AS400 security risk when profile set to INLMNU(*SIGNOFF)

pts.
Tags:
Security
What security risk is involved when using a profile with INLMNU(*SIGNOFF). We have a separate partition (LPAR) which is being used as a file server. On this I have created profiles matching the user's Windows account. This is different from the user's AS400 user id used to sign on to the production partition. On the file server the profiles (matching Windows user account but different from production user id) have the password set to Windows user account and the INLMNU(*SIGNOFF). My understanding is that the profile could not sign on. On the file server (AS400 partition) the IFS is used to create a folder /home/<Windows Account> and the security is set to only allow <Windows Account> access. A map is created in the user's Windows log on script to map a Windows network drive to the IFS folder. This all works file but today the concern was raised that someone (with proper knowledge) could map a drive to an other user's folder on the IFS connecting as <Windows Account>/<Windows Account>. At present and for the forseeable future the files which will be stored in a user's folder will be Excel documents created from historical data. No production data exists on the file server. Is this opening us up to a large security risk? I would ap0preciate your comments. Thanks in advance, Rob Rogerson

Answer Wiki

Thanks. We'll let you know when a new response is added.

You used Windows Account way to many times in your questions but I think your asking is an IFS folder is setup with *PUBLIC *EXCLUDE and WindowsUSER1 has *ALL can WindowsUSER2 map a drive to that folder and the answer is no.

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Bamaro70
    INLMNU(*SIGNOFF) , by itself, will not necessarily keep someone from signing on. The parameter INLPGM (initial program)gets executed before INLMNU so in addition to INLMNU(*SIGNOFF), INLPGM must be set to *NONE to prevent the profile from being signed on to.
    0 pointsBadges:
    report
  • Bamaro70
    Having INLMNU(*SIGNOFF) will not necessarily keep the profile from being signed on to. There is another parameter, INLPGM, that needs to be looked at. INLPGM gets exexuted before INLMNU and needs to be set to *NONE along with INLMNU(*SIGNOFF) to keep the profile fromm being signed on to.
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following