January 18, 2012 - Vol 2, Issue 2
Cilasoft Security Solutions

Expert Webinar - Integrating IBM i with Enterprise SIEM and Monitoring Solutions

Feature Article

Protecting Your Security System Values from Modification

By Dan Riehl

The IBM i System Values are the system-wide settings that determine how your system operates. For example, the System Value QCRTAUT determines the *PUBLIC authority given to newly created objects (whenever the owning library's CRTAUT is *SYSVAL). The System Value QALWOBJRST determines whether there are any restrictions on the objects that can be restored onto the system. The System Values QTIME and QDATE hold the current system time and date.

When you aren't the only one at your company who has security officer privileges or high levels of authority, one of these other powerful users can change the settings stored in these System Values. In one particular case, an unwise change to the QCRTAUT System Value caused the system to assign the incorrect authority settings to newly created objects, leaving them open to abuse.

To protect these high-impact, security-related System Values, IBM provides a lock/unlock mechanism that is available only through the service tools (System Service Tools, STRSST, or Dedicated Service Tools), not through any operating-system command. While the lock is on, the affected values cannot be changed with CHGSYSVAL or WRKSYSVAL, regardless of the special authorities the user holds; that is the point, since it is the powerful users you are guarding against.

To reach the lock/unlock setting, a user needs a service tools user ID and password. These are not operating-system user profiles; they are a separate set of IDs such as 11111111, 22222222, QSRV and, yes, QSECOFR. The service tools user QSECOFR is a different user from the operating system's QSECOFR profile, with its own (and ideally different) password. The passwords IBM ships for these IDs are published and well known, so confirm they have been changed and that each service tools ID is held by as few people as possible: anyone holding one can unlock the values and make them changeable again.

To access the System Values lock/unlock function, enter the command Start System Service Tools (STRSST) and, when prompted, enter QSECOFR as the user ID and supply the QSECOFR SST password. You are then presented with the System Service Tools menu. Option 7, Work with system security, holds the setting Allow system value security changes; 1=Yes leaves the values changeable and 2=No locks them.
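The lock has no operating-system command of its own, so the two practical checks are to confirm that the values still match policy and to confirm that CHGSYSVAL is actually refused. The CL program below is an added example written for this newsletter, not code from the author or from IBM; the program name CHKSECSV and the policy values it checks (QSECURITY of 40 or higher, QCRTAUT of *EXCLUDE, QALWOBJRST not left at *ALL) are assumptions standing in for your own policy. Compile it with CRTBNDCL and run it from a profile that holds *ALLOBJ and *SECADM, so that a refused CHGSYSVAL can only mean the lock.

```cl
/* CHKSECSV - added example: report drift in security-related    */
/* system values and probe whether the SST lock is in effect.    */
/* The policy values below are assumptions; substitute your own. */
             PGM
             DCL        VAR(&SECLVL) TYPE(*CHAR) LEN(2)
             DCL        VAR(&CRTAUT) TYPE(*CHAR) LEN(10)
             DCL        VAR(&ALWRST) TYPE(*CHAR) LEN(150)
             DCL        VAR(&DRIFT)  TYPE(*LGL)  VALUE('0')

/* 1. Retrieve the current settings.                             */
             RTVSYSVAL  SYSVAL(QSECURITY)  RTNVAR(&SECLVL)
             RTVSYSVAL  SYSVAL(QCRTAUT)    RTNVAR(&CRTAUT)
             RTVSYSVAL  SYSVAL(QALWOBJRST) RTNVAR(&ALWRST)

/* 2. Compare with policy; report every deviation to QSYSOPR.    */
             IF         COND(&SECLVL *LT '40') THEN(DO)
             SNDPGMMSG  MSG('QSECURITY is' *BCAT &SECLVL *BCAT +
                            '- policy requires 40 or higher') +
                        TOUSR(*SYSOPR)
             CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO
             IF         COND(&CRTAUT *NE '*EXCLUDE') THEN(DO)
             SNDPGMMSG  MSG('QCRTAUT is' *BCAT &CRTAUT *BCAT +
                            '- policy requires *EXCLUDE') +
                        TOUSR(*SYSOPR)
             CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO
             IF         COND(&ALWRST *EQ '*ALL') THEN(DO)
             SNDPGMMSG  MSG('QALWOBJRST is *ALL: any object' *BCAT +
                            'can be restored, including' *BCAT +
                            'system-state programs') +
                        TOUSR(*SYSOPR)
             CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

/* 3. Probe the lock by re-setting QCRTAUT to its current value. */
/*    With the SST lock on, CHGSYSVAL is refused and MONMSG runs.*/
/*    With it off, the command succeeds (and writes an SV audit  */
/*    entry when QAUDLVL includes *SECURITY or *SECCFG); that    */
/*    success is the finding. CPF0000 also catches a plain       */
/*    authority failure, so check the job log before trusting it.*/
             CHGSYSVAL  SYSVAL(QCRTAUT) VALUE(&CRTAUT)
             MONMSG     MSGID(CPF0000) EXEC(DO)
             SNDPGMMSG  MSG('CHGSYSVAL QCRTAUT refused: SST' *BCAT +
                            'lock appears to be in effect') +
                        TOUSR(*SYSOPR)
             GOTO       CMDLBL(DONE)
             ENDDO
             SNDPGMMSG  MSG('CHGSYSVAL QCRTAUT succeeded:' *BCAT +
                            'security system values are NOT locked') +
                        TOUSR(*SYSOPR)

 DONE:       IF         COND(&DRIFT) THEN(SNDPGMMSG +
                          MSG('Security system values differ' *BCAT +
                              'from policy') TOUSR(*SYSOPR))
             ENDPGM
```

Schedule it through the job scheduler and the operator message queue becomes a simple drift alarm; a CHGSYSVAL that succeeds tells you someone has unlocked the values since the last run, which is worth an SV-entry search in the audit journal.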

The full article weighs the pros and cons of setting the security system value lock in SST. Set it and forget it?

In This Issue

Featured Article - Protecting System Values

Featured Video - Vulnerable User Profiles

Security Shorts - IBM i 6.1 Password Differences

Industry News and Calendar

Security Resources


Please Visit Our Sponsors

Platinum Sponsor
      Cilasoft Security Solutions

Gold Sponsor
      Software Engineering of America, Inc

      Skyview Partners, Inc

      The 400 School, Inc

IBM i Security and Audit Resources

Free Security Videos from Securemyi.com

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Security Compliance Automation Tools - Designed by Carol Woodbury - Security Policy Compliance - Vulnerability Assessments - Audit Journal Reporting - Register today for a FREE Trial! - Brought to you by SkyView Partners


IBM i Security Calendar of Events

Live Security Webcasts for IBM i

Using Policy Minder for IBM i for PCI Compliance
Presented by Carol Woodbury - Sponsored by Skyview Partners
Wednesday January 26 10:00 a.m. PST
More Information and Register to Attend

Integrating IBM i Security with Enterprise SIEM and Monitoring Solutions
Expert Webinar Series - Sponsored by Software Engineering of America, Inc
Thursday February 2 1:00 p.m. EST
More Information and Register to Attend

Best Practices for Security and Compliance with IBM i
Featuring Jeff Uehling of IBM and Carol Woodbury of SkyView Partners
Sponsored by IBM
Thursday February 9 2:00 p.m. EST
More Information and Register to Attend

More Relevant Events

March 21-22 - 27th Annual Spring Technical Conference
Wisconsin Midrange Computer Professional Association
The conference will be held at Grand Geneva in Lake Geneva, WI.
More Information and Register to Attend

May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA

Featured YouTube Educational Video

IBM i Security - How to Identify and Fix Your Vulnerable User Profiles

Featured Video - Misconceptions on Ownership and Authority to User Profiles

Security Shorts -
Stronger Enforcement of Password Differences in IBM i 6.1

By Dan Riehl

The System Value QPWDRQDDIF (Required Difference in Passwords) has been available for many years as a way to force users to choose a password they have not used, or have not used recently, when they change it. The number you specify does not name a count of passwords directly; it selects one of eight fixed history depths, as follows:

Value specified    Previous passwords checked
0                  0 (no check; the new password may be the same as the old one)
1                  32
2                  24
3                  18
4                  12
5                  10
6                  8
7                  6
8                  4

I always wonder at "technology" like that exhibited in this System Value. Why not just allow me to specify the number of previous passwords to check, instead of a number that corresponds to a number of previous passwords to check?

If I want to check the previous 6 passwords, I specify the number 7 for the System Value. DOH!   Who thinks this stuff up?

What if I want to check for the previous 5 passwords? It can't be done. It reminds me of my first assembler programming class, in which I had severe brain freeze trying to comprehend how to resolve "The Address of the Address of TIME.".

In the 6.1 release of the IBM i operating system, IBM added a system value that enforces the 'password difference' rule more strictly. The new system value is QPWDCHGBLK (Block Password Changes), which specifies a number of hours during which a newly changed password cannot be changed again. The password change is temporarily blocked.

The shipped value is *NONE, meaning a newly changed password can be changed again immediately. That is also the only behavior available before 6.1, and it is exactly the gap users have taken advantage of.

Before 6.1, a user can change their password repeatedly in one sitting until the history kept by QPWDRQDDIF is exhausted. Their goal, and the usual result, is to set the password right back to the one they have used for years. It's so much easier to remember, ya know?

The QPWDCHGBLK System Value enforces a timer that says 'You cannot change your password again for n hours', where n is a number from 1 to 99. Once a user has successfully changed their password, any further change is refused for the number of hours you specify in the System Value.

The block applies when a user changes their own password, for example with CHGPWD. It does not restrict a security administrator, who can still reset a user's password at any time with the CHGUSRPRF (Change User Profile) command. Nor is it in effect when the user's password has been set to expired, so a forced change at the next sign-on is never held up by the block.

The Password Change Block System Value can be overridden for an individual profile with the PWDCHGBLK parameter of the CRTUSRPRF and CHGUSRPRF commands, which accepts *SYSVAL (the default), *NONE, or a number of hours from 1 to 99.
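The commands below show the two system values set together with profile-level overrides, as an added example for this newsletter rather than the author's own commands. The 24-hour and 48-hour choices and the profile names SVCBATCH, JSMITH and JADMIN are assumptions; type the commands at a command line or put them in a CL program.

```cl
/* Added example. Shipped values are QPWDRQDDIF(0) and QPWDCHGBLK(*NONE): */
/* no history check and no block, which is what lets a user cycle straight */
/* back to an old password. Character system values take a quoted value.  */

/* Check the last 6 passwords (value 7 on the 1-8 scale in the table).      */
             CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('7')

/* Refuse a second change for 24 hours after a successful one (1-99).       */
             CHGSYSVAL  SYSVAL(QPWDCHGBLK) VALUE('24')

/* Profile-level overrides. An application profile whose password is       */
/* rotated by an automated job must not be blocked, so it gets *NONE;      */
/* an ordinary user follows the system value (*SYSVAL, the default).       */
             CHGUSRPRF  USRPRF(SVCBATCH) PWDCHGBLK(*NONE)
             CHGUSRPRF  USRPRF(JSMITH)   PWDCHGBLK(*SYSVAL)

/* A tighter per-profile value is also allowed, here 48 hours for an      */
/* administrator profile.                                                  */
             CHGUSRPRF  USRPRF(JADMIN)   PWDCHGBLK(48)

/* Verify the system value and one of the overrides.                       */
             DSPSYSVAL  SYSVAL(QPWDCHGBLK)
             DSPUSRPRF  USRPRF(SVCBATCH)
```

Remember that the block applies to a user changing their own password; the CHGUSRPRF commands above are not subject to it, and neither is a user whose password has been set to expired.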


Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts

Now Accepting Credit Cards

IBM i Security Workshop - Jan 17-20
Interactive COBOL Programming - Jan 23-27
System Operations Workshop-Feb 27-Mar 2
System Administration & Control - Mar 12-16
Interactive RPG IV Programming - Mar 26-30
Control Language Programming - April 9-13
Intro to RPG IV Programming - April 23-27


Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017