• Subject: Re: Restricting User Access
  • From: LAN400GEEK@xxxxxxx
  • Date: Tue, 18 Nov 1997 23:22:59 -0500 (EST)

In a message dated 97-11-18 06:46:50 EST, you write:

<< 
 At 04:51 PM 11/17/97 PST, you wrote:
 >
 >What security level (QSECURITY) is your system at, Chris?  Have you
 >considered duplicating the QUSER profile?  That profile should have very
 >little security assigned to it.  Aside from that, creating a user profile
 >with Limit Capabilities of *YES will restrict anyone who signs on with
 >your newly created user profile from running commands or changing the
 >user profile if your system is at Security level 30 or above.
 
>> Eric,
>>
>> Sadly even QUSER has too much authority on a default AS/400.  Through both
>> your shop's (really most shops', I'm not picking on you) and OS/400's
>> liberal use of *PUBLIC access, QUSER is authorized to a number of things
>> that you wouldn't want the real *PUBLIC (remember in the internet world
>> *PUBLIC can now literally be the whole freaking world!) to have access to.
>>
>> Also, sadly, LMTCPB does not prevent command execution from networked
>> users.  LMTCPB only works with QCMD.  Any networked system running Client
>> Access, DDM, or FTP can slip right under the RMTCMD gate without being
>> blocked, or even logged.  What's amazing is that this means every /400
>> with PCs attached has had this vulnerability since the early days of PC
>> support.  It just took the 'user friendliness' of W95 to make it so hard
>> to ignore.
>>
>> (Hmmm... that may have been a thinly veiled plug for our product, guess I
>> should declare myself a vendor.  :)
>> 
>> 
>> HTH,
>> 
>> jte
>> 
  >>
Just wanted to mention that you can write an exit program to monitor what
access requests are coming into the AS/400 (and specify that PGM/LIB in your
AS/400 network attributes) and block any RMTCMD, DDM or ODBC or any other
kind of requests.  Please note: I have not tested this type of pgm to block
FTP, but I believe it can be done.  

Thanks

Reid Collier
Operations Manager
lan400geek@aol.com
  
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
|    and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

