|
<snip> How many people do you think religiously write down the QSECOFR password and store it immediately on changing it ? <endsnip> Our system operator just dropped off a copy of all of our QSECOFR passwords for me to put into my lockbox. So does that make it everyone that I know? Rob Berendt -- Group Dekko Services, LLC Dept 01.073 PO Box 2000 Dock 108 6928N 400E Kendallville, IN 46755 http://www.dekko.com Evan Harris <spanner@xxxxxxxxxx> Sent by: midrange-l-bounces@xxxxxxxxxxxx 02/10/2004 02:45 PM Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx> cc Fax to Subject RE: Can We retire the QSECOFR userid? Hi Rob you asked first so I'll respond to you :) The major difference I see is that QSECOFR is a published well known (yes, the hackers know it) profile. My preference is to create QSECOFR class profiles and use those where required, as well as a QSYSOPR/QPGMR class profile for more general activities depending on what I am doing. I'd confess it's usually closer to QSECOFR and the operators get menus :) All QSECOFR class profiles including QSECOFR have auditing turned on. Any activity on the unused profile is monitored. The main reason I do this is that in the event that the SECOFR class profile is disabled, password forgotten or something happens there is a known profile with a recorded password available to get root access to the system. Better that some external party can ask for the QSECOFR password which is certain to have not changed as it has not been in general use. How many people do you think religiously write down the QSECOFR password and store it immediately on changing it ? I'd be willing to bet that they think "I'll get to it later after I've finished my coffee" as people usually change their password first thing in the morning when they are forced to. All those who are highly disciplined exceptions to the rule need not correct me :) If you have ever tried to break into a V5R2 system without QSECOFR because the only QSECOFR guy used it, changed it and forgot it you'll know what I mean. Even profile swapping will not work if you do not have another QSECOFR class profile *WITH* *SECADM. *ALLOBJ is not sufficient to swap to QSECOFR to allow you to reset the DST password (which has also been forgotten) to allow you to change the QSECOFR password. If you have to create a complete QSECOFR copy to allow you to fix any QSECOFR problems best you create one and while your at it create a DST back door with all rights. Regards Evan Harris >Does anyone really see a difference between having the generic QSECOFR or >a generic MYSECOFR with the same authorities? Granted, there are some >very limited applications where you must be QSECOFR, (ptf's ain't one of >them). But does creating the MYSECOFR give you any additional security? >None that I can think of. Oh, I suppose you could disable QSECOFR and >then a hack trying it would have a bear of a time getting in. But, other >than that? If so, why bother? > >Rob Berendt _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
