December 6, 2011 - Vol 1, Issue 5
Townsend Security - Automatic Encryption - NIST Certified for IBM i


Feature Article

Correctly Securing Powerful and Sensitive Commands

By Dan Riehl

Several IBM-supplied Control Language commands have restrictions on their use. Commands like CRTUSRPRF (Create User Profile) and CHGUSRPRF (Change User Profile) require that the user have, at a minimum, *SECADM special authority. Other commands, like PWRDWNSYS (Power Down System) and ENDSBS (End Subsystem), can only be used by users with *JOBCTL special authority.

Most commands, however, are available for use by any user on the system. Commands can be run directly from the command line, executed from within a program or batch job stream, or run through network interfaces like RMTCMD (Remote Command), FTP and ODBC/JDBC (using the QCMDEXC program).

Each command has an attribute that specifies whether limited-capability users can enter the command at the command line. A user is identified as 'limited' if their user profile specifies LMTCPB(*YES). Only a handful of commands allow 'limited' users to run them at a command line; these are commands like DSPJOB (Display Job) and DSPMSG (Display Messages). We think of 'limited capability' users as being restricted from using the command line. In reality, they CAN enter commands at a command line, as long as the particular command allows for it.

Since there are so many different methods to run commands, and so many different types of user capabilities and special authorities, it is important to tightly control some of the more powerful and sensitive commands.

On most systems, a majority of the users have *JOBCTL special authority. I have heard countless reasons for this configuration debacle, which I will not rehash here. The point here is that the powerful commands available to these *JOBCTL users must be controlled.

The ability to use commands like PWRDWNSYS, ENDSBS and ENDSYS should not be available to every user with *JOBCTL, but should be restricted to a very small group of users.

This article examines how you can intelligently control these sensitive commands, and presents the caveats and exceptions that you need to be aware of in order to secure the commands correctly.
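As an added illustration (not from the article or its full text), the CL below shows the object-level approach to restricting one such command, PWRDWNSYS, to a single group profile. SYSOPRGRP is a hypothetical group name; the commands used (DSPOBJAUT, GRTOBJAUT, CHGCMD, WRKOBJ) are standard IBM i CL.

```cl
/* Added example: lock down PWRDWNSYS at the object level.              */
/* SYSOPRGRP is a hypothetical group profile that holds the few users   */
/* allowed to power the system down; substitute your own group.         */

/* 1. Record the current authorities before changing anything.          */
DSPOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OUTPUT(*PRINT)

/* 2. A command needs *USE authority to run, whatever the interface     */
/*    (command line, CL program, RMTCMD, FTP, QCMDEXC). Exclude the     */
/*    public and grant *USE only to the operators' group.               */
GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(*PUBLIC)   AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) USER(SYSOPRGRP) AUT(*USE)

/* 3. Make sure limited-capability users (LMTCPB(*YES)) cannot type it  */
/*    at a command line even if they are later granted *USE.            */
CHGCMD     CMD(QSYS/PWRDWNSYS) ALWLMTUSR(*NO)

/* 4. Look for other copies of the command object; an authority change  */
/*    on QSYS/PWRDWNSYS does nothing for a copy in another library.     */
WRKOBJ     OBJ(*ALL/PWRDWNSYS) OBJTYPE(*CMD)

/* 5. Verify the result.                                                */
DSPOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD)
```

Two caveats worth checking on your own system: users with *ALLOBJ special authority bypass object authorities entirely, so the group-only restriction holds only once *ALLOBJ is confined to a handful of profiles; and attribute changes made with CHGCMD to an IBM-supplied command are typically lost when a release upgrade replaces the command object, so they belong on a post-upgrade checklist.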


In This Issue

Featured Article - Securing CL Commands

Featured Video - Is the IBM i Virus Proof?

Security Shorts - Numeric Passwords and UserIDs

Industry News and Calendar

Security Resources

Please Visit Our Sponsors

Platinum Sponsor
      Townsend Security

Gold Sponsors
      Skyview Partners, Inc.

      The 400 School, Inc.

IBM i Security and Audit Resources

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security, and be entered to Win a $500 Best Buy Gift Card!

IBM i Security News Bytes

Digital Defense Announces Discovery of IBM® WebSphere® Application Server Vulnerability

Download the Press Release from Digital Defense
DDI announces the organization's discovery of a vulnerability within the IBM WebSphere Application Server Administrative Console for IBM i and IBM z. DDI promptly notified IBM, which issued an alert, including a patch to remediate the issue.
Here is the IBM Response and PTF Information

Raz-Lee's iSecurity Approved for IBM Tivoli Netcool/OMNIbus Certification
More information on this Certification from Raz-Lee

Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class.

IBM i Security Calendar of Events

Live Security Webcasts for IBM i

Automating IBM i Security Administration Tasks including Compliance
with Carol Woodbury - Sponsored by Skyview Partners
Wednesday December 7, 2011 11:00 a.m. ET / 8:00 a.m. PST
More Information and Register to Attend

IBM i Viruses: Fact or Fiction
Sponsored by Help Systems - Bytware Standguard Anti-Virus
Wednesday, December 14, 2011 10:00 am CST
More Information and Register to Attend

More Security Events

Jan 17-20 - The 400 School - Live Online Security Workshop

May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA



Featured YouTube Educational Video

IBM i Security

Is the IBM i Vulnerable to Virus, Worms and other Malware?


Cannot access YouTube from your office? Download the video in WMV format.

Security Shorts - All Numeric Passwords and User IDs

My UserID is 77 and My Password is 123456

Naming rules for the IBM i state that an object name must begin with an alphabetic character (A-Z, #, $ or @) and that the remaining characters (up to 10 characters in total) can be A-Z, 0-9, #, $, @, _ (underscore) or . (period). Object names are not case sensitive.

However, when it comes to user profile names and passwords, an interesting phenomenon occurs.

When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)


Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.

But consider this next example:


When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain.

  • The user can log on with user Q12345 with a password of Q11111.
  • The user can log on with user Q12345 with an all-numeric password of 11111.
  • The user can log on with an all-numeric user 12345 with a password of Q11111.
  • The user can log on with an all-numeric user 12345 with an all-numeric password of 11111.

The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process.

You can read more about this Q-digit support in the F1=Help text of the CRTUSRPRF (Create User Profile) command.

As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.

In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibits adjacent digits in a password when it is changed by the user.
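As an added example (not from the article), the CL program below takes a different route from the system values above: a password validation exit program, which the QPWDVLDPGM system value can point at, that rejects exactly the Q-digits form (Q followed only by digits) and nothing else. CHKQDGT and MYLIB are hypothetical names. The three-parameter interface (new password, old password, return code, with '0' meaning accept) is the QPWDLVL 0/1 exit program interface as I understand it; confirm it against the Security Reference for your release before relying on it.

```cl
/* CHKQDGT - password validation exit program for QPWDVLDPGM.         */
/* Added example, not from the article. Assumes QPWDLVL 0 or 1, so    */
/* the new password arrives as a 10-byte, blank-padded, upper-case    */
/* field. Return code '0' accepts the password; anything else rejects. */
PGM        PARM(&NEWPW &OLDPW &RTNCODE)
   DCL     VAR(&NEWPW)   TYPE(*CHAR) LEN(10)
   DCL     VAR(&OLDPW)   TYPE(*CHAR) LEN(10)
   DCL     VAR(&RTNCODE) TYPE(*CHAR) LEN(1)
   DCL     VAR(&POS)     TYPE(*DEC)  LEN(2 0) VALUE(2)
   DCL     VAR(&CHR)     TYPE(*CHAR) LEN(1)
   DCL     VAR(&NBRDGT)  TYPE(*DEC)  LEN(2 0) VALUE(0)

   CHGVAR  VAR(&RTNCODE) VALUE('0')           /* accept by default   */

   /* Only a leading Q can trigger the optional-Q logon behaviour.    */
   IF      COND(%SST(&NEWPW 1 1) *NE 'Q') THEN(RETURN)

   /* Walk the remaining characters. Stop at the first blank (end of  */
   /* the password); any non-digit means this is not a Q-digits       */
   /* password, so accept it and return.                              */
   DOWHILE COND(&POS *LE 10)
      CHGVAR  VAR(&CHR) VALUE(%SST(&NEWPW &POS 1))
      IF      COND(&CHR *EQ ' ') THEN(LEAVE)
      IF      COND((&CHR *LT '0') *OR (&CHR *GT '9')) THEN(RETURN)
      CHGVAR  VAR(&NBRDGT) VALUE(&NBRDGT + 1)
      CHGVAR  VAR(&POS)    VALUE(&POS + 1)
   ENDDO

   /* Q followed only by digits: reject, so the user cannot also sign */
   /* on with the digits alone (Q11111 would otherwise accept 11111). */
   IF      COND(&NBRDGT *GT 0) THEN(CHGVAR VAR(&RTNCODE) VALUE('1'))
ENDPGM

/* Activation, after compiling into MYLIB and restricting the program */
/* to its owner. The value is 'program library' in two 10-byte fields */
/* (assumed format):                                                  */
/* CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE('CHKQDGT   MYLIB')              */
```

Three points on using this. First, the exit program receives the new password in clear text, so the program object and its source must be secured (*PUBLIC *EXCLUDE) and must never log or message the value. Second, like QPWDLMTAJC, a validation program is consulted when the user changes the password with CHGPWD or the Change Password API, not when an administrator sets one with CRTUSRPRF or CHGUSRPRF, so the profile-naming policy the article describes is still needed. Third, the trade-off against the system values: QPWDLMTAJC / *DGTLMTAJC bans every pair of adjacent digits (PASS1WORD5 passes, PASS12WORD does not), whereas this program rejects only the Q-digits form, which is the right choice when a blanket adjacent-digit ban is more than your password policy wants.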


Copyright 2011 -, all rights reserved | St Louis MO 63017