|
from: <midrangel@xxxxxxxxxxxxxxxxx>--
subject: RE: Disable QSECOFR?
It's a great idea until you need QSECOFR to do something on the system
and all your other high authority profiles are disabled, and the
profile you have does not have sufficient authority.
So you can sign into DST to reset the IBM i QSECOFR profile, but damn
that just got disabled too. Now you don't have ANY high authority
profiles to fix whatever it is that requires high authority. If you
can't get one of those two profiles fixed then to recover them you
must reload the system
(entirely) from tape.
Yea, great idea. (OK I'm a bit snarky here but at some point you
gotta wonder who am I protecting?)
Yes long passwords
Yes restrict devices
Monitor security logs to look for attempts to hack it Make DANG sure
you have a profile (no Q in first position) that is a back up that is
as heavily protected/restricted.
Disabled, not on my systems.
--
Jim Oberholtzer
Agile Technology Architects
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.