On 10/25/07, albartell <albartell@xxxxxxxxx> wrote:
> is very secure (or is it now more politically correct to say "it has the
> capability to be more secure out of the box" :-). Maybe you could write an
Especially the out-of-the-box experience is WORSE with i5/OS.
Let's see, you buy your first System i ever. A Model 9407-515, Express.
You start the machine.
A logon screen displays on the thin console.
You enter QSECOFR/QSECOFR, and are asked to enter a new password. You
enter "abc123". The system accepts it.
(On Windows Server 2003, you will get a notice that this password is
insecure. You can set it anyway, but there is a strong reminder that the
password is insecure).
You accept all software agreements. Now, you assign the machine an IP
address, in order to use iSeries Navigator to configure it. As soon as
the system has an IP address, all doors are wide open.
Unencrypted Telnet, FTP, DDM, SNMP, etc. are all enabled!
You do not have the latest group PTFs installed! The system is already
fully exposed, and you might be missing important, security relevant
You start iSeries Navigator, connect to your system. Your password is
sent in plain text, so everyone can read it and enjoy your QSECOFR
(On Windows Server 2003, when logging on for the first time, a firewall
automatically blocks all inbound ports, until you have installed the
latest security fixes! Remote Logon using Remote Desktop is disabled
by default, and when enabled is used with encryption!).
This is not secure out of the box. No matter if i5/OS is not
vulnerable to buffer overflows. And, by the way, WS2003 SP1 and
XP SP2 support DEP (Data Execution Prevention), which also mitigates
most buffer overflows.