Or they are using a phone used by 20 people in a warehouse or production environment? No disrespect intended, but we have over half the people here that do not have voice mail. What we do is let the Branch Manager know and they go to the new user and walk them through things.

Chuck

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jones, John (US)
Sent: Thursday, November 09, 2006 11:55 AM
To: Midrange Systems Technical Discussion
Subject: RE: iSeries Security in Computerworld

That hole can be crawled through for existing employees that watch for new people. Once the new ID is created, call the help desk and say you're the new guy. Get the temp pwd and use it to access the system. Sign on and change the password. No biggie. Have fun with whatever privs the new ID was granted.

When the new guy actually calls for their password, which will likely be hours or days after the ID was created, the profile will get changed but there is a window of opportunity that can be exploited fairly easily. Unless the help desk actually checked for recent signon activity before changing the pwd, the fact that the profile was used may never come to light.

That risk can be mitigated, BTW. When called for a password reset our help desk will not give the new password to a human over the phone. Instead, the user is asked to not answer the phone and the help desk calls them back at the number listed in the corporate address book. The help desk leaves the temp password in the user's voicemail, which is password/PIN protected. (Of course this assumes the voicemail PIN is a non-default value.)

John
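
The check the quoted message says a help desk could make before a reset (has this recently created profile already been signed on to?) is sketched below as an added example; it is not part of either e-mail. The event format, the profile names and the seven-day "new profile" window are assumptions, and the sample lines are constructed rather than taken from any system's audit output.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp, profile, event, actor (hypothetical format)
SAMPLE = """\
2006-11-06T09:00 NEWGUY1 CREATE admin
2006-11-06T13:10 NEWGUY1 RESET helpdesk
2006-11-06T13:25 NEWGUY1 SIGNON NEWGUY1
2006-11-06T13:26 NEWGUY1 PWDCHG NEWGUY1
2006-11-08T08:40 NEWGUY1 RESET helpdesk
2006-11-07T10:00 NEWGUY2 CREATE admin
2006-11-09T11:00 NEWGUY2 RESET helpdesk
"""

def parse(text):
    """Turn the whitespace-separated event lines into time-ordered tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, profile, event, actor = line.split()
        rows.append((datetime.fromisoformat(ts), profile, event, actor))
    return sorted(rows)

def resets_needing_review(text, new_days=7):
    """Flag reset requests on new profiles that already show sign-on activity.

    A reset for a profile created within `new_days` that has been signed on to
    before the request means someone already used a temporary password, so
    the caller's identity should be verified before anything is changed.
    """
    created, signons, findings = {}, {}, []
    for ts, profile, event, _actor in parse(text):
        if event == "CREATE":
            created[profile] = ts
            signons[profile] = []
        elif event == "SIGNON":
            signons.setdefault(profile, []).append(ts)
        elif event == "RESET":
            born = created.get(profile)
            is_new = born is not None and ts - born <= timedelta(days=new_days)
            used = signons.get(profile, [])
            if is_new and used:
                findings.append((profile, ts, used[-1]))  # last sign-on seen
    return findings

if __name__ == "__main__":
    for profile, reset_at, last_signon in resets_needing_review(SAMPLE):
        print(f"{profile}: reset asked {reset_at}, already signed on {last_signon}")
```
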
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.