• Subject: Re: Security <was RE: Fw: Rewarding challenge AS/400...>
  • From: Jim Langston <jlangston@xxxxxxxxxxxxxxxx>
  • Date: Wed, 22 Sep 1999 07:53:53 -0700
  • Organization: Conex Global Logistics Services, Inc.

They write it in... a book?!?

I tell all my users not to give anyone their password, not even me.  When I show
them how to log on for the first time (they have expired set to yes) and explain
to them how to change their password, I tell them not to give it to anyone.

It sounds like that Supervisor needs to have the whole idea of passwords
explained to him.  About that time I think I would broadcast a message to *ALLWS
restating the policy of the IS department that people not give their password out
to anyone, including their supervisor.  Then I would go and set all passwords to
expired.

Regards,

Jim Langston

Eric wrote:

>         Being that many users do not know that they should not be signing on as
> other people, one option would be to present a screen to users every so
> often.  State that payroll wants the correct spelling of their name and
> what department that they are working in.  You could also specify that the
> name that they fill is not their USER ID.  This tends to weed out some of
> the culprits.
>         Nothing is foolproof though.  At a company that I worked at once, I
> turned on password expiration in hopes of keeping people from using each
> other's passwords.  I thought I had it all worked out until one day while I
> was in the sales department I heard someone yell, "It's time for me to
> change my password.  Who has the book?".  I asked the person what book they
> were looking for.  She said that whenever an employee changes their
> password, their supervisor makes them write their name and new password in
> a book for employee reference.  They keep it by the printer so everyone can
> access it.
>
> Eric Kempter
>
> -----Original Message-----
> From:   Jim Langston [SMTP:jlangston@conexfreight.com]
> Sent:   Tuesday, September 21, 1999 8:17 AM
> To:     MIDRANGE-L@midrange.com
> Subject:        Re: Fw: Rewarding challenge AS/400...
>
> One of my biggest headaches is that we have 3 remote sites on our WAN.
> Atlanta, San Diego and Atlanta (and I'm in Los Angeles).  I can fairly easily
> confirm who works here, but it is harder out there.
>
> I know when I started creating user profiles I would put descriptions in the
> text field explaining what their position was and where they were located,
> I.E. LA Counter Supervisor (Counter)
> so that I could determine at least where to find someone.
>
> The older profiles, on the other hand, give no indication of who they are
> or where they work.  I.E.  System User (Anna)
>
> The name in parenthesis is the name of the group profile they are under.
>
> I guess I'll just have to start from #1 and confirm everyone, and then fill
> out the comments.
>
> One of my many, many, many projects I need to do.
>
> Regards,
>
> Jim Langston
>
> "Kahn, David [JNJFR]" wrote:
>
> > Jim,
> >
> > I think the only thing you can do is to audit your user profiles on an
> > on-going basis. Set yourself a timescale to get through them all, then
> > parcel them up into so many per week or per month. When you get to the end
> > start again at the beginning and repeat indefinitely. It's a PITA for you
> > and irritating for your users but in the light of...
> >
> > >I then took a list of our users to our head accounting person/person
> > >in charge and asked them who still worked here.  She didn't know.
> >
> > ... I don't see any realistic alternative. You might be able to verify
> > against active security badges or something like that, but that's just
> > another system with its own set of holes.
> >
> > John Earl's recent posting "AS/400 on alt.hacker" graphically illustrates
> > the weakness inherent in assuming active account = good account. It might
> > also be a good idea to check for multiple concurrent sessions by user
> > profile. This can also give you an indication that profiles are being
> > shared.
> >
> > Dave Kahn
> > Johnson & Johnson International (Ethicon) France
> > Phone : +33 1 55 00 3180
> > Email :  dkahn1@jnjfr.jnj.com (work)
> >            dkahn@cix.co.uk      (home)
> >
> > -----Original Message-----
> > From: Jim Langston [mailto:jlangston@conexfreight.com]
> > Date: 20 September 1999 20:06
> > To: MIDRANGE-L@midrange.com
> > Subject: Re: Fw: Rewarding challenge AS/400...
> >
> > Well, usually no one tells me they left.  And if I find out later, I delete
> > them, or I find out when I analyze user passwords, and see the last date they
> > changed their password was over 30 days ago.
> >
> > But if someone is using some else's account...
> >
> > There was a case, for instance.  Someone had left before I came here,
> > analyzing passwords was fine.  Then, this person came back. And then I see
> > the message in QSYSMSG that their password was disabled.
> >
> > Looking at the display station it was disabled from I quickly figured out
> > what had happened.  There was a user who did not have the authority to
> > do something years ago, call them UserA, so this other user, UserB,  let
> > them use their account.  UserB then left the company.  No one was around
> > to delete UserB's account, and UserA continued to use it.  UserB comes
> > back to the company, and changes their password (how they figured out
> > what their current password was, I don't know, as they must change it
> > every 30 days).  UserA then tries to log in to UserB's account, and disables
> > it since the password was changed.
> >
> > UserA was talked to and told this was a definite no no, never do it again,
> > UserB was talked to and told never to give anyone their password,
> > a message was broadcast that everyone is to use their login and no one
> > else's, if they needed authority have their manager contact me or they
> > weren't supposed to be doing it in the first place.
> >
> > I then took a list of our users to our head accounting person/person in
> > charge and asked them who still worked here.  She didn't know.
> >
> > So what to do?
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to
> MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator:
> david@midrange.com
> > +---
>

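The thread describes three checks for a user-profile audit: flag profiles whose password is older than the expiration interval (nobody has signed on since it expired, so the owner has probably left), flag profiles whose TEXT says nothing about who the person is, and flag one profile signed on from several workstations at once (Dave Kahn's "multiple concurrent sessions" indicator of a shared password). The script below is an added example written for this archive page, not code from any of the posters. It runs over constructed sample data; the CSV column names and the job tuples are my own stand-ins for a DSPUSRPRF OUTPUT(*OUTFILE) export and a WRKACTJOB listing, and the real outfile field names differ.

```python
"""Audit a user-profile export for the warning signs discussed in the thread:
stale passwords, generic description text, and concurrent sessions on one
profile.  All sample data below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed export: profile name, TEXT() description, date the password
# was last changed, profile status.  Column names are assumptions, not the
# real DSPUSRPRF *OUTFILE field names.
PROFILES_CSV = """\
profile,text,pwd_changed,status
JLANG,LA Counter Supervisor (Counter),1999-09-15,*ENABLED
ANNA01,System User (Anna),1999-05-02,*ENABLED
USERB,Sales Rep (Anna),1999-09-20,*DISABLED
TEMP7,System User (Anna),1999-07-30,*ENABLED
"""

# Constructed active interactive jobs: (user, job name, workstation).
ACTIVE_JOBS = [
    ("JLANG", "QPADEV0001", "LAXCTR01"),
    ("ANNA01", "QPADEV0002", "ATLOPS03"),
    ("ANNA01", "QPADEV0005", "SANCTR02"),
    ("TEMP7", "QPADEV0007", "LAXDOCK1"),
]

# Description prefixes that say nothing about the person or their location.
GENERIC_TEXT = ("system user",)


def parse_profiles(text):
    """Parse the export into a list of dicts, with pwd_changed as a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["pwd_changed"] = date.fromisoformat(row["pwd_changed"])
        rows.append(row)
    return rows


def stale_profiles(profiles, today, pwd_interval_days=30):
    """Enabled profiles whose password is older than the expiration interval.

    With a 30-day interval, a password older than 30 days means nobody has
    signed on with the profile since it expired (a sign-on would have forced
    a change), so the owner has likely left.  Disabled profiles are skipped
    here; they belong in a separate delete-or-keep pass.
    """
    return sorted(
        p["profile"] for p in profiles
        if p["status"] == "*ENABLED"
        and (today - p["pwd_changed"]).days > pwd_interval_days
    )


def undescribed_profiles(profiles):
    """Profiles whose TEXT only says 'System User', with no position or site."""
    return sorted(
        p["profile"] for p in profiles
        if p["text"].strip().lower().startswith(GENERIC_TEXT)
    )


def shared_profiles(jobs):
    """Profiles with interactive jobs on more than one workstation at once.

    Returns {profile: [workstations]} for every profile seen on two or more
    distinct workstations, the concurrent-session sign of a shared password.
    """
    stations = defaultdict(set)
    for user, _job, workstation in jobs:
        stations[user].add(workstation)
    return {u: sorted(ws) for u, ws in stations.items() if len(ws) > 1}


def audit(profiles_csv=PROFILES_CSV, jobs=ACTIVE_JOBS, today=date(1999, 9, 22)):
    """Run all three checks and return the findings by category."""
    profiles = parse_profiles(profiles_csv)
    return {
        "stale": stale_profiles(profiles, today),
        "undescribed": undescribed_profiles(profiles),
        "shared": shared_profiles(jobs),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

On the sample data ANNA01 trips all three checks: its password is 143 days old, its TEXT is the generic "System User (Anna)", and it has sessions open from two workstations at once. A practitioner would take the "stale" list to the people who can confirm employment, and for the policy Jim describes (force everyone to pick a fresh password) run CHGUSRPRF with PWDEXP(*YES) against each enabled profile rather than editing by hand.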

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature.