Re: Profile security

[John Hall <jhall@xxxxxxxxxxx>]

Ray Regalado wrote:
> 
> >My guess is that you did not understand your security auditor correctly.
> >For example, having PASSWORD(*NONE) is much safer than having PASSWORD
> >(*USRPRF). Each user profile that has PASSWORD(*USRPRF) should have its
> >password changed. It is not a good idea to give a password to most of the
> >IBM supplied user profiles that are shipped with PASSWORD(*NONE).
> 
> >Ed Fishel,
> >edfishel@US.IBM.COM
> 
> I understand that, but can you explain to me how having the mentioned
> profiles with Limited Capability equal to *NO and Password (*NONE) can cause
> a problem?  By the way, I did not mean to include QSECOFR in the list of
> profiles.
> 
> His exact words were, "You have too many profiles with Limited Capability
> equal to *NO and Password equal to *NONE."  Does that mean that I should
> change all the IBM profiles that are not being use to Limited Capability
> equal to *YES???
> 

My guess is that he really doesn't understand AS400 security.  Or maybe
I don't !  He probably thinks that password = *NONE means you just type
in the username and it logs you on without a password.

In any case "too many" profiles set with anything is not the correct
method for security any kind of system.  If there is a security risk
then ONE account set that way is a problem.  

John Hall
Home Sales Co.
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---