


Good explanation Pete.

Larry Ketzes
Senior Security Project Analyst
American Life Insurance Company

One ALICO Plaza
600 King Street
Wilmington, DE 19801
Phone: 302-594-2146
Mobile: 302-559-1631
Email: larry.ketzes@xxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Massiello
Sent: Wednesday, January 25, 2006 10:45 AM
To: Midrange Systems Technical Discussion
Subject: Re: User profile question

   If you make QSECOFR *Disabled, you won't be able to sign on anywhere.

   I think when she is referring to signing on at the console, she is
   talking about making the system value QLMTSECOFR set to a 1, and then
   only giving explicit authority to QCONSOLE and DSP01 so that you can
   sign on to either of these devices with the QSECOFR user profile and
   then no others.

   I agree with the other user profiles, but I would encourage people to
   just change the passwords from the defaults they are shipped with.
   Also do NOT forget to change the DST passwords, and to create a few
   other profiles in DST, in case someone disables the DST QSECOFR user
   profile (which is not the same as the OS/400 *USRPRF) from signing on
   by trying too many times.

   JMHO,
   Pete

   Ketzes, Larry wrote:

 Folks,
         This is quoted from Carol Woodbury's Security Book (a bible in my
 opinion).

 You also want to ensure that the IBM supplied profiles aren't usable.
 Allowing IBM supplied profiles to sign on is a wide open door for hackers
 to exploit.  Make sure QPGMR, QSRV, QSRVBAS, QSYSOPR, AND QUSER ARE SET TO
 *NONE.  Also make Qsecofr *DISABLED.  You can always sign on as Qsecofr
 at the console if you need to.

 Larry Ketzes
 Senior Security Project Analyst
 American Life Insurance Company

 One ALICO Plaza
 600 King Street
 Wilmington, DE 19801
 Phone: 302-594-2146
 Mobile: 302-559-1631
 Email: larry.ketzes@xxxxxxx


 -----Original Message-----
 From: midrange-l-bounces@xxxxxxxxxxxx
 [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jerry Adams
 Sent: Wednesday, January 25, 2006 9:43 AM
 To: Midrange Systems Technical Discussion
 Subject: Re: User profile question

 Wayne Evans (www.woevans.com) has a list of IBM supplied profiles that
 he recommends setting to *None.  You can even email him from there about
 almost any security question.


 Setting an IBM supplied profile to expired will, as Joel says, cause
 jobs to crash and burn.  There are tons of server jobs that use these
 profiles so you could, effectively, bring your system to its proverbial
 knees by disabling or expiring them.


 Carol Woodbury (www.skyviewpartners.com) is another iSeries security
 expert that you might check with.


 I mention both Wayne and Carol because, while the answers from this
 list might satisfy you, my experience has been that auditors want
 something "authoritative."  Wayne and Carol formerly designed iSeries
 (AS/400) security while with IBM.  They currently consult and teach
 security (and security auditing).


 Pat Botz at IBM Rochester would be another "authoritative" reference.  I
 think Pat monitors the forum from time-to-time so he may chime in soon.


 Jerry C. Adams
 iSeries Programmer/Analyst
 B&W Wholesale Distributors, Inc.
 voice: 615.893.8633x152
 fax: 615.995.1201
 email: jerry@xxxxxxxxxxxxxxx



 Harvell, Joel wrote:

  

 If you set a user profile to *disabled it will cause programs that use
 that user profile to fail. 

 Not sure of the wisdom of setting any of the IBM Supplied user Profiles
 to password = *none.  I'm hoping that you haven't set any of the User
 Profiles that have *secadm access set to *none.  Have your SOX auditors
 called you to the carpet for that?

 If you are using any of the IBM Supplied user profiles to run scheduled
 jobs, I would recommend setting up clones of those user profiles so that
 you can disable your IBM supplied User Profiles, if your SOX Auditors
 recommend that.

 Joel B. Harvell
 Food Lion, LLC
 (704) 633-8250 x2709
 jbharvell@xxxxxxxxxxxx

 -----Original Message-----
 From: midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx
 [mailto:midrange-l-bounces+jbharvell=foodlion.com@xxxxxxxxxxxx] On
 Behalf Of Greg Wenzloff
 Sent: Wednesday, January 25, 2006 8:56 AM
 To: midrange-l@xxxxxxxxxxxx
 Subject: User profile question

 Our SOX auditors are hounding me about User Profiles.    I set most of
 the IBM supplied profiles to Password = *none.   I did not change the
 Status to *Disabled because I don't know about all of the effects of
 doing that.

 The help window says:
                       Status - Help                        
                                                            
 Specifies whether the user profile is valid for sign on or 
 for getting a profile handle.                              
                                                            
 The possible values are:                                   
  o  *ENABLED: The user profile is valid.                   
  o  *DISABLED: The user profile is not valid. 

 What does "getting a profile handle" mean?    Will a disabled profile
 prevent programs from running?

 Greg
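
The configuration discussed in this thread, written out as CL commands. This is an added example, not part of any poster's message; it assumes DSP01 is the console device named by the QCONSOLE system value, so substitute your own device descriptions.

```cl
/* Added example, not from the thread. DSP01 is an assumed device  */
/* name; check which device is the console before granting.        */
DSPSYSVAL SYSVAL(QCONSOLE)

/* Remove the password from the IBM-supplied profiles named in the */
/* thread. Status is left unchanged, so jobs that run under these  */
/* profiles are not affected; only interactive sign-on is blocked. */
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV)    PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QUSER)   PASSWORD(*NONE)

/* With QLMTSECOFR = 1, users with *ALLOBJ or *SERVICE special     */
/* authority can sign on only at devices they are explicitly       */
/* authorized to.                                                  */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

/* Give QSECOFR explicit authority to the chosen device.           */
GRTOBJAUT OBJ(DSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUTH(*CHANGE)

/* Verify the result.                                              */
DSPSYSVAL SYSVAL(QLMTSECOFR)
DSPOBJAUT OBJ(DSP01) OBJTYPE(*DEVD)

/* Report profiles whose password still equals the profile name,   */
/* without changing them.                                          */
ANZDFTPWD ACTION(*NONE)
```

The DST (service tools) user IDs mentioned above are managed separately from OS/400 user profiles and are not changed by any of these commands.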

 

    

  

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].