Locking Down Your System
PASSWORD SECURITY
As one responsible for System Security you should consider the following when
setting up your password policy:
☒ Set a Password policy stating that user passwords must not be trivial (i.e.
car, 007, dart, etc.) or vulgar,
☒ Create a suggestion list for how to think of a good password,
☒ Use alphanumeric passwords,
☒ Avoid birthdays, nicknames and other easily deciphered passwords,
☒ Change passwords frequently (every 30, 60 or 90 days). Regular changes will
stop individuals who might have learned your password,
☒ Remember never to share your password with anyone, do not discuss your
password verbally, memorize your password and destroy any written copies and
change your password immediately when you think there exists any possibility of
its compromise,
☒ Sign-off the System whenever you are away from your Workstation and
☒ Adopt a second sign-on profile with limited security and access for each of
your Security Officers and Administrators. This will enable them to Sign-on at
the Sales counter and walk away without having to then sign-off the System.
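The policy points above can be enforced by the AS/400 itself rather than by memo. The following CL program is an added example, not part of the original guide and not IBM-supplied code; it sets the system values that correspond to the bullets (alphanumeric passwords, a 90-day change interval, sign-off on inactivity, lockout after repeated failures). Every number in it is an assumption to be adjusted to your own policy. The "not trivial or vulgar" rule is not a system value; it needs a password validation exit program named in the QPWDVLDPGM system value, which is not shown here.

```cl
/* PWDPOLICY - added example: set the system values that enforce the     */
/* password policy above. The values are assumptions; adjust to taste.  */
/* Requires *SECADM and *ALLOBJ special authority.                        */
PGM
  /* Alphanumeric passwords: at least 8 characters, at least one digit    */
  CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE('8')
  CHGSYSVAL SYSVAL(QPWDRQDDGT) VALUE('1')
  /* No consecutive repeated characters and no adjacent digits           */
  /* (rules out AAAA and 007-style values)                                */
  CHGSYSVAL SYSVAL(QPWDLMTREP) VALUE('2')
  CHGSYSVAL SYSVAL(QPWDLMTAJC) VALUE('1')
  /* Expire every 90 days; a new password must differ from the last 32   */
  CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')
  CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('1')
  /* Three bad sign-on attempts disable both the profile and the device  */
  CHGSYSVAL SYSVAL(QMAXSIGN)   VALUE('3')
  CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('3')
  /* "Sign off when away": disconnect jobs idle for more than 15 minutes */
  CHGSYSVAL SYSVAL(QINACTITV)  VALUE('15')
  CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*DSCJOB')
  /* Review one of the results                                            */
  DSPSYSVAL SYSVAL(QPWDEXPITV)
ENDPGM
```

Compile it with CRTCLPGM and run it once from a security officer session; the changes take effect for the next sign-on and the next password change, so existing passwords are not forced to change until their interval runs out.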
Changing Well-Known Passwords
1. To ensure that no user's password is the same as his/her sign-on name, go
to a Command line and key the following: “ANZDFTPWD” then press the ENTER key.
2. The System will generate a spooled file report. You can find this report by
keying WRKSPLF then pressing the ENTER key. Look for a Spool file named
“QPSECPWD”; this contains your information.
3. You can view this file by keying a “5” beside the file then pressing the ENTER key.
4. The report lists the User Profile, Status, PWDEXP (Password Expired), and the Text:
User Profile: Who is assigned this password.
Status: Sign-on status of the User.
☛ If the user status is enabled (*ENABLED), the User can sign-on the System at
any time.
☛ If the User status is disabled (*DISABLED), the User cannot sign-on the System
at any time.
PWDEXP (Password Expired): Whether the Password has (*YES) or has not (*NO) expired.
Text: Any text associated with the User Profile.
5. Note any User whose Password needs to be changed.
6. When you have completed your review of the Spool File press the Cmd3 key to
exit.
7. Next key a “4” (Delete) alongside the Spool file and press the ENTER key.
8. Press ENTER once more to confirm deletion of this file.
Closing the IBM Backdoor
1. IBM has created on each AS/400 a series of default passwords. These are
normally changed by IBS personnel when your System is first set up. Nonetheless,
check each password to see if you can sign on using the IBM default. If so,
immediately change the password.
2. Attempt to sign on using the following User Profiles:
User Name Password
QSYSOPR QSYSOPR
QPGMR QPGMR
QUSER QUSER
QSRVBAS QSRVBAS
For Example: Key QSYSOPR in the User line. Then, press the FIELD EXIT key and
re-key QSYSOPR in the Password line. Finally, press ENTER.
☞ DO NOT delete any of the “Q” profiles.
3. If you receive the Message “CPF1107 - Password not correct for user profile.”
then this profile has been changed. Check each User Profile and change any that
have NOT been changed.
☞ Remember that these Sign-on profiles and Passwords are publicly known.
☞ An individual with knowledge of the IBM System will first try these user
profiles when attempting to illegally access your System.
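Both checks above (passwords equal to the profile name, and the IBM-supplied profiles still carrying their shipped passwords) can be done from the command line without signing on as each profile. The following CL program is an added example, not from the original guide or from IBM. ANZDFTPWD finds every profile whose password equals its name, which includes the four “Q” profiles listed above; the ACTION parameter then decides what is done about them. The password values in angle brackets are placeholders for passwords you choose.

```cl
/* DFTPWDCHK - added example: find and fix profiles still using the      */
/* default password (password = profile name), Q profiles included.     */
PGM
  /* Report only; nothing is changed. The QPSECPWD spooled file results. */
  ANZDFTPWD ACTION(*NONE)
  DSPSPLF   FILE(QPSECPWD)
  /* After reviewing the list, rerun so every listed profile must choose */
  /* a new password at next sign-on. ACTION(*DISABLE) would instead      */
  /* disable them, which is not wanted for the IBM-supplied profiles.    */
  ANZDFTPWD ACTION(*PWDEXP)
  /* Change, never delete, the IBM-supplied profiles. <...> values are   */
  /* placeholders. PASSWORD(*NONE) is the alternative for a profile      */
  /* that never needs to sign on interactively.                          */
  CHGUSRPRF USRPRF(QSYSOPR) PASSWORD('<NEW-QSYSOPR-PWD>')
  CHGUSRPRF USRPRF(QPGMR)   PASSWORD('<NEW-QPGMR-PWD>')
  CHGUSRPRF USRPRF(QUSER)   PASSWORD('<NEW-QUSER-PWD>')
  CHGUSRPRF USRPRF(QSRVBAS) PASSWORD('<NEW-QSRVBAS-PWD>')
  /* Confirm the "Password change date" field has moved                  */
  DSPUSRPRF USRPRF(QSYSOPR)
ENDPGM
```

Running ANZDFTPWD ACTION(*NONE) on a schedule and comparing the QPSECPWD report from one run to the next is the simplest way to catch a profile that was created or reset with a default password after the initial clean-up.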
Scheduling Availability of User Profiles
? What does this option do?
☞ This option limits the time during the day that a user can access the system.
? When is this option used?
☞ Whenever you decide that certain users should not have 24-hour-a-day sign-on
capability.
☞ If you are worried that individual users might attempt an unauthorized remote
sign-on via your AS/400 Modem.
Getting Started
1. Go to a command line.
2. Key “CHGACTSCDE” (Change Activation Schedule Entry) then press the ENTER key.
3. In the User Profile field, key the User Profile name “AAAAAAAAAA” and press
the FIELD EXIT key. See Example
4. In the Enable Time field, key the earliest time that this user may Sign-on
the System during the day then press the FIELD EXIT key. Your entry must be in
military time (i.e. 5PM is keyed 1700, and 10PM is 2200). See Example.
5. In the Disable Time field key the latest time that this user can Sign-on the
System then press the FIELD EXIT key. Your entry must be in military time (i.e.
5PM is keyed 1700, and 10PM is 2200). See Example.
6. In the days field key the specific days that the user may access the System.
The default is everyday (*ALL).
☞ For a limited number of days you must key the first day then press the FIELD
EXIT key. Next key a “+” in the “+ for more values” field and press the ENTER
key.
☞ Fill in the specific day(s) on which you want the user to access the System.
Then press the ENTER key to return to the Scheduling Menu.
☜ This User can access the System from 7AM to 9PM, seven days a week. You can
change the days and the hours anytime it is convenient.
7. After all changes have been made press the ENTER key to update and activate.
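The prompted screen above fills in the parameters of a single command, so the same schedule can be set, reviewed and removed from the command line or from a CL program. The following is an added example, not from the original guide; the profile names and hours are assumptions, with JOHN given the 7 AM to 9 PM, seven-day schedule used in the example screen.

```cl
/* ACTSCD - added example: the scheduling steps above as CL commands.    */
/* Profile names and hours are assumptions.                              */
PGM
  /* Same as the screen example: JOHN may sign on 7 AM to 9 PM, every day */
  CHGACTSCDE USRPRF(JOHN) ENBTIME(0700) DSBTIME(2100) DAYS(*ALL)
  /* A profile that should only be usable on weekdays in office hours    */
  CHGACTSCDE USRPRF(MARY) ENBTIME(0800) DSBTIME(1800) +
             DAYS(*MON *TUE *WED *THU *FRI)
  /* Review every schedule entry on the system                            */
  DSPACTSCD
  /* Remove an entry when the restriction is no longer wanted            */
  RMVACTSCDE USRPRF(MARY)
ENDPGM
```

The enable and disable actions are carried out by the system job QSYSSCD, so if the schedule does not seem to take effect, confirm that job is active before suspecting the entries. A user already signed on when the disable time arrives is not forced off; the disable prevents new sign-ons.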
☞ If you entered this Menu in error or choose not to update any changes that
have been made, press the Cmd3 key to return to your original menu.
Displaying Audit Journal Entries
? What does this option do?
☞ This option will verify that the system is enabling and disabling user
profiles according to your planned schedule.
? When should this option be run?
☞ Whenever you need to review user profiles that are being or have been disabled
on your System.
1. Go to a command line and key “DSPAUDJRNE” then press the ENTER key. The
System will create a report.
2. Next key “WRKSPLF” and press the ENTER key. You will see all Spool files
created under your name. Look for the file named “QPQUPRFIL”. If there is more
than one page roll down to the next page until you find the file.
3. Key a “5” (Display) to display the file and press ENTER. The report will be
displayed on your screen.
You will see the Date and time the report was run along with the following.
Violation Type: the two-letter audit journal entry type:
AF Authorization Failure entry
CA Change Authority entry
CP Change User Profile entry
PO Printed Object entry
PW Invalid Password entry
SF Action on Spooled File entry
User Profile: The individual with the violation.
Object Name: The name of the object (the part of the System) involved.
Library Name: The library on your System where that object is located.
Object Type: What kind of object is displayed.
4. When you have finished reviewing the list press the Cmd3 key to return to the
WRKSPLF screen. Key a “4” (Delete) alongside the Spool File and press the ENTER
key twice. This will delete the spool file from your System.
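The report steps above can also be run as commands, and DSPAUDJRNE takes an entry type, so the review can be narrowed to the violation types listed (profile changes, invalid passwords, authority failures) instead of reading everything. The following CL program is an added example, not from the original guide or from IBM. It also displays the two system values that decide whether those entries are written at all, since an empty report most often means auditing is not switched on rather than that nothing happened.

```cl
/* AUDRVW - added example: the audit report steps above as CL commands,  */
/* plus the checks that make the report meaningful in the first place.  */
PGM
  /* Entries exist only if QAUDCTL includes *AUDLVL and QAUDLVL includes */
  /* the right levels: *SECURITY for CP entries, *AUTFAIL for AF and PW. */
  DSPSYSVAL SYSVAL(QAUDCTL)
  DSPSYSVAL SYSVAL(QAUDLVL)
  /* Profile changes (CP) from the current receiver chain, on screen     */
  DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) OUTPUT(*)
  /* Invalid passwords (PW) and authority failures (AF) to spooled files */
  /* for the regular review described above                              */
  DSPAUDJRNE ENTTYP(PW) JRNRCV(*CURCHAIN) OUTPUT(*PRINT)
  DSPAUDJRNE ENTTYP(AF) JRNRCV(*CURCHAIN) OUTPUT(*PRINT)
  /* The spooled files appear under the current user                     */
  WRKSPLF SELECT(*CURRENT)
ENDPGM
```

When reading the PW report, a burst of entries for one profile from one device in a short span is the pattern worth following up, and the same profile appearing in a later CP report (status changed) shows the QMAXSGNACN lockout did its job.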
Disabling Employee System Access
? What does this option do?
☞ This option will prevent an employee from Signing on the System with his/her
User name without deleting him/her from the System.
? When should this option be used?
☞ Use this option any time an employee will be absent for an extended period,
that is, whenever you want to disable a profile rather than delete it.
☞ Long vacations, extended leaves of absence, a college student returning to
school are each examples of when this option can be most effectively used.
Disabling the Employee
1. Go to a command line and key the following:
“WRKUSRPRF” (Work with User Profiles) then press the Cmd4 key.
Work with User Profiles (WRKUSRPRF)
Type choices, press Enter.
User profile . . . . . . . . . JOHN Name, generic*, *ALL
2. The Work with User Profiles Screen will prompt.
3. Key in the User name (in the example the name of John is used) then press the
ENTER key.
☞ If you wish to display all users, key *ALL then press the ENTER key. Every user
profile on the System will display.
☞ If you entered this menu in error or choose not to change any user profile,
press the Cmd3 key until you return to your original menu screen.
4. From this screen you can create, change, copy, delete and display user
profiles.
5. Use your TAB key until the cursor is beside the User profile you want to
disable.
6. Key a “2” (Change) then press ENTER. The Change User Profile screen will
prompt.
7. Use your TAB or NEW LINE key until the cursor is in the Status field.
8. Change the Status from *ENABLED to *DISABLED then press the ENTER key. The
AS/400 will be updated and the user can no longer Sign-on the System.
☞ This disables the user from Signing on the AS/400. If you wish to delete
his/her user profile from the System, you must go to the “M U” menu, option “6”.
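Steps 1 through 8 above amount to one command, which is easier to run consistently (and to schedule for the employee's return) than walking the screens. The following CL program is an added example, not from the original guide; JOHN is the profile name used in the screen example. The last command ties this back to the audit journal section: a status change is itself recorded as a CP entry, so the disable leaves a trail.

```cl
/* DSBUSR - added example: the disable steps above as a single command,  */
/* with the checks to run afterwards. JOHN is the page's example name.   */
PGM
  /* Equivalent of keying "2" and changing Status on the prompt screen   */
  CHGUSRPRF USRPRF(JOHN) STATUS(*DISABLED)
  /* Confirm: the Status field now shows *DISABLED                        */
  DSPUSRPRF USRPRF(JOHN)
  /* The change is recorded as a CP (Change User Profile) audit entry,   */
  /* provided QAUDLVL includes *SECURITY                                  */
  DSPAUDJRNE ENTTYP(CP) JRNRCV(*CURCHAIN) OUTPUT(*)
  /* On the employee's return, reverse it with:                          */
  /*   CHGUSRPRF USRPRF(JOHN) STATUS(*ENABLED)                            */
ENDPGM
```

Disabling rather than deleting keeps the profile's object ownership and authorities intact, which is exactly why the guide recommends it for temporary absences; deletion should wait until those objects have been reassigned.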
Changing Sign-on Error Messages
? Why change the Sign-on Error message?
☞ Hackers like to know when they are making progress toward breaking into a
system. When an error message on the Sign On display says Password not correct,
the hacker can assume that the User ID is correct. This counts as progress for
anyone attempting to break into a System.
☞ You can frustrate hackers by changing the Sign-on Error message.
How to Change the Sign-on Error Message
1. Go to a command line and key “CHGMSGD” (Change Message Description) then
press the ENTER key. The Change Message Description screen will prompt.
2. Key in the following:
☞ In the Message Identifier field key “CPF1107”, then press the FIELD EXIT key.
☞ In the Message File Field key “QCPFMSG” and press the Field exit key.
☞ Next, in the Library field key “QSYS” and press the Field Exit key.
☞ Finally, in the First-level message text field key “System unavailable at
present time” then press the ENTER key to activate.
3. At the Command line press the Cmd9 key and Cmd4 sequentially. You will be
returned to the same screen with the previous information listed.
4. This time change the Message Identifier to “CPF1120” then press the ENTER
key.
5. To verify that you have changed the messages Sign-off the System and attempt
to Sign-on using an incorrect password. The System will display the Message
“System unavailable at present time.”
☞ You can customize your messages in the First-level message text field. Other
possible messages include:
“Sign-on information is not correct.”
“Sign-on not correct.”
☞ Note you can customize literally any IBM System message if so inclined.
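The two CHGMSGD changes above, as commands rather than prompted screens, together with a before-and-after display of the message text. This is an added example, not from the original guide or from IBM. CPF1120 is the message shown when the user profile does not exist, so changing both to the same text is what removes the difference the hacker is looking for. Two practical points: capture the original text first so it can be restored, and note that QCPFMSG in QSYS is an IBM-supplied object that is replaced at a release upgrade, so keep the commands and reapply them afterwards.

```cl
/* SGNMSG - added example: the sign-on message changes above as          */
/* commands, recording the shipped text before it is replaced.           */
PGM
  /* Before: print the original first-level text of both messages so    */
  /* it can be restored later or after a release upgrade                 */
  DSPMSGD RANGE(CPF1107 CPF1120) MSGF(QSYS/QCPFMSG) OUTPUT(*PRINT)
  /* Wrong password (CPF1107) and unknown user (CPF1120) now read alike */
  CHGMSGD MSGID(CPF1107) MSGF(QSYS/QCPFMSG) +
          MSG('System unavailable at present time')
  CHGMSGD MSGID(CPF1120) MSGF(QSYS/QCPFMSG) +
          MSG('System unavailable at present time')
  /* After: verify the new text on the screen                            */
  DSPMSGD RANGE(CPF1107 CPF1120) MSGF(QSYS/QCPFMSG)
ENDPGM
```

Step 5 above (sign off and try a wrong password) remains the real test, and trying a user name that does not exist should now give the identical response.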
Monitoring Sign-On and Password Activity
? What does this option do?
☞ This option permits you to monitor Sign-on and Password activity.
? Why should this option be run?
☞ Run this report regularly to monitor unsuccessful sign-on attempts.
☞ Someone who is trying to break into your system may be aware that your system
takes action after a certain number of unsuccessful attempts. Each night the
would-