× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2006

RE: User profile question

We use the ANZDFTPWD ACTION(*PWDEXP *DISABLE) command to test for
accounts with the same password and username and disable them.
 

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of fbocch2595@xxxxxxx
Sent: 25 January 2006 15:56
To: midrange-l@xxxxxxxxxxxx
Subject: Re: User profile question

Does that mean that if qsecofr is disabled, I can still sign on to it at
the console?   
 
-----Original Message-----
From: Ketzes, Larry <Larry.Ketzes@xxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Sent: Wed, 25 Jan 2006 09:11:56 -0600
Subject: RE: User profile question


Folks,
    This is quoted from Carol Woodbury's Security Book ( a bible in my
opinion).

You also want to ensure that the IBM supplied profiles aren't usable.
Allowing IBM supplied profiles  to sign on is a wide open door for
hackers to exploit.  Make sure QPGMR, QSRV QSRVBAS, QSYSOPR, AND QUSER
ARE SET TO *NONE.  Also make Qsecofr  *DISABLED .  You can always sign
on as Qsecofr at the console if you need to .

Larry Ketzes
Senior Security Project Analyst
American Life Insurance Company

One ALICO Plaza
600 King Street
Wilmington, DE 19801
Phone: 302-594-2146
Mobile: 302-559-1631
Email: larry.ketzes@xxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jerry Adams
Sent: Wednesday, January 25, 2006 9:43 AM
To: Midrange Systems Technical Discussion
Subject: Re: User profile question

Wayne Evans (www.woevans.com) has a list of IBM supplied profiles that
he recommends setting to *None.  You can even email him from there about
almost any security question.


Setting an IBM supplied profile to expired will, as Joel says, cause
jobs to crash and burn.  There are tons of server jobs that use these
profiles so you could, effectively, bring your system to its proverbial
knees by disabling or expiring them.


Carole Woodbury (www.skyviewpartners.com) is another iSeries security
expert that you might check with.


I mention both Wayne and Carole because, while the answers from this 
list might satisfy you, my experience has been that auditors want 
something "authoritative."  Wayne and Carole formerly designed iSeries 
(AS/400) security while with IBM.  They currently consult and teach 
security (and security auditing). 


Pat Botz at IBM Rochester would be another "authoritative" reference.  I

think Pat monitors the forum from time-to-time so he may chime in soon.


    * Jerry C. Adams
*iSeries Programmer/Analyst
B&W Wholesale Distributors, Inc.* *
voice
    615.893.8633x152
fax
    615.995.1201
email
    jerry@xxxxxxxxxxxxxxx <mailto:jerry@xxxxxxxxxxxxxxx>



Harvell, Joel wrote:

>If you set a user profile to *disabled it will cause programs that use
>that user profile to fail.  
>
>Not sure of the wisdom of setting any of the IBM Supplied user Profiles
>to password = *none.  I'm hoping that you haven't set any of the User
>Profiles that have *secadm access set to *none.  Have your SOX auditors
>called you to the carpet for that. 
>
>If you are using any of the IBM Supplied user profiles to run scheduled
>jobs, I would recommend setting up clones of those user profiles so
that
>you can disable your IBM supplied User Profiles, if your SOX Auditors
>recommend that.
> 
>Joel B. Harvell
>Food Lion, LLC
>(704) 633-8250 x2709
>jbharvell@xxxxxxxxxxxx
>
>-----Original Message-----
>From: midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx
>[mailto:midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx] On
>Behalf Of Greg Wenzloff
>Sent: Wednesday, January 25, 2006 8:56 AM
>To: midrange-l@xxxxxxxxxxxx
>Subject: User profile question
>
>Our SOX auditors are hounding me about User Profiles.    I set most of
>the IBM supplied profiles to Password = *none.   I did not change the
>Status to *Disabled because I don't know about all of the effects of
>doing that.
>
>The help window says:
>                       Status - Help                         
>                                                             
> Specifies whether the user profile is valid for sign on or  
> for getting a profile handle.                               
>                                                             
> The possible values are:                                    
>  o  *ENABLED: The user profile is valid.                    
>  o  *DISABLED: The user profile is not valid.  
>
>What does "getting a profile handle" mean?    Will a disabled profile
>prevent programs from running?
>
>Greg
>
>  
>

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.