Partner TechTip: What's the Big Deal About File Shares?


What Is a File Share?

A file share allows the directory it's associated with to be available from network interfaces. Think of your network as a long hallway. As you cruise down the hallway, most doors are closed, but a few doors are open (these are the file shares). If you show the guard your pass and it's valid (this is your i5/OS user profile and password), you're allowed to enter a closed door off the hallway. Sometimes, only you can open a certain door, and once it's opened, there's very little to see. (This is an example of a file share for a directory that has no subdirectories and contains only objects you or your group are allowed to work with.) However, on occasion, you may enter a door that takes you through a vast labyrinth of rooms and other hallways with wide-open doors for all to walk through. You may be amazed at the wealth contained in each of the rooms. (This is an example of a file share that's been assigned to the root ('/') directory.) Once the root directory is shared, the QSYS.LIB file system is shared. What does that mean? That means that, assuming you have sufficient i5/OS authority, all libraries are available through your network, including the database files in those libraries. Imagine the "wealth" of information stored in those files!

File shares are often used to enable drive mapping. In the Windows world, shares are commonly defined for this purpose so that files and documents can be shared. The same can be implemented in the IFS. Imagine what is available to you—and every other user on the system—if you map a drive to root and the object authority of all libraries and files is at least *USE. All database files are now available through a Windows Explorer session.

Using Risk Assessor to Examine File Shares

With the SkyView Risk Assessor product, the SKYSHARES report lists all of the file shares, the directory they're assigned to, and whether they've been defined as read-only or read/write. The QPSECPVT report lists the public authority of root ('/') as well as the root's subdirectories so that you can determine the level of risk the file shares pose to your system. Risk Assessor also provides advice for controlling who can create and modify file shares. Finally, Risk Assessor lists whether a guest profile has been defined, which allows access to the system without an i5/OS profile and password.

Using Policy Minder to Manage File Shares

Policy Minder allows you to define which file shares your policy allows on each system. Initializing the File Share category will gather the shares currently on the system and define those as your initial policy. You can analyze that list and determine whether any shares need to be removed from the system. Then, when you run a compliance check on the File Share category, the category will be out of compliance if new file shares have been created or an existing file share has been removed from the system. This compliance check automates the process of managing file shares on your system.

In addition, you can use the Directory Authority category to automate the process of checking the authorities and ownership of IFS directories and files, ensuring those settings remain in compliance with your organization's policies.
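The baseline-and-compare check described above, together with the root-share exposure from the first section, can be sketched as follows. This is an added example, not SkyView code; the share names, paths, authority values and the "changed" and risk-rating logic are assumptions that go slightly beyond the added/removed check the article describes.

```python
# Added illustration, not SkyView code. Share data and names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Share:
    name: str
    path: str         # IFS directory the share is assigned to
    read_write: bool  # False means the share is read-only

# Assumed *PUBLIC data authorities that permit writing to a directory.
WRITE_AUTHORITIES = {"*RWX", "*RW", "*WX", "*W"}

def exposes_libraries(path):
    """True when the share sits on '/' or on QSYS.LIB, so libraries are reachable."""
    p = "/" + path.strip("/").upper()
    return p in ("/", "/QSYS.LIB") or p.startswith("/QSYS.LIB/")

def drift(baseline, current):
    """Compare current shares to the policy baseline, keyed by share name."""
    base = {s.name: s for s in baseline}
    cur = {s.name: s for s in current}
    out = []
    for name in sorted(base.keys() | cur.keys()):
        if name not in base:
            out.append((name, "added"))
        elif name not in cur:
            out.append((name, "removed"))
        elif base[name] != cur[name]:
            out.append((name, "changed"))  # path or read/write mode differs
    return out

def risk(share, public_authority):
    """Rate one share from its path, its mode and the directory's *PUBLIC authority."""
    if exposes_libraries(share.path):
        return "high"
    pub = public_authority.get(share.path)  # None: authority was not collected
    if share.read_write and (pub is None or pub in WRITE_AUTHORITIES):
        return "medium"
    return "low"

BASELINE = [Share("REPORTS", "/home/reports", False),
            Share("PAYDOCS", "/payroll/docs", False)]
CURRENT = [Share("REPORTS", "/home/reports", True),
           Share("ROOT", "/", True),
           Share("SCRATCH", "/tmp/scratch", True)]
PUBLIC_AUTHORITY = {"/": "*RWX", "/home/reports": "*RX", "/tmp/scratch": "*RWX"}

if __name__ == "__main__":
    print(drift(BASELINE, CURRENT))
    print({s.name: risk(s, PUBLIC_AUTHORITY) for s in CURRENT})
```
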

File shares are not inherently a security risk, but they can be if they are assigned to the wrong directory or if the object-level security for the directory or library is not appropriate for its contents. Make sure you are using the features of the SkyView products to automate the checking of file shares and other policy settings.

Carol Woodbury

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

