SecureMyi.com Security and Systems Management Newsletter for the IBM i             May 14, 2014 - Vol 4, Issue 8
Feature Article

The CHGPRF Command - Change My Own Profile - Really?

By Dan Riehl - SecureMyi.com

Did you know that your end users and IT staff members may be able to change their own User Profile settings?

Just as users can run the CHGPWD (Change Password) command to change their own password, there is another command, CHGPRF (Change Profile), that they may use to change their own user profile.

Numerous User Profile attributes can be changed using this CHGPRF command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc.

The CHGPRF command ships from IBM with *PUBLIC *USE authority, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kinds of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit Capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal, since the only people on your system who can run this command are IT folks and a limited number of users who have access to the command line. Users that are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But any user that has IBM i Access (Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command:

RMTCMD     CHGPRF   JOBD(QGPL/HIGHPRI)   TEXT('I am so cool')

The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access for Windows, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that controls this type of activity.

My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command.
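The following CL program is an added example, not code from the newsletter or from IBM: it applies the recommendation above with GRTOBJAUT, re-grants the command to an administrator group, and then runs the checks a defender would want afterwards. SECADMIN is an assumed (hypothetical) group profile name; QIBM_QZRC_RMT is the registered exit point for the remote command server that RMTCMD talks to.

```cl
/* Added example, not code from the newsletter: remove CHGPRF from general   */
/* use, hand it back to the administrators who maintain profiles, and verify.*/
/* SECADMIN is an assumed (hypothetical) group profile name.                 */
PGM
   /* 1. Take the command away from everyone. Users holding *ALLOBJ special  */
   /*    authority are not affected by object authority.                     */
   GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

   /* 2. Re-grant *USE to the administrator group only.                      */
   GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) USER(SECADMIN) AUT(*USE)

   /* 3. Show the resulting authorities; *PUBLIC should now read *EXCLUDE.   */
   DSPOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) OUTPUT(*PRINT)

   /* 4. Check whether an exit program guards the remote command server,     */
   /*    the path RMTCMD uses (exit point QIBM_QZRC_RMT).                    */
   WRKREGINF  EXITPNT(QIBM_QZRC_RMT) OUTPUT(*PRINT)

   /* 5. Profile changes made through CHGPRF are recorded as CP (user        */
   /*    profile changed) entries in the audit journal when *SECURITY        */
   /*    auditing is active; list them to see who has been using it.         */
   DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(CP) OUTPUT(*PRINT)
ENDPGM
```

Two caveats when reading the output: at QSECURITY level 20 every user effectively has *ALLOBJ, so the authority change has no effect until the system runs at level 30 or higher; and step 5 only shows changes if QAUDJRN exists and QAUDLVL includes *SECURITY.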

And I really wonder who came up with this CHGPRF command, which potentially allows users to skirt the settings chosen by the system administrator.

In This Issue


Featured Article - CHGPRF Command

Security Shorts - Numeric UserID Password

Featured Video - Virus Worms Malware

Industry News and Calendar

Security Resources

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter

Follow SecureMyi on YouTube


Software from Cilasoft


Security software from Powertech

Featured YouTube Educational Video

IBM i Security - Is the IBM i Vulnerable to Virus, Worms and other Malware?

Cannot access YouTube from your office? Download the video in wmv format.

Security News and Events


Live Security Related Webcasts and Training for IBM i

May Events

Coffee with Carol: with Carol Woodbury
Security Considerations for Application Development including PCI Requirements

Live Webcast - Presented by Skyview Partners
Friday, May 16 10:00am CDT

The 2014 State of IBM i Security
Live Webcast - Presented by Powertech
Wednesday, May 21 1:00pm CT
June Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
Security Shorts - All Numeric Passwords and User IDs

By Dan Riehl - SecureMyi.com

My UserID is 77 and My Password is 123456

Naming rules for the IBM i state that an object name must begin with an alphabetic character (A-Z, #, $, or @) and that the remaining characters (up to 10 in total) may contain A-Z, 0-9, #, $, @, _ and a period (.). Object names are not case sensitive.

However, when it comes to user profile names and passwords, an interesting phenomenon occurs.

When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)

CRTUSRPRF USRPRF(BOBSMITH) PASSWORD(PASS1WORD5)

Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.

But consider this next example:

CRTUSRPRF USRPRF(Q12345) PASSWORD(Q11111)

When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain.

  • The user can log on with user Q12345 with a password of Q11111.
  • The user can log on with user Q12345 with an all-numeric password of 11111.
  • The user can log on with an all-numeric user 12345 with a password of Q11111.
  • The user can log on with an all-numeric user 12345 with an all-numeric password of 11111.

The secret to this weird support lies in the first character of the user name or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user name or password during the system logon process.

You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command.

As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.

In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibits the use of adjacent digits in a password when the user changes it.
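The CL program below is an added example, not code from the newsletter: it applies the QPWDLMTAJC setting described above and then inventories existing user profiles whose names are a Q followed only by digits, since those profiles can already be signed on to with the bare number regardless of any future password rule. It assumes the QPWDLVL 0 or 1 setting used in this article, and it reads the DSPUSRPRF TYPE(*BASIC) outfile through its model file QADSPUPB (field UPUPRF); the QTEMP/USRPRFS outfile name and the message-based reporting are this example's own choices.

```cl
/* Added example, not code from the newsletter: enforce the adjacent-digit   */
/* password rule and report profile names of the "Q + digits" form.          */
PGM
   DCLF       FILE(QSYS/QADSPUPB)       /* model for DSPUSRPRF *BASIC outfile */
   DCL        &TRUE   *LGL  VALUE('1')
   DCL        &QDGT   *LGL
   DCL        &C      *CHAR LEN(1)
   DCL        &I      *INT
   DCL        &COUNT  *DEC  LEN(5 0) VALUE(0)
   DCL        &CNTCHR *CHAR LEN(5)

   /* 1. Policy: reject passwords that contain adjacent digits, so Q11111  */
   /*    (and therefore 11111) can no longer be chosen with CHGPWD.        */
   CHGSYSVAL  SYSVAL(QPWDLMTAJC) VALUE('1')
   DSPSYSVAL  SYSVAL(QPWDLMTAJC)

   /* 2. Inventory: dump all profiles to an outfile (assumed name) and    */
   /*    walk it looking for names that are Q followed only by digits.    */
   DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
              OUTFILE(QTEMP/USRPRFS)
   OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRFS)

READLOOP:  DOWHILE    COND(&TRUE)
      RCVF
      MONMSG     MSGID(CPF0864) EXEC(LEAVE CMDLBL(READLOOP))   /* end of file */

      /* Must start with Q and have at least one more character.          */
      IF         COND(%SST(&UPUPRF 1 1) *NE 'Q' *OR +
                      %SST(&UPUPRF 2 1) *EQ ' ') THEN(ITERATE CMDLBL(READLOOP))

      /* Every remaining non-blank character must be a digit.             */
      CHGVAR     VAR(&QDGT) VALUE('1')
CHKCHAR:  DOFOR    VAR(&I) FROM(2) TO(10)
         CHGVAR  VAR(&C) VALUE(%SST(&UPUPRF &I 1))
         IF      COND(&C *EQ ' ') THEN(LEAVE CMDLBL(CHKCHAR))
         IF      COND(&C *LT '0' *OR &C *GT '9') THEN(DO)
            CHGVAR VAR(&QDGT) VALUE('0')
            LEAVE  CMDLBL(CHKCHAR)
         ENDDO
      ENDDO

      IF         COND(&QDGT) THEN(DO)
         CHGVAR    VAR(&COUNT) VALUE(&COUNT + 1)
         SNDPGMMSG MSG('Q-digit profile name found: ' *CAT &UPUPRF)
      ENDDO
   ENDDO

   DLTOVR     FILE(QADSPUPB)
   CHGVAR     VAR(&CNTCHR) VALUE(&COUNT)
   SNDPGMMSG  MSG('Q-digit profile names found: ' *CAT &CNTCHR)
ENDPGM
```

The profile-name scan matters because the system value only governs passwords: a profile named Q12345 keeps its alternate sign-on name 12345 until the profile itself is renamed, so each name the program reports is a candidate for renaming or review.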


Sponsored Links


IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming






Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Services from SecureMyi.com

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017