New Year. New Budget. It’s the time many companies decide to start a security project. However, there’s often a lack of clear direction regarding the tasks and priorities of securing your IBM i system.
Sometimes, there are known vulnerabilities that clearly need to be mitigated as soon as possible—such as application users running with *ALLOBJ special authority. But, often there isn’t a thorough understanding of what’s wrong with a server’s configuration or what should be addressed first.
One approach to this problem is to hire a security consultant to perform a full audit of the environment and map out the priority of the resolutions. Unfortunately, the number of professionals that truly understand IBM i security is small; the number that you can hire to perform a good quality audit is even smaller. As a result, those professionals typically are very busy and command a premium fee for their services.
Scan Your System Security in Just Minutes
A better option is to start with the HelpSystems Security Scan, a unique tool that can scan an IBM i server in less than 10 minutes and display the results in a dynamic browser-based application. When I contract with customers to perform a deep-dive audit, I always start with this scan so I know something about the environment I’m walking into. It also helps them justify the expense of the full audit.
The scan runs from a networked PC and requires the Adobe Flash plug-in, Java runtime environment (JRE), and TCP access to your server running IBM i. A PowerTech security consultant helps you interpret the findings. And, you can rerun the scan multiple times over a 7-day period, against any partitions you like, allowing you to make changes to your setup and test the effect of your changes.
Six Areas of Configuration
The Security Scan reviews six critical areas of configuration, including:
The most influential components of IBM i configuration are found in a number of system values. The most important ones for security, such as the server’s master security level (QSECURITY), are compared to best practices to ensure you’re building on a solid foundation.
Users often have access to data through powerful desktop tools like FTP, ODBC, and remote command. IBM included more than 30 hooks (exit points) in the operating system to allow programs to verify the authenticity of requests originating from these tools. We check to see if any programs are being used to provide protection.
A user profile is the most important control between an end-user and the application data. Correctly configuring and maintaining profiles is critical to ensuring user credentials are not compromised. Reviewing numerous problem areas such as profile inactivity, default passwords, and public accessibility helps ensure those profiles are as strong as they can be.
Users who have permission to use a command line or to run tools like Excel often can access data without going through the approved application. IBM i has a unique authority called *PUBLIC that applies to all users that aren’t explicitly granted or denied access. This section determines if *PUBLIC access to your application libraries has been secured (see Figure 1).
Figure 1: The Public Authority section shows user access to system libraries.
IBM i contains powerful auditing features—once they’re correctly activated. Often this is not the case, or the events being collected are insufficient. Verification of the configuration can provide peace of mind that you have a comprehensive log of events. The assessment also checks if the system has a log reporting tool installed to provide forensic analysis of the logged data.
A common vulnerability is overly powerful users. Administrative rights—known as special authorities—often are granted to users without business justification. Reviewing the assignment of these authorities can ensure that there are no surprises when someone uses an authority they don’t understand (see Figure 2).
Figure 2: The Admin Rights section shows how may users have special authorities.
After analyzing the results, you can review the recommended steps to remediate the vulnerabilities. Or, simply ask the PowerTech security expert how our comprehensive suite of solutions can help.
The Security Scan is a great starting point for any security project. Isn’t it time you learned the current state of security on your servers?