× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Folks,
        This is quoted from Carol Woodbury's Security Book ( a bible in my
opinion).

You also want to ensure that the IBM supplied profiles aren't usable.
Allowing IBM supplied profiles  to sign on is a wide open door for hackers
to exploit.  Make sure QPGMR, QSRV QSRVBAS, QSYSOPR, AND QUSER ARE SET TO
*NONE.  Also make Qsecofr  *DISABLED .  You can always sign on as Qsecofr at
the console if you need to .

Larry Ketzes
Senior Security Project Analyst
American Life Insurance Company

One ALICO Plaza
600 King Street
Wilmington, DE 19801
Phone: 302-594-2146
Mobile: 302-559-1631
Email: larry.ketzes@xxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jerry Adams
Sent: Wednesday, January 25, 2006 9:43 AM
To: Midrange Systems Technical Discussion
Subject: Re: User profile question

Wayne Evans (www.woevans.com) has a list of IBM supplied profiles that 
he recommends setting to *None.  You can even email him from there about 
almost any security question.


Setting an IBM supplied profile to expired will, as Joel says, cause 
jobs to crash and burn.  There are tons of server jobs that use these 
profiles so you could, effectively, bring your system to its proverbial 
knees by disabling or expiring them.


Carole Woodbury (www.skyviewpartners.com) is another iSeries security 
expert that you might check with.


I mention both Wayne and Carole because, while the answers from this 
list might satisfy you, my experience has been that auditors want 
something "authoritative."  Wayne and Carole formerly designed iSeries 
(AS/400) security while with IBM.  They currently consult and teach 
security (and security auditing). 


Pat Botz at IBM Rochester would be another "authoritative" reference.  I 
think Pat monitors the forum from time-to-time so he may chime in soon.


        * Jerry C. Adams
*iSeries Programmer/Analyst
B&W Wholesale Distributors, Inc.* *
voice
        615.893.8633x152
fax
        615.995.1201
email
        jerry@xxxxxxxxxxxxxxx <mailto:jerry@xxxxxxxxxxxxxxx>



Harvell, Joel wrote:

>If you set a user profile to *disabled it will cause programs that use
>that user profile to fail.  
>
>Not sure of the wisdom of setting any of the IBM Supplied user Profiles
>to password = *none.  I'm hoping that you haven't set any of the User
>Profiles that have *secadm access set to *none.  Have your SOX auditors
>called you to the carpet for that. 
>
>If you are using any of the IBM Supplied user profiles to run scheduled
>jobs, I would recommend setting up clones of those user profiles so that
>you can disable your IBM supplied User Profiles, if your SOX Auditors
>recommend that.
> 
>Joel B. Harvell
>Food Lion, LLC
>(704) 633-8250 x2709
>jbharvell@xxxxxxxxxxxx
>
>-----Original Message-----
>From: midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx
>[mailto:midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx] On
>Behalf Of Greg Wenzloff
>Sent: Wednesday, January 25, 2006 8:56 AM
>To: midrange-l@xxxxxxxxxxxx
>Subject: User profile question
>
>Our SOX auditors are hounding me about User Profiles.    I set most of
>the IBM supplied profiles to Password = *none.   I did not change the
>Status to *Disabled because I don't know about all of the effects of
>doing that.
>
>The help window says:
>                       Status - Help                         
>                                                             
> Specifies whether the user profile is valid for sign on or  
> for getting a profile handle.                               
>                                                             
> The possible values are:                                    
>  o  *ENABLED: The user profile is valid.                    
>  o  *DISABLED: The user profile is not valid.  
>
>What does "getting a profile handle" mean?    Will a disabled profile
>prevent programs from running?
>
>Greg
>
>  
>


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.