SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - February 26, 2014 - Do you Ever Really Log-Off?

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i February 26, 2014 - Vol 4, Issue 3

	Feature Article Do you Ever Really Log-Off? By Dan Riehl - SecureMyi.com Most of us run IBM i Access for Windows. That's the newest name for what we used to call PC Support, Client Access and iSeries Access. You probably use the Personal Communications PC5250 emulation software to provide your workstation sessions. You may also use the IBM i Navigator (Operations Navigator, iSeries Navigator) portion of IBM i Access for Windows. There are several IBM supplied applications that are installed on your PC when you install IBM i Access for Windows. Included in these additional applications are the Remote Command facility, the ODBC Driver and various File Transfer programs and Service utilities. One critical piece of software that is installed is the command interface to Set or Flush the Signon Server cached User IDs and Passwords, which is the topic of our discussion here. When you run IBM i Access functions on your PC that require communications with the host, you must first authenticate to the host. To accomplish this authentication, IBM provides the Signon Server GUI window where you provide your credentials(i.e. UserID and Password) as shown here. Once you have successfully authenticated, your PC provides an open session to access the IBM i Without any further authentication! You can potentially transfer files, run remote commands, examine spooled files in IBM i Navigator, View and Change Database Records in Navigator, and more, without providing your logon credentials again. I know this is scary stuff, but with IBM i Access for Windows, it's the nature of the "Ease of Use" in having cached credentials. So, Do you Really Log-Off when you leave your desk to go to lunch or to go home for the day? Or, as most, do you only Log-Off of your Telnet Workstation session, and simply leave the fully authenticated connection open for file transfer, remote command, etc. This can allow for unsanctioned access to the IBM i for anyone that happens to 'Drive-by' your unattended PC? Since you will only get prompted to Log On to the Signon server after a PC Shutdown, IBM i Access for Windows serves as a continuously opened, and fully authenticated connection to your host system. So, how can you remediate these exposures and deal with these potentially damaging vulnerabilities? *Read More..*
In This Issue Featured Article - Do you Really Log-Off? Security Shorts - QPWDRQDDIF with QPWDCHGBLK Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i OSF - DataLoss DB PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification

Live Security Related Webcasts and Training for IBM i February Events Reduce the Cost and Effort of IBM i Auditing Live Webcast - Presented by Powertech - For UK Audience Thursday, February 27 1400 UK London More Information and Register to Attend March Events Coffee with Carol: I want my Privacy! with Carol Woodbury Live Webcast - Presented by Skyview Partners Wednesday, March 5 10:00am CDT More Information and Register to Attend Enforcing the Integrity of Your IBM i Data And Server Live Webcast - Presented by Powertech Thursday, March 6 1:00pm CT More Information and Register to Attend Live Hands-On - IBM i Concepts and Control Language Programming with Dan Riehl Training Workshop - March 3-7 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend April Events Coffee with Carol: Cloud Security Review with Carol Woodbury Live Webcast - Presented by Skyview Partners Wednesday, April 2 10:00am CDT More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Training Workshop - April 8-11 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend May Events May 4-7 - COMMON - A User Group 2014 Annual Conference and Exposition - Orlando, FL More Information and Register to Attend
Security Shorts - Using QPWDRQDDIF with QPWDCHGBLK to Enforce Stronger Password Protections By Dan Riehl The System Value QPWDRQDDIF has been available for many years as a means of forcing users to choose new or previously 'unused' passwords when changing their password. The number you specify for the System Value determines 'How many previous passwords are checked' to ensure that the new password has not been used, or not been used recently. The number specified in the System Value corresponds to the number of previous passwords that are checked. Value Specified Number of previous passwords checked 0 0 � No Previous passwords are checked, Can be the same 1 32 2 24 3 18 4 12 5 10 6 8 7 6 8 4 I always wonder at "technology" like that exhibited in this System Value. Why not just allow me to specify the number of previous passwords to check, instead of a number that corresponds to a number of previous passwords to check? If I want to check the previous 6 passwords, I specify the number 7 for the System Value QPWDRQDDIF. Who thought this up? What if I want to check for the previous 5 passwords? It can't be done. hmmm. In IBM i 6.1, IBM provided an additional system value that allows you to more strictly enforce the 'password difference' rule. The new system value is QPWDCHGBLK(Block Password Changes), which allows you to specify a number of hours in which a newly changed password cannot be changed again. A password change is temporarily blocked. The shipped value is NONE, which means that a newly changed password can be changed again immediately. That is also the behavior we have prior to 6.1. And that is where our users have taken advantage of the lack of a password change blocking mechanism. Prior to 6.1, users can repeatedly change their password until they have exhausted your Password Difference System Value. Their goal, and the ultimate result is that they have been able to reset their password back to the same password that they have used for years. It's so much easier to remember, Ya Know? The QPWDCHGBLK* System Value allows you to enforce a timer which says 'You cannot change your password again for n number of hours'; where n is a number from 1 to 99. So, once a user has successfully changed their password, they are prohibited from changing their password again for the number of hours that you specify in the System Value. For added security, a security administrator can always change a user's password using the CHGUSRPRF(Change User Profile) command. On another note; the password change block is not in effect when the user's password has been 'Set to Expired' using CHGUSRPRF. The Password Change Block System Value can be overridden at the User Profile level using the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands as shown here: *CRT/CHGUSRPRF USRPRF(MYUSER) PWDCHGBLK(SYSVAL, or a number 1-99)**		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Intro RPG IV Programming Intro RPG/400 Programming IBM i COBOL Programming Interactive Programming Workshops Introduction to System Operations Expanded System Operations Workshop System Administration and Control Expanded Security Workshop Control Language Programming IBM i Concepts and Facilities Concepts & Control Language Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017