Volume 4, Number 41 -- December 8, 2004

Controlling PC Access

Hey, Wayne O:


First of all, thank you for your good Web site and your very useful essays. I have some questions about AS/400 security. I would like to find a solution to prevent access to the database, running remote commands from PCs, and PC file transfers.

Of course, we want to give permission to users to be able to run programs that use files or objects for reading and updating. I have followed your recommendation to specify *EXCLUDE for *PUBLIC when securing files with the Grant Object Authority (GRTOBJAUT) command, but doing so prevents our users from running any program that uses database files.


--Aivazian


You have two separate problems, Aivazian: controlling PC access and allowing users to run applications. The good news is that one solution will solve most of the problems you mentioned.


Application-Only Access


You were very close when you set the public authority of the data files to *EXCLUDE. That authority is exactly what stops users from reaching the files from a PC. As you discovered, it also stops them inside the application: the program runs, but the moment it opens a file whose public authority is *EXCLUDE the user gets a "not authorized" message, because the authority check is made against the user, not the program. The solution is to have the application programs adopt the authority of the user profile that owns the data.

With adopted authority, the owner's authority is in effect only while an adopting program is in the call stack, so a user can reach the data through the application and nowhere else. This is the basis for a security strategy I call application-only access, or AOA.

The principle of AOA is to give users access to data while they are in the application, but no access (or read-only access) while they are outside it. You do not change what the users are authorized to; you make the application adopt the owner's authority.

To make programs adopt, two steps are required:

  1. The programs need to be owned by the user profile that also owns the data. I recommend a dedicated application owner profile (OWNPRDDTA). This profile should have no password (PASSWORD(*NONE)), in order to prevent sign-on, and should not be a group profile, because every member of a group would otherwise hold the owner's authority directly.

  2. The programs need to be compiled with the option USRPRF(*OWNER). You can also use the Change Program (CHGPGM) command to change existing programs to adopt (CHGPGM USRPRF(*OWNER)).

One caveat: adopted authority is passed along to every program called from the adopting program. A menu or application program that offers the user a command line (or calls QCMD) must therefore not adopt, and should be set to USEADPAUT(*NO) so that it ignores authority adopted by programs above it in the stack; otherwise the user gets the owner's authority at the command line. Use DSPPGMADP USRPRF(OWNPRDDTA) to list every program that adopts the owner profile and review that list when you audit.
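The two steps above, plus the command-line caveat and the checks, as CL commands. This is an added example and not code from the column or from Wayne Evans's paper; the library APPLIB, the file CUSTMAST, the programs UPDCUST and CUSTMENU, and the source file QRPGLESRC are assumed names chosen for illustration (OWNPRDDTA is the owner profile named in the text).

```cl
/* Added example (not from the column): application-only access set-up. */
/* APPLIB, CUSTMAST, UPDCUST, CUSTMENU and QRPGLESRC are assumed names.   */

/* 1. Application owner profile: no password, so nobody can sign on as  */
/*    it; disabled and with no special authority; deliberately NOT used */
/*    as a group profile.                                                */
CRTUSRPRF  USRPRF(OWNPRDDTA) PASSWORD(*NONE) STATUS(*DISABLED) +
           INLMNU(*SIGNOFF) LMTCPB(*YES) SPCAUT(*NONE) +
           TEXT('Owner of production data and programs')

/* 2. Data file: owned by OWNPRDDTA, *PUBLIC excluded. CUROWNAUT(*REVOKE) */
/*    removes the private authority the previous owner would otherwise   */
/*    keep.                                                               */
CHGOBJOWN  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(OWNPRDDTA) +
           CUROWNAUT(*REVOKE)
GRTOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Application program: same owner, adopts the owner's authority.    */
/*    Either compile it that way ...                                      */
CRTBNDRPG  PGM(APPLIB/UPDCUST) SRCFILE(APPLIB/QRPGLESRC) USRPRF(*OWNER)
/*    ... or change a program that already exists.                        */
CHGPGM     PGM(APPLIB/UPDCUST) USRPRF(*OWNER)
CHGOBJOWN  OBJ(APPLIB/UPDCUST) OBJTYPE(*PGM) NEWOWN(OWNPRDDTA) +
           CUROWNAUT(*REVOKE)
/*    Users need only *USE on the program (and *USE on APPLIB).           */
GRTOBJAUT  OBJ(APPLIB/UPDCUST) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

/* 4. Caveat: the menu program that shows a command line must neither   */
/*    adopt itself nor use authority adopted by its callers, or the user */
/*    reaches the command line holding OWNPRDDTA's authority.            */
CHGPGM     PGM(APPLIB/CUSTMENU) USRPRF(*USER) USEADPAUT(*NO)

/* 5. Checks: which programs adopt OWNPRDDTA, and what *PUBLIC can do   */
/*    with the file outside the application (expect *EXCLUDE).           */
DSPPGMADP  USRPRF(OWNPRDDTA)
DSPOBJAUT  OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
```

Two things worth knowing before you roll this out: adopted authority is honoured only for objects in the QSYS.LIB file system, so a program cannot adopt its way into stream files in the root or QOpenSys file systems; and a job submitted from an adopting program (SBMJOB) does not carry the adopted authority with it, so batch programs the application submits must adopt in their own right.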

You can read more about application-only access in the paper on my Web site.


Controlling PC Access


A second problem you mentioned was how to prevent PC users from using the Remote Command (RMTCMD) command. IBM provides exit points at which the host servers call a program of your choosing to screen each request from a PC before it is honoured, so exit programs can block file transfer and remote commands. The same mechanism covers the other paths into the database: the database host server exit (QIBM_QZDA_INIT) sees ODBC, JDBC and Client Access data transfer connections, the remote command server exit (QIBM_QZRC_RMT) sees RMTCMD and distributed program calls, and the FTP server has exits of its own (QIBM_QTMF_SERVER_REQ). Note that the exit points sit in the servers; a user who can get a 5250 sign-on and a command line is not affected by them, which is why the application-only access above matters as much as the exit programs.


You have two choices for exit programs: Application Administration and third-party exit programs. Let me summarize both and then make a recommendation.


Application Administration


IBM has provided simple exit programs that you can activate using iSeries Navigator (formerly known as Operations Navigator) Application Administration. When you right-click the System icon, iSeries Navigator displays a pop-up menu that includes Application Administration. Select Application Administration and sign on as a user with security administrator (*SECADM) special authority.

When you select the "Client Applications" tab on the Application Administration panel, you will see a list of Client Access functions. Near the bottom of this list is Remote Command – Command Line; clearing its checkbox prevents remote commands for all users. You can prevent users from using file transfer operations in the same way, by clearing the checkboxes next to the specific transfer functions.

Application Administration is very flexible. To allow only selected users to use a function, go to the Customize Access panel, select the function, and then add the specific users (or groups) who are allowed to use that function.

One limitation of Application Administration is that it controls access at the level of the whole function. For example, you can use Application Administration to prevent file transfer operations; however, the decision is "all or nothing" for a given user. You can't allow a user to use file transfer for specific files and block access to other files, and you can't allow one remote command while blocking another. To get that level of control, you have to purchase third-party exit programs.



Third-Party Exit Programs


Third-party vendors (NetIQ, PowerLock, Kisco, and others) have written exit programs that allow you to define rules that control the actions of PC users. The function is similar to the Application Administration function provided by IBM, but the third-party exit programs offer more flexibility. For example, some exit programs allow you to permit users to run specific remote commands while preventing other commands, or to permit file transfer to and from named files only, and they log the requests they reject.

If you wish, you can write your own exit programs, but I do not recommend that you attempt to do all of the research and testing required to implement your own programs: there are more than a dozen exit points, each with its own parameter format, and a mistake in one of them either opens a path you meant to close or locks out every PC user at once. You will save money in the long run by purchasing exit programs from one of these vendors.
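To show what the exit-point mechanism the two sections above describe actually looks like, here is a minimal exit program for the database host server initiation exit point QIBM_QZDA_INIT (format ZDAI0100). It is an added example, not code from the column or from any of the vendors named, and it is not a substitute for their products: it implements one rule for one exit point. The policy and the names are assumptions for illustration: only users whose group profile is QRYGRP may open an ODBC, JDBC or data-transfer connection to the database server; everyone else is refused and QSYSOPR is told. The ZDAI0100 request block the server passes is user profile (CHAR 10), server identifier (CHAR 10) and format name (CHAR 8); the first parameter is the return code, '1' to accept the connection and '0' to reject it.

```cl
/* Added example (not from the column): exit program for QIBM_QZDA_INIT, */
/* format ZDAI0100, called once per ODBC/JDBC/data-transfer connection   */
/* before any SQL runs. Policy (assumed): accept only members of group    */
/* profile QRYGRP; reject everyone else and tell QSYSOPR.                 */
PGM        PARM(&RTNCD &RQS)
  DCL      VAR(&RTNCD) TYPE(*CHAR) LEN(1)   /* '1' = accept, '0' = reject */
  DCL      VAR(&RQS)   TYPE(*CHAR) LEN(28)  /* ZDAI0100 request block     */
  DCL      VAR(&USER)  TYPE(*CHAR) LEN(10)  /* offset 1, user profile     */
  DCL      VAR(&SRVID) TYPE(*CHAR) LEN(10)  /* offset 11, server id       */
  DCL      VAR(&GRP)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&MSG)   TYPE(*CHAR) LEN(80)

  /* Any unexpected error (profile gone, authority failure) lands in DENY, */
  /* so the program fails closed rather than open.                          */
  MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(DENY))

  CHGVAR   VAR(&RTNCD) VALUE('0')                /* default: reject        */
  CHGVAR   VAR(&USER)  VALUE(%SST(&RQS 1 10))
  CHGVAR   VAR(&SRVID) VALUE(%SST(&RQS 11 10))

  /* GRPPRF returns the primary group only; check SUPGRPPRF as well if   */
  /* your users hold supplemental groups.                                  */
  RTVUSRPRF USRPRF(&USER) GRPPRF(&GRP)
  IF       COND(&GRP *EQ 'QRYGRP') THEN(DO)
     CHGVAR VAR(&RTNCD) VALUE('1')
     RETURN
  ENDDO

DENY:      CHGVAR VAR(&MSG) VALUE('Database server connection refused for' +
                                  *BCAT &USER *BCAT 'via' *BCAT &SRVID)
  SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) TOMSGQ(QSYSOPR)
  RETURN
ENDPGM
```

Compile it with CRTBNDCL, then register it with ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) PGM(APPLIB/ZDAINIT) (APPLIB and ZDAINIT are assumed names) and confirm the registration with WRKREGINF. The database server prestart jobs pick up the exit program when the server is restarted (ENDHOSTSVR SERVER(*DATABASE) followed by STRHOSTSVR SERVER(*DATABASE)), so test from a PC after the restart, once with a QRYGRP member and once without. The exit program itself is now the gate to your data: own it with a secured profile, make it executable by the connecting users but changeable by nobody, and remember that this one program says nothing about RMTCMD or FTP, which have their own exit points and formats.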


--Wayne O. Evans


Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com.


Technical Editors: Howard Arner, Joe Hertvik, Ted Holt,
Shannon O'Donnell, Kevin Vandever
Managing Editor: Shannon Pastore
Contributing Technical Editors: Joel Cochran, Wayne O. Evans, Raymond Everhart,
Bruce Guetzkow, Marc Logemann, David Morris
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.


THIS ISSUE
SPONSORED BY:

ProData Computer Svcs
WorksRight Software
Guild Companies


BACK ISSUES

TABLE OF
CONTENTS
RPG IV Comment Blocks

Controlling PC Access

Admin Alert: Use Fix Central to Order iSeries PTFs on CD-ROM


The Four Hundred
Choose Wisely: High Availability Performance and Reliability Issues

OS Solutions Relies on Remote Journaling for New HA Offering

Server Market Grows in the Third Quarter

Four Hundred Stuff
LTO 3 Tape Makes Its Way to Market

Profound Launches RPG-to-Web Conversion Tool for the Masses

FormSprint Gets a New PDF Archive

Four Hundred Monitor


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034