do not have a user profile on the iSeries 400 system. Internet users are implemented through an iSeries 400 object called a validation list.
Validation list objects contain lists of users and passwords that are specifically defined for use with a particular application. You decide how Internet user IDs and passwords are supplied (such as by an application, or by an administrator in response to an e-mail request), as well as how to manage Internet users. Use the HTTP server's browser-based interface to set this up.
For nonsecure networks (the Internet), using Internet users provides better overall protection than using normal iSeries user profiles and passwords. The unique set of user IDs and passwords creates a built-in limitation on what those users can do. The user IDs and passwords are not available for normal sign-on (such as with TELNET or FTP). In addition, you are not exposing normal iSeries user IDs and passwords to sniffing.
 3. Lightweight directory access protocol (LDAP) is a directory service protocol that provides access to a directory over a Transmission Control Protocol (TCP). It lets you store information in that directory service and query it. LDAP is now supported as a choice for user authentication.
Notes:
1. When the browser sends the user ID and the password (whether for an iSeries 400 user profile or an Internet user), they are encoded, not encrypted. The encoding scheme is an industry standard, and thus commonly known among the hacker community. Although the encoding is not easily understood by the casual sniffer, a sophisticated sniffer probably has tools to attempt to decode them.
2. iSeries stores the validation object in a protected system area. You can access it only with defined system interfaces (APIs) and proper authorization.
- You can use Digital Certificate Manager (DCM) to create your own intranet Certificate Authority. Digital Certificate Manager automatically associates a certificate with the owner's iSeries user profile. The certificate has the same authorizations and permissions as the associated profile.
v When the server accepts a request, normal iSeries resource security takes over. The iSeries user profile that requests the resource must have authority to the resource (such as the folder or source physical file that contains the HTML document). By default, jobs run under the QTMHHTTP user profile. You can use a directive to swap to a different iSeries user profile. The system then uses that user profile's authority to access objects. Following are some considerations for this support:
- Swapping user profiles can be particularly useful when your server provides more than one logical Web site. You can associate a different user profile with the directives for each Web site, and thus use normal iSeries resource security to protect the documents for each site.
- You can use the ability to swap user profiles in combination with the validation object. The server uses a unique user ID and password (separate from your normal iSeries user ID and password) to evaluate the initial request. After the server has authenticated the user, the system then swaps to a different iSeries user profile and thus takes advantage of iSeries resource security. The user is, thus, not aware of the true user profile name and cannot attempt to use it in other ways (such as FTP).
v Some HTTP server requests need to run a program on the HTTP server. For example, a program might access data on your system. Before the program can run, the server administrator must map the request URL to a specific user-defined program that conforms to CGI user-interface standards. Following are some considerations for CGI programs:
- You can use the protection directives for CGI programs just as you do for HTML documents. Thus, you can require a user ID and password before running the program.
- By default, CGI programs run under the QTMHHTP1 user profile. You can swap to a different iSeries user profile before running the program. Therefore, you can set up normal iSeries resource security for the resources that your CGI programs access.
- As security administrator, you should perform a security review before authorizing the use of any CGI program on your system. You should know where the program came from and what functions the CGI program performs. You should also monitor the capabilities of the user profiles under which you run CGI programs. You should also perform testing with CGI programs to determine, for example, whether you can gain access to a command line. Treat CGI programs with the same vigilance that you treat programs that adopt authority. In addition, be sure to evaluate what sensitive objects might have inappropriate public authority. A poorly designed CGI program might, in rare cases, allow a knowledgeable, devious user to attempt to roam your system.
- Use a specific user library, such as CGILIB, to hold all your CGI programs. Use object authority to control both who can place new objects in this library and who can run programs in this library. Use the directives to limit the HTTP server to running CGI programs that are in this library.
Note: If your server provides multiple logical Web sites, you might want to set up a separate library for the CGI programs for each site.
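The "explicit authority" model of the directives, and the advice earlier in this section to keep Pass templates specific, can be modelled in a few dozen lines. The following is an added example and not the IBM HTTP Server's own matching code: it resolves a request path against a small directive table the way the section describes (no matching directive means the request is rejected) and canonicalizes the path first, so that percent-encoded or relative segments cannot reach a resource the template did not name. The one real directive is the /webdata/products Pass line quoted earlier; the generic table, the single-trailing-wildcard semantics and the probe URLs are assumptions made for the example.

```python
"""Default-deny URL resolution in the spirit of the HTTP Pass directive.
Added example, not IBM HTTP Server code; tables and URLs are constructed."""
from posixpath import normpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

Directive = Tuple[str, str]   # (request template, server resource)

# The Pass directive quoted earlier in the section: one URL, one member.
SPECIFIC: List[Directive] = [
    ("/webdata/products", "/QSYS.LIB/WEBDATA.LIB/WWWDATA.FILE/PRODUCTS.MBR"),
]
# A generic template (assumed semantics: a single trailing '*' matches the
# rest of the path and is substituted into the target).  Every member of
# the file becomes reachable, which is what the text warns against.
GENERIC: List[Directive] = [
    ("/webdata/*", "/QSYS.LIB/WEBDATA.LIB/WWWDATA.FILE/*"),
]

def canonical(url_path: str) -> str:
    """Decode percent-escapes, drop the query string and collapse '.', '..'
    and repeated slashes, so matching is done against the path the server
    would act on rather than the spelling the client chose."""
    path = unquote(url_path.split("?", 1)[0])
    return "/" + normpath("/" + path).lstrip("/")

def resolve(directives: List[Directive], url_path: str) -> Optional[str]:
    """First matching directive wins; None means no directive names the URL
    and the server rejects the request."""
    path = canonical(url_path)
    for template, target in directives:
        if template.endswith("*"):
            prefix = template[:-1]
            if path.startswith(prefix) and len(path) > len(prefix):
                return target.replace("*", path[len(prefix):], 1)
        elif path == template:
            return target
    return None

def exposed(directives: List[Directive], probes: List[str]) -> List[str]:
    """Which of a list of request paths would be served: a quick way to compare
    a specific template with a generic one before it goes into production."""
    return [p for p in probes if resolve(directives, p) is not None]

if __name__ == "__main__":
    probes = ["/webdata/products", "/webdata/prices", "/webdata/%2e%2e/other"]
    print("specific:", exposed(SPECIFIC, probes))
    print("generic: ", exposed(GENERIC, probes))
```

With the specific table only the named product member is reachable; with the generic table every name under /webdata/ is mapped into the file, which is exactly the browsing exposure the text describes. Canonicalizing before matching is what keeps the relative probe from escaping the prefix in either case.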
Other Security Considerations
Following are additional security considerations:
v HTTP provides read-only access to your iSeries system. HTTP server requests cannot update or delete data on your system directly. However, you might have CGI programs that update data. Additionally, you can enable the Net.Data CGI program to access your iSeries database. The system uses a script (which is similar to an exit program) to evaluate requests to the Net.Data program. Therefore, the system administrator can control what actions the Net.Data program can take. Note: Prior to V4R3, the DB2WWW program provided the function that Net.Data provides.
v The HTTP server provides an access log that you can use to monitor both accesses and attempted accesses through the server.
v The HTTP Server for iSeries Webmaster's Guide provides more information about security considerations.
Security Tips for Using SSL with IBM HTTP Server for iSeries 400
IBM HTTP Server for iSeries can provide secure Web connections to your iSeries. A secure Web site means that transmissions between the client and the server (in both directions) are encrypted. These encrypted transmissions are safe both from the scrutiny of sniffers and from those who attempt either to capture or to alter the transmissions.
Note: Keep in mind that a secure Web site applies strictly to the security of the information that passes between client and server. The intent of this is not to
reduce your server's vulnerability to hackers. However, it certainly limits the information that a would-be hacker can obtain easily through sniffing.
The topics on SSL and Web serving (HTTP) in the Information Center provide complete information for installing, configuring, and managing the encryption process. These topics provide both an overview of the server features and some considerations for using the server.
Internet Connection Server provides http and https support when one of the following licensed programs is installed:
v 5722-NC1
v 5722-NCE
When these options are installed, the product is referred to as the Internet Connection Secure Server.
IBM HTTP Server for iSeries (5722-DG1) provides both http and https support. You must install one of the following cryptographic products to enable SSL:
v 5722-AC2
v 5722-AC3
Security that depends on encryption has several requirements:
v Both the sender and receiver (server and client) must understand the encryption mechanism and be able to perform encryption and decryption. The HTTP server requires an SSL-enabled client. Most popular Web browsers are SSL-enabled. The iSeries encryption licensed programs support several industry-standard encryption methods. When a client attempts to establish a secure session, the server and client negotiate to find the most secure encryption method that both of them support.
v The transmission must not be able to be decrypted by an eavesdropper. Thus, encryption methods require both parties to have an encryption/decryption private key that only they know. If you want to have a secure external Web site, you should use an independent certificate authority (CA) to create and issue digital certificates to users and servers. The certificate authority is known as a trusted party.
Encryption protects the confidentiality of transmitted information. However, for sensitive information, such as financial information, you want integrity and authenticity in addition to confidentiality. In other words, the client (and optionally the server) must trust the party on the other end through an independent reference, and they must be sure that the transmission has not been altered. The digital signature that is provided by a certification authority (CA) provides these assurances of authenticity and integrity. The SSL protocol provides authentication by verifying the digital signature of the server's certificate (and optionally the client's certificate).
Encryption and decryption require processing time and will affect the performance of your transmissions. Therefore, iSeries provides the capability to run both the programs for secure and insecure serving at the same time. You can use the insecure HTTP server to serve documents that do not require security, such as your product catalog. These documents will have a URL that starts with http://. You can use a secure HTTP server for sensitive information such as the form where the customer enters credit card information. The program can serve documents whose URL starts either with http:// or with https://.
Reminder: It is good Internet etiquette to inform your clients when transmissions are secure and not secure, particularly when your Web site only uses a secure server for some documents. Keep in mind that encryption requires both a secure client and a secure server. Secure browsers (HTTP clients) have become fairly common.
Lightweight Directory Access Protocol Security
OS/400 Directory Services provides a Lightweight Directory Access Protocol (LDAP) server on iSeries 400. LDAP runs over Transmission Control Protocol/Internet Protocol (TCP/IP), and is gaining popularity as a directory service for both Internet and non-Internet applications. You perform most setup and administering tasks of the LDAP directory server on iSeries 400 through the graphical user interface (GUI) of iSeries 400 Operations Navigator. To administer Directory Services, you must have Operations Navigator installed on a PC that is connected to your iSeries. You can use Directory Services with LDAP-enabled applications, such as mail applications that look up e-mail addresses from LDAP servers.
Besides the LDAP server, Directory Services also includes:
v An LDAP client. This client includes a set of application program interfaces (APIs) that you can use in OS/400 programs to create your own client applications. For information about these APIs, see the Directory Services page under Programming in the iSeries Information Center.
v A Windows 95 and Windows NT LDAP client. This client includes the IBM SecureWay Directory Management Tool, which provides you with a graphical user interface for managing directory content. The Windows LDAP client also includes a set of application programming interfaces (APIs) that you can use in your own applications. For more information about these APIs, see the pages under Networking in the iSeries Information Center.
The LDAP server that Directory Services provides is an IBM SecureWay Directory product.
LDAP basics
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs over Transmission Control Protocol/Internet Protocol (TCP/IP). LDAP version 2 is formally defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1777, Lightweight Directory Access Protocol. LDAP version 3 is formally defined in IETF RFC 2251, Lightweight Directory Access Protocol (v3). You can view these RFCs on the Internet at the following URL: http://www.ietf.org
The LDAP directory service follows a client/server model. One or more LDAP servers contain the directory data. An LDAP client connects to an LDAP server and makes a request. The server responds with a reply, or with a pointer (a referral) to another LDAP server.
Uses of LDAP: Because LDAP is a directory service, rather than a database, the information in an LDAP directory is usually descriptive, attribute-based information. LDAP users generally read the information in the directory much more often than they change it. Updates are typically simple, all-or-nothing changes. Common uses of LDAP directories include online telephone directories and e-mail directories.
LDAP directory structure: The LDAP directory service model is based on entries (which are also referred to as objects). Each entry consists of one or more attributes, such as a name or address, and a type. The types typically consist of mnemonic strings, such as cn for common name or mail for e-mail address. The example directory in Figure 41 on page 194 shows an entry for Tim Jones that includes mail and telephoneNumber attributes. Some other possible attributes include fax, title, sn (for surname), and jpegPhoto.
Each directory has a schema, which is a set of rules that determine the structure and contents of the directory. You should use the IBM SecureWay Directory Management Tool (DMT) to edit the schema files for your LDAP server. Note: Original copies of the default schema files are located at /QIBM/ProdData/OS400/DirSrv. If you need to replace the files in the UserData directory, you can copy these files to that directory.
Each directory entry has a special attribute called objectClass. This attribute controls which attributes are required and allowed in an entry. In other words, the values of the objectClass attribute determine the schema rules the entry must obey.
Each directory entry also has the following operational attributes, which the LDAP server automatically maintains:
v CreatorsName, which contains the bind DN used when creating the entry
v CreateTimestamp, which contains the time at which the entry was created
v modifiersName, which contains the bind DN used when the entry was last modified (initially this is the same as CreatorsName)
v modifyTimestamp, which contains the time at which the entry was last modified (initially this is the same as CreateTimestamp)
Traditionally, LDAP directory entries are arranged in a hierarchical structure that reflects political, geographic, or organizational boundaries (see Figure 41 on page 194). Entries that represent countries appear at the top of the hierarchy. Entries representing states or national organizations occupy the second level down in the hierarchy. The entries below that can then represent people, organizational units, printers, documents, or other items.
You are not limited to the traditional hierarchy when structuring your directory. The domain component structure, for example, is gaining popularity. With this structure, entries are composed of the parts of TCP/IP domain names. For example, dc=ibm,dc=com may be preferable to o=ibm,c=us.
LDAP refers to entries with Distinguished Names (DNs). Distinguished names consist of the name of the entry itself as well as the names, in order from bottom to top, of the objects above it in the directory. For example, the complete DN for
the entry in the bottom left corner of Figure 41 is cn=Tim Jones, o=IBM, c=US. Each entry has at least one attribute that is used to name the entry. This naming attribute is called the Relative Distinguished Name (RDN) of the entry. The entry above a given RDN is called its parent Distinguished Name. In the example above, cn=Tim Jones names the entry, so it is the RDN. o=IBM, c=US is the parent DN for cn=Tim Jones.
To give an LDAP server the capability to manage part of an LDAP directory, you specify the highest level parent distinguished names in the configuration of the server. These distinguished names are called suffixes. The server can access all objects in the directory that are below the specified suffix in the directory hierarchy. For example, if an LDAP server contained the directory shown in Figure 41, it would need to have the suffix o=ibm, c=us specified in its configuration in order to be able to answer client queries regarding Tim Jones.
Figure 41 A basic LDAP directory structure
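The DN, RDN, parent DN and suffix rules described above, worked through in code. This is an added example; it is not code from the manual or from Directory Services. The suffix list SUFFIXES is constructed to resemble a server configured for the directory in Figure 41, and matching is case-insensitive, which is why the manual's suffix o=ibm, c=us covers the entry cn=Tim Jones, o=IBM, c=US.

```python
"""Distinguished-name helpers for the naming rules described above.

Added example, not code from the manual or from Directory Services. DNs are
written in the comma-separated "type=value" form the text uses, bottom (most
specific) RDN first. Matching is case-insensitive.
"""
from typing import List, Tuple

# Constructed suffix list for a server like the one serving Figure 41.
SUFFIXES = ["o=ibm, c=us", "st=MN, c=US"]


def parse_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, bottom-most first.

    A comma escaped with a backslash (for example cn=Jones\\, Tim) stays inside
    the value; whitespace around each RDN is ignored.
    """
    if not dn.strip():
        return []
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append("\\" + ch)  # keep the escape so the RDN text round-trips
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def _normalize(rdn_text: str) -> Tuple[str, str]:
    """Canonical (type, value) pair for matching: both sides are lower-cased and
    runs of whitespace inside the value are collapsed."""
    if "=" not in rdn_text:
        raise ValueError(f"RDN without '=': {rdn_text!r}")
    attr, value = rdn_text.split("=", 1)
    return attr.strip().lower(), " ".join(value.split()).lower()


def rdn(dn: str) -> str:
    """The Relative Distinguished Name: the entry's own naming component."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The DN of the entry directly above; empty at the top of the tree."""
    return ", ".join(parse_dn(dn)[1:])


def is_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn is the suffix entry itself or lies anywhere below it."""
    dn_parts = [_normalize(p) for p in parse_dn(dn)]
    suffix_parts = [_normalize(p) for p in parse_dn(suffix)]
    if not suffix_parts or len(suffix_parts) > len(dn_parts):
        return False
    # A suffix matches when it equals the tail (the top of the tree) of the DN.
    return dn_parts[-len(suffix_parts):] == suffix_parts


def serving_suffix(dn: str, suffixes: List[str] = SUFFIXES) -> str:
    """Return the configured suffix that lets this server answer a query about dn,
    or "" when no suffix covers it (this server cannot serve that part of the tree)."""
    for suffix in suffixes:
        if is_under_suffix(dn, suffix):
            return suffix
    return ""


if __name__ == "__main__":
    entry = "cn=Tim Jones, o=IBM, c=US"
    print("RDN:      ", rdn(entry))             # cn=Tim Jones
    print("parent DN:", parent_dn(entry))       # o=IBM, c=US
    print("served by:", serving_suffix(entry))  # o=ibm, c=us
    print("served by:", serving_suffix("cn=Tim Jones, dc=ibm, dc=com") or "(no suffix)")
```

The last call shows the failure mode the text implies: a domain-component DN such as cn=Tim Jones, dc=ibm, dc=com is not below any configured suffix, so a server with only o=ibm, c=us configured cannot answer queries about it even though the same person is described.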
A few notes about LDAP and iSeries Directory Services:
v Beginning with V4R5, both the OS/400 LDAP server and the OS/400 LDAP client are based on LDAP Version 3. You can use a V2 client with a V3 server. However, you cannot use a V3 client with a V2 server unless you bind as a V2 client and use only V2 APIs. See "Considerations for using LDAP V2 with LDAP V3" for more details.
v The Windows LDAP client is also based on LDAP Version 3.
v Because LDAP is a standard, all LDAP servers share many basic characteristics. However, due to implementation differences, they are not all completely compatible with each other. The LDAP server provided by Directory Services is closely compatible with other LDAP directory servers in the IBM SecureWay product group. However, it may not be as compatible with other LDAP servers.
v The data for the LDAP server that Directory Services provides resides in an OS/400 database.

More information: For examples of using LDAP directories, see "Example of using Directory Services". To learn about more LDAP concepts, see the Directory Services (LDAP) topic under Networking in the Information Center (see "Prerequisite and related information" on page xii for details).
Example of using Directory Services
You can use Directory Services and its features in a variety of ways. The following fictitious example shows just one possible implementation of LDAP directory servers on iSeries.
Jonathon is the director of the Alumni Association at a small college in Minnesota. In the past, he has maintained a file cabinet full of information on the names and addresses of alumni. He wants to move this information to a computer to make it possible for alumni at remote locations to look up information. He calls Michelle at the college's Information Services department and asks for her help. She tells him that he can set up an LDAP directory on the same iSeries on which he runs the Alumni Association's Web server.

Michelle and Jonathon plan an LDAP directory that will include the country, state, and name of each alumnus. It also will include each alumnus's e-mail address, telephone number, and mailing address. They configure the Directory Services LDAP directory server, specifying suffixes such as st=MN, c=US and c=Canada, as well as similar entries for other states and countries.

Next, Michelle and Jonathon plan the security of their LDAP directory. The information on the server is not confidential or sensitive, so they do not have concerns about hackers intercepting information during transmission. Therefore, they decide that they do not need to use Secure Sockets Layer (SSL) security (see "Using Secure Sockets Layer (SSL) security with the LDAP directory server" in the Directory Services (LDAP) topic under Networking in the Information Center). They do not want to go so far as to have completely open access to all directory data, however. Jonathon contacts each alumnus to see if they are willing to have the information about them publicly available. Most do not care, but a few prefer to keep the information private. For those users, Michelle and Jonathon create access control lists that limit access to their information, so that only Jonathon and other members of the Alumni Association staff can view or change it. For more information on creating and using access control lists, refer to the Directory Services (LDAP) topic under Networking in the Information Center (see "Prerequisite and related information" on page xii for details).

The directory is ready to accept data. Jonathon will be in charge of this. He could use the shell utilities that are included with Directory Services to populate the directory. However, he does not have much experience using command line interfaces, so he prefers to use the graphical IBM SecureWay Directory Management Tool. With this interface, Jonathon can easily add, search, and change directory entries. Over the summer, he uses the Directory Management Tool to add the information for the most recent graduates. Meanwhile, Michelle uses the application program interfaces (APIs) included with the Windows LDAP client to create a custom graphical interface. The Alumni Association's student employees can use this interface without having any knowledge about the structure of the directory. When the student employees return to campus in the fall, they use the custom interface to add the remaining alumni to the directory.
Considerations for using LDAP V2 with LDAP V3
Beginning with V4R5, both the OS/400 LDAP server and the OS/400 LDAP client are based on LDAP Version 3. You cannot use a V3 client with a V2 server. However, you can use the ldap_set_option API to change the version of a V3 client to V2. Then you can successfully send in client requests to a V2 server. You can use a V2 client with a V3 server. Be aware that on a search request, however, the V3 server may send back data in the full range of UTF-8 format, while a V2 client may be only able to handle data in the IA5 character set.

Note: LDAP version 2 is formally defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1777, Lightweight Directory Access Protocol. LDAP version 3 is formally defined in IETF RFC 2251, Lightweight Directory Access Protocol (v3). You can view these RFCs on the Internet at the following URL: http://www.ietf.org
LDAP Security Features
Lightweight Directory Access Protocol (LDAP) security features include Secure Sockets Layer (SSL), Access Control Lists, and CRAM-MD5 password encryption. In V5R1, Kerberos connections and security auditing support have also been added to enhance LDAP security. For more information on these topics, refer to the Directory Services (LDAP) topic under Networking in the Information Center (see "Prerequisite and related information" on page xii for details).
Security Tips for Workstation Gateway Server
The Workstation Gateway Server (WSG) provides a TCP/IP application that transforms iSeries 5250 applications to Hypertext Markup Language (HTML) for dynamic display on Web browsers. When you set up the Workstation Gateway Server, you control whether users see a Sign On display or whether an exit program handles sign-on.

Note: iSeries does not offer a secure version of the Workstation Gateway Server. Therefore, if your program gives control to the WSG server (perhaps for forms fill-in), remember that the WSG transmission is not encrypted.
Tips for Preventing WSG Access
If you do not want anyone to use WSG to access your system, you should prevent the WSG server from running. Do the following:

__ Step 1. To prevent WSG server jobs from starting automatically when you start TCP/IP, type the following:

CHGWSGA AUTOSTART(*NO)

Notes:
a. AUTOSTART(*NO) is the default value.
b. The DSPSGN attribute controls whether the system can display sign-on panels. DSPSGN(*NO) is the default value.
c. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

__ Step 2. To prevent WSG from starting and to prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for HTTP, do the following:
__ Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
__ Step b. Select option 4 (Work with TCP/IP port restrictions).
__ Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
__ Step d. For the lower port range, specify 5061.
__ Step e. For the upper port range, specify *ONLY.

Notes:
1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
2. RFC1700 provides information about common port number assignments.

__ Step f. For the protocol, specify *TCP.
__ Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
Tips for Controlling WSG Access
As security administrator, you need to understand the purposes for the WSG server on your system and the client environments that will use the WSG server. For example, some users of the WSG server might be travelling employees who are using an intranet and accessing your system from inside a firewall. Other users might be anonymous visitors to your Web site who want to request additional information about something they have seen.

Users can access the WSG server in these ways:
v From a direct request by a client browser.
v From an indirect request, when the HTTP server gives control to the WSG server.
v From a specific HTTP connect request. For example, a Web site visitor might select an area of the Web site that says "Send me additional information". The HTTP server can send a request to the WSG server to display a panel that asks for the name and mailing address of the visitor.

Following are security considerations when you allow the WSG server to run on your system:
v To configure the WSG server, you use the Change Workstation Gateway Attributes (CHGWSGA) command. This command requires *IOSYSCFG special authority. One configuration controls all WSG sessions on your system. You can specify the following security-relevant values:
  Inactivity timeout: The WSG server does not use the QINACTITV system value. The WSG server has its own value for determining how long the system will wait before it ends an inactive session. This value is particularly important in an environment where you may have WSG users who have more than minimum authority on your system.
  Display sign on panel: When a WSG request comes from a World Wide Web browser, this value controls whether the system sends your system-defined sign-on display. You can use a WSG logon exit program to bypass the sign-on process and perform user validation. Often, a request to the WSG server performs a specific, limited function, such as presenting a form for completion. The Sign On display is not necessary in this environment. In fact, the Sign On display provides an opportunity for hacking that is not available when your exit program bypasses sign-on and uses a user profile with very limited authority. Instead, bypass the Sign On display and run WSG under a user profile that has limited authority on your system.
  Access logging: You may find it useful to have your system keep a record of the accesses to your WSG server, particularly when you provide a new application.
v Some requests to the WSG server include a user ID and password. You have the same issues here that you have with SLIP connection scripts. Your security is dependent on the practices and capabilities of your communications partners. If the user ID and password are stored in a document on the client, they may be accessible to potential intruders into your system. In addition, when the WSG session is an unsecure Internet session, the user ID and password are subject to sniffing.
v You can use the QLMTSECOFR system value as one method to limit the capability of WSG users. When the QLMTSECOFR value is 1, you can prevent any user with *ALLOBJ special authority from signing on to the WSG virtual workstations unless the user or QSECOFR is explicitly authorized.
v Remember that iSeries does not provide a secure WSG server. Therefore, even if the Internet Connection Secure Server passes a request to the WSG server, the WSG transmission is not secure (encrypted).
Security Tips for Line Printer Daemon
LPD (line printer daemon) provides the capability to distribute printer output to your system. The system does not perform any sign-on processing for LPD.
Tips for Preventing LPD Access
If you do not want anyone to use LPD to access your system, you should prevent the LPD server from running. Do the following:

__ Step 1. To prevent LPD server jobs from starting automatically when you start TCP/IP, type the following:

CHGLPDA AUTOSTART(*NO)

Notes:
a. AUTOSTART(*YES) is the default value.
b. "Controlling Which TCP/IP Servers Start Automatically" on page 158 provides more information about controlling which TCP/IP servers start automatically.

__ Step 2. To prevent someone from associating a user application, such as a socket application, with the port that the system normally uses for LPD, do the following:
__ Step a. Type GO CFGTCP to display the Configure TCP/IP menu.
__ Step b. Select option 4 (Work with TCP/IP port restrictions).
__ Step c. On the Work with TCP/IP Port Restrictions display, specify option 1 (Add).
__ Step d. For the lower port range, specify 515.
__ Step e. For the upper port range, specify *ONLY.

Notes:
1. The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
2. RFC1700 provides information about common port number assignments.

__ Step f. For the protocol, specify *TCP.
__ Step g. For the user profile field, specify a user profile name that is protected on your system. A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users. By restricting the port to a specific user, you automatically exclude all other users.
__ Step h. Repeat steps 2c through 2g for the UDP protocol.
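The port restriction rule that both the WSG procedure (port 5061, TCP) and the LPD procedure above (port 515, TCP and UDP) rely on, modelled in code so the effect of each field on the Work with TCP/IP Port Restrictions display is visible. This is an added example; it is not OS/400 code. The restriction table is constructed from the two procedures, and PORTGUARD is a placeholder for a protected user profile, not a real profile name.

```python
"""Model of the TCP/IP port restriction rule applied in the WSG and LPD steps.

Added example, not OS/400 code. It reproduces the behaviour the manual
describes: a port with no restriction is open to any job, while a restricted
port may be used only by the named user profile, so every other profile is
excluded. PORTGUARD is a placeholder name for a protected user profile.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PortRestriction:
    lower: int
    upper: Optional[int]  # None stands for *ONLY: the range is just the lower port
    protocol: str         # "TCP" or "UDP"
    user_profile: str     # protected profile that may use the port

    def covers(self, port: int, protocol: str) -> bool:
        """Does this restriction apply to the given port and protocol?"""
        upper = self.lower if self.upper is None else self.upper
        return self.protocol.upper() == protocol.upper() and self.lower <= port <= upper


# Constructed from the steps above: WSG on TCP 5061, LPD on TCP and UDP 515.
RESTRICTIONS: List[PortRestriction] = [
    PortRestriction(5061, None, "TCP", "PORTGUARD"),
    PortRestriction(515, None, "TCP", "PORTGUARD"),
    PortRestriction(515, None, "UDP", "PORTGUARD"),
]


def may_bind(user_profile: str, port: int, protocol: str,
             restrictions: Iterable[PortRestriction] = RESTRICTIONS) -> bool:
    """True when user_profile may associate an application with (port, protocol)."""
    applicable = [r for r in restrictions if r.covers(port, protocol)]
    if not applicable:
        return True  # unrestricted port: any profile may use it
    return any(r.user_profile.upper() == user_profile.upper() for r in applicable)


def unrestricted_ports(watch_list: Iterable[Tuple[int, str]],
                       restrictions: Iterable[PortRestriction] = RESTRICTIONS
                       ) -> List[Tuple[int, str]]:
    """Audit helper: entries of a watch list that no restriction covers."""
    rules = list(restrictions)
    return [(port, proto) for port, proto in watch_list
            if not any(r.covers(port, proto) for r in rules)]


if __name__ == "__main__":
    print(may_bind("PORTGUARD", 5061, "TCP"))  # True: the protected profile
    print(may_bind("WEBUSER", 5061, "TCP"))    # False: every other profile is excluded
    print(may_bind("WEBUSER", 8080, "TCP"))    # True: no restriction on that port
    # Constructed watch list; only the last pair has no restriction.
    print(unrestricted_ports([(5061, "TCP"), (515, "UDP"), (161, "UDP")]))
```

The audit helper is the check worth keeping: after the procedure, run the list of ports you intended to lock down through it and confirm nothing comes back, remembering that the restriction table only takes effect the next time TCP/IP is started.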
Tips for Controlling LPD Access
If you want to allow LPD clients to access your system, be aware of the following security issues:
v To prevent a user from swamping your system with unwanted objects, be sure that you have set adequate threshold limits for your auxiliary storage pools (ASPs). You can display and set the thresholds for ASPs by using either system service tools (SST) or dedicated service tools (DST). The Backup and Recovery book provides more information about ASP thresholds.
v You can use the authority to output queues to restrict who can send spooled files to your system. LPD users without an iSeries user ID use the QTMPLPD user profile. You can give this user profile access to only a few output queues.
Security Tips for Simple Network Management Protocol
iSeries 400 can act as a simple network management protocol (SNMP) agent in a network. SNMP provides a means for managing the gateways, routers, and hosts in a network environment. An SNMP agent gathers information about the system and performs functions that remote SNMP network managers request.
Tips for Preventing SNMP Access
If you do not want anyone to use SNMP to access your system, you should prevent the SNMP server from running. Do the following:

__ Step 1. To prevent SNMP server jobs from starting automatically when you start TCP/IP, type the