"IF" the user profile is solely a group profile, object owner, etc.,
and if the user profile never needs to sign on, be used for imbedded SQL
connections and that genre,
then instead of just INLPGM(*NONE) and INLMNU(*SIGNOFF)
I recommend
CHGUSRPRF USRPRF(...) PASSWORD(*NONE)
If LCLPWDMGT is set to *NO then they can still sign on but only through
SSO/EIM and like solutions.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Buck Calabro <kc2hiz@xxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Date: 05/15/2014 09:55 AM
Subject: Re: Audits and profiles with passwords the same as the profile
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
On 5/15/2014 8:40 AM, Briggs, Trevor (TBriggs2) wrote:
As a coda to Rob's recommendations, you should almost certainly ensure
that those profiles cannot be used to sign on to the system by
specifying (off the top of my head)
INLPGM(*NONE) and INLMNU(*SIGNOFF).
Trevor Briggs
Good idea! This will stop people from using a tn5250 interface to sign
on. It won't however stop them from using FTP or ODBC or other non-5250
interfaces.
--buck
ps I also vote to change the passwords to anything other than the same
as the user profile.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx
Sent: Thursday, May 15, 2014 8:32 AM
To: Midrange Systems Technical Discussion
Subject: Re: Audits and profiles with passwords the same as the profile
Whether a user profile owns objects, is in a group, is the group, etc.
should have no effect on whether or not you change the password.
What will have an effect is if you do stuff like have PC RMTCMD statements
tied to the old password, RUNRMTCMD for IBM i to IBM i communication,
embedded CONNECT TO ... USING statements using the password in the code,
Lotus Enterprise Integrator (or like techniques), java connections,
WRKRDBDIRE and a plethora of other things.
I say change it. It's too big of a security risk. It's worth the
possible disruption in business that may pop up because of imbedded
passwords.
Rob Berendt
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
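An added example, not part of the thread or any poster's code: a small triage over a constructed profile inventory that separates profiles where INLPGM(*NONE)/INLMNU(*SIGNOFF) only blocks 5250 sign-on from those that can safely take the CHGUSRPRF ... PASSWORD(*NONE) change recommended above. The HAS_PASSWORD and USED_FOR_CONNECTIONS fields and the profile names are assumptions made for illustration.

```python
"""Triage service-style IBM i profiles from an exported attribute list."""

# Constructed sample data. INLPGM/INLMNU mirror the CHGUSRPRF keywords in the
# thread; HAS_PASSWORD and USED_FOR_CONNECTIONS are hypothetical columns an
# administrator would fill in from their own inventory (FTP, ODBC, RUNRMTCMD,
# embedded CONNECT ... USING, and similar uses).
PROFILES = [
    {"USRPRF": "GRPPAYROLL", "HAS_PASSWORD": True, "INLPGM": "*NONE",
     "INLMNU": "*SIGNOFF", "USED_FOR_CONNECTIONS": False},
    {"USRPRF": "APPOWNER", "HAS_PASSWORD": False, "INLPGM": "*NONE",
     "INLMNU": "*SIGNOFF", "USED_FOR_CONNECTIONS": False},
    {"USRPRF": "ODBCSVC", "HAS_PASSWORD": True, "INLPGM": "*NONE",
     "INLMNU": "*SIGNOFF", "USED_FOR_CONNECTIONS": True},
    {"USRPRF": "JSMITH", "HAS_PASSWORD": True, "INLPGM": "*NONE",
     "INLMNU": "MAIN", "USED_FOR_CONNECTIONS": False},
]

def blocks_5250(profile):
    """True when the profile is set up so a 5250 sign-on ends immediately."""
    return profile["INLPGM"] == "*NONE" and profile["INLMNU"] == "*SIGNOFF"

def triage(profile):
    """Classify one profile by what its password still exposes."""
    if not profile["HAS_PASSWORD"]:
        return "OK_NO_PASSWORD"            # nothing to authenticate with
    if not blocks_5250(profile):
        return "INTERACTIVE_USER"          # ordinary sign-on profile
    if profile["USED_FOR_CONNECTIONS"]:
        return "KEEP_PASSWORD_ROTATE"      # needed by non-5250 interfaces
    return "SET_PASSWORD_NONE"             # password serves no purpose

def report(profiles):
    """Map each profile name to its triage result."""
    return {p["USRPRF"]: triage(p) for p in profiles}

def remediation_commands(profiles):
    """Build the CL command from the thread for profiles that qualify."""
    return [
        f"CHGUSRPRF USRPRF({p['USRPRF']}) PASSWORD(*NONE)"
        for p in profiles
        if triage(p) == "SET_PASSWORD_NONE"
    ]

if __name__ == "__main__":
    for name, result in report(PROFILES).items():
        print(f"{name:12} {result}")
    print("\n".join(remediation_commands(PROFILES)))
```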
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.