SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - March 5, 2019 - Preventing Matching Passwords in IBM i V7R2M0

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i Issue Date: March 5, 2019

	Feature Article Preventing Matching Passwords in IBM i V7R2M0 By Dan Riehl - SecureMyi.com When you create a new user profile, the historical tendency is to use the IBM supplied default value for the User's new password. The password value is shown on the command prompt as USRPRF. (See Figure 1) When the value USRPRF is used to specify the password, the User's Password will be set to match the name of their User Profile. So, a User Profile of JSMITH, will have the password set to the value JSMITH. A snippet of the command prompt for the CRTUSRPRF(Create User Profile) command is shown below with the IBM supplied Password default setting of USRPRF. This tells the system to assign the password to be identical to the name of the User Profile being created. This is referred to as a 'Default Password'. Using this default setting opens obvious vulnerabilities for the User Profile. But, the ability to set a Default Password, or to use the default value USRPRF, can be totally rejected under some recent security updates discussed in this article. Figure 1) In my opinion, a proper security policy would prevent the use of any Default Password. Default Passwords should never be allowed. Please read this entire article to see how you can technically enforce a Total Ban on the use of all Default Passwords. Why is this a Big Deal? Let's consider for a moment the main pitfall of allowing Default Passwords. If I know your system’s User Profile naming convention (e.g. First Character of the First Name followed by the Last Name), I can know everyone's UserID by simply viewing the company employee directory. (e.g. ASMITH, BSMITH, CSMITH, DSMITH). I also know that, in numerous companies, a high percentage of these users will have a Default Password. It seems like an easy nut to crack. Default Passwords open up a world of vulnerabilities and exposures. Why even have a Password if everyone can know it? Restricting the use of Default Passwords with System Values We’ll now examine how to prevent the assignment of a Default Password. The key to this prevention is found in some recent updates in the Password related System Values. Examples for the QPWDRULES setting ALLCRTCHG The V7R2 update of the QPWDRULES System Value allows for the new setting of ALLCRTCHG, which specifies to enforce all password composition rules defined in the QPWDRULES system value when setting a password via the Create User Profile (CRTUSRPRF) command or the Change User Profile (CHGUSRPRF) command. Note that this setting has no effect when a user changes their own password using the CHGPWD command or the Change User Password (QSYCHGPW) API. It is a restriction only when creating and changing a user profile using the CRTUSRPRF and CHGUSRPRF commands. However, when this new IBM i V7R2 setting(ALLCRTCHG) is used in conjunction with the V6R1 Setting of LMTPRFNAME, it is impossible to assign a Default Password to a User Profile through ANY means. *Click - to Read the Entire Article for the details*

In This Issue Featured Article - Ban Default Passwords Featured Video - Limited Capabilities?? Security Shorts - Save All Spooled Files Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc	IBM i Security Resources IBM Security Incident Response BLOG IBM i Security Videos - from SecureMyi SecureMyi Newsletter Archives Search Security for IBM i - SecureMyi IBM i Security Reference - 6.1 IBM i Security Reference - 7.1 IBM i Security Reference - 7.2 IBM i Security Reference - 7.3 QAUDJRN Journal Entry Types 7.3 QAUDJRN Entry Layout 7.2 QAUDJRN Entry Layout 7.3 QAUDJRN Entries by AUDLVL 7.2 QAUDJRN Entries by AUDLVL 7.3 RedBook - Security Guide for IBM i 6.1 National Vulnerability Database - NIST PCI Security Standards Council COBIT - ISACA HIPAA Resources EU GDPR Information Portal CISSP - Certification
Featured YouTube Educational Video IBM i Security Misconceptions on User Limited Capabilities LMTCPB(*YES)

Security Shorts Security Shorts CL Program to Save All Your Spooled Files By Dan Riehl - SecureMyi.com Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not the contents(the spooled file reports) in the output queue. Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this new support. Instead, when we save a library or an output queue, we still only save the output queue object, but not the spooled files contained in the output queue. The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library: *SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(ALL)** When you do a SAVLIB(Save Library) or SAVOBJ(Save Object) command, you must specify SPLFDTA(ALL) in order to save the spooled files in the saved output queues. The parameter SPLFDTA(ALL) is the key to saving the spooled files. I encourage you to update your backup routines to begin saving your spooled files. But, perhaps you are using the IBM supplied SAVE menu to perform your backups, and not a home grown backup program. Or perhaps your vendor supplied backup software does not give you the option to save your spooled files. If that is the case, then here is a simple solution. Below is the source code for a Control Language program you can use that will save all of the output queues on your system and will save all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine. Note: In this program you must replace 'TAP02' with the name of your backup device. PGM /* Save Spooled Files / DCL VAR(&MSGID) TYPE(CHAR) LEN(7) DCL VAR(&MSGF) TYPE(CHAR) LEN(10) DCL VAR(&MSGFLIB) TYPE(CHAR) LEN(10) DCL VAR(&MSGDTA) TYPE(CHAR) LEN(100) DCLF FILE(QADSPOBJ) MONMSG MSGID(CPF0000) EXEC(GOTO ERROR) DSPOBJD OBJ(ALL/ALL) OBJTYPE(OUTQ) + OUTPUT(OUTFILE) OUTFILE(QTEMP/QADSPOBJ) OVRDBF FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ) LOOP: RCVF MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT)) SAVOBJ OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) + OBJTYPE(OUTQ) SPLFDTA(ALL) GOTO LOOP ENDIT: RETURN ERROR: RCVMSG MSGTYPE(LAST) MSGDTA(&MSGDTA) MSGID(&MSGID) + MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB) MONMSG CPF0000 /* Just in case / SNDPGMMSG MSGID(&msgid) MSGF(&msgflib/&msgf) MSGDTA(&msgdta) + MSGTYPE(ESCAPE) MONMSG CPF0000 /* Just in case */ ENDPGM When it comes time to recover a deleted spooled file, or an entire output queue, you can use the command RSTOBJ(Restore Object) to restore the saved output queue, including all of the spooled files that are not found on the system at restore time.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi IT Security and Compliance Group In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Software Selection & Configuration Security and Systems Programming General Security and System Assistance LIVE Training from The 400 School, Inc Customized IBM i (iSeries, AS/400) Training - Presented Live at your offices LIVE Online Hands-On Workshops ILE RPG IV Programming RPG/400 and RPG III Programming ILE COBOL/400 Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014-2019 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017