Re: Application administration for security control?

It seems to me that  when a client PC sign on to an iSeries Server, the
application administration setting is downloaded to the client from the
iSeries.
Theoretically, someone can steal into the system by changing local windows
registry. But it seems to me that the server will keep overwriting the
window registry(I don't know how often it will send the setting to PC, at
least when you start another session).

Best Regards.

James Fu

TDL Group Corp. (Tim Hortons)
Oakville, Ontario
Direct: 905-339-5798
fu_james@xxxxxxxxxxxxxx
Web: http://www.timhortons.com


                                                                           
             rob@xxxxxxxxx                                                 
             Sent by:                                                      
             midrange-l-bounce                                          To 
             s@xxxxxxxxxxxx            Midrange Systems Technical          
                                       Discussion                          
                                       <midrange-l@xxxxxxxxxxxx>           
             06/09/2006 01:40                                           cc 
             PM                                                            
                                                                   Subject 
                                       Re: Application administration for  
             Please respond to         security control?                   
             Midrange Systems                                              
                 Technical                                                 
                Discussion                                                 
             <midrange-l@midra                                             
                 nge.com>                                                  
                                                                           
                                                                           




The windows registry on which PC?  The PC setting it, or the PC using it?
If the PC using it, how does it get set there?  The first time they try to
execute the application and it looks to where it was set on the server by
the administrator?

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





vhamberg@xxxxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
06/09/2006 01:29 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: Application administration for security control?






The problem cited is that the settings go to the Windows registry and can
be modified by anyone who has enough local authority - at least, that's
how it looks to me. It is not using the iSeries registry.

-------------- Original message --------------
From: rob@xxxxxxxxx

-snip-

If you really study Application Administration, I fail to see how a
windows registry patch can get them in. You configure Application
Administration from your PC. And it will affect that user from

regardless

which PC he logs into.

I've personally written some exit points. There's no way a windows
registry patch is getting past those.

-snip-

Thanks, Rob. I am afraid I didn't make my point clear.

The reasons why IBM doesn't recommend it as a security tool is
"Application Administration uses the Windows registry to cache
restrictions
on the client PC. A skilled user who is restricted from a function by
Application Administration could obtain access to the function by

editing

the registry.

-snip-
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.





The information contained in this message is confidential and may be
legally privileged. The message is intended solely for the addressee(s).
If you are not the intended recipient, you are hereby notified that any
use, dissemination, or reproduction is strictly prohibited and may be
unlawful. If you are not the intended recipient, please contact the sender
by return e-mail and destroy all copies of the original message.

L'information contenue dans ce  message est de nature confidentielle et
peut etre de nature privilegiee. Ce  message est strictement reserve a
l'usage de son ou ses destinataires. Si vous  n'etes pas le destinataire
prevu, prenez avis, par la presente, que tout usage,  distribution, ou
copie de ce message est strictement interdit et peut etre  illicite. Si
vous n'etes pas le destinataire prevu, veuillez en aviser  l'expediteur par
courriel et detruire tous les exemplaires du message original.