"Does that mean that if qsecofr is disabled, I can still sign on to it at the console?"

If you have a twinax console, the answer to that question is "Absolutely!". Not sure about Ops Console or HMCs though . . .

Steve

<fbocch2595@xxxxxxx> wrote in message news:8C7EFDEEEAC51C8-16E4-95BA@xxxxxxxxxxxxxxxxxxxxxxxxxx
> Does that mean that if qsecofr is disabled, I can still sign on to it at
> the console?
>
> -----Original Message-----
> From: Ketzes, Larry <Larry.Ketzes@xxxxxxx>
> To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> Sent: Wed, 25 Jan 2006 09:11:56 -0600
> Subject: RE: User profile question
>
> Folks,
> This is quoted from Carol Woodbury's Security Book (a bible in my
> opinion).
>
> You also want to ensure that the IBM supplied profiles aren't usable.
> Allowing IBM supplied profiles to sign on is a wide open door for hackers
> to exploit. Make sure QPGMR, QSRV, QSRVBAS, QSYSOPR, and QUSER are set to
> *NONE. Also make Qsecofr *DISABLED. You can always sign on as Qsecofr at
> the console if you need to.
>
> Larry Ketzes
> Senior Security Project Analyst
> American Life Insurance Company
>
> One ALICO Plaza
> 600 King Street
> Wilmington, DE 19801
> Phone: 302-594-2146
> Mobile: 302-559-1631
> Email: larry.ketzes@xxxxxxx
>
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jerry Adams
> Sent: Wednesday, January 25, 2006 9:43 AM
> To: Midrange Systems Technical Discussion
> Subject: Re: User profile question
>
> Wayne Evans (www.woevans.com) has a list of IBM supplied profiles that
> he recommends setting to *None. You can even email him from there about
> almost any security question.
>
> Setting an IBM supplied profile to expired will, as Joel says, cause
> jobs to crash and burn. There are tons of server jobs that use these
> profiles so you could, effectively, bring your system to its proverbial
> knees by disabling or expiring them.
>
> Carol Woodbury (www.skyviewpartners.com) is another iSeries security
> expert that you might check with.
>
> I mention both Wayne and Carol because, while the answers from this
> list might satisfy you, my experience has been that auditors want
> something "authoritative." Wayne and Carol formerly designed iSeries
> (AS/400) security while with IBM. They currently consult and teach
> security (and security auditing).
>
> Pat Botz at IBM Rochester would be another "authoritative" reference. I
> think Pat monitors the forum from time-to-time so he may chime in soon.
>
> Jerry C. Adams
> iSeries Programmer/Analyst
> B&W Wholesale Distributors, Inc.
> voice 615.893.8633x152
> fax 615.995.1201
> email jerry@xxxxxxxxxxxxxxx
>
> Harvell, Joel wrote:
>
>>If you set a user profile to *disabled it will cause programs that use
>>that user profile to fail.
>>
>>Not sure of the wisdom of setting any of the IBM Supplied user Profiles
>>to password = *none. I'm hoping that you haven't set any of the User
>>Profiles that have *secadm access set to *none. Have your SOX auditors
>>called you to the carpet for that?
>>
>>If you are using any of the IBM Supplied user profiles to run scheduled
>>jobs, I would recommend setting up clones of those user profiles so that
>>you can disable your IBM supplied User Profiles, if your SOX Auditors
>>recommend that.
>>
>>Joel B. Harvell
>>Food Lion, LLC
>>(704) 633-8250 x2709
>>jbharvell@xxxxxxxxxxxx
>>
>>-----Original Message-----
>>From: midrange-l-bounces+jbharvell On Behalf Of Greg Wenzloff
>>Sent: Wednesday, January 25, 2006 8:56 AM
>>To: midrange-l@xxxxxxxxxxxx
>>Subject: User profile question
>>
>>Our SOX auditors are hounding me about User Profiles. I set most of
>>the IBM supplied profiles to Password = *none. I did not change the
>>Status to *Disabled because I don't know about all of the effects of
>>doing that.
>>
>>The help window says:
>>   Status - Help
>>
>>   Specifies whether the user profile is valid for sign on or
>>   for getting a profile handle.
>>
>>   The possible values are:
>>     o *ENABLED: The user profile is valid.
>>     o *DISABLED: The user profile is not valid.
>>
>>What does "getting a profile handle" mean? Will a disabled profile
>>prevent programs from running?
>>
>>Greg
>
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
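
A check an administrator could run to compare a system against the settings discussed in this thread, added here as an example and not part of any poster's message. It assumes an IBM i release that provides the QSYS2.USER_INFO view and the QSYS2.ACTIVE_JOB_INFO table function; the `finding` column and its wording are made up for this illustration.

```sql
-- Added example: audit the IBM-supplied profiles named in the thread.
-- Expectation taken from the quoted recommendation:
--   QPGMR, QSRV, QSRVBAS, QSYSOPR, QUSER -> password *NONE
--   QSECOFR                              -> status *DISABLED
SELECT authorization_name,
       status,
       no_password_indicator,
       previous_signon,
       CASE
         WHEN authorization_name = 'QSECOFR'
              AND status <> '*DISABLED'
           THEN 'QSECOFR is not *DISABLED'
         WHEN authorization_name <> 'QSECOFR'
              AND no_password_indicator <> 'YES'
           THEN 'password is not *NONE'
         ELSE 'matches the thread recommendation'
       END AS finding            -- illustrative column, not a system field
  FROM qsys2.user_info
 WHERE authorization_name IN
       ('QPGMR', 'QSRV', 'QSRVBAS', 'QSYSOPR', 'QUSER', 'QSECOFR')
 ORDER BY authorization_name;

-- Before setting STATUS(*DISABLED) on any of these profiles, list the
-- jobs currently running under them, since the thread warns that server
-- and scheduled jobs using a disabled profile will fail.
-- This shows active jobs only; job schedule entries need a separate review.
SELECT authorization_name,
       subsystem,
       job_name,
       job_type
  FROM TABLE(qsys2.active_job_info()) AS j
 WHERE authorization_name IN
       ('QPGMR', 'QSRV', 'QSRVBAS', 'QSYSOPR', 'QUSER', 'QSECOFR')
 ORDER BY authorization_name, subsystem, job_name;
```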
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].