c4153006-TIPS

Click here to load reader

  • date post

    26-Aug-2014
  • Category

    Documents

  • view

    194
  • download

    10

Embed Size (px)

Transcript of c4153006-TIPS

ERserveriSeries

Tips and Tools for Securing Your iSeriesVersion 5SC41-5300-06

ERserveriSeries

Tips and Tools for Securing Your iSeriesVersion 5SC41-5300-06

Note Before using this information and the product it supports, be sure to read the information in the Security Basic articles found on-line in the Information Center. The Internet URL address is http://www.ibm.com/eserver/iseries/infocenter.

Seventh Edition (August 2002)

| This edition replaces SC41-5300-05. This edition applies only to V4R5 and subsequent versions of OS/400. Copyright International Business Machines Corporation 1996, 2002. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

ContentsFigures . . . . . . . . . . . . . . vii Tables . . . . . . . . . . . . . . . ix About Tips and Tools for Securing your iSeries (SC41-5300-06) . . . . . . . . xiWho should read this book . . . . How to use this information. . . . Prerequisite and related information . iSeries Navigator . . . . . . . How to send your comments . . . . . . . . . . . . . . . . . . . . . . . . xi . xii . xii . xiii . xiii Operate Security Tools securely. . . . . . Avoid file conflicts . . . . . . . . . . Save Security Tools . . . . . . . . . . Commands and menus for security commands Security Tools menu options . . . . . . Use the Security Batch menu . . . . . Commands for customizing security . . . Values set by the Configure System Security command . . . . . . . . . . . . Functions of the Revoke Public Authority command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 33 34 34 34 36 41

. 42 . 44

Part 1. Whats new for V5R2 . . . . . 1| Chapter 1. iSeries security | enhancements . . . . . . . . . . . . 3

Part 3. Advanced iSeries security

47

Chapter 6. Protect information assets with object authority . . . . . . . . . 49Object authority enforcement . . . . . . . . Menu security . . . . . . . . . . . . . Limitations of menu access control . . . . . Enhance menu access control with object security Example: Set up a transition environment . . . Use library security to complement menu security. . . . . . . . . . . . . . . Configure object ownership . . . . . . . . . Object authority to system commands and programs Audit security functions . . . . . . . . . . Analyze user profiles . . . . . . . . . . Analyze object authorities . . . . . . . . Check for altered objects . . . . . . . . . Analyze programs that adopt authority . . . . Manage the audit journal and journal receivers 49 49 50 50 51 53 53 53 54 54 56 56 57 57

Part 2. Basic iSeries security . . . . 5Chapter 2. Basic elements of iSeries security . . . . . . . . . . . . . . . 7Security levels . . . . . . . . . . Global settings. . . . . . . . . . User profiles . . . . . . . . . . Group profiles . . . . . . . . . . Resource security . . . . . . . . . Limit access to program function . . . Security audits . . . . . . . . . Example: System security attributes report . . . . . . . . . . . . . . . . . . . . . . . . 7 8 8 9 9 9 . 11 . 11 . . . . . .

Chapter 3. iSeries Security Wizard and Security Advisor . . . . . . . . . . 15Security Wizard . Security Advisor. . . . . . . . . . . . . . . . . . . . . . . . 15 . 17

Chapter 7. Manage authority . . . . . 59Monitor public authority to objects . . Manage authority for new objects . . . Monitor authorization lists . . . . . Use authorization lists . . . . . . Accessing Policies in iSeries Navigator Monitor private authority to objects . . Monitor access to output and job queues Monitor special authorities . . . . . Monitor user environments . . . . . Manage service tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 60 60 61 62 63 63 64 65 66

Chapter 4. Control interactive sign-onSet password rules . . . . . . . Password levels . . . . . . . . Plan password level changes . . Change known passwords . . . . Set sign-on values . . . . . . . Change sign-on error messages . . . Schedule availability of user profiles . Remove inactive user profiles . . . Disable user profiles automatically Remove user profiles automatically Avoid default passwords . . . . . Monitor sign-on and password activity Store password information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1919 20 20 25 26 27 28 29 29 29 30 30 31

Chapter 8. Use logical partitions security (LPAR) . . . . . . . . . . . 69Manage security for logical partitions. . . . . . 70

Chapter 9. iSeries Operations ConsoleOperations Console security overview Console device authentication . . User authentication . . . . . . Data privacy . . . . . . . . Data integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7172 72 72 72 73

Chapter 5. Configure the iSeries to use Security Tools . . . . . . . . . . . 33 Copyright IBM Corp. 1996, 2002

iii

Use Operations Console with LAN connectivity . . 73 Protect Operations Console with LAN connectivity 73 Use the Operations Console setup wizard . . . . 73

Chapter 13. Secure APPC communications . . . . . . . . . . 109APPC Terminology . . . . . . . . . . Basic elements of APPC communications . . . Example: A basic APPC session . . . . . . Restrict APPC sessions . . . . . . . . APPC user access to the target system . . . . System methods for sending information about a user . . . . . . . . . . . . . . Options for dividing network security responsibility . . . . . . . . . . . Target system assignment of user profiles for jobs Display station passthrough options . . . . . Avoid unexpected device assignments . . . . Control remote commands and batch jobs . . . Evaluate your APPC configuration . . . . . Relevant parameters for APPC devices . . . Parameters for APPC controllers . . . . . Parameters for line descriptions . . . . . . . . . . 109 110 110 110 111

Chapter 10. Detect suspicious programs . . . . . . . . . . . . . 75Protect against computer viruses . . . . . Monitor usage of adopted authority . . . . Limit the use of adopted authority . . . . Prevent new programs from using adopted authority . . . . . . . . . . . . Monitor usage of trigger programs . . . . Check for hidden programs . . . . . . . Evaluate registered exit programs . . . . . Check scheduled programs . . . . . . . Restrict Save and Restore capability . . . . Check for user objects in protected libraries . . . . . . . . . . . . 75 . 77 . 77 . . . . . . . 78 80 81 82 83 83 84

. 111 . 112 113 . 114 . 116 . 116 . 116 . 117 . 119 . 120

Chapter 11. Prevent and detect hacking attempts . . . . . . . . . . . . . . 85Physical security. . . . . . . . . . Monitor user profile activity . . . . . . Object signing . . . . . . . . . . Monitor subsystem descriptions . . . . Autostart job entries . . . . . . . . Workstation names and workstation types . Job queue entries . . . . . . . . . Routing entries . . . . . . . . . . Communications entries and remote location Prestart job entries . . . . . . . . . Jobs and job descriptions . . . . . . . Architected transaction program names . . Architected TPN requests. . . . . . Methods for Monitoring Security Events. . . . . . . . . . . . . . . . . . . . . . . . . . names . . . . . . . . . . . . . . . 85 85 86 87 87 88 88 88 88 89 89 90 91 92

Chapter 14. Secure TCP/IP communications . . . . . . . . . . 121Prevent TCP/IP processing . . . . . . . . TCP/IP security components . . . . . . . Use packet rules to secure TCP/IP traffic . . HTTP proxy server . . . . . . . . . Virtual Private Networking (VPN) . . . . Secure Sockets Layer (SSL) . . . . . . . Secure your TCP/IP environment . . . . . Control which TCP/IP servers start automatically . . . . . . . . . . . Security considerations for using SLIP . . . . Control dial-in SLIP connections . . . . . Control dial-out sessions . . . . . . . Security considerations for point-to-point protocol Security considerations for using Bootstrap Protocol server . . . . . . . . . . . . Prevent BOOTP Access . . . . . . . . Secure the BOOTP server . . . . . . . Security considerations for using DHCP server . Prevent DHCP access. . . . . . . . . Secure the DHCP server . . . . . . . . Security considerations for using TFTP server . Prevent TFTP access . . . . . . . . . Secure the TFTP server . . . . . . . . Security considerations for using REXEC server Prevent REXEC access . . . . . . . . Secure the REXEC server . . . . . . . Security considerations for using RouteD . . . Security considerations for using DNS server . . Prevent DNS access . . . . . . . . . Secure the DNS server . . . . . . . . Security considerations for using HTTP server for iSeries . . . . . . . . . . . . . . . Prevent HTTP access . . . . . . . . . Control access to the HTTP server . . . . Security considerations for using SSL with IBM HTTP Server for iSeries . . . . . . . . Security considerations for LDAP . . . . . Security considerations for LPD . . . . . . . . . . . . . . . . . 121 121 122 122 122 123 123 124 125 126 128 129 130 130 131 131 132 132 133 133 134 135 135 135 136 136 136 137

| |

Part 4. Applications and network communications . . . . . . . . . . 95Chapter 12. Use Integrated File System to secure files . . . . . . . . . . . 97The Integrated File System approach to security . . 97 Root (/), QOpenSys, and user-defined file systems 99 How authority works . . . . . . . . . . 99 Print private authorities objects (PRTPVTAUT) command . . . . . . . . . . . . . . 101 Print publicly authorized objects (PRTPUBAUT) command . . . . . . . . . . . . . . 102 Restrict access to the QSYS.LIB file system . . . 103 Secure directories . . . . . . . . . . . . 104 Security for new objects . . . . . . . . . . 104 Use the Create Directory co