Express Client Security Comes in Threes


Pythagoras considered three the perfect number because it embraces the concept of beginning, middle, and end. Similarly, the world is threefold (earth, sea, and air), and the Kingdom of Nature contains three elements (animal, vegetable, and mineral). And now, the new Client Access Express for Windows (Express client) offers three ways to control security: installation security, connectivity security, and Windows system policy security. Although somewhat inelegant, these security enhancements will pleasantly surprise shops moving to Express client.

Installation Security

While the Windows 95/NT client offers customized installation, Express client goes much further. Both clients allow Operations Navigator (OpsNav) installation by function. Express client, however, contains custom installation options that allow you to bypass installation of such “dangerous” components as these:

• Incoming remote command and the directory update features

• Microsoft Excel add-in support, ODBC support, and OLE DB support in the Data Transfer function

• The Visual Basic wizards in the Client Access toolkit

With the Windows 95/NT client, these features were either installed automatically or installed as part of a larger group. You couldn’t bypass installation. Many users are now comfortable with extracting data using these common techniques, so you can shore up security simply by not giving them the tools.

Connectivity Security

In Express client, connection sign-on information is defined through OpsNav; in the Windows 95/NT client, it is defined through your NS/Router or AS/400 Connections entry. In both Express client and the Windows 95/NT client, you define sign-on information for each individual AS/400 connection, but you can tell your Express client applications to use one of three sign-on options when making an AS/400 connection:

• Use the user’s Windows login name and password every time the user wants to sign on to that AS/400.

• Use a default AS/400 user ID that you specify in a field on the Express client system connection properties screen.

• Have the Express client prompt you for an AS/400 user ID and password every time you start an Express client program.

By providing three sign-on options (there’s that number, again), Express client allows you to tailor your security scheme to your network. For PCs that have a Windows NT server and an AS/400, you can maintain identical user IDs and passwords so your users can use their Windows desktop login password to reach the AS/400. For PCs that do the majority of processing on a Windows NT server (AS/400 access being limited to a few generic user IDs), you can specify a default AS/400 user ID that must be used for any Express client program. Finally, for PCs that have multiple users who need to run different Express client applications under different AS/400 profiles, you can require Express client to prompt you for an AS/400 user ID and password every time it opens up a program.

To set Express client connection properties, right-click on your AS/400 connection icon in OpsNav, select Properties from the pop-up menu, and select the Connections tab.

Windows System Policy Security

The V3R2M0 Windows 95/NT client introduced Microsoft system policy template support, but policy support really blossoms with Express client. Microsoft’s system policy technology allows you to restrict access to Windows or application program features. With policy files, you can restrict specific program features by individual Windows users, computer name, or membership in a Novell NetWare or Windows NT server group. Furthermore, you can store policy restrictions in a centralized policy file that can be downloaded to any Windows desktop so that Express client restrictions follow users around the network wherever they log in.

With Express client, IBM has dramatically increased the number of Client Access features you can lock down. The new Express client policy templates include these restrictions:

• Configuration restrictions to restrict incoming remote commands, password caching, and service pack checking.

• Communication restrictions to specify forced AS/400 connection properties.
• Installation restrictions to prevent specific users from installing certain Express client components.

• Runtime restrictions to prevent data transfer to and from your AS/400, restrict OLE and ODBC usage, prevent PC5250 configuration, and limit the number of PC5250 sessions a user can start.

System policy support allows you to restrict Express client usage across your network, enabling you to configure Express client program access from a central location. (For more, see “Express Client’s Souped-up System Policy Templates,” AS/400 Network Expert Web Edition, May/, www.midrangecomputing.com/ane/99/05.)

What Three Wise Men Might Say

Lost in the V4R4 announcement, this triad of Express client security enhancements has gone relatively unpublicized. In addition to stabilizing your Windows desktop, Express client can also stabilize aspects of your AS/400 security. So consider that if you need other reasons to start experimenting with Express client.
