-----Original Message-----
From: Wills, Mike N. (TC) [mailto:MNWills@taylorcorp.com]

>We are currently going through all of the users on our systems and removing
>any that have not been deleted for one reason or another. Through our
>looking, we have noticed people with authority that really didn't need it
>(like *SAVRST and *ALLOBJ). We are currently reviewing what people need for
>authority.

1) What have you guys done to maintain security?
I use the security tools periodically to check the accounts on my AS/400 about 
once a month or every 2 months (when I remember).  It helps if your account 
passwords are set to expire once a month or so, then you can run a security 
report and see who has not changed their password within the last 30 days.  
This is an easy way to find obviously obsolete accounts, but is not fool proof 
as I found out at my last company.  One person had left to go to another office 
for a while, and when she came back 4 months later she called and said her 
password was bad.  Doing a little digging I saw the password was last set about 
15 days ago.  Doing a little more digging I found that this user had given her 
password to a co-worker to allow him to do something, and when she left he just 
kept her account active, changing the password when he had to.  A stern talking 
to to the both of them and an eye opener on my side.

2) How do you create new users? Do you have a "general" user which you copy
from? Do you start from scratch?
I have always taken an existing account with the same privileges I wanted to 
give the new user and copied it.  Modified it when necessary.  Also at one 
company everyone had almost not provides, but were apart of a group which had 
the rights they needed.

3) How do you eliminate the possibility of a user using the username for a
password and not allow 'password' for a password?
Security tools has a tool to check for default passwords, where the password is 
the same as the user name.  You can either just print the report, or disable 
the account also.  System values set the minimum/maximum length of passwords 
and other things, and the easiest way to disable "password" as a user password 
is to not allow consecutive characters (2 of the same character side by side) 
which means they could use "pasword" but not "password".  You can also require 
the user to enter at least one digit in their password.  You could also use a 
password validity checker if you wanted.  WRKSYSVAL QPWD* and browse through 
there.

4) How often do you review the users and security?
Once every month to 3 months, depending on how often I remember.

5) Payroll notifies us when people quit or have moved to a new position, but
it doesn't tell us when remote users quit or have moved on. How do you
handle this?
As stated before, if you set the password expiration level to something, using 
security tools (or roll your own) you can report on the last time users changed 
their passwords.  As previously stated, this doesn't detect when someone else 
is keeping an otherwise inactive account active by using it without authority.

Regards,

Jim Langston
Programmer/Analyst


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.