Sister CISA CISSP

Oct 6 2008   8:19PM GMT

Auditing iSeries

Arian Eigen Heald Arian Eigen Heald Profile: Arian Eigen Heald

IBM’s system iSeries are some of the most solid server systems around. Formerly (and by some, still called) the AS400, those servers are at the top of the food chain for reliability and stability. DB2, the native database system for iSeries, is as solid as a rock, and powers many of the banking, healthcare and service industries I get to see.

A lot of engineers will tell you that the iSeries is the most secure OS around, due to the object-level security functions. Those object levels are great, but I can tell you that I find that iSeries are incredibly easy to get into, for two reasons:

First, default services are left enabled. FTP, DDM and ODBC ports on the server are open, and unless you have an exit program, no logging of access takes place. So if I have an application ID and password, I can gain access to see what I can get into. Try a port scan and see what the server tells you.

Last year I saw an iSeries at a merchant (details fudged to protect the guilty) that had NETBIOS enabled. Sitting on a Windows 95 computer in their training room, with a guest ID access, I could see every single file on that iSeries. And I had Full Control of those files. Ooops.

And let’s talk about telnet! Many legacy “green-screen” applications that connect to an iSeries are running via telnet, which means that usernames and passwords are passed to the iSeries in clear text.

Second, special authorities are not locked down. What initial program are users accessing (UPINPG)? If the response is NONE, then they can break through to the command line. How about user classes (UPUSCL)? Have you got people that are part of the programmers group (PGMR) or SECOFR, or SYSOPR? Regular users shouldn’t be in these classes either.
UPSPAU indicates what special authorities each user has. By default, a user should only have access to their printer queue jobs (*SPLCTL), not all objects (*ALLOBJ).

Last, but not least,are the users changing their passwords? I found two with UPPWCD last week… Are there users that are using their username as a password? UPPWON will tell you the facts.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: