Security and Systems Management Newsletter for the IBM i             January 8, 2014 - Vol 4, Issue 1
Skyview Partners

Software from Cilasoft

Skyview Partners

Security Training from The 400 School

Feature Article

Checkup on your User Profiles for 2014 and Beyond

By Dan Riehl -

IBM i provides some great administration tools to help you manage the user profiles on your system. While there are scads of commands that can be used in user profile management, I have selected I few of my favorites that you may want to add to your security management 'bag of tricks'.

Finding User Profiles with Matching Passwords

The CL command ANZDFTPWD(Analyze default passwords) is a tool that allows you to easily generate a list of users who have passwords that exactly match the UserID name. These matching Passwords are called 'Default Passwords'. In addition, the command optionally allows you specify an action to be taken against those offending profiles. You can specify that the profiles are to be disabled(i.e. the user cannot sign on), or that you want to set the password to an expired state(i.e. the user must assign a new password next time they sign on.)

Here is the report generated by the ANZDFTPWD command.

             User profiles with default passwords	           Page    1
5770SS1 V7R1M0  100423	                        OPENSYS   01/03/14  09:51:19

Action taken against profiles  . . . . . . :   *NONE
Profile         STATUS         PWDEXP     Text
SDCXCADA        *ENABLED        *NO       Willy Singer
SDCXCCAA        *DISABLED       *NO       Garret Butcher
SDCXCCAF        *ENABLED        *NO       Charly Boller
SDCXCCMG        *DISABLED       *NO       Fark S. Barr
SDCYCCTH        *ENABLED        *NO       Mike K. Adams
SSDCYCDR        *DISABLED       *NO       N. K. Griffen
QSYSOPR         *ENABLED        *NO       System Operator	

When you run this command on your system, you may see similar results to this. Several user profiles have matching passwords, and many are enabled. One really nasty entry in the list is the one for QSYSOPR. The QSYSOPR profile has a matching password, and is enabled. Anyone trying to break into your system would most likely try to log-in with the default IBM supplied profiles like QSECOFR, QSYSOPR, etc.

I cannot stress the importance of making sure that no entries ever appear on this list. User profiles should never have matching passwords. If they do, your system security can easily be compromised.

Checking up on SST/DST UserID and Passwords

Prior to IBM i 6.1, if you wanted to check for Default Passwords for Service Tools UserIDs, and general Service Tools User Settings, you had to Start System Service Tools(STRSST), and provide a valid service tools UserID and Password. As of IBM i 6.1, IBM has provided the Control Language command Display System Service Tools Users(DSPSSTUSR), which allows you to view the settings of your Service Tools Users.

Read More about some Favorite Tools

In This Issue

Featured Article - Checkup on User Profiles

Featured Video - New Security Features

Security Shorts - Update on QINACTITV

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    Skyview Partners, Inc

Gold Sponsor

    Cilasoft Security Solutions

    The 400 School, Inc

IBM i Security Resources

John Earl Memorial Tribute

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

OSF - DataLoss DB

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Software from Cilasoft

Security Training from The 400 School
Security Training from
Security news and Events

Industry News

Kisco Releases New Self Service Password Reset Product

Kisco Information Systems has announced a new software product for the IBM i platform called iResetMe. It is an end-user password reset utility that addresses the issue of re-activating disabled and expired profiles from a secure browser session hosted directly on the IBM i.

More Information

Live Security Related Webcasts and Training for IBM i

January Events

Reduce the Cost and Effort of IBM i Auditing
Live Webcast - Presented by Powertech
Wednesday, January 15 1:00pm CST
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Training Workshop - January 21-24
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

February Events

Live Hands-On - IBM i Security and Vulnerability Assessment Workshop
with Dan Riehl

Training Workshop - February 10-13
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Training Workshop - February 19-20
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - February 24-28
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School

Security Training from The 400 School

IBM i Security Featured Video

"Top 10 New Features of IBM i Security"

By Carol Woodbury

Video Sponsored by Skyview Partners, Inc

Featured Video - IBM i Security

Security Training from

Security Shorts -

Update on the QINACTITV System Value

IBM i 7.1 PTFs make Big Changes

By Dan Riehl

In the December 11 issue of the SecureMyi Security Newsletter I discussed the topic of the System Value QINACTITV, the system's Workstation Inactivity Timer. This system value can be used to cause inactive interactive jobs to end or be disconnected. The action taken against an inactive interactive job is based upon the system value QINACTMSGQ.

By way of a few PTFs for IBM i 7.1, IBM has updated the functioning of the inactivity timer to make it smarter and more precise. If you are running on IBM i 6.1 or earlier, or have not installed the below listed PTFs for IBM i 7.1, the December 11 article applies to your system.

To Read about the PTFs and the updated functioning of the inactivity timer for IBM i 7.1, refer to Dawn May's IBM i Technical iCan Blog entries listed here.

iCan Blog Entry for IBM i 7.1 PTF SI46398
IBM Improves the handling of the Inactivity Timeout

iCan Blog Entry for IBM I 7.1 PTF SI50502
More Changes for the handling of QINACTITV

Thank you very much to Dawn May for providing this updated information for the PTFs for IBM i 7.1

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop

Security Training from

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017