New PowerTech Product Cracks Down on Special Authorities
January 18, 2005 Alex Woodie
In an ideal world, there would be no need to grant All Object (ALLOBJ) privileges on your OS/400 server. Everybody would be granted just enough access to do their jobs, and no more. Of course, we live in an imperfect world, and IT administrators, programmers, and even outside auditors often need special authorities, like ALLOBJ, to do their jobs. Thanks to a new program called AuthorityBroker, launched by PowerTech Group last week, the use of special authorities can be minimized and monitored.
Users with special authorities can do quite a bit of damage to an OS/400 server. The big one is ALLOBJ authority, which gives users unfettered access to the system, including all libraries, data, and programs. “A user with All Object authority cannot be controlled,” PowerTech warns on its Web site. “An employee with access to this profile who has malicious intent has very little difficulty in exploiting it to steal critical data or to wreak havoc on a system.”
Even access to lesser authorities can be the equivalent of a blank check to evildoers. A user with Spool Control (SPLCTL) authority can read and modify payroll data after it has been sent to a printer, according to PowerTech. Similarly, a nefarious user with Job Control (JOBCTL) authority can power down the system or terminate subsystems and individual jobs at will, bringing your business to a painful, grinding halt.
But this doesn’t have to happen to you.
PowerTech’s new product, PowerLock AuthorityBroker, is designed to reduce the number of profiles with special authorities on users’ systems, without needlessly disrupting everyday business. When users do need a special authority to accomplish a task, such as loading a new program, kicking off a system save, configuring network access, or changing other user profiles, they can go into AuthorityBroker and swap into a “switch” profile, which temporarily gives them the special authority. In this way, users don’t need the special authorities in their everyday profile.
AuthorityBroker allows administrators to restrict the types of special authorities that users have access to. It also tracks all switches through an audit trail, and will generate regular reports on switch activity. Administrators can even configure AuthorityBroker to send e-mail notifications when users swap into their powerful “switch” profile.
PowerTech CEO Bruce Leader says AuthorityBroker is a good complement to regulatory compliance initiatives at OS/400 shops. “Auditors are finding an unacceptable amount of users with powerful profiles,” he says. “Under pressure from regulations like Sarbanes-Oxley, executives are no longer willing to allow this kind of unchecked access and are demanding tighter monitoring and control.”
AuthorityBroker puts controls in place for all eight special authorities in OS/400: All Object (ALLOBJ), Security Admin (SECADM), Network Services (IOSYSCFG), Audit Rights (AUDIT), Spool File Authority (SPLCTL), Hardware Administrator (SERVICE), System Operator (JOBCTL), and Backup Operator (SAVSYS).
So are you a candidate for AuthorityBroker? According to Dan Riehl, an iSeries security expert and the founder of PowerTech, if your shop has more than 10 profiles with ALLOBJ authority, you are opening yourself to potential security problems, and could even be out of compliance with new industry regulations. Riehl lays out the special authority problem in his article “The Exposures of Indiscriminate Assignment of iSeries Special Authorities” (in PDF format).
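One way to apply Riehl's rule of thumb before buying anything is to tally which profiles hold which of the eight special authorities. The script below is an added example, not PowerTech's code; it assumes profile data exported as (name, special-authority string) pairs in the form DSPUSRPRF displays them, and the sample records are constructed.

```python
from collections import Counter

# The eight OS/400 special authorities named in the article.
SPECIAL_AUTHORITIES = (
    "*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
    "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS",
)
ALLOBJ_THRESHOLD = 10  # Riehl's rule of thumb quoted in the article

# Constructed sample (not real data): (profile name, special-authority field
# as a space-separated string). The field layout is an assumption.
SAMPLE_PROFILES = [
    ("QSECOFR", "*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS"),
    ("ADMIN1",  "*ALLOBJ *SECADM"),
    ("OPER1",   "*JOBCTL *SAVSYS"),
    ("PRGMR1",  "*ALLOBJ"),
    ("CLERK1",  "*NONE"),
]

def parse_authorities(field: str) -> set:
    """Turn the special-authority field into a set; *NONE means no authority."""
    auths = set(field.split())
    auths.discard("*NONE")
    unknown = auths - set(SPECIAL_AUTHORITIES)
    if unknown:
        raise ValueError(f"unrecognised special authority: {sorted(unknown)}")
    return auths

def special_authority_report(profiles):
    """Return per-authority holder counts, the ALLOBJ holders, and whether
    the number of ALLOBJ profiles exceeds the article's threshold."""
    counts = Counter()
    allobj_holders = []
    for name, field in profiles:
        auths = parse_authorities(field)
        counts.update(auths)
        if "*ALLOBJ" in auths:
            allobj_holders.append(name)
    return {
        "counts": {a: counts[a] for a in SPECIAL_AUTHORITIES},
        "allobj_holders": allobj_holders,
        "over_threshold": len(allobj_holders) > ALLOBJ_THRESHOLD,
    }

if __name__ == "__main__":
    report = special_authority_report(SAMPLE_PROFILES)
    for auth, n in report["counts"].items():
        print(f"{auth:<10} {n}")
    print("ALLOBJ holders:", report["allobj_holders"])
```

Feed it every profile on the system and the ALLOBJ holder list is the candidate set for moving into a switch profile.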
AuthorityBroker supports OS/400 V4R4 and later versions. Licenses are tier-based and range from $1,400 to $7,600, which allows a customer to install the software in a single partition; an additional fee of $1,000 or more is required for additional partitions.
More information and trial downloads for AuthorityBroker are available from PowerTech’s Web site, at www.powertech.com.