• Subject: RE: New AS/400 - Now What?
  • From: "Draper, Dale" <dale.draper@xxxxxxxxxxxx>
  • Date: Tue, 30 Nov 1999 06:37:40 -0800

Another little publicized security issue:

Client Access for W95 / NT puts named connections on your "network
neighborhood" list. If a user clicks on this they will see a folder called
QSYS.LIB; this is basically QGPL via the IFS system.
Most people have security based on green screen applications, via menu
controls, Limit Capabilities *YES, etc. These green screen limitations DO
NOT apply when accessing the AS400 via FTP, ODBC, IFS via "network
neighborhood" or Operations Navigator.
If a user were to hit the delete key while highlighting QSYS.LIB, all
objects and libraries that they could delete would delete. And this is a LOT
more objects than you or I would like to think is the case. I did some
testing on my Security 40 machine that runs JD Edwards. YIKES! Scary stuff.
I tried changing the AUTL of QPWFSERVER for *PUBLIC to *USE, nope, *PUBLIC
still had authority to objects within this folder (of course).
The ONLY way to secure people from this is to change the AUTL of QPWFSERVER,
changing *PUBLIC to *EXCLUDE.

On a command line type:
WRKAUTL AUTL(QPWFSERVER) and hit return, type 2 to edit authority and change
*public to *EXCLUDE.

Client Access Express (V4R2 or higher) does not do this, so those that use
the CA V4R4 do not need to bother with this.


And to reiterate what Jeffrey said, document, document, document. Print out
SYSVAL's at every step and save the spool file under an outq you make called
SYSVAL, do the same for other important items as well. Do a lot of SAVSYS's.
Go through your SYSVAL's, hopefully you have another machine to check it
against? Do not assume that the shipped values are correct.
But, for about $75-$125 an hour, you can get a professional to come in and
set you up in about 4 hours. I can recommend a company in the SF Bay Area.




Dale Draper
Sega Enterprises, Inc. (USA)
Dale.Draper@seu.sega.com
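
Added example (not part of Dale's message or of the quoted posts): the QPWFSERVER change and the "document, document, document" advice combined in one CL source member, so the change is recorded before and after and can be replayed later. The program name LOCKPWFS and the choice of QGPL as the library for the SYSVAL output queue are assumptions.

```cl
/* LOCKPWFS - hypothetical program name; added example, not from the thread */
PGM

  /* Create the SYSVAL output queue only if it is not there yet.       */
  /* QGPL as its library is an assumption; CPF9801 = object not found. */
  CHKOBJ     OBJ(QGPL/SYSVAL) OBJTYPE(*OUTQ)
  MONMSG     MSGID(CPF9801) EXEC(CRTOUTQ OUTQ(QGPL/SYSVAL) +
               TEXT('Configuration change records'))

  /* Send this job's spooled output to that queue. This applies to     */
  /* printer files that are left at OUTQ(*JOB).                        */
  CHGJOB     OUTQ(QGPL/SYSVAL)

  /* Record the authorization list as it stands before the change.     */
  DSPAUTL    AUTL(QPWFSERVER) OUTPUT(*PRINT)

  /* The change described above: *PUBLIC gets *EXCLUDE on QPWFSERVER.  */
  CHGAUTLE   AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)

  /* Record the list again so the spool file shows the new state.      */
  DSPAUTL    AUTL(QPWFSERVER) OUTPUT(*PRINT)

  /* Print every system value for comparison against another machine.  */
  WRKSYSVAL  SYSVAL(*ALL) OUTPUT(*PRINT)

ENDPGM
```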



> -----Original Message-----
> From: Jeffrey Silberberg [SMTP:jsilberberg@mindspring.com]
> Sent: Tuesday, November 30, 1999 5:38 AM
> To:   midrange-l-digest@midrange.com
> Subject:      RE: New AS/400 - Now What?
> 
> Kirk,
> 
>       You missed what in my mind would be some important steps.
> 
> #5 - Using the Security Advisor questionnaire at
> http://www.as400.ibm.com/tstudio/secure1/index_av.htm set up the security
> levels and establish the security policy for your system.
> 
> #6 - Setup a Source CLP member and start the SYSVALMOD or whatever you call
> it CL program.  This and the CLP from the Security advisor combined should
> hold any and all CL commands executed to configure the system such as
> CHGSYSVAL Qanything. This way the changes are documented, and the CL can be
> used in the event of a Disaster recovery issue at a later date.
> 
> #7 - Setup any system journals like Security Audits, and Job Accounting for
> the Box.
> 
> #8 - Now let the world in according to your Security policy !!
> 
> Jeffrey M. Silberberg
> CompuDesigns, Inc.
> (770) 399-9464
> 
> Abandon the search for Truth; settle for a good fantasy.
> ------------------------------
> 
> Date: Mon, 29 Nov 1999 20:38:54 -0800
> From: Kirk Goins <KirkG@pacinfosys.com>
> Subject: RE: New AS/400 - Now What?
> 
> > -----Original Message-----
> > From: Gallagher, Debbie [SMTP:dgallagher@deloitte.ca]
> > Sent: Monday, November 29, 1999 12:24 PM
> > To: Midrange-L@midrange.com
> > Subject: New AS/400 - Now What?
> >
> > < SNIP >
> > SNIP...
> < SNIP >
> 
> #4 Now is a good time for a FULL BACKUP of the base machine. GO
> SAVE and take an opt #21.
> 
> < SNIP >
> 
> At this point or before #4 you need to assign IP addresses,
> Setup any networking, Setup the Netfinity/IPCS with NT or whatever if
> you have it.
> 
> OK call your SW Vendor(s)/Programmer(s)/Consultant(s) etc and
> let them get started. There will still be lots to do like setting up users
> based on the security plan, getting your regular backups started... etc.
> 
> Hope this helps...
> 
> - ---------------------------------
> Kirk Goins
> IBM Certified AS/400 Technical Solutions
> Pacific Information Systems
> 503-290-2104
> kirkg@pacinfosys.com
> - ---------------------------------
> 
> 
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to
> MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
> david@midrange.com
> +---