< SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - March 13, 2013 - Securing TCP/IP and Host Servers
SecureMyi.com Security and Systems Management Newsletter for the IBM i                 March 13, 2013 - Vol 3, Issue 25
Live Online Workshops - from The 400 School

Powertech - Control of your Powerful Users

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Feature Article

Securing TCP/IP and Host Servers

By Dan Riehl

Unless you have changed your network server startup defaults, a lot of network servers are starting on your system that you have no earthly need to run. Running servers that are not needed opens up additional network pathways to your system that results in increased vulnerability.

For example, why turn your IBM i into a mail server by starting POP3 and/or SMTP when your system will never process any e-mail? But, unless you have changed the IBM defaults, your system is running the servers to process email.

The IBM shipped defaults will automatically start a large number of servers when you start the Host servers and TCP/IP servers.

Here is a list of the servers that are set to automatically start in IBM i 6.1.
Central Server, Database Server, Database SSL Server, Data Queue Server, DRDA-DDM Server TCP/IP, File Server, File Server SSL, FTP Server, IBM Help Server, Tivoli Directory Server, i5/OS NetServer, Management Central Server, Network Print Server, On Demand Server, Remote Command Server, Server Port Mapper, Signon Server, SMTP(Simple Mail Transfer Protocol) Server, TELNET server, Transfer Function Server TCP/IP, Virtual Print Server.

Along with the servers that are automatically started, numerous server related clients and daemons are set to start when particular servers start.

Information on each IBM i 6.1 server, including server names, associated jobs and auto-start settings can be found here at the IBM i 6.1 Information Center.

Stark Terror when Starting and Ending TCP/IP servers

The IBM supplied default values when starting a TCP/IP server will cause all TCP/IP servers to attempt to start. That is one of the main problems we have in controlling the start of these servers. A well-meaning IT Staff member types "STRTCPSVR" and presses ENTER… All the TCP/IP servers will attempt to start. The STRTCPSVR(Start TCP/IP Server) command's default value of SERVER(*ALL) is not appropriate. It runs the command as shown here.


But, you can change this terrorizing default behavior, and help protect your system.

Read more.

In This Issue

Featured Article - Securing Servers

Security Shorts - More on Exit Points

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit RZKH.de

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor
    The PowerTech Group

    Skyview Partners, Inc

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute - Jan 2013

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

PowerTech - Control of your Powerful Users

Security Assessment Workshop for IT Auditors - from The 400 School

IBM i Security and Systems Management News Bytes

PowerTech Adds New Auditing Capabilities in Authority Broker 4.0

PowerTech, a Help/Systems company, has announced a new version of their Authority Broker software that adds a Screen-Cam capability to audit user activity when using System Service Tools(SST), QSH, and other "Invisible" green screen based activity.

While the IBM i security infrastructure includes auditing capabilities for green screen commands, Authority Broker 4.0 extends IBM i auditing into non-command-based environments, including STRSQL, DFU, QSHELL, and System Service Tools (SST).

See more about the new version of Authority Broker.

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Top 10 New Features of IBM i Security - Carol Woodbury
Live Webcast - Presented by Skyview Partners
Wednesday, March 13 10:00am CDT
More Information and Register to Attend

A Primer on IBM i User Profiles and How to Deploy Them Properly
Live Webcast - Sponsored by PowerTech
Wednesday, March 27 1:00 PM CDT
More Information and Register to Attend

Audit and Control of Powerful Users on IBM i - Dan Riehl and Robin Tatam
Live Webcast - Presented by iPro Developer Web Seminars
Sponsored by PowerTech
Speakers: Dan Riehl of SecureMyi.com and Robin Tatam of Powertech
Thursday, April 4 11:00 AM CDT
More Information and Register to Attend

April 7-10 - COMMON - A User Group
2013 Annual Conference and Exposition - Austin, TX
More Information and Register to Attend

Live Hands-On IBM i Security Assessment Workshop
Full Length Training Workshop - April 16 - April 19
Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop for the IBM i.
More Information and Register to Attend

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Security Shorts -

IBM i Registered Exit Programs – Vulnerabilities?

By Dan Riehl

Have you ever used the WRKREGINF command? It is the IBM i command to Work with Registration Information. So, you ask, "What is Registration Information anyway?" Simply put, it is the registered exit points and exit programs that allow IBM, third party vendors and you to do some custom processing when an event occurs on your system.

For example, IBM provides a registered exit point for the process of creating a user profile. It allows you to do some custom processing when a user profile is created. You accomplish your custom processing by writing a program, and registering the program using the WRKREGINF command or the ADDEXITPGM(Add Exit Program) command.

There are many categories of exit points. Some are for Backup and Recovery, User Profile maintenance, Network Access(Like FTP and ODBC), and many others. Thankfully, the ability to add an exit program to the registry is restricted to a user with Security Officer access. I say thankfully, because it is possible through adding exit programs to override or complement the normal functioning of the system. That’s what the exit points were designed for.

Now, please let me take you a step further

Several OS releases ago, IBM provided us with the capability to add exit programs to Control Language commands. These are referred to as Command Exit programs. So, if you wanted to add your own custom logic to a CL command, you could do that through registering your own custom written program to the IBM supplied exit points named QIBM_QCA_CHG_COMMAND and QIBM_QCA_RTV_COMMAND.

For information on using these CL Command exit points, see the two part series at Securemyi.com.

Please, just one more step with me

When installing third party vendor supplied packages you are often required to log-on to the system as QSECOFR, or similar powerful user profile. This, in itself, is not a bad thing. But, do you know what the vendor's install process is doing to your system?

I was recently at a customer site performing a security assessment and was running a standard audit report from my toolkit and discovered a little surprise deposited by a third party vendor’s install process. The vendor had added an exit program for the IBM supplied Control Language command APYPTF(Apply Program Temporary Fix). I was puzzled. Why would a well-respected software vendor want to hook their own logic into the PTF process, especially when the software product itself had absolutely NO relationship to system fixes or PTFs?

I called the vendor and questioned them about what this exit program was doing there. The vendor did not provide any kind of reasonable answer, and advised me that it was ok to remove the exit program if I wanted to, it would not affect their application. So why was it there in the first place? Hmmmm - very fishy.

So, What can I do?

You can review all the exit programs on your system by using the WRKREGINF command, and paging through all the screens, or you can print a report using the same command. You will find that the printed report is a bit complex, but look for exit programs, especially those in non-IBM supplied libraries. Make sure you know what the Non-IBM exit programs are, and why they are there.

I want to suggest something that may increase your comfort level when installing new software. Start the IBM i auditing function for the user doing the install, to include auditing command execution and system changes. When the install is complete, run some QAUDJRN auditing reports to see exactly what happened during the install process.

Here’s a command to start auditing a user’s actions before you start the install process.


(Note: If you are auditing some of these events at the system level(i.e. in the QAUDLVL system value, you do not need to include them at the User level. But you will want to include at least *CMD, since that cannot be specified at the system level. It will provide an audit trail of every CL command executed by that user.)

And for detailed information on auditing changes to the Exit Point Registry, see the February 27, 2013 issue of the SecureMyi Security and Systems Management Newsletter in the article Auditing Exit Point Changes.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group. LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop

Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017