TFH
OS/400 Edition
Volume 11, Number 28 -- July 22, 2002

Admin Alert: Dealing with Default OS/400 Passwords


by Joe Hertvik

A necessary part of OS/400 security checking is sniffing out and changing user profiles that contain default passwords. Default passwords occur when an OS/400 password is equal to the user profile name. They occur often when creating new user IDs because default passwords are the default setting for new IDs in both OS/400 V4R5 and V5R1. As a result, many systems may have a number of user profiles that are ripe targets for hacking.


Since this is a fairly common situation in OS/400 shops--and one that could endanger the security of an iSeries or AS/400 box--you have to be on guard in detecting and eliminating these passwords. Fortunately, default-password hunting is easy on an iSeries or AS/400 machine. IBM provides the green-screen Analyze Default Password (ANZDFTPWD) command, which allows you to find and automatically disable or expire any user profile containing a default password. This command is standard in most recent OS/400 versions and ANZDFTPWD can run in either batch or interactive mode, depending on your needs.

ANZDFTPWD runs in three separate action modes: report only, without affecting user profiles (*NONE); report and disable profiles with default passwords (*DISABLE); and report and expire default password user profiles (*PWDEXP). The action mode is selected through the "Action taken against profiles" (ACTION) parameter. Here is a brief description of the three ways you can run ANZDFTPWD.

To obtain a report of any user profiles that contain a default password, type the following ANZDFTPWD command from a green-screen command line:

ANZDFTPWD   ACTION(*NONE)

This produces a user-profiles-with-default-passwords report, which lists the following information for each suspect profile:

  • The user profile name.
  • The user profile status (*ENABLED or *DISABLED). Disabled profiles cannot sign in to OS/400. If you're using the green-screen Work with User Profiles (WRKUSRPRF) command to view the user profile, this is the same value as the STATUS parameter. If you're using the iSeries Operations Navigator User Properties dialogue to work with the profile, this is analogous to whether or not there is a check mark in the "Enable user for processing" check box.
  • Whether or not the user profile is currently set to expire. This is a *YES or *NO value that can be found in the "Set password to expired" (PWDEXP) field on the WRKUSRPRF screen, or in the "User must change password at next sign-on" check box inside OpsNav. If a password is set to expire, OS/400 will force the user to change it at his next sign on.
  • The text description associated with the user profile.

Using *NONE for the ACTION merely produces the default-passwords report. It doesn't perform any actions against the dangerous profiles. System and political situations may require you to manually--rather than automatically--take action when dealing with default password users. So IBM allows you to run ANZDFTPWD in a reporting mode only. A prudent plan would be to produce this report automatically on a weekly basis by adding a scheduled entry in the OS/400 job scheduler (which can be accessed by adding a scheduled task command through the Management Central function of OpsNav, or through the green-screen Work with Job Schedule Entries, or WRKJOBSCDE, command).
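As an added example (not part of the original article), the weekly report-only run described above can be registered from a green-screen command line with the Add Job Schedule Entry (ADDJOBSCDE) command. The job name DFTPWDRPT, the Monday 06:00 schedule, and the SECADMIN profile are assumptions chosen for illustration.

```cl
/* Added example: weekly report-only scan for default passwords.   */
/* DFTPWDRPT and SECADMIN are hypothetical names. Substitute a     */
/* profile that is authorized to run ANZDFTPWD on your system.     */
ADDJOBSCDE JOB(DFTPWDRPT) +
           CMD(ANZDFTPWD ACTION(*NONE)) +
           FRQ(*WEEKLY) +
           SCDDATE(*NONE) +
           SCDDAY(*MON) +
           SCDTIME(0600) +
           USER(SECADMIN) +
           TEXT('Weekly default password report')

/* Confirm the entry exists and check its next submission date.    */
WRKJOBSCDE JOB(DFTPWDRPT)
```

Because the entry uses ACTION(*NONE), no profile is disabled or expired by the scheduled job; someone still has to review each week's report and act on it.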

If you want to automatically change user profiles with default passwords, you can run ANZDFTPWD with ACTION set to either the *DISABLE or the *PWDEXP value. You would use the *DISABLE setting as follows:

ANZDFTPWD  ACTION(*DISABLE)

OS/400 will automatically disable any default password user from signing on to your system, and these users will have to come to your department to be re-activated for access. This is a drastic action, and you might want to run the command in report mode first to make sure you don't accidentally disable any high-ranking figure's user profile, such as your company president, without giving that person a warning. But in terms of security, this will tightly close any default password holes in your system.

A less drastic way of dealing with these passwords is to expire the profile's password by setting ACTION to *PWDEXP. With an expired password, the next time a default-password user logs in to the system, OS/400 will require him to change his password before he can sign on. This is a nice way to handle the situation because it allows the user--not the system administrator--to straighten out the password without any technical assistance. The down side is that if a hacker discovers a default password profile, he can simply change the password himself, and then he still has complete access to the system. The important thing to remember is that expiring a password limits your exposure to hackers; it doesn't eliminate it.

Regularly running ANZDFTPWD on your system is good policy. And don't think that you can ignore default passwords if your AS/400 isn't attached to the Internet. Internal users are just as capable of committing mischief with someone else's ID as an outside hacker is. A disgruntled user could easily damage your data if you're not vigilant. So if you're responsible for OS/400 security, it's a good idea to get comfortable with ANZDFTPWD and check for default passwords often.


Editor
Timothy Prickett Morgan

Managing Editor
Shannon Pastore

Contributing Editors:
Dan Burger
Joe Hertvik
Kevin Vandever
Shannon O'Donnell
Victor Rozek
Hesh Wiener
Alex Woodie


Last Updated: 7/22/02
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.