SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - January 18, 2012 - Protecting IBM i Security System Values - IBM i 6.1 Password Difference

Tweet
January 18, 2012 - Vol 2, Issue 2

	Feature Article Protecting Your Security System Values from Modification By Dan Riehl The numerous System Values on the IBM i are the main controlling system settings that determine how your system operates. For example, the System Value QCRTAUT determines what the PUBLIC authority will be for newly created objects. The System Value QALWOBJRST* determines if there are any restrictions on the objects that can be restored onto the system. The System Values QTIME and QDATE store the current system time and date respectively. When you aren't the only one at your company who has security officer privileges or high levels of authority, one of these other powerful users can change the settings stored in these System Values. In one particular case, an unwise change to the QCRTAUT System Value caused the system to assign the incorrect authority settings to newly created objects, leaving them open to abuse. In order to protect these high-impact, Security-related System Values, IBM has provided a Lock/Unlock mechanism that's available only through System Service Tools (STRSST). In order to access the Lock/Unlock setting, a user must have access to a Service Tools User ID and Password. These Service Tools User IDs and Passwords aren't the same as the operating system User IDs and Passwords. These are special Service Tools User IDs, like 11111111, 22222222 and, yes, QSECOFR. But the Service Tools user QSECOFR is a different user than the operating system's QSECOFR user profile, typically with a different password. To access the System Values Lock/Unlock function, enter the command Start System Service Tools (STRSST) and, when prompted, enter QSECOFR as the User ID and supply the QSECOFR SST Password. You are then presented with the System Service Tools menu. This article further explains the Pros and Cons of Setting the Security System Value Lock in SST. Set it and forget it? Read More.
In This Issue Featured Article - Protecting System Values Featured Video - Vulnerable User Profiles Security Shorts - IBM i 6.1 Password Differences Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home and Archives Please Visit Our Sponsors Platinum Sponsor Cilasoft Security Solutions Gold Sponsor Software Engineering of America, Inc Sponsor Skyview Partners, Inc The 400 School, Inc	IBM i Security and Audit Resources Free Security Videos from Securemyi.com IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security Calendar of Events Live Security Webcasts for IBM i Using Policy Minder for IBM i for PCI Compliance Presented by Carol Woodbury - Sponsored by Skyview Partners Wednesday January 26 10:00 a.m. PST More Information and Register to Attend Integrating IBM i Security with Enterprise SIEM and Monitoring Solutions Expert Webinar Series - Sponsored by Software Engineering of America, Inc Thursday February 2 1:00 p.m. EST More Information and Register to Attend Best Practices for Security and Compliance with IBM i Featuring Jeff Uehling of IBM and Carol Woodbury of SkyView Partners Sponsored by IBM Thursday February 9 2:00 p.m EST More Information and Register to Attend More Relevant Events March 21-22 - 27th Annual Spring Technical Conference Wisconsin Midrange Computer Professional Association The conference will be held at Grand Geneva in Lake Geneva, WI. More Information and Register to Attend May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA
Featured YouTube Educational Video IBM i Security How to Identify and Fix Your Vulnerable User Profiles
Security Shorts - Stronger Enforcement of Password Differences in IBM i 6.1 By Dan Riehl The System Value QPWDRQDDIF has been available for many years as a means of forcing users to choose new or previously 'unused' passwords when changing their password. The number you specify for the System Value determines 'How many previous passwords are checked' to ensure that the new password has not been used, or not been used recently. The number specified in the System Value corresponds to the number of previous passwords that are checked. Value Specified Number of previous passwords checked 0 0 � No Previous passwords are checked, Can be the same 1 32 2 24 3 18 4 12 5 10 6 8 7 6 8 4 I always wonder at "technology" like that exhibited in this System Value. Why not just allow me to specify the number of previous passwords to check, instead of a number that corresponds to a number of previous passwords to check? If I want to check the previous 6 passwords, I specify the number 7 for the System Value. DOH! Who thinks this stuff up? What if I want to check for the previous 5 passwords? It can't be done. It reminds me of my first assembler programming class, in which I had severe brain freeze trying to comprehend how to resolve "The Address of the Address of TIME.". In the 6.1 release of the IBM i operating system, IBM provided an additional system value that allows you to more strictly enforce the 'password difference' rule. The new system value is QPWDCHGBLK(Block Password Changes), which allows you to specify a number of hours in which a newly changed password cannot be changed again. A password change is temporarily blocked. The shipped value is NONE, which means that a newly changed password can be changed again immediately. That is also the behavior we have prior to 6.1. And that is where our users have taken advantage of the lack of a password change blocking mechanism. Prior to 6.1, users can repeatedly change their password until they have exhausted your Password Difference System Value. Their goal, and the ultimate result is that they have been able to reset their password back to the same password that they have used for years. It's so much easier to remember, Ya Know? The QPWDCHGBLK* System Value allows you to enforce a timer which says 'You cannot change your password again for n number of hours'; where n is a number from 1 to 99. So, once a user has successfully changed their password, they are prohibited from changing their password again for the number of hours that you specify in the System Value. For added security, a security administrator can always change a user's password using the CHGUSRPRF(Change User Profile) command. On another note; the password change block is not in effect when the user's password has been 'Set to Expired'. The Password Change Block System Value can be overridden at the User Profile level using the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands as shown here: *CRT/CHGUSRPRF USRPRF(MYUSER) PWDCHGBLK(SYSVAL, or a number 1-99)**		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards IBM i Security Workshop - Jan 17-20 Interactive COBOL Programming - Jan 23-27 System Operations Workshop-Feb 27-Mar 2 System Administration & Control - Mar 12-16 Interactive RPG IV Programming - Mar 26-30 Control Language Programming - April 9-13 Intro to RPG IV Programming - April 23-27

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017