Getting Started with IBM i Security: Securing PC Access

All trademarks and registered trademarks are the property of their respective owners.© HelpSystems LLC. All rights reserved.
Getting Started With
IBM i Security:
PC Access

HelpSystems Corporate Overview. All rights reserved.
Your Speaker
ROBIN TATAM, CBCA CISM
Director of Security Technologies
952-563-2768
robin.tatam@helpsystems.com

• Premier Security Products (globally-recognized “PowerTech” brand)
– Represented by industry veteran, Robin Tatam, CISM
• Comprehensive IBM i Security Services
– Represented by industry veteran, Carol Woodbury, CRISC
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
About HelpSystems’ Security Investment

IBM i has an integrated database called DB2
When you obtain a user ID and password, you
automatically receive credentials to the database
through every interface supported by the server.
It All Starts Here!

These Were The Easy Days

These Were The Easy Days
Menu Security easily limits the applications that a user
has access to
Application Security restricts the functions within an
application that the users user has access to
Both approaches:
• Continue to be heavily replied upon
• Mask the complexity of object-level security
• Remain beneficial to a limited degree
• Are no longer sufficiently comprehensive

But It’s Not All Green Anymore

Application Menu
ODBC & JDBC
Telnet
What’s the Problem?
FTP
DDM

ODBC isn’t rocket
science anymore
Easy Open Access

From a User’s Perspective

Easy Open Access
Even basic read-only (*USE) permission to a file allows for
the data to be viewed, copied, and even taken offline

• Some tools allow users to retrieve and return database
data directly (without involvement of the application)
• The OS does not log this activity
Easy Open Access

• No specialized tools required
• Simple and very fast
• No complex data parsing or application edits to comply with
Easy Open Access

From an Auditor’s Perspective

1. Users typically have
excessive rights to
application data.
2. IBM i ships with many
TCP/IP services
active by default.
The 1-2 Punch!

Excessive Administrator Privileges
IBM i Special Authorities

IBM i default = Allow All
*EXCLUDE
6%
*CHANGE
61%
*USE
22%
*ALL
9%
*AUTL
1%

IBM i default = Allow All
Library Default - Create Authority
System Default - Create Authority

Many of these Services Are Listening
Systems with FTP Autostarted

Administrators can control user access to commands
using the Limit Capabilities parameter (LMTCPB) on the
user profile.
However, consider that:
• Some interfaces do not adhere to this restriction.
• Certain users may require command line access
(make sure that they are *CMD audited).
Command Line Abuse

Users
+ Open Services
= High Risk
A Simple Equation

The IBM i operating system contains a number of exit points, which
enable custom functions to be developed.
Any registered exit program will be invoked by the OS when a
transaction is received, in order to perform the custom function. The
OS waits for the program to complete and indicate
if the transaction should be allowed to continue
IBM i contains almost 30 exit points dedicated
to users accessing the server and data
using PC interfaces.
A New Function?

The function of an exit program can be to do anything (even
malicious!) as it’s written by a programmer; however, for network (PC)
access, security officers typically want it to:
• Audit (as IBM i doesn’t do a good enough job)
• Control (as object security is often lacking)
The exit program returns a pass/fail indicator
to the exit point which then halts or continues
the transaction’s journey
NOTE: A ‘pass’ does not mean the transaction will be
honored. The request still has to satisfy
OS security rules assuming they exist
A New Function?

Exit Program Coverage
Many organizations remain unaware of this capability,
or simply chose not to use it thinking they do not need it

Exit programs can help compensate for—and
reduce the risk associated with—poorly
configured security controls.
Use exit programs to:
• Prevent unwanted access.
• Allow beneficial and approved access.
• Log all network access attempts.
Do We Really Need Exit Programs?

“But I Already Have Object Level Security!”
STILL
• Experts agree that layered security is the most effective.
• Most IBM i data isn’t nearly as secure as the owner thinks.
• Authority for data carries through to all interfaces.
• IBM i cannot differentiate between different access methods.
• Adequate auditing of network requests is not available in the OS.
• Command line permissions can still be circumvented.
Do We Really Need Exit Programs?

Run a HelpSystems Security Scan

Option 1: Write Your Own
Option 2: Purchase Them
• IBM provides samples at http://www-01.ibm.com/support/docview.wss?uid=nas8N1018050
• Search the web for published examples
• Not complex for simple “block all” type approach
• Can cause performance issues (esp. with ODBC)
• Should be tested against each OS release
• Auditors might take exception to self-policing
Okay, so how do I get Exit Programs?

Security awareness among IBM i
professionals is generally low.
IBM i awareness among audit
professionals is even lower.
Some of the most valuable data is
stored on a Power Systems server
(iSeries, AS/400).
Most IBM i data is not secured and
the users are far too powerful.
Most data is easily accessed via PC
interfaces with little-to-no oversight
The Perfect IBM i Security “Storm”

Learn more about IBM i security
Free Download:
2016 State of IBM i Security
https://www.mc-store.com/products/ibm-i-security-
administration-and-compliance-second-edition

Questions

http://www.helpsystems.com/getting-started-security-series
Thank You
See you on July 12th at 12 noon CST to discuss user privileges

Getting Started with IBM i Security: Securing PC Access

More Related Content

What's hot (20)

Similar to Getting Started with IBM i Security: Securing PC Access (20)

More from HelpSystems (20)

Recently uploaded (20)

Getting Started with IBM i Security: Securing PC Access