Password Levels

By Rich Loeber

Ever since the introduction of IBM i/OS V5R1, a system value for “Password Level” has been available (QPWDLVL).  This value lets you have control over the kinds of passwords you use on your system and how the system treats them.  Using the features provided through this value, you can implement passwords of up to 128 characters in length.

Why would anyone ever want to have a password that long?  I asked myself that very question, but when I started looking into the issue, some things jumped out at me that make perfect sense.  With a long password, you can implement a “pass phrase” rather than a password.  The implementation of the long passwords allows for case sensitive passwords and will accept embedded blanks and every character on the keyboard.  This complexity in your password can easily increase the difficulty for people trying to break into your system.

The system value that controls this is QPWDLVL and it can have the following settings:

“0″ – the default setting which sets up 10 character passwords and is what you are probably used to now if you’ve been working with the IBM i system for some time.

“1″ – uses the same 10 character passwords, but the IBM i/OS NetServer passwords for Windows Network Neighborhood access are not kept on the system.  If your system does not communicate with any Win-X machines using Network Neighborhood, you might want to consider this.

“2″ – allows you to have passwords of up to 128 characters that are comprised of any character on the keyboard, are case sensitive and may contain blanks (but not all blanks).

“3″ – implements the same level “2″ passwords but adds the restriction on Windows Network Neighborhood that level “1″ includes.

If I were implementing a new system, I’d seriously consider adopting level “2″ as a standard right from the get go.  But, most of you out there in IBMiLand have an embedded culture of 10 character passwords with specific rules in place that you have your users well trained for.  The good news is that you can move to a new password level as long as you do a little planning in advance.

Moving from level “0″ to level “1″ is pretty simple and does not require much planning.  This will simply eliminate the storage of another set of encrypted passwords on your system.  Moving from level “0″ or “1″ to a higher level should take some planning before you take the plunge.

One of the nice things is that whenever you create a new profile, the IBM i/OS creates the associated level “2″ and level “3″ passwords just in case you want to move to the higher password level.  So, the codes are already there on your system.  The possible downside is that embedded code and certain client software may not get along with the longer passwords.  Consequently, if you decide to make this change, you really should get a full backup of your current security profiles and passwords using the SAVSECDTA command.  This way, if things go south on you, you can recover back to where you are now quite easily.  You can use the DSPAUTUSR command to check your profiles for users with passwords that will not work at the higher levels.  There is a good, comprehensive discussion on how to move to a higher password level in the IBM i/OS manuals “Planning and setting up system security” or “Security Reference” that you should also take a close look at.

If you have any questions about anything in this tip, just ask me and I’ll give you my best shot.  My email address is rich at kisco.com.  All email will be answered.

Testing User Profiles

By Rich Loeber

If you’re reading this, you’re probably either a Security Officer or working in the security group in your IBM i shop.  I’ll bet, however, that you didn’t start your career in the security area, but worked your way into your current position, starting as a programmer or a database administrator or some other related field.  In your earlier positions, I’m sure you learned a lot of principals about testing.  Don’t let this fall by the wayside in your current position.  Security testing is just as important as application testing.

Today, we’ll take a look at testing your user profiles.  In future articles, I’ll also be taking a look at other testing regimens for your security setup.

The best time to test a user profile is when you initially create it.  If, however, you have never tested your user profiles, you may want to tackle a project to get the profiles on your system tested on a periodic basis to make sure that they conform to your security objectives.  This article will assume that you have your user profiles organized into groups with group profiles active.

As with all testing, the objective is to check and make sure that the security setup for a user profile (or group) is meeting the objectives you designed.  To do this with a new profile, make sure that you set the password to a temporary code and that the PWDEXP parameter for the profile is set to *YES.  Using this method, the system will allow a single signon with the temporary password and then prompt you during signon to change your password immediately.  When you signon to test the profile, you can then change the password to the user’s final password or to another temporary code.  If you do assign a new temporary code, you’ll have to set the PWDEXP back to *YES when you’re all done.

The first thing to check on any new profile is to make sure that the signon completes successfully.  If it fails, look in the special QEZJOBLOG output queue for a joblog for the failed logon session.  It is amazing what a joblog can tell you about failures on your system and a close examination of the joblog starting from the top should reveal any problems that have happened to cause the logon process to fail.  Typical problems you will encounter include missing or misspelled library names, incorrect initial menu names and incorrect initial program references.

Once you’ve signed on correctly, then you should exercise the profile to make sure that it meets your objectives.  Ask yourself the following questions as you work with the new profile:

  • Is the right menu displayed?
  • Does the user have access to the command line?  If yes, should they?
  • If an initial program was called for, did it execute correctly?
  • What happens when you press the Attention key function?  Is it what you want the user to see?
  • Where is printed output going for the session?  Is this where you wanted it to go?
  • What happens when you attempt to run the application or applications that this user should be using?
  • Are there any system tasks that the user should be able to run?  Can they?
  • Are there specific functions that the user should be barred from?  Can you access them?
  • Can the user access their printed output spool file?  Do they have access to view other user’s spool files?  Should they?
  • Check the user’s desktop environment for remote access tools.  Using the user profile, can the user access data on your system that they are not authorized for?

Make notes for yourself on any issues uncovered, then go back and make any changes that need to be done to bring the profile or group into compliance with your security objectives.  If you detect any problems, be sure to repeat the test until everything is OK.  At that point, you can turn the profile over to the user.

If you have never tested or audited your current profiles, you can use this same method but you will have to warn the users that you are doing a review.  You can use the PWDEXP parameter on the user profile to help with this testing.  Change the user’s password to a temporary code for your testing logon.  Once you’ve completed your test, change the PWDEXP parameter to *YES and set a temporary code that you’ve already told your user about.  Then, the next time they log on to your system, the IBM i OS will ask them for a new password and they’re back in business with little interruption to their daily job tasks.

If you have any questions about anything in this tip, just ask me and I’ll give you my best shot.  My email address is rich at kisco.com.  All email will be answered.

Limiting When A User Profile Can Be Used

By Rich Loeber

Each user profile on your system is a window, of sorts, into the computing environment for your business.  Some profiles have a very narrow and limited view while others have a panoramic scene before them.  Some profiles can only look while others are allowed to look, pick things up, move them around, make changes and even throw them away.  Some only have access to a single library while others, perhaps even you, have the keys to the Kingdom.

As a security officer, you’ve probably given this a lot of thought already and you already have your profiles set up with the exact permissions necessary.  Users are allowed enough access to fulfill their job descriptions but not so much that they can wreak havoc for your organization either accidentally or intentionally.  And, to a large extent, your trust of the person behind the profile plays a large roll in how much access you give them to your system.

Problems come up, however, when a profile is compromised and is used by someone other than the assigned person.  When this happens to a profile that has the panoramic view of your system, real trouble can ensue.

The IBM i OS on your IBM i system has a nice little feature that can give you improved control in the event of a compromised profile.  This feature, the Activation Schedule, lets you specifically tell the system what days and what hours in the day that a profile can be used.  If a user profile is compromised, the chances are very good that the incorrect use will be attempted during off hours.  If the profile in question has been posted to the system Activation Schedule, the profile will not be available for use during the off-hours time frame.  This extends not only to terminal session signon but to all server activity, such as FTP, the system file server, etc.

There are two commands that you use to maintain the system Activation Schedule.  The “Change activation schedule entry” command (CHGACTSCDE) is the main command for maintaining the schedule.  This lets you add a user profile to the list or change a profile that is already on the list.  Once a profile is on the list, a message will be sent to the user profile that established the entry each time the profile is activated and deactivated.  When you create the entry, you specify the time of day when you want the profile available for use.  The system will activate the profile at the given time and then automatically deactivate it at the closing time that you enter.  You can specify this time for all days of the week or for given days of the week.

The other command that can help you with this is the “Display activation schedule” command (DSPACTSCD).  This command lets you review how your Activation Schedule is set up.  You can look at it interactively or create a report of the schedule.

When you first set this up, nothing will happen right away, so be prepared for that.  The system will post jobs into the IBM i system job scheduler to do the actual activation and deactivation.  The next time one of the time of day thresholds is passed, the activity to activate and/or deactivate users will start and you will begin to receive status messages from the system.

Using this feature of the IBM i OS, you can close the window of opportunity when a compromised profile can be used and make it more difficult for mischief makers to do their thing on your system.  One thing to keep in mind, if you adopt this process, is that you may need to make special arrangements when your users work a different schedule than normal, such as overtime work.  During these times, you may have to update the Activation Schedule to accommodate different work hours.

If you have any questions about anything in this tip, just ask me and I’ll give you my best shot.  My email address is rich at kisco.com.  All email will be answered.

IBM i Password Rules

By Rich Loeber

The first line of defense for most systems is the combination of user profile and password.  For most IBM i shops that I’ve worked in, once you know one user profile, you can usually guess most of the rest of the user profiles.  Different shops use different approaches, but they all seem to key off the user’s name or initials.  Some shops may use a more obscure method, but that only tends to make support more difficult when you need to quickly identify the user based only on their profile name.

Given that guessing a user profile can be pretty easy, it makes it very important that passwords not fall into the category of being easy to guess.  For many years, the IBM i OS has provided tools to let you implement a variety of measures to help you with this goal.  This tip will look at some of these and point you in the direction where you can find even more.

The keys to knowing how to enforce password rules are found in the system values that are included in the IBM i OS.  The OS includes a whole set of system values that start with QPWDxxxxx.  Each of these can be used to do things like set the password expiration time period, limit specific characters in a password, limit adjacent characters and digits, enforce password length minimums and maximums, control how often a password can be reused and more.  My personal favorites in this of rules is to disallow any vowels in a password, disallow repeating characters and require at least one digit.  These simple rules go a very long way in forcing users to create passwords that are hard to guess.

With more recent releases of the IBM i OS, there are a wealth of new password options open to you.  These are all available under the system value of QPWDRULES (Password Rules).  This single system value can be set with a maximum of 23 different rules.  You can enforce all of the earlier rules that were available in earlier OS releases plus you can implement new rules.

If you like the way you’ve had things set up before, then you need to make sure that the QPWDRULES parameter is set to the value *PWDSYSVAL.  This will tell the OS to use the individual settings.

A word of warning at this point.  If you are planning on using any of the new values available to you, then you need to first document how each of the old QPWDxxxx system values is currently set.  Once you change the QPWDRULES to any value other than *PWDSYSVAL, then the older system values will all be ignored (with the exception of QPWDLVL which is always in force).  You must first make sure that the current settings you are using are duplicated within the new  QPWDRULES that you set up.

Some of the newer possibilities that I’ve seen that appeal to me include:

•    *LMTPRFNAME – when this is set, the user profile cannot appear as a string anywhere within the password.  For example, user profile JOHN cannot have a password of DOEJOHN.

•    *MIXCASEn – allows you to require that a password contain at least n upper case characters and n lower case characters.  This is only valid on systems running with a QPWDLVL setting of 2 or higher.  For example, if you specify *MIXCASE2, then the password A12bC45 is not valid because it is missing one lower case character.

•    *REQANY3 – requires that a password must contain at least one character from the four character types of uppercase letters, lowercase letters, digits and special characters.  For example, the password of ABCabcd is rejected since it does not contain any numbers or special characters.

For a complete list of all of the QPWDRULES options, go to the IBM i Information Center at the following link: http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i/welcome.  Select the IBMi OS version option and then enter the value QPWDRULES in the search box.  Look at the first article that comes up called “Password Rules” and you’ll find a complete list of the options.  Keep in mind that this is only available if you are running a currently supported OS level (6.1or higher).

If you have any questions about this topic, you can reach me at rich at kisco.com, I’ll give it my best shot.  All email messages will be answered.

Recovering Your IBM i Security Configuration

By Rich Loeber

I once worked, many years ago, with a company that had a disaster recovery plan in place and actually tested it once or twice.  The plan called for us to arrive at the recovery center and then, almost immediately, turn security on the recovery box OFF to make things easier during the recovery.  There was no corresponding step later in the recovery to reactivate security, so for the duration of any disaster, the backup system was exposed to security violations.  Now, to give them some credit, this was in the days before networks and the Internet, so their exposure was probably pretty limited.  In today’s world, however, when you have to switch over to a disaster recovery site, you will need to have your security plan in place and built into the recovery process.

To understand how best to do this, you first have to understand what the different security objects and settings are on your system along with how and where they are saved.

System values make up a large component of your security policy implementation.  The system values are all stored in the QSYS library.  They are saved when you run a SAVSYS, the “Entire system” or “System data only” options on the SAVE menu or when you save your entire system using the “Run Backup” (RUNBCKUP) command.  When you get to your recovery site and restore your OS from one of these, your system values will get restored in the process.  Keep in mind that these settings will be restored the way they existed when your SAVSYS was created.

User profiles, including group profiles, are also stored in the QSYS library and are saved when you save the OS.  Since these can change more frequently than the OS, you can also save them using the “Save Security Data” (SAVSECDTA) command.  When you restore your OS, you will get the profiles as they existed when that backup was taken.  If you have saved the the profiles separately, make sure that you restore them again as soon as the OS has been restored so that you get the most current set of passwords available.

Job Descriptions can also have an important affect on how jobs run and how security is enforced on your system.  IBM generally recommends that you create your job descriptions in the QGPL library where they keep theirs, but a job description can be created and stored in any library on your system, especially if you are running any third party software.  When you backup a library using the “Save Library” (SAVLIB) or “Save Object” (SAVOBJ) command, the job descriptions will travel along and will be restored when those libraries are restored.

Finally we get to your resource security setup.  This, by its very nature, is a bit more complicated than the above items, but certainly manageable.  The good news is that a lot of the resource security information is stored directly with the object.  This includes its public authority setting, its object audit setting, the profile of the object’s owner, the primary group and the link, if any, to an authorization list.  So, when you save the objects in your library, you will also be saving these security items.  The two resource security pieces that are not included are the authorization list itself and the private authority configuration.

All authorization lists are stored in the QSYS library.  They are saved when you save your OS and they are also saved when you run the SAVSECDTA command.  As with the user profiles already mentioned, these can change more dynamically than the OS, so having a separate SAVSECDTA is a good idea.  After you restore your OS, make sure to include a restore of your security data to get the most recent versions of your authorization lists.

Private authorities are also stored in the QSYS library and are included as a part of the user profile data.  So, when you save the most recent profile information, you are also saving the most recent private authorities.  When you recover your profiles, you are also recovering the private authorities.  But …. there is a catch.  After your system has been recovered, including the most recent profiles and ALL application libraries, you will also have to run the “Restore Authority” (RSTAUT) command for *ALL users.  This will restore the private authorities to objects and to authorization lists.  This is a step that can be overlooked with dire consequences as far as your security implementation is concerned.

There is more information about all of this in IBM’s Security Manual for the OS.  I recommend you review the manual for more details.

If you have any questions about anything included in this tip, you can reach me at rich at kisco dot com,  All email messages will be answered as quickly as possible.

How Much Security Is Too Much?

By Rich Loeber

Last time, I posed the question “Just how much security is enough security for your IBM i?”  This tip will explore the contrary thought of “Just how much security is too much?”.  Is there a point where security is just too much for your installation?

First, we need to admit that all security involves overhead expense.  If you are running security software features in the operating system, they take some computing resources to perform access validation routines.  When you run additional security validation, such as exit point processing, that adds more processing overhead.  When you require users to regularly change their passwords, that requires time every so often on the part of every user on the system to reset their password to a new value.  When someone has a problem during the normal course of their business day that ends up being related to security, this is additional overhead not only on the part of the end user but also by your support staff.  No matter how you look at it, good security costs money.

But, is there a point where you have too much security and the benefits are outweighed by the security protection deployed?  I think the answer is a clear yes, in certain circumstances.

Some time ago, I did a consulting gig for a large company located in North America.  This company had a very aggressive security implementation for outside vendors.  And, they apparently use a lot of outside vendors who need access to their network.  They had a complicated VPN installed which required a remote token generator be shipped to me.  When the token arrived, it included indecipherable instructions on how to gain access which ultimately did not work.  It was a long and drawn out process, but it ended up taking me three days and countless hours of trial and error with various members of their support desk team to get access to their system just to get started on a project that was behind schedule at the outset.  Once I got into their IBM i processor, I found that my profile had not been properly set up and there was a further delay in getting started.

In this case, the costs associated with the security implementation became excessive.  I was on the clock for this entire experience and the customer ended up paying dearly for this wasted time.  For this customer, I’d conclude that too much security was in place or that the security deployed was insufficiently funded.  The whole point was to provide a secure signon to their IBM i from a remote location, but the number of layers needed to get through was just too much.

When is there too much security?  One check is to see if normal business transactions are regularly stopped due to security checking.  If people in your organization can’t get their normal day-to-day work done due to security hurdles, then maybe there is too much security in place and a review of your setup is in order.

Another check is to see if your support costs are on budget or running way over.  If you’re spending significantly more money on support and that can be traced to security issues, that’s another red flag that something is quite wrong in your security environment.

I know that some of you security officers out there are going to cringe at this, but security is always a compromise between operating efficiency and data integrity.  You need to have a good balance, tempered by an honest assessment of what you’re protecting.

If you have any questions about this topic you can reach me at rich at kisco.com,  All email messages will be answered as quickly as possible.

How Much Security Is Enough?

By Rich Loeber

Just how much security is enough security for your IBM i?  This tip will explore this question and, hopefully, get you thinking about your own environment.

In the good old days, enough security meant that you had a lock on the computer room door and you actually used it.  Keeping people out of the computer room was all that was necessary.  Then along came CRTs and cabling started reaching outside the computer room environs and security became more of an issue.  Someone came up with the idea of requiring a CRT user to log into the system using a user identifier and a password.  With that little invention, things seemed to get back under control.  But, before long, along came PCs followed closely by client/server applications and then the Internet.  Now what do we do?

For many shops, a strict reliance on the user profile and password is still the watchword of the day.  But, is that enough given today’s technology?  I think not.  The problem with today’s networked environment is that you can never be absolutely certain who is at the other end of the line.

But, what is enough?  The concept of the Firewall has captured the hearts of many security officers to address this issue.  In fact, for many companies, the firewall is the be-all and end-all of their security plan.  “We’ve got a firewall in place!” …. case closed.  But, is that enough along with your user profile/password implementation?  Again, I think not.  Multiple studies of computer break-ins and data compromises reveal that fully half of all such incidents are inside jobs committed within the boundaries of the firewall “protection”.

What you really need is a multifaceted approach to security.  You need passwords, a firewall, and more.  In the old days, if the bad guy could get into the computer room, he could do some damage.  But, if you had multiple doors with multiple locks, it would take him longer to break in and you’d have a much better chance of catching him in the process.  In a way, today’s environment needs to be thought of in this same way.  Relying on a single security defense is just not enough today.  You have to deploy multiple defense strategies to be successful.

For your IBM i installation, this should include all of the security tools that are at your disposal.  It means implementing object security based on a coherent company-wide policy.  It means strictly limiting those profiles that have all object authority.  It means implementing exit point security with object level controls there as well.  It means controlling which IP addresses you are going to trust and allow access into your system.  It means having a good user profile and password maintenance plan in place with regular rotation of passwords.  It means quickly rescinding access rights for people who leave or change job assignments.  And the list goes on and on.

I suppose that it is a true statement that no computer system is 100% secure.  But, if you build enough fences that have to be climbed and add enough doors that have to be unlocked, the result will be as secure a system as is possible.  What you don’t want to do is make it easy, which unfortunately is all too common in today’s IT shops.

If you have any questions about this topic you can reach me at rich at kisco.com,  All email messages will be answered as quickly as possible.

Custom Password Validation Program

By Rich Loeber

While the IBM i operating system has very good features for controlling password selection, sometimes your password policy just can’t be enforced without additional checking.  You may have a list of reserved words that you specifically do not want anyone using as a password.  Or, you may have some very stringent requirements that are just not covered by the system values that control password assignment in IBM’s i/OS.

When this happens, the only solution is to code your own password validation routine.  This can be coded in any high level language.  The operating system passes four parameters to your program, one of which is a single character return code.  Once you’ve had a chance to complete your validation testing, just set the return code to the value you want and exit your program.  If you set the return code to zero (‘0′), then the operating system will assume that your password is acceptable and the password is updated.  The parameters passed are, in order, the new password, the old password, the return code and the user profile for a total of 31 characters.

To tell the operating system that you now have your own password validation program in place, you need to update the system value “Password validation program” (QPWDVLDPGM).  It is shipped from the factory set to *NONE.  To use your own program, just change this value to your program name and library name.  It is recommended that you store this program object in the QSYS library so that it is always saved when you backup your operating system.

Once your program is in place, test it to make sure that it is getting called.  Use the CHGPWD command and intentionally use a password that will cause your routine to fail.  You will see that a message is displayed indicating that the password rules are not met along with the value of the return code that you used.  By varying the return code for different situations, you can give your support team a heads up as to the exact reason for the password failure.  While you’re completing your testing, make sure that you process a valid password change to make sure that normal changes are not adversely affected by your new validation routine.

Registering your specific program with the QPWDVLDPGM system value will only work if you are using default 10 character user profiles and passwords.  If you are using the newer long passwords, then you will have to write an exit program and register it using the exit point registration facility.  If you take this path, then the QPWDVLDPGM system value must get set to the special setting of *REGFAC and the exit program is registered by the WRKREGINF command.  Beware, however, that the parameters for the exit point are very different.  There is a good example of the format needed for this exit program in the IBM security guide.

One thing to watch out for in this process is that the passwords, both old and new, are passed to your program without any encryption.  So, do not store any values received in a database file as this will compromise security on your system.  In fact, you should periodically check this system value to make sure that it does not change and that the program processing additional validation rules remains unchanged.  This could easily be abused on your system, so lock up the program object.

If you’d be interested in receiving a sample program for default 10 character password validation, I’ve written one just to test how this works on my system.  Let me know and I’ll send the program shell to you.  If you have any questions about this topic you can reach me at rich at kisco.com,  I’ll try to answer any questions you may have.  All email messages will be answered.

Strengthen Your Passwords

By Rich Loeber

Secure access to your system often starts with your user profile and password policy.  If you’ve been working in the IBM i world for any length of time, this is very familiar territory for you.  You may even have this task assigned to an underling who maintains your user profile base without any instruction or interaction from you.

Sign-on passwords are your first line of defense in your approach to security.  Your password policies are important tools in securing your system.  If you’ve been around a while, you may not be aware of the latest controls that are now available in IBM’s i/OS to help implement stronger password controls.  Over the years, additional controls have been implemented and strengthened.  This tip will review the system values that you can use to implement your password policy.

For starters, you should not have any permanently assigned passwords on your system.  While this is technically possible, it is NEVER recommended.  The system value QPWDEXPITV lets you enforce how often your users need to change their password to continue valid access to your system.  IBM recommends that you do this every 60 days.  Since users have to change their passwords often, some users may want to just alternate between two favorite passwords.  Another system value control in place is QPWDRQDDIF, which defines how many password iterations can go by before a password can be reused.  IBM recommends you set this to level 5 which will enforce 10 iterations.  I recommend a higher number to discourage this practice altogether.

To control how your password is constructed, you want to eliminate common words and names from use so that password guessing is ruled out.  One easy way to do this is to exclude all vowels from use in passwords, which can be done using the QPWDLMTCHR system value.  This lets you specify up to 10 characters (letters or numbers) that must be excluded from passwords.  By using the string “AEIOUY”, you will exclude all vowels from use in passwords.  One thing to note is that the QPWDLMTCHR is not enforced when you are using long passwords at password level 2 or 3 (QPWDLVL).  Another system value that controls password content is QPWDRQDDGT.  When this value is set to ‘1′, then each password must include at least one numeric digit, again making guesswork that much more difficult.

There are three more password system values that help to control password content.  QPWDLMTAJC lets you disallow repeated adjacent numerical digits in the password when the value is set to ‘1′.  Similarly, for characters, the QPWDLMTREP does the same function for alpha characters.  For this value, using ‘1′ will disallow the use of the same character anywhere within the password.  The value of ‘2′ will disallow consecutive use of the same character.  Lastly, the QPWDPOSDIF system value controls password changes.  When this value is set to ‘1′, a new password cannot have any character in the same position as the previous password.  This prevents the user from changing their password by just changing one or two characters.

Two system values control the minimum and maximum length of your passwords.  QPWDMINLEN defines the minimum number of characters required by your password.  IBM recommends a setting of 6, and I concur.  QPWDMAXLEN defines the maximum number of characters.  IBM recommends that you set this to 8, but I really don’t know why.  It depends on the type of passwords you are using as defined by the QPWDLVL setting.  Depending on how this is set, your system might support password lengths up to 128 characters of mixed case values (but that is a different discussion).

Lastly, if none of these settings will adequately implement your password policy, you can write your own exit program.  The system value QPWDVLDPGM will let you register your exit program.  When there is a program registered to this exit point, it will be called whenever a new user is added or when a password is changed.  Your program can do any additional validation testing, returning a pass/fail indicator to the exit point.

This seems like a lot to consider, but with the system values set properly, you can let the operating system enforce your password policies without a second thought.  You only have to set them up once and they will do the job faithfully from that point on.

If you have any questions about this topic you can reach me at rich at kisco.com,  I’ll try to answer any questions you may have.  All email messages will be answered.

The Case For Better User Profile Names

By Rich Loeber

Ever since I started working in an environment where I needed a user profile and password (yes, there was a time when these were foreign concepts), I have always used a simple profile based on my first name.  As I moved from System/34 to System/36 to AS/400 to iSeries to IBM i on PowerServer, I just kept that same simple profile name.

But …. no longer.  I am now a firm believer that first name profiles are a very bad idea.  There are several reasons for this change.

First, recent studies show that people are really bad about picking secure passwords.  Current studies show that, unbelievably, the most commonly used password is “password”!  Check this for a recent list of the most commonly used passwords.

Since people are so bad about choosing passwords, having a user profile that is easy to guess makes a scripted attack very possible.  In a scripted attack, a hacker attempts to gain access to your system by trying a typical user profile in combination with the list of commonly used passwords.  If your system has simple first name profiles, then it could be at risk.  Even if the hacker does not gain access to your system, they could easily end up disabling a lot of your user profiles because of multiple logon failures.

There are two ways that a scripted attack is normally mounted.  The most obvious is via FTP.  In the scripted attack, a series of logon attempts is done using an automated FTP client.  Common profiles are coupled with common passwords and repeatedly tried to see which combination works.  When a match is found, the profile/password is reported back to the hacker so they can explore further at their leisure.

On our IBM i test box, FTP scripted attacks are all stopped before they get to the point where a logon is run.  This is because we use our SafeNet/i exit point security software that only lets FTP connections in from known and trusted IP addresses.  We collect the profiles used, however, so we can report to you on the most commonly used profiles that we are seeing.  From these FTP attempts, the most common user profiles used are:

ADMINISTRA
ADMIN
TEST
ALAN
ALBERTO
ALEX
AMANDA
ANGELA
ANNA
ANONYMOUS

Since we are protected by SafeNet/i, we were not too worried about the few common user profiles we had until a recent attack resulted in two profiles being disabled.  We quickly turned to our exit point log, but there was no record of the activity.  We also checked the system log (DSPLOG) but nothing reported there shed any light on why the profiles, including my trusted personal profile, got shut down.  As a last attempt to discover what happened, we turned to the system security audit journal.  What we found there was an eye opener.

We run the POP server on our IBM i.  We use it, in combination with the SMTP server, for sending outbound email from the system with our WebReport/i software.  This lets us send email without depending on any other office servers.  What we discovered from the system audit journal was that another form of scripted attack was taking place under the covers on the system with no knowledge on our part.  A little research revealed that we were being subjected to what is known as a “Brute Force POP3 Attack”.  It is like an FTP scripted attack, but broader in scope.

An analysis of the T-PW records recorded in the security audit journal showed that over a one month period, more than 20,000 attempts had been made to log into POP3 accounts.  Fortunately for us, we were protected by quite a few other best practices for IBM i security, not the least of which is that we do not use the POP server on our IBM i for inbound mail, so none of the mailboxes actually exist.  That, however, does not stop the hacker from trying.  And, since people tend to use the same password in all places, a user profile/password combination found at the POP server level could easily be tried to gain access to the system by other means.  From our analysis of these break-in attempts via the POP server, the most common user profiles are:

ADMIN
INFO
DATA
TEST
ROOT
MARK
SERVER
MAIL
MARY
SUPPORT
ORACLE
GUEST
DANIEL
GEORGE
ALEX

By looking at these, it is clear that the hacker or hackers are not aware of the type of system that they are trying to access.  None of these profiles are commonly used on the IBM i platform.  But, you can see some profiles that might easily be in existence on a normal system deployment which gives cause for concern.

What can you do?

Here are some simple ideas in brief:

  • Don’t keep the POP server active on your system if you don’t need it.
  • Don’t keep the FTP server active on your system if you don’t need it.  If you do need it, only have it active during hours when you expect it will be used and shut it down during other times.
  • Implement enforced password rotation if it is not already active.
  • Implement the user profile password rules to always require a numeric digit as a component of the password.
  • Review the active profiles on your system for simple first names and get them changed.
  • Check the common profiles used on most IBM i systems and make absolutely certain that their passwords are complex and hard or impossible to guess.
  • Implement exit point controls, check out our SafeNet/i product.
  • Consider disallowing vowels in your passwords.  IBM i system value password controls will let you do this.  At a minimum, rule our the letters E and A.
  • Check your system security audit journal regularly for T-PW records to see if you are getting unexpected password denials.

If you have any questions about this, or you need help with implementing any of these recommendations, feel free to contact me by email at rich @ kisco.com.  All email inquiries will be answered.