Kisco Systems

Kisco U

Using authorization lists to reduce the risk of malware in IFS


You can significantly reduce the risk of malware (including ransomware) reaching your IBM i simply by limiting which users can map a drive to it, that is, connect to one of its file shares. File shares are the usual entry point for malware onto the IFS: an infected workstation with a drive mapped to the system can encrypt or corrupt everything the mapped user's authority reaches.

One of the most significant enhancements of the IBM i 7.5 release provides a method to do just that. IBM i 7.5 lets you associate an authorization list with the NetServer itself as well as with individual file shares. Users with authority to the list associated with the NetServer can use file shares; users without it cannot, and their attempts to connect to a share will fail. Take a 'deny by default' approach: create a new authorization list dedicated to this purpose (don't overload an existing list with this new function) with *PUBLIC set to *EXCLUDE, and add only those users who have a business need to map a drive. With this one step you have reduced the population that can infect the system through a share from everyone with an IBM i user profile to only the users on that list. (Don't forget that users with *ALLOBJ special authority bypass the list and can always map a drive, so they remain part of that population.)

To associate an authorization list with the NetServer, sign into Navigator for i, click the Network icon, and select Servers -> TCP/IP Servers -> IBM i NetServer -> Properties. On the Properties page select the Security tab, then click Expand Next Start to reveal the field in which you specify the authorization list. The setting takes effect the next time the NetServer starts: after you have stopped and restarted it, only users authorized to the named list will be able to map a drive to your system.
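Creating the list and reviewing who can still connect can be scripted from ACS Run SQL Scripts. The following is an added example, not part of the Kisco article; the list name NETSVRAUTL and the user profiles JSMITH and ACCTSVC are placeholders. It uses the standard QSYS2.QCMDEXC procedure to run the CL commands and the QSYS2 catalog views to audit the result. Assigning the list to the NetServer itself is still done in Navigator as described above.

```sql
-- Added example (not from the Kisco article). Run in ACS Run SQL Scripts.
-- NETSVRAUTL, JSMITH and ACCTSVC are hypothetical names; QSYS2.QCMDEXC,
-- QSYS2.AUTHORIZATION_LIST_USER_INFO and QSYS2.USER_INFO are standard
-- IBM i services.

-- 1. A new list created for this purpose only. CRTAUTL's AUT parameter is
--    the *PUBLIC authority; *EXCLUDE makes the list deny-by-default.
CALL QSYS2.QCMDEXC(
  'CRTAUTL AUTL(NETSVRAUTL) AUT(*EXCLUDE) TEXT(''Users allowed to use NetServer file shares'')');

-- 2. Add only the users with a business need to map a drive. *USE is
--    enough for the NetServer-level list, which is a pure allow/deny check.
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(NETSVRAUTL) USER(JSMITH) AUT(*USE)');
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(NETSVRAUTL) USER(ACCTSVC) AUT(*USE)');

-- 3. Verify the list: *PUBLIC must show *EXCLUDE, and every other entry
--    should be a name you can justify to an auditor.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY, AUTHORIZATION_LIST_MANAGEMENT
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'NETSVRAUTL'
 ORDER BY AUTHORIZATION_NAME;

-- 4. The residual exposure: *ALLOBJ profiles bypass the list entirely, so
--    every enabled profile returned here can still map a drive whether or
--    not it is on the list. Profiles that inherit *ALLOBJ from their primary
--    group are included; supplemental groups are not checked here.
SELECT U.AUTHORIZATION_NAME, U.STATUS, U.PREVIOUS_SIGNON,
       CASE WHEN U.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 'direct'
            ELSE 'via group ' || U.GROUP_PROFILE_NAME END AS ALLOBJ_SOURCE
  FROM QSYS2.USER_INFO U
  LEFT JOIN QSYS2.USER_INFO G ON G.AUTHORIZATION_NAME = U.GROUP_PROFILE_NAME
 WHERE U.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR G.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY U.AUTHORIZATION_NAME;
```

The fourth query is the one to keep running after the list is in place: the list shrinks the exposed population to its members plus every *ALLOBJ profile, so each *ALLOBJ profile that does not strictly need that special authority is worth demoting or disabling.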

You can also restrict the ability to use an individual file share. This does not require assigning an authorization list to the NetServer as a whole; you can assign a list to a single share only. We recommend doing both, however. Assigning a list to a share differs from assigning one to the NetServer in that the authority the user has to the list determines the user's level of access to the share. A profile with *USE authority to the list can map the share Read-only. *CHANGE or greater authority allows a Read/Write connection (assuming the share itself was created as a Read/Write share). Again, a user with *ALLOBJ overrides whatever authority you grant them on the list, so users with *ALLOBJ will always be able to map the share with Read/Write capabilities.

To associate an authorization list with an individual share, sign into Navigator for i, click the File Systems icon, select File Shares, and open Properties for the share. Once you specify the list and click OK, the access check is in effect immediately. Again, we recommend creating an authorization list specific to the share, named after the share and with its purpose stated in the description field, so the list's role is obvious.
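A per-share list is where the *USE versus *CHANGE distinction matters, so it is worth setting the members' authorities deliberately and then checking what each one will get. The following is an added example, not part of the Kisco article; the share HRDOCS, the list of the same name and the user profiles are placeholders. The AUTHORIZATION_LIST column of QSYS2.SERVER_SHARE_INFO is assumed to be present at 7.5 with this feature; check it on your level before relying on the last query. Attaching the list to the share is still done in Navigator as described above.

```sql
-- Added example (not from the Kisco article). Run in ACS Run SQL Scripts.
-- HRDOCS, AUDITOR1, HRCLERK and HRTEMP are hypothetical names.

-- 1. One list per share, named after the share, *PUBLIC *EXCLUDE, with the
--    meaning of each authority level recorded in the 50-character text.
CALL QSYS2.QCMDEXC(
  'CRTAUTL AUTL(HRDOCS) AUT(*EXCLUDE) TEXT(''HRDOCS share: *USE=read-only, *CHANGE=read/write'')');

-- 2. Grade access by the authority given on the list.
--    *USE    -> may map the share Read-only.
--    *CHANGE -> may map it Read/Write (only if the share itself is Read/Write).
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(HRDOCS) USER(AUDITOR1) AUT(*USE)');
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(HRDOCS) USER(HRCLERK)  AUT(*CHANGE)');
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(HRDOCS) USER(HRTEMP)   AUT(*CHANGE)');

-- 3. Demoting a member to read-only is a CHGAUTLE, not a new share.
CALL QSYS2.QCMDEXC('CHGAUTLE AUTL(HRDOCS) USER(HRTEMP) AUT(*USE)');

-- 4. What each member will actually get when mapping the share. *ALLOBJ
--    profiles are not shown here because they never consult the list and
--    always get Read/Write.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY,
       CASE OBJECT_AUTHORITY
         WHEN '*EXCLUDE' THEN 'cannot map'
         WHEN '*USE'     THEN 'read-only'
         ELSE 'read/write if the share is Read/Write'  -- *CHANGE, *ALL, user-defined
       END AS EFFECTIVE_SHARE_ACCESS
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'HRDOCS'
 ORDER BY AUTHORIZATION_NAME;

-- 5. Inventory of file shares and the list on each one (AUTHORIZATION_LIST
--    column assumed for 7.5). A NULL here is a share that is open to every
--    user the NetServer-level list lets in.
SELECT SERVER_SHARE_NAME, PATH_NAME, PERMISSIONS, AUTHORIZATION_LIST
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
 ORDER BY SERVER_SHARE_NAME;
```

Keeping the share list separate from the NetServer list is what makes this grading possible: a user needs *USE on the NetServer list just to connect at all, and the share list then decides whether that connection is Read-only or Read/Write.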

IBM i 7.5 brings powerful security features that help you reduce risk to your system. Using authorization lists to control who can use file shares at all, and to further narrow access to individual shares, is a feature we highly recommend you implement to reduce the risk of malware infection.