Security Patrol discusses security topics and implementation tips and answers your security questions. I welcome questions, recommendations, and suggestions for security topics you would like discussed in detail. You can submit your correspondence through MC-BBS at 619-931-9909; by E-mail at
-Wayne O. Evans, chief of security
Rather than answering user questions, I am devoting this month's column to reviewing a new security application that IBM is offering at no charge. IBM has just released Security ToolKit OS/400 as a PRPQ. The Security ToolKit, which has many long-awaited features, is available for releases V2R3, V3R1, and V3R6. (The V2R3 version also runs on V3R0M5.) I'll give you the ordering details later in this column, but first I want to summarize the Security ToolKit's features.
The Security ToolKit is a group of commands and menus that simplifies managing user profiles. These are some examples of what the product will allow you to do:
o Enable profiles to be active for certain times of the day or specific days of the week.
o Automatically disable user profiles that have been inactive for a specified number of days. (Specific user profiles can be exempt from being disabled.)
o Schedule removal or disabling of user profiles.
The IBM manual Tips and Tools for Securing Your AS/400 is intended for use with the Security ToolKit. The manual, which includes valuable information even for installations that elect not to install the Security ToolKit, contains a step-by-step security setup process, including recommended settings for system values. Three chapters in particular offer useful information on securing different communications environments:
o "Tips for Securing APPC"
This chapter explains the security implications of starting Advanced Program-to-Program Communications (APPC) communications jobs. It also explains the use of single session (SNGSSN) to prevent piggy-backing and the relationship between Secure Location (SECURELOC) and default user when starting communications jobs. Using location password (LOCPWD) is recommended.
o "Tips for Securing TCP/IP"
The chapter on TCP/IP communications is a "must read" for installations that are using this support. Setting up TCP/IP security is one of the more complex setup procedures. This chapter provides detailed steps for preventing TCP/IP applications from running on your system and for protecting system resources if you allow TCP/IP.
o "Tips for Securing PC Access"
This chapter mentions using the network attributes and the exit program registration facility, but it doesn't outline detailed, step-by-step procedures.
The "Protecting Your System from Devious and Determined Users" chapter also provides useful recommendations.
The Security ToolKit allows customers to generate several user-security reports. You can submit these reports to batch or to the job scheduler.
o You can select a report of objects authorized to *PUBLIC by either library or object type. An option allows you to see the changes to object authority.
o You can use the report of authorization lists to show all the authorization lists in one report.
o The user profile information report has columns for special authority, group profiles, user class, and limited capability parameters. This makes it easy to scan for these parameters and greatly simplifies reviewing all user profiles.
o The report of programs that adopt authority for a user is similar to the Display Program Adopt (DSPPGMADP) command output. Once you have established a base of information, you can print changes only. This allows you to see new programs that adopt authority or programs that have been modified to adopt authority since you last ran the report.
o The trigger program report lists all the trigger programs in a specific library or all libraries.
IBM will distribute the Security ToolKit with all V3R1 and V3R6 orders processed after March 8, 1996. If you have already installed these releases or are running V2R3 or V3R0M5, you will want to contact IBM and order your system's Security ToolKit as well as the prerequisite PTFs corresponding to your system release (see 1).
IBM will distribute the Security ToolKit with all V3R1 and V3R6 orders processed after March 8, 1996. If you have already installed these releases or are running V2R3 or V3R0M5, you will want to contact IBM and order your system's Security ToolKit as well as the prerequisite PTFs corresponding to your system release (see Figure 1).
REFERENCE
Tips and Tools for Securing Your AS/400 (GC41-0615).
LATEST COMMENTS
MC Press Online