November 22, 2011 - SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - Customize the IBM Create User Profile Function with Exit Program - CRTUSRPRF CRTPRFEXIT and Encryption

Tweet
November 22, 2011 - Vol 1, Issue 4

	Feature Article Customizing the IBM 'Create User Profile' Process by Adding Your Own Logic By Dan Riehl When creating User Profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for windows interface, you have the option to include your own customized processing after the profile is created. IBM has established and documented an "exit point" for the Create User Profile operation. An exit point is a place in the process in which you can include your own custom logic (i.e. an exit program) to perform additional tasks—in this case, when a user profile is created. Here are some examples of some useful functions that can be performed in the Create User Profile exit program: Change the owner of the newly created user profile to QSECOFR Add the user to the System Distribution Directory (WRKDIRE, ADDDIRE)) Send the information about the new user profile to another system Set the new password and password expiration interval to a mandated initial value and set the status and other profile attributes. (You can set any user profile attribute in the exit program.) Create a current library and home directory for the new user Add the user to your own Business Application Menu system Over the years I have advocated that all user profiles that we create should be owned by QSECOFR and that no user should have private authorities to other users' profiles. The October 25th issue of the SecureMyi Security Newsletter presented a YouTube Video that explains the vulnerabilities when your user profiles are not secured correctly and not owned in accordance to best security practices for IBM i. Presented here is a simple program that can be used as an exit program that will enforce the policy that all newly created user profiles will be owned by QSECOFR. You can add your own logic and rules as needed to support your policy. Read More.
In This Issue Featured Article - Customize CRTUSRPRF Featured Video - Using Authorization Lists Security Shorts - Watch out for CHGPRF! Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home and Archives Please Visit Our Sponsors Platinum Sponsor Townsend Security Gold Sponsors Vault 400 Skyview Partners, Inc. The 400 School, Inc.	IBM i Security and Audit Resources Free Security Videos from Securemyi.com IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Arpeggio Software Arpeggio Introduces IBM i Security Monitoring Solutions Arpeggio Software, a provider of security software solutions for the IBM i announces the release of SIFT-IT Free Edition. The SIFT-IT family of software enables companies to monitor the IBM i for important events and take action in real time. The 400 School, Inc. and SecureMyi.com Live Online Security Workshop from The 400 School and SecureMyi.com Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class. IBM i Security Calendar of Events Live Security Webcasts for IBM i Maintaining PCI 2.0 Compliance—Infrastructure required for PCI continuity with Mel Beckman - Sponsored by Enforcive Thursday, December 1, 2011 12:00 p.m. ET / 9:00 a.m. PT More Information and Register to Attend Automating IBM i Security Administration Tasks including Compliance with Carol Woodbury - Sponsored by Skyview Partners Wednesday December 7, 2011 11:00 a.m. ET / 8:00 a.m. PT More Information and Register to Attend More Security Events Jan 17-20 - The 400 School - Live Online Security Workshop May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA
Featured YouTube Educational Video IBM i Security - Common Misconceptions - Using Authorization Lists Cannot Access YouTube from your office? Download the video in wmv format.

Security Shorts - Watch out for CHGPRF! Did you know that your end users and IT staff members can change their own user profile? Just like users can run the CHGPWD(Change Password) command to change their own password, they can run the CHGPRF(Change Profile) command to change their own user profile. Almost all user profile attributes can be changed using this command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc. The CHGPRF command ships from IBM as PUBLIC use, so it is available for general use. As you might suspect, the user must have at least USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kind of changes. Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile. You may be thinking that this is not really such a big deal since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But, any user that has IBM i Access(Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command: RMTCMD CHGPRF INLMNU(MAIN) JOBD(QGPL/HIGHPRI) TEXT('I am so cool')* The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity. My recommendation to you is to change the object authority of the CHGPRF command to make it PUBLIC AUT(EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards Introduction to COBOL for IBM i - Dec 5-9 System Operations Workshops - Dec 12-16 Interactive RPG IV Programming - Jan 9-13 Expanded Security Workshop - Jan 17-20 Interactive COBOL Programming - Jan 23-27

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2011 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017