-----Original Message-----
From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]

>We are currently going through all of the users on our systems and removing
>any that have not been deleted for one reason or another. Through our
>looking, we have noticed people with authority that really didn't need it
>(like *SAVRST and *ALLOBJ). We are currently reviewing what people need for
>authority.

>1) What have you guys done to maintain security?

I use the security tools periodically to check the accounts on my AS/400, about once a month or every 2 months (when I remember). It helps if your account passwords are set to expire once a month or so; then you can run a security report and see who has not changed their password within the last 30 days. This is an easy way to find obviously obsolete accounts, but it is not foolproof, as I found out at my last company. One person had left to go to another office for a while, and when she came back 4 months later she called and said her password was bad. Doing a little digging, I saw the password was last set about 15 days ago. Doing a little more digging, I found that this user had given her password to a co-worker to allow him to do something, and when she left he just kept her account active, changing the password when he had to. A stern talking-to for the both of them, and an eye-opener on my side.

>2) How do you create new users? Do you have a "general" user which you copy
>from? Do you start from scratch?

I have always taken an existing account with the same privileges I wanted to give the new user and copied it, modifying it when necessary. Also, at one company everyone had almost no privileges, but they were a part of a group which had the rights they needed.

>3) How do you eliminate the possibility of a user using the username for a
>password and not allow 'password' for a password?

Security tools has a tool to check for default passwords, where the password is the same as the user name. You can either just print the report, or disable the account also. System values set the minimum/maximum length of passwords and other things, and the easiest way to disable "password" as a user password is to not allow consecutive characters (2 of the same character side by side), which means they could use "pasword" but not "password". You can also require the user to enter at least one digit in their password. You could also use a password validity checker if you wanted. WRKSYSVAL QPWD* and browse through there.

>4) How often do you review the users and security?

Once every month to 3 months, depending on how often I remember.

>5) Payroll notifies us when people quit or have moved to a new position, but
>it doesn't tell us when remote users quit or have moved on. How do you handle
>this?

As stated before, if you set the password expiration level to something, then using security tools (or rolling your own) you can report on the last time users changed their passwords. As previously stated, this doesn't detect when someone else is keeping an otherwise inactive account active by using it without authority.

Regards,

Jim Langston
Programmer/Analyst