December 6, 2011 - SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - Virus, Worms - Securing CL Commands - Numeric Passwords and UserIDs

Tweet
December 6, 2011 - Vol 1, Issue 5

	Feature Article Correctly Securing Powerful and Sensitive Commands By Dan Riehl Several IBM supplied Control Language commands have restrictions on their use. Commands like CRTUSRPRF(Create User Profile) and CHGUSRPRF(Change User Profile) require that the user have, at the minimum, SECADM special authority. Other commands like PWRDWNSYS(Power Down System) and ENDSBS(End Subsystem) can only be used by users with JOBCTL special authority. Most commands, however, are available for use by any user on the system. Commands can be run directly from the command line, executed from within a program or batch job stream, or can be run through network interfaces like RMTCMD(Remote Command), FTP and ODBC/JDBC(using the QCMDEXC program). Each command has an attribute that specifies whether limited capabilities users can enter the command at the command line. A user is identified as 'limited' if their user profile specifies *LMTCPB(YES)*. There are only a handful of commands that allow 'limited' users to run the command at a command line. These are commands like DSPJOB(Display Job) and DSPMSG(Display Messages). We consider 'limited capability' users as being restricted from using the command line. In reality, they CAN enter commands at a command line, as long as the particular command allows for it. Since there are so many different methods to run commands, and so many different types of user capabilities and special authorities, it is important to tightly control some of the more powerful and sensitive commands. On most systems, a majority of the users have JOBCTL special authority. I have heard countless reasons for this configuration debacle, which I will not rehash here. The point here is that the powerful commands available to these JOBCTL users must be controlled. The ability to use commands like PWRDWNSYS, ENDSBS and ENDSYS should not be available to every user with JOBCTL, but should be restricted to a very small group of users. This article examines how you can intelligently control these sensitive commands, and presents the caveats and exceptions that you need to be aware of in order to secure the commands correctly. Read More.
In This Issue Featured Article - Securing CL Commands Featured Video - Is the IBM i Virus Proof? Security Shorts - Numeric Passwords and UserIDs Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home and Archives Please Visit Our Sponsors Platinum Sponsor Townsend Security Gold Sponsors Skyview Partners, Inc. The 400 School, Inc.	IBM i Security and Audit Resources Free Security Videos from Securemyi.com IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Digital Defense Announces Discovery Of IBM® WebSphere® Application Server Vulnerability Download the Press Release from Digitial Defense DDI announces the organization’s discovery of a vulnerability within the IBM WebSphere Application Server Administrative Console for IBM i and IBM z. DDI promptly notified IBM and an alert, including a patch to remediate the issue. Here is the IBM Response and PTF Information Raz-Lee's iSecurity Approved for IBM Tivoli Netcool/OMNIbus Certification More information on this Certification from Raz-Lee The 400 School, Inc. and SecureMyi.com Live Online Security Workshop from The 400 School and SecureMyi.com Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class. IBM i Security Calendar of Events Live Security Webcasts for IBM i Automating IBM i Security Administration Tasks including Compliance with Carol Woodbury - Sponsored by Skyview Partners Wednesday December 7, 2011 11:00 a.m. ET / 8:00 a.m. PST More Information and Register to Attend IBM i Viruses: Fact or Fiction Sponsored by Help Systems - Bytware Standguard Anti-Virus Wednesday, December 14, 2011 10:00 am CST More Information and Register to Attend More Security Events Jan 17-20 - The 400 School - Live Online Security Workshop May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA
Featured YouTube Educational Video IBM i Security Is the IBM i Vulnerable to Virus, Worms and other Malware? Cannot Access YouTube from your office? Download the video in wmv format.
Security Shorts - All Numeric Passwords and User IDs My UserID is 77 and My Password is 123456 Naming rules for the IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names are not case sensitive. However, when it comes to user profile names and passwords, an interesting phenomenon occurs. When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.) CRTUSRPRF USRPRF(BOBSMITH) PASSWORD(PASS1WORD5) Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward. But consider this next example: CRTUSRPRF USRPRF(Q12345) PASSWORD(Q11111) When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain. The user can log on with user Q12345 with a password or Q11111. The user can log on with user Q12345 with an all-numeric password of 11111. The user can log on with an all-numeric user 12345 with a password of Q11111. The user can log-on with an all-numeric user 12345 with an all-numeric password 11111. The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process. You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command. As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API. In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value DGTLMTAJC in the system value QPWDRULES*. Either of these settings prohibit the use of adjacent digits in a password when changed by the user.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards System Operations Workshops - Dec 12-16 Interactive RPG IV Programming - Jan 9-13 Expanded Security Workshop - Jan 17-20 Interactive COBOL Programming - Jan 23-27

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2011 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017