Here are five security checks you can perform on your IBM i. They are simple and can be completed in 30 minutes.
1. Run the Analyze Default Passwords command with Action *None. The ANZDFTPWD ACTION(*NONE) command will provide a report of IBM i User profiles that have a password that matches the name of the user profile User=JDOE Password=JDOE. The report will show if the user account is enabled or disabled. User accounts that are enabled need to be fixed. The command can be run with two other options. *DISABLE and *PWDEXP. *Disable will disable the user account (the user will not be able to log in). *PwdExp will set the password to expired make the user change the password on their next log in.
2. If you are not using the IBM Navigator for i website, end it. The Navigator for i Website provides a web interface for performing system administration functions. If you are not using it, end the web instance with the command ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN). Starting it is easy with the similar command STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN). You may also want to consider ending the FTP server if you are not using it. ENDTCPSVR SERVER(*FTP)
3. Review the security system values. The security system vales should be given a regular review to ensure the settings haven’t been changed for a temporary task and then forgotten. A lot of consideration can be needed for some of the security settings. To view all the security-related system values, use the command WRKSYSVAL SYSVAL(*SEC). Here are a few that I think are a priority and have a low risk for modifying.
QMAXSIGN – Maximum sign-on attempts allowed. I recommend a value of five. It is a reasonable number for users who forgot their passwords and does not give an unauthorized user too many attempts.
QMAXSGNACN – Action to take for failed sign-on attempts. This defines what the system will do when the maximum number of invalid password attempts is reached. I recommend the device and the user profile be disabled with a value of 3. This may increase your support calls, but you will know when there is an issue.
QLMTSECOFR – Limit security officer device access. This will limit users with all object authority or service authority to explicitly authorized devices. Make sure you grant the user to the specific devices before enabling this. Here is an example command authorizing user QSECOFR to the DSP01 workstation GRTOBJAUT OBJ(DSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*CHANGE).
4. Review user profile authorities. What users have special or administrative authorities? This command creates a quick report PRTUSRPRF.
5. Do end-users need the ability to run commands from an IBM I command line? If the answer is no, change their user profile to limit capabilities CHGUSRPRF USRPRF(xxxxx) LMTCPB(*YES). The report from the PRTUSRPRF command includes information on what users have limited capabilities.
Joe Hainey is a former IBM Business partner with over sixteen IBM AS400/iSeries certifications. He has been helping clients with the IBM i platform for over fifteen years. He has performed IBM i recovery of four different IBM servers for clients and provided training and DR testing for other clients. He is the founder of Inspire Technologies, an IT consulting firm that specializes in IBM i, e-commerce, and EDI solutions.
Joe can be reached at email@example.com