Posted by: Arian Eigen Heald
Admins and Auditors, AS/400, Compliance, IT audit, Security, Tools & Tricks of the Trade, Tools for Auditing and Security
IBM’s system iSeries are some of the most solid server systems around. Formerly (and by some, still called) the AS400, those servers are at the top of the food chain for reliability and stability. DB2, the native database system for iSeries, is as solid as a rock, and powers many of the banking, healthcare and service industries I get to see.
A lot of engineers will tell you that the iSeries is the most secure OS around, due to the object-level security functions. Those object levels are great, but I can tell you that I find that iSeries are incredibly easy to get into, for two reasons:
First, default services are left enabled. FTP, DDM and ODBC ports on the server are open, and unless you have an exit program, no logging of access takes place. So if I have an application ID and password, I can gain access to see what I can get into. Try a port scan and see what the server tells you.
Last year I saw an iSeries at a merchant (details fudged to protect the guilty) that had NETBIOS enabled. Sitting on a Windows 95 computer in their training room, with a guest ID access, I could see every single file on that iSeries. And I had Full Control of those files. Ooops.
And let’s talk about telnet! Many legacy “green-screen” applications that connect to an iSeries are running via telnet, which means that usernames and passwords are passed to the iSeries in clear text.
Second, special authorities are not locked down. What initial program are users accessing (UPINPG)? If the response is NONE, then they can break through to the command line. How about user classes (UPUSCL)? Have you got people that are part of the programmers group (PGMR) or SECOFR, or SYSOPR? Regular users shouldn’t be in these classes either.
UPSPAU indicates what special authorities each user has. By default, a user should only have access to their printer queue jobs (*SPLCTL), not all objects (*ALLOBJ).
Last, but not least,are the users changing their passwords? I found two with UPPWCD last week… Are there users that are using their username as a password? UPPWON will tell you the facts.