October 3, 2012 - Vol 2, Issue 17

Live Online Training from The 400 School


IBM i Snapshot from Powertech


Security Compliance Automation Tools - Designed by Carol Woodbury - Security Policy Compliance - Vulnerability Assessments - Audit Journal Reporting - Register today for a FREE Trial! - Brought to you by SkyView Partners

Feature Article

Avoid Unsanctioned 'Drive by' Access to IBM i

By Dan Riehl

Most of us run IBM i Access for Windows. That's the newest name for what we used to call PC Support, Client Access and iSeries Access. You probably use the Personal Communications PC5250 emulation software to provide your workstation sessions. You may also use the IBM i Navigator (Operations Navigator, iSeries Navigator) portion of IBM i Access for Windows.

There are several IBM supplied applications that are installed on your PC when you install IBM i Access for Windows. Included in these additional applications are the Remote Command facility, the ODBC Driver and various File Transfer programs and Service utilities. One critical piece of software that is installed is the command interface to Set or Flush the Signon Server cached User IDs and Passwords, which is the topic of our discussion here.

When you run IBM i Access functions on your PC that require communications with the host, you must first authenticate to the host. To accomplish this authentication, IBM provides the Signon Server GUI window where you provide your credentials(i.e. UserID and Password) as shown here.




Once you have successfully authenticated, your PC provides an open session to access the IBM i   without any further authentication!   You can transfer files, run remote commands, examine spooled files, and more.. . without providing your logon credentials again.

So, do you shut down your PC, or flush your cached credentials when you leave your desk? Or, as most, do your leave the session open, thus allowing unsanctioned access to the IBM i for anyone that happens to 'Drive-by' your unattended PC?

Read More.

In This Issue


Featured Article - Avoid Unsanctioned Access

Security Shorts - Library Authorities

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit RZKH.de


Thank You! To Our Great Sponsors


Platinum Sponsor
      The 400 School, Inc


Gold Sponsor
      The PowerTech Group

      Skyview Partners, Inc

Sponsor
      Cilasoft Security Solutions

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1


PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter




Follow SecureMyi on YouTube









IBM i Security News Bytes

Linoma Announces Version 3.0 of GoAnywhere Services

Linoma Software's GoAnywhere Services is a Secure FTP Server and HTTPS File Transfer solution that now includes 'Virtual Folders' to help simplify data transfer between trading partners. Sensitive data can be protected using optional FIPS 140-2 encryption.
See more Information from Linoma.





IBM i Security Calendar of Events



Live Security Related Webcasts and Training for IBM i


2012: The State of IBM i Security
Live webcast - Sponsored by the Powertech Group
Wednesday, October 10 1:00 PM CDT
More Information and Register to Attend


10 Ways for Making Your IBM i Security Administration Easier
Live webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners
Thursday, October 25 10:00 AM CDT
More Information and Register to Attend



2012 IBM Power Systems Technical University
Featuring over 400 educational sessions and labs
October 29-November 2
Caesar's Palace - Las Vegas, NV
More Information and Register to Attend


Attaining and Maintaining the Compliance Lifestyle
Live webcast - Featuring J.D. Seal - Vice President - Skyview Partners
Sponsored by Skyview Partners
Wednesday, November 7 10:00 AM CDT
More Information and Register to Attend


Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - November 13-16 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend





IBM i Snapshot from Powertech





Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Training from The 400 School

Security Shorts -

Misconceptions on Authorities to Libraries

By Dan Riehl

A popular misconception held by many people is that if a library is secured as *PUBLIC AUT(*USE), then this library authority provides Read-Only access to the files that reside in the library. For most of us who read this newsletter, we know that this is not true.

Here are the rules for library authorities.

*EXCLUDE Authority

If a user has *EXCLUDE authority to a library, they cannot access the library, nor can they access the objects within the library.

*USE Authority

If a user has *USE authority to a library, they can access the library, but cannot change attributes of the library, such as the library text. The user cannot add new objects to the library.

When it comes to accessing the objects within the library, the object authority is the determining factor. For example, if a user has *EXCLUDE authority to a file in the library, they cannot access the file. If a user has *USE authority to a file in the library, they have read-only access to the file. If the user has *CHANGE authority to a file, they can open the file for update and manipulate the records in the file (add, change, delete). If the user has *ALL rights to the file in the library, the user may perform all operations on the file including deleting the file. Yes, that's right. If a user has *USE authority to a library, the user can delete an object from the library if the user has *ALL authority, which includes *OBJEXIST authority to the object.

*CHANGE Authority

If a user has *CHANGE authority to a library, they can access the library and can change some attributes of the library. Changes to some attributes require the additional *OBJMGT(Object Management) authority to the library.

All of the same object rules are in effect as when the user has *USE authority to the library, but there is one big difference. If a user has *CHANGE authority to a library, they can create new objects in the library. That is the only real difference between *USE and *CHANGE authority to a library. If you have *CHANGE authority, you can add new objects.

*ALL Authority

If a user has *ALL authority to the library, the user can access the library, and may even be able to delete the library and all the objects within the library.

However, if the user does not have *ALL authority, or a mixture of *OBJEXIST and *OBJOPR authority to the objects in the library, the user cannot delete those objects and therefore cannot delete the library.

If a user has the authority to delete all the objects in the library, then the library itself can be deleted. All of the same rules apply to object access as when the user has *USE or *CHANGE rights to the library.

What about *ALLOBJ Authority?

When dealing with library and object authorities, you always have to take into account that some user profiles have *ALLOBJ special authority. When a user has *ALLOBJ special authority, there are no restrictions on accessing objects in your user libraries. A user with *ALLOBJ special authority can read, change and even delete any object in any user library on the system.

(Note: There are some objects that may not be deleted even by a user with *ALLOBJ special authority. For example, user profiles cannot be deleted by an *ALLOBJ user, unless that user also has *SECADM special authority.)


Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts


Now Accepting Credit Cards

IBM i Security Workshop Nov 13-16
Concepts & Control Language Oct 15-19
System Administration & Control Nov 5-9
Operations Workshop Oct 22-24
Expanded Operations Workshop
Oct 22-26




Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017