Security and Systems Management Newsletter for the IBM i             February 26, 2014 - Vol 4, Issue 3

Feature Article

Do you Ever Really Log-Off?

By Dan Riehl

Most of us run IBM i Access for Windows. That's the newest name for what we used to call PC Support, Client Access and iSeries Access. You probably use the Personal Communications PC5250 emulation software to provide your workstation sessions. You may also use the IBM i Navigator (Operations Navigator, iSeries Navigator) portion of IBM i Access for Windows.

There are several IBM supplied applications that are installed on your PC when you install IBM i Access for Windows. Included in these additional applications are the Remote Command facility, the ODBC Driver and various File Transfer programs and Service utilities. One critical piece of software that is installed is the command interface to Set or Flush the Signon Server cached User IDs and Passwords, which is the topic of our discussion here.

When you run IBM i Access functions on your PC that require communications with the host, you must first authenticate to the host. To accomplish this authentication, IBM provides the Signon Server GUI window where you provide your credentials (i.e. User ID and Password), as shown here.

Once you have successfully authenticated, your PC holds an open session to the IBM i, without any further authentication! You can potentially transfer files, run remote commands, examine spooled files in IBM i Navigator, view and change database records in Navigator, and more, without providing your logon credentials again.

I know this is scary stuff, but with IBM i Access for Windows, it's the nature of the "Ease of Use" in having cached credentials.

So, do you really Log-Off when you leave your desk to go to lunch or to go home for the day? Or, as most do, do you only Log-Off your Telnet workstation session and simply leave the fully authenticated connection open for file transfer, remote command, etc.? That allows unsanctioned access to the IBM i for anyone who happens to 'drive by' your unattended PC. Since you are only prompted to Log On to the Signon server again after a PC shutdown, IBM i Access for Windows serves as a continuously open, fully authenticated connection to your host system.

So, how can you remediate these exposures and deal with these potentially damaging vulnerabilities?

Read More..

In This Issue

Featured Article - Do you Really Log-Off?

Security Shorts - QPWDRQDDIF with QPWDCHGBLK

Industry News and Calendar

Security Resources

Security news and Events

Live Security Related Webcasts and Training for IBM i

February Events

Reduce the Cost and Effort of IBM i Auditing
Live Webcast - Presented by Powertech - For UK Audience
Thursday, February 27 1400 UK London
More Information and Register to Attend

March Events

Coffee with Carol: I want my Privacy!
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, March 5 10:00am CDT
More Information and Register to Attend

Enforcing the Integrity of Your IBM i Data And Server
Live Webcast - Presented by Powertech
Thursday, March 6 1:00pm CT
More Information and Register to Attend

Live Hands-On - IBM i Concepts and Control Language Programming
with Dan Riehl

Training Workshop - March 3-7
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

April Events

Coffee with Carol: Cloud Security Review
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, April 2 10:00am CDT
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Training Workshop - April 8-11
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL
More Information and Register to Attend


Security Shorts - Using QPWDRQDDIF with QPWDCHGBLK to Enforce Stronger Password Protections

By Dan Riehl

The System Value QPWDRQDDIF has been available for many years as a means of forcing users to choose new or previously 'unused' passwords when changing their password. The number you specify for the System Value determines how many previous passwords are checked to ensure that the new password has not been used, or at least not been used recently.

The number specified in the System Value corresponds to the number of previous passwords that are checked.

Value specified   Number of previous passwords checked
0                 0   (no previous passwords are checked; the new password can be the same)
1                 32
2                 24
3                 18
4                 12
5                 10
6                 8
7                 6
8                 4

I always wonder at "technology" like that exhibited in this System Value. Why not just allow me to specify the number of previous passwords to check, instead of a number that corresponds to a number of previous passwords to check?

If I want to check the previous 6 passwords, I specify the number 7 for the System Value QPWDRQDDIF.   Who thought this up?

What if I want to check for the previous 5 passwords? It can't be done. hmmm.

In IBM i 6.1, IBM provided an additional system value that allows you to more strictly enforce the 'password difference' rule. The new system value is QPWDCHGBLK (Block Password Changes), which allows you to specify a number of hours during which a newly changed password cannot be changed again. A password change is temporarily blocked.

The shipped value is *NONE, which means that a newly changed password can be changed again immediately. That is also the behavior we had prior to 6.1, and that is where our users have taken advantage of the lack of a password change blocking mechanism.

Prior to 6.1, users could repeatedly change their password until they had exhausted your Password Difference System Value. Their goal, and the ultimate result, is that they are able to reset their password back to the same password that they have used for years. It's so much easier to remember, Ya Know?

The QPWDCHGBLK System Value allows you to enforce a timer which says 'You cannot change your password again for n number of hours'; where n is a number from 1 to 99. So, once a user has successfully changed their password, they are prohibited from changing their password again for the number of hours that you specify in the System Value.

For added security, a security administrator can always change a user's password using the CHGUSRPRF (Change User Profile) command. On another note, the password change block is not in effect when the user's password has been 'Set to Expired' using CHGUSRPRF.
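To make the interplay of the two system values concrete, here is an added Python model (not IBM code, and not part of the original newsletter) of the rules described above. It uses the article's QPWDRQDDIF table and, as a simplifying assumption, applies no checks at all to an administrator's CHGUSRPRF; the user names and passwords are constructed sample values.

```python
from datetime import datetime, timedelta

# QPWDRQDDIF value -> how many previous passwords are checked (the article's table)
QPWDRQDDIF_HISTORY = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}


class PasswordPolicy:
    """Simplified model of QPWDRQDDIF and QPWDCHGBLK as the article describes them."""

    def __init__(self, qpwdrqddif, qpwdchgblk_hours=0):
        self.history_depth = QPWDRQDDIF_HISTORY[qpwdrqddif]
        # 0 stands in for the shipped value *NONE: no change block at all
        self.block = timedelta(hours=qpwdchgblk_hours) if qpwdchgblk_hours else None
        # user -> (previous passwords, time of last change, 'set to expired' flag)
        self.users = {}

    def admin_set_password(self, user, password, now, expire=False):
        """CHGUSRPRF by an administrator: ignores the block (assumption: no checks here)."""
        history = self.users.get(user, ([], None, False))[0]
        self.users[user] = (history + [password], now, expire)

    def change_password(self, user, new, now):
        """User-initiated change; returns None if accepted, else the reason it was refused."""
        history, last_change, expired = self.users[user]
        # QPWDCHGBLK: refuse if the last change is too recent, unless it was set to expired
        if self.block is not None and not expired and now - last_change < self.block:
            return "blocked by QPWDCHGBLK"
        # QPWDRQDDIF: refuse if the new password is among the last N passwords
        if self.history_depth and new in history[-self.history_depth:]:
            return "rejected by QPWDRQDDIF"
        self.users[user] = (history + [new], now, False)
        return None


def changes_to_cycle_back(policy):
    """How many user changes it takes to get back to a previously used password."""
    return policy.history_depth + 1


def min_hours_to_cycle_back(policy):
    """Minimum elapsed time for that cycling, counted from the user's first change."""
    hours = policy.block.total_seconds() / 3600 if policy.block else 0
    return policy.history_depth * hours
```

With QPWDRQDDIF set to 8 (four previous passwords checked) and QPWDCHGBLK at *NONE, a user is back on the old password after five changes in a row; with QPWDCHGBLK set to 24, the same cycling takes at least 96 hours.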

The Password Change Block System Value can be overridden at the User Profile level using the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands as shown here:




Copyright 2014, all rights reserved | St Louis MO 63017