SecureMyi.com Security and Systems Management Newsletter for the IBM i             April 9, 2014 - Vol 4, Issue 6

Feature Article

The Reality of User Limited Capabilities LMTCPB(*YES)

By Dan Riehl - SecureMyi.com

In speaking to many security analysts over the years, it has become obvious that there is a BIG disconnect over what the "Limited Capabilities" attribute of the user profile actually does. In this article, I hope to dispel these potentially dangerous misconceptions.

In this issue of the SecureMyi Security Newsletter, the Featured YouTube Video presents a video discussion of this important topic.

What IS Limited Capabilities?

System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities.

Allowing users to access a command line can be very dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your Customer file. A user who has command line access can run any CL command that he or she is authorized to run at the command line interface.

IBM allows you to control a user's ability to run CL commands at a command line by specifying the LMTCPB (Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF (Create User Profile) command as shown here:

CRTUSRPRF... LMTCPB(*YES)

The common misconception regarding users with limited capabilities (i.e., LMTCPB(*YES)) is that these users cannot run any ad-hoc CL command, such as

WRKSPLF   or   DLTF CUSTOMER

But, in reality, a user with limited capabilities CAN run CL commands using several methods which will be discussed in this article.

Did you know that IBM ships certain CL commands with a special command attribute that specifies that Limited Capability users are allowed to run the command at a shell command line?

These commands include:

  • Sign Off (SIGNOFF)
  • Send Message (SNDMSG)
  • Display Messages (DSPMSG)
  • Display Job (DSPJOB)
  • Display Job Log (DSPJOBLOG)
  • Work with Messages (WRKMSG)
  • Work with Environment Variables (WRKENVVAR)
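
One way to see every command on your own system that carries this attribute, as an added example that is not from the original article. The attribute is the command's ALWLMTUSR (Allow limited users) setting; the query assumes an IBM i release that ships the QSYS2.COMMAND_INFO SQL service with an ALLOW_LIMITED_USER column, which is later than the releases current when this newsletter was written.

```sql
-- Added example (assumes the QSYS2.COMMAND_INFO service is available).
-- Lists every command that a LMTCPB(*YES) user may enter at a command line
-- and separates the IBM-shipped commands named in the article from
-- everything else, so that locally created or changed commands stand out.
SELECT command_library,
       command_name,
       text_description,
       CASE
         WHEN command_library = 'QSYS'
          AND command_name IN ('SIGNOFF', 'SNDMSG', 'DSPMSG', 'DSPJOB',
                               'DSPJOBLOG', 'WRKMSG', 'WRKENVVAR')
           THEN 'NAMED IN ARTICLE'
         WHEN command_library = 'QSYS'
           THEN 'OTHER QSYS COMMAND'
         ELSE 'NON-QSYS COMMAND - REVIEW'
       END AS review_status
  FROM qsys2.command_info
 WHERE allow_limited_user = 'YES'
 ORDER BY review_status, command_library, command_name;
```

On a release without this service, DSPCMD shows the same "Allow limited user" value one command at a time.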

Featured YouTube Educational Video

IBM i Security

Misconceptions on User Limited Capabilities LMTCPB(*YES)


Security news and Events


Live Security Related Webcasts and Training for IBM i

April Events

The Hacker's View of Cyber Security
With Mel Beckman and Robin Tatam

Live Webcast - Presented by iProDeveloper
Sponsored by Powertech
Tuesday, April 29 1:00pm CDT

April 29 - May 1 - InfoSecurity EUROPE 2014
Earl's Court, LONDON
Free to Attendees - 325 Exhibitors
Look for Cilasoft which is exhibiting at this event

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL

Coffee with Carol: with Carol Woodbury
Security Considerations for Application Development including PCI Requirements

Live Webcast - Presented by Skyview Partners
Wednesday, May 14 10:00am CDT

June Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT

Security Shorts - Group Profiles - Who's Who?

By Dan Riehl

A User Profile can be a member of a Primary Group Profile, and also a member in up to 15 Supplemental Groups. Since a member of a Group inherits all authorities and special authorities from their Group(s), it's very important to know who is in what Groups.

When you need a list of all the users who belong to a particular group profile, it's easy to get. Just use the DSPUSRPRF (Display User Profile) command as follows:

DSPUSRPRF USRPRF(GroupProfileName) TYPE(*GRPMBR)

For GroupProfileName, substitute the name of the group profile for which you want to list the group members.

If you want a full system listing of the members of all group profiles, you can use the DSPAUTUSR (Display Authorized Users) command as follows:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

For a nice GUI look into your users and groups, IBM i Navigator for Windows (aka Operations Navigator) provides the nicest presentation.
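
The same membership listing can be combined with what each member inherits, shown here as an added example that is not from the original article. It assumes a release that provides the QSYS2.GROUP_PROFILE_ENTRIES and QSYS2.USER_INFO SQL services, and that it is run under a profile authorized to the user profiles being reported; otherwise rows may be missing.

```sql
-- Added example (assumes QSYS2.GROUP_PROFILE_ENTRIES and QSYS2.USER_INFO exist).
-- One row per user per group, primary and supplemental alike, showing the
-- special authorities the member inherits from the group next to the
-- member's own LMTCPB setting and special authorities.
SELECT gpe.group_profile_name                        AS group_profile,
       COALESCE(grp.special_authorities, '*NONE')    AS group_special_aut,
       gpe.user_profile_name                         AS member,
       CASE
         WHEN usr.group_profile_name = gpe.group_profile_name
           THEN 'PRIMARY'
         ELSE 'SUPPLEMENTAL'
       END                                           AS membership,
       usr.status                                    AS member_status,
       usr.limit_capabilities                        AS lmtcpb,
       COALESCE(usr.special_authorities, '*NONE')    AS member_special_aut,
       -- Flag limited-capability users whose group carries special authority.
       CASE
         WHEN usr.limit_capabilities = '*YES'
          AND COALESCE(grp.special_authorities, '*NONE') <> '*NONE'
           THEN 'LMTCPB(*YES) MEMBER INHERITS SPECIAL AUTHORITY'
         ELSE ''
       END                                           AS note
  FROM qsys2.group_profile_entries gpe
  JOIN qsys2.user_info usr
    ON usr.authorization_name = gpe.user_profile_name
  JOIN qsys2.user_info grp
    ON grp.authorization_name = gpe.group_profile_name
 ORDER BY group_profile, membership, member;
```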


Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017