• Subject: RE: Fw: Rewarding challenge AS/400...
  • From: "Kahn, David [JNJFR]" <DKahn1@xxxxxxxxxxxxx>
  • Date: Tue, 21 Sep 1999 10:20:58 +0200

Jim,

I think the only thing you can do is to audit your user profiles on an
on-going basis. Set yourself a timescale to get through them all, then
parcel them up into so many per week or per month. When you get to the end
start again at the beginning and repeat indefinitely. It's a PITA for you
and irritating for your users but in the light of...

>I then took a list of our users to our head accounting person/person
>in charge and asked them who still worked here.  She didn't know.

... I don't see any realistic alternative. You might be able to verify
against active security badges or something like that, but that's just
another system with its own set of holes.

John Earl's recent posting "AS/400 on alt.hacker" graphically illustrates
the weakness inherent in assuming active account = good account. It might
also be a good idea to check for multiple concurrent sessions by user
profile. This can also give you an indication that profiles are being
shared.

Dave Kahn
Johnson & Johnson International (Ethicon) France
Phone : +33 1 55 00 3180
Email :  dkahn1@jnjfr.jnj.com (work)
           dkahn@cix.co.uk      (home)
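The checks Dave recommends (audit every profile on a rolling basis, cross-check against who still works here, and look for one profile signed on from several devices at once) can be scripted. The following is an added example, not code from the thread or from IBM; the profile export, the HR list, the active-job list and the 30/90-day thresholds are all constructed assumptions. In practice the inputs would come from an export of the user profiles and of the active jobs, but the format assumed here is hypothetical.

```python
"""
Stale / shared user-profile audit over constructed sample data.

Added example, not from the original thread. The input layouts and all
sample values below are assumptions made for illustration.
"""
from datetime import date
from typing import Dict, List, Optional, NamedTuple

PASSWORD_MAX_AGE_DAYS = 30   # the 30-day password rotation mentioned in the thread
STALE_SIGNON_DAYS = 90       # assumption: no sign-on in 90 days warrants a look


class Profile(NamedTuple):
    name: str
    status: str                  # "*ENABLED" or "*DISABLED"
    last_signon: Optional[date]  # None = never signed on
    pwd_changed: Optional[date]  # None = unknown / never changed


# Constructed profile export (hypothetical data).
PROFILES = [
    Profile("USERA", "*ENABLED", date(1999, 9, 20), date(1999, 8, 10)),
    Profile("USERB", "*DISABLED", date(1999, 9, 20), date(1999, 9, 19)),
    Profile("OLDCLERK", "*ENABLED", date(1999, 3, 2), date(1999, 2, 28)),
    Profile("NEWHIRE", "*ENABLED", None, date(1999, 9, 15)),
    Profile("QSECOFR", "*ENABLED", date(1999, 9, 20), date(1999, 9, 10)),
]

# Constructed "who still works here" list, the question Jim put to accounting.
ACTIVE_STAFF = {"USERA", "NEWHIRE", "QSECOFR"}

# Constructed active-session list: (job number, user profile, device name).
ACTIVE_JOBS = [
    ("123456", "USERA", "DSP01"),
    ("123457", "USERA", "DSP07"),
    ("123458", "NEWHIRE", "DSP03"),
    ("123459", "QSECOFR", "QPADEV0001"),
]


def orphaned_profiles(profiles: List[Profile], active_staff) -> List[str]:
    """Enabled profiles with no matching current employee: delete candidates."""
    return sorted(p.name for p in profiles
                  if p.status == "*ENABLED" and p.name not in active_staff)


def stale_profiles(profiles: List[Profile], today: date,
                   max_idle_days: int = STALE_SIGNON_DAYS) -> List[str]:
    """Enabled profiles that never signed on, or not within max_idle_days."""
    out = []
    for p in profiles:
        if p.status != "*ENABLED":
            continue
        if p.last_signon is None or (today - p.last_signon).days > max_idle_days:
            out.append(p.name)
    return sorted(out)


def overdue_passwords(profiles: List[Profile], today: date,
                      max_age_days: int = PASSWORD_MAX_AGE_DAYS) -> List[str]:
    """Profiles whose password is older than the rotation policy allows."""
    return sorted(p.name for p in profiles
                  if p.pwd_changed is None
                  or (today - p.pwd_changed).days > max_age_days)


def concurrent_sessions(jobs) -> Dict[str, List[str]]:
    """Profiles signed on from more than one device at once (possible sharing)."""
    devices: Dict[str, set] = {}
    for _job, user, device in jobs:
        devices.setdefault(user, set()).add(device)
    return {u: sorted(d) for u, d in devices.items() if len(d) > 1}


def audit(profiles=PROFILES, active_staff=ACTIVE_STAFF, jobs=ACTIVE_JOBS,
          today: date = date(1999, 9, 21)) -> Dict[str, object]:
    """Run all four checks and return the findings keyed by check name."""
    return {
        "orphaned": orphaned_profiles(profiles, active_staff),
        "stale": stale_profiles(profiles, today),
        "overdue_password": overdue_passwords(profiles, today),
        "shared": concurrent_sessions(jobs),
    }


if __name__ == "__main__":
    for finding, names in audit().items():
        print(f"{finding}: {names}")
```

On the sample data the run flags OLDCLERK as orphaned and stale, USERA and OLDCLERK as overdue on password rotation, and USERA as signed on from two devices, which is the pattern the UserA/UserB story describes. The HR cross-check is the one that actually catches leavers; the other three only surface candidates for a human to confirm.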


-----Original Message-----
From: Jim Langston [mailto:jlangston@conexfreight.com]
Date: 20 September 1999 20:06
To: MIDRANGE-L@midrange.com
Subject: Re: Fw: Rewarding challenge AS/400...


Well, usually no one tells me they left.  And if I find out later, I delete
them, or I find out when I analyze user passwords and see that the last date
they changed their password was over 30 days ago.

But if someone is using someone else's account...

There was a case, for instance.  Someone had left before I had come here;
analyzing passwords was fine.  Then, this person came back.  And then I see
the message in QSYSMSG that their password was disabled.

Looking at the display station it was disabled from I quickly figured out
what had happened.  There was a user who did not have the authority to
do something years ago, call them UserA, so this other user, UserB,  let
them use their account.  UserB then left the company.  No one was around
to delete UserB's account, and UserA continued to use it.  UserB comes
back to the company, and changes their password (how they figured out
what their current password was, I don't know, as they must change it
every 30 days).  UserA then tries to log in to UserB's account, and disables
it since the password was changed.

UserA was talked to and told this was a definite no-no, never do it again.
UserB was talked to and told never to give anyone their password.  A message
was broadcast that everyone is to use their own login and no one else's; if
they needed authority, have their manager contact me, or they weren't supposed
to be doing it in the first place.

I then took a list of our users to our head accounting person/person in charge
and asked them who still worked here.  She didn't know.

So what to do?
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
