SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - January 8, 2013 - Checkup on your User Profiles for 2014 and Beyond

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i January 8, 2014 - Vol 4, Issue 1

	Feature Article Checkup on your User Profiles for 2014 and Beyond By Dan Riehl - SecureMyi.com IBM i provides some great administration tools to help you manage the user profiles on your system. While there are scads of commands that can be used in user profile management, I have selected I few of my favorites that you may want to add to your security management 'bag of tricks'. Finding User Profiles with Matching Passwords The CL command ANZDFTPWD(Analyze default passwords) is a tool that allows you to easily generate a list of users who have passwords that exactly match the UserID name. These matching Passwords are called 'Default Passwords'. In addition, the command optionally allows you specify an action to be taken against those offending profiles. You can specify that the profiles are to be disabled(i.e. the user cannot sign on), or that you want to set the password to an expired state(i.e. the user must assign a new password next time they sign on.) Here is the report generated by the ANZDFTPWD command. User profiles with default passwords Page 1 5770SS1 V7R1M0 100423 OPENSYS 01/03/14 09:51:19 Action taken against profiles . . . . . . : NONE User Profile STATUS PWDEXP Text SDCXCADA ENABLED NO Willy Singer SDCXCCAA DISABLED NO Garret Butcher SDCXCCAF ENABLED NO Charly Boller SDCXCCMG DISABLED NO Fark S. Barr SDCYCCTH ENABLED NO Mike K. Adams SSDCYCDR DISABLED NO N. K. Griffen QSYSOPR ENABLED NO System Operator When you run this command on your system, you may see similar results to this. Several user profiles have matching passwords, and many are enabled. One really nasty entry in the list is the one for QSYSOPR. The QSYSOPR profile has a matching password, and is enabled. Anyone trying to break into your system would most likely try to log-in with the default IBM supplied profiles like QSECOFR, QSYSOPR, etc. I cannot stress the importance of making sure that no entries ever appear on this list. User profiles should never have matching passwords. If they do, your system security can easily be compromised. Checking up on SST/DST UserID and Passwords Prior to IBM i 6.1, if you wanted to check for Default Passwords for Service Tools UserIDs, and general Service Tools User Settings, you had to Start System Service Tools(STRSST), and provide a valid service tools UserID and Password. As of IBM i 6.1, IBM has provided the Control Language command Display System Service Tools Users(DSPSSTUSR), which allows you to view the settings of your Service Tools Users. Read More about some Favorite Tools*
In This Issue Featured Article - Checkup on User Profiles Featured Video - New Security Features Security Shorts - Update on QINACTITV Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor Skyview Partners, Inc Gold Sponsor Cilasoft Security Solutions The 400 School, Inc	IBM i Security Resources John Earl Memorial Tribute IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i OSF - DataLoss DB PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification

Industry News Kisco Releases New Self Service Password Reset Product Kisco Information Systems has announced a new software product for the IBM i platform called iResetMe. It is an end-user password reset utility that addresses the issue of re-activating disabled and expired profiles from a secure browser session hosted directly on the IBM i. More Information Live Security Related Webcasts and Training for IBM i January Events Reduce the Cost and Effort of IBM i Auditing Live Webcast - Presented by Powertech Wednesday, January 15 1:00pm CST More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Training Workshop - January 21-24 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend February Events Live Hands-On - IBM i Security and Vulnerability Assessment Workshop with Dan Riehl Training Workshop - February 10-13 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i with Dan Riehl Training Workshop - February 19-20 Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Training Workshop - February 24-28 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend May Events May 4-7 - COMMON - A User Group 2014 Annual Conference and Exposition - Orlando, FL More Information and Register to Attend
IBM i Security Featured Video "Top 10 New Features of IBM i Security" By Carol Woodbury Video Sponsored by Skyview Partners, Inc

Security Shorts - Update on the QINACTITV System Value IBM i 7.1 PTFs make Big Changes By Dan Riehl In the December 11 issue of the SecureMyi Security Newsletter I discussed the topic of the System Value QINACTITV, the system's Workstation Inactivity Timer. This system value can be used to cause inactive interactive jobs to end or be disconnected. The action taken against an inactive interactive job is based upon the system value QINACTMSGQ. By way of a few PTFs for IBM i 7.1, IBM has updated the functioning of the inactivity timer to make it smarter and more precise. If you are running on IBM i 6.1 or earlier, or have not installed the below listed PTFs for IBM i 7.1, the December 11 article applies to your system. To Read about the PTFs and the updated functioning of the inactivity timer for IBM i 7.1, refer to Dawn May's IBM i Technical iCan Blog entries listed here. iCan Blog Entry for IBM i 7.1 PTF SI46398 IBM Improves the handling of the Inactivity Timeout iCan Blog Entry for IBM I 7.1 PTF SI50502 More Changes for the handling of QINACTITV Thank you very much to Dawn May for providing this updated information for the PTFs for IBM i 7.1		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Intro RPG IV Programming Intro RPG/400 Programming IBM i COBOL Programming Interactive Programming Workshops Introduction to System Operations Expanded System Operations Workshop System Administration and Control Expanded Security Workshop Control Language Programming IBM i Concepts and Facilities Concepts & Control Language Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017