Don't forget that if QSECOFR is disabled you MAY still sign on with QSECOFR profile if you are at the System Console device.

For this and other reasons several of my customers keep QSECOFR *DISABLED at all times.

- DrF

On 5/6/2021 3:18 PM, midrangel@xxxxxxxxxxxxxxxxx wrote:
It's a great idea until you need QSECOFR to do something on the system and
all your other high authority profiles are disabled, and the profile you
have does not have sufficient authority.

So you can sign into DST to reset the IBM i QSECOFR profile, but damn that
just got disabled too. Now you don't have ANY high authority profiles to
fix whatever it is that requires high authority. If you can't get one of
those two profiles fixed then to recover them you must reload the system
(entirely) from tape.

Yea, great idea. (OK I'm a bit snarky here but at some point you gotta
wonder who am I protecting?)

Yes long passwords
Yes restrict devices
Monitor security logs to look for attempts to hack it
Make DANG sure you have a profile (no Q in first position) that is a back up
that is as heavily protected/restricted.
Disabled, not on my systems.

--
Jim Oberholtzer
Agile Technology Architects

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Justin
Taylor
Sent: Thursday, May 6, 2021 1:05 PM
To: MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Disable QSECOFR?

I thought disabling QSECOFR was a very bad idea, but I came across a Help
Systems documents recommending the practice.

Is this a practical security measure?

Thanks


From:
Protect Your Administrator Accounts from Abuse March 10, 2017 Use of QSECOFR

QSECOFR is the first profile hackers will try to abuse if they're randomly
trying to gain access to your systems. Limit the use of QSECOFR to only
system upgrades and, yes, the time when an irresponsible vendor requires you
to sign on to install or upgrade their product. The operating system will
prevent you from setting the QSECOFR password to *NONE, so, to further
protect this profile, set QSECOFR to status of *DISABLED. This requires you
to either sign on to the console to use QSECOFR or set it to status *ENABLED
prior to using it.
https://www.helpsystems.com/resources/articles/protect-your-administrator-ac
counts-abuse
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.