That is still applicable here with our heightened security.
Many devices have a single, discrete device ID.
All PCs have a specified prefix (i.e. mypcA, mypcB, etc.).

We have autoconfig on... but we also have limited the creation of virtual devices QAUTOVRT - a bad actor cannot continually try on a new device ID.
(also, the users can't just keep adding 5250 display sessions).

Given what I've seen this year, I would suggest all shops adopt an "ultra high security environment".
All of our internal connections to the IBM i are SSL/TLS except for the RF devices that run telnet emulators.

My 2 cents.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Jim Oberholtzer
Sent: Tuesday, November 2, 2021 9:54 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: Enable Disabled Users and Devices

And to handle the varied off device, that's simple, STOP varying the device
off. (change system value)

Back when twinaxial ruled, it made sense to vary off the device if someone
blew up a password, it was a possible signal that the device was being used
to break in, particularly if it was out in the warehouse or factory floor.
But now with telnet, where the system simply makes another device it makes
no sense at all.

The exception to this would be if all sessions were set with a discrete
device ID and autoconfigure is turned off, but I don't know too many that
do that today outside of ultra high security environments.

Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects

On Tue, Nov 2, 2021 at 8:23 AM Bob Schwartz <rschwartz@xxxxxxxxxxxxxxx>

date: Tue, 2 Nov 2021 12:53:26 +0000
from: Greg Wilburn <gwilburn@xxxxxxxxxxxxxxxxxxxxxxx>
subject: Enable Disabled Users and Devices

We recently switched to password level 3 (in addition to quite a few
security changes). This has been in place for several months now and we
have an epidemic of disabled user IDs and varied off devices. While this
inconvenience is tolerable during normal working hours, it's killing
productivity during the off-hours/days that IT coverage is not available.

Is there any way to automate enablement of passwords that are disabled by
invalid sign on attempts - say after 15-20 minutes?
Same question for devices varied off by too many invalid password

Greg, we handle the disabled user profiles with the Message Monitor in
Navigator for i.
Monitor for CPF1393, then call a CLP to handle the situation.

Bob Schwartz
Director of Technical Services
Glynn County Board of Education
1313 Egmont Street
Brunswick, GA 31520



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
