SecureMyi.com Security and Systems Management Newsletter for the IBM i             July 9, 2014 - Vol 4, Issue 11
Security Training from SecureMyi.com

Security software from Powertech


Skyview Partners


Security Training from The 400 School

Feature Article

I Know Your Password! The Default is at Fault

By Dan Riehl - SecureMyi.com

When you create a new user profile, the historical tendency is to use the IBM supplied default value for the User's new password. The password value is shown on the command prompt as *USRPRF. We know that when this value is used, the user's password will be set to the same characters that make up the name of their User Profile. So, if the User Profile name is JSMITH, the password will also be set to JSMITH.

Well, if IBM set the default to *USRPRF, they must know what they are doing, right? Well, IBM also use to ship the AS/400 and iSeries from the factory at QSECURITY Level 10, which in effect says "No Security". While IBM has now changed to shipping new IBM i systems at QSECURITY Level 40, they have not, as yet, changed the password default for newly created user profiles. In my opinion, there should not be a default value for the User's Password, it should always be a required entry. (i.e. You must specify a value).

A snippet of the the command prompt for the CRTUSRPRF(Create User Profile) command is shown below, with the IBM supplied Password Default Value of *USRPRF. This tells the system to assign the password to be identical to the name of the User Profile being created. This is referred to as a Default Password.




Each year PowerTech publishes their "State of IBM i Security Study". The 2014 PowerTech Study evaluated 233 servers/partitions. You can download your copy of the 2014 Study here. It is a great resource for security administrators.

Here is a quote from the just released 2014 study, courtesy of PowerTech.

"In one interesting statistic in the study, nearly 5 percent of enabled user profiles have default passwords. More than half (53 percent) of the systems in the study have more than 30 user profilesó15 percent have more than 100 user profilesówith default passwords."

The problem of Default Passwords that PowerTech points out in their study is a problem I have also seen in my own security assessments of both large and small organizations. In many instances, it is the company security policy that allows these default passwords to be used. I suggest that the policy that allows for default passwords needs to be revised, so that default passwords are never allowed.

To evaluate your own IBM i system to see what, and how many, User Profiles have Default Passwords, you use the command ANZDFTPWD(Analyze Default Passwords). A printed list of offending profiles will be generated. You may be VERY surprised to see what User Profiles show up in the printed report. These are Users that have a password that exactly matches their UserID.

Why is this a Big Deal?

Let's consider for a moment the pitfalls of using the IBM supplied Password default *USRPRF, thus making the user password the same as the user profile name.

If I know your user profile naming convention(e.g. First Character of the First Name followed by the Last Name), I know everyone's UserID by simply viewing the company employee directory. And I know that, in many cases, a high percentage of these users will have a default password. I just keep trying each userID, one at a time, until I find one with a default password. I'm in!

Let's consider a typical business scenario.

Read More . .

In This Issue


Featured Article - I Know your Password

Security Shorts - Activating User Profiles

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter

Follow SecureMyi on YouTube


Software from Cilasoft


Security software from Powertech
Security news and Events


Live Security Related Webcasts and Training for IBM i

July Events

Security Alerts: IBM i
Live Webcast - Presented by CCSS
Thursday, July 10 9:00am CDT
More Information and Register to Attend

IBM i Audit Capabilities
With Jeff Uehling

Live Webcast - Presented by PowerTech
Thursday, July 10 10:00am CDT
More Information and Register to Attend

Coffee with Carol Woodbury:   Book a Meeting with your DR Plan
           with guest presenter Richard Dolewski

Live Webcast - Presented by Skyview Partners
Wednesday, July 23 10:00am CDT
More Information and Register to Attend

5 Ways to Secure your IBM i Today from Cyber Attacks
Live Webcast - Presented by PowerTech
Tuesday, July 29 2:00pm BST (British Summer Time)
More Information and Register to Attend


August Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - Aug 18-22 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend


September Events

Live Hands-On - Expanded Security Workshop for IBM i, iSeries AS/400
with Dan Riehl

Training Workshop - Sep 8-11 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - Sep 25-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend


Skyview Partners


Security Training from The 400 School


Security Training from The 400 School

Security Shorts - Activating User Profiles Only When Needed

By Dan Riehl - SecureMyi.com

To enable a user profile, and disable it at a particular time on specific days, you can use the command CHGACTSCDE(Change Profile Activation Schedule Entry).

For example, to enable the user profile BOB from 11:00am, and disable it at 5:00pm, on Wednesday, you could use the following command.

CHGACTSCDE USRPRF(BOB) ENBTIME('11:00') DSBTIME('17:00') DAYS(*WED)

However, if you do not remove this activation schedule entry, the profile will be enabled each Wednesday at the specified time. So, you will manually need to remove the entry after each usage.

To remove a user profile from the activation schedule, run the command

CHGACTSCDE USRPRF(BOB) ENBTIME(*NONE) DSBTIME(*NONE) DAYS(*WED)

You should note, that even though you disable a user profile, any job using that profile currently active or on a job queue will not be effected. (i.e. It will not kill jobs, even though you disable the profile.) This is always the case of disabling User Profiles. They will not be able to start a new Log-on session, but running sessions are not affected.

The Activation Schedule is actually implemented in the basic Job Scheduler, accessed using the command WRKJOBSCDE(Work with Job Schedule Entries). You can manage the enable and disable processes from WRKJOBSCDE. You can also hold and release the jobs also using HLDJOBSCDE and RLSJOBSCDE commands. The Job Names for the Activation Schedule are named QSECACT1.

The GO SECTOOLS Menu also has an interface to the commands used for the user disable and enable processes. So, you can just GO SECTOOLS and set up the processes from there.

IBM i 7.1 Update - You can now use the CRTUSRPRF or CHGUSRPRF command to set an expiration date on a User Profile. When that date is reached, the Profile will be set to disabled. Here is an example in which the user BOB will be disabled on December 31, 2014.

CRTUSRPRF USRPRF(BOB) USREXPDATE('12/31/2014')

While IBM i 7.1 incorporates the Expiration date in a User Profile display, this feature has long been available through the CHGEXPSCDE(Change Expiration Schedule Entry) command. GO SECTOOLS Option 8. On the CHGEXPSCDE command, you can specify that the user profile will be Disabled, or Deleted on the date specified. The new 7.1 support in the user profile attribute, only allows for disabling the user on the specified date.

Here is an example of setting the User Profile to be Deleted on December 31, 2014, and all owned objects transferred to MYOWNER.

CHGEXPSCDE   USRPRF(BOB) EXPDATE('12/31/2014') ACTION(*DELETE)   +
                          OWNOBJOPT(*CHGOWN MYOWNER)

The Jobs that expire User Profiles are also set in the basic Job Scheduler WRKJOBSCDE. The job name for the Expiration Schedule jobs are named QSECEXP1.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming




Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Training from The 400 School
Security Services from SecureMyi.com

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017