Terminal Session Security

By Rich Loeber

Like all modern systems, the IBM i requires a user profile and password before you can log on and use the system. You might think that this simple requirement would always ensure that only authorized users will have access to your system. But, with the proliferation of devices that can connect to the system, it is not always that simple.

In the old days, we used to have devices that are now called "dumb terminals". To use the system, you'd log on to the sign on screen and when you were done, you'd log off. You could tell by looking at the screen whether the session was active or not. If the signon screen was displayed, then the session was inactive.

Today, with a proliferation of PCs, tablets and cell phones and with easy access to Telnet based terminal emulation software, it is not always that clear. On a PC using IBM i Access, the first time you log into the system for the day, there is an IBM i Access logon that establishes connection from the PC to your host system. Then, there may or may not be another logon for your terminal session. If you have your PC set up to bypass terminal sign on to the host, then there will be no second signon process. Once your connection to the host system has been established, the only way to break it is to either log off from Windows altogether or reboot your system.

There are a couple of potential problems with this configuration. It makes working with your system a lot easier just like leaving the keys in your car makes getting going a lot easier, but you wouldn't want to do it on a regular basis.

If you are using bypass signon, once your initial connection has been established, anyone can come by and start up your terminal emulation session and gain access to your system without knowing either your user profile or your password. If you're a programmer or a systems administrator, that could be a significant exposure to your system as you will probably have very generous access rights to objects on your system. If your PC is located in a public or semi-public setting, you should think twice about having this setup.

Another exposure, which can happen when you leave a terminal session active, is that anyone can come along and use the Client Access upload or download functions to gain access to your system, again without knowing your user profile or password. If you have any virtual drives mapped to your host, those could also be compromised by someone using your PC without your knowledge or approval.

One simple solution is to activate your PC's screen saver with a password requirement to unlock the keyboard when it goes into screen saver mode. That way, if you go for coffee and get delayed by a dumb question from the boss, the screen saver will kick in and protect your system in your absence. The problem comes from user systems that you, as security officer, are responsible. Each user can probably reset their screen saver settings on their own, thereby defeating this important additional security measure. A periodic inspection of all PCs installed in public and semi-public settings for these exposures would probably be a good idea.

Most terminal emulation software for use on tablets allow you to build in a macro for the signon process. So, anyone picking up your tablet, might be able to establish a connection to your system. If tablets are available in public areas, then disabling the signon macro function would be a good idea.

If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).