IBM Delivers More Out-of-the-Box Security with IBM i 7.5
May 11, 2022 Alex Woodie
It’s often said that IBM i is one of the most securable server platforms on the market. But all too often, customers don’t take the time to properly configure it, leaving their applications and data at risk. With IBM i 7.5, IBM is taking aim at security and delivering a system that is more secure when it ships from the factory.
From default settings to the elimination of some options, IBM has taken several steps to make IBM i more secure by default. IBM i security expert Carol Woodbury, a former security IBM architect for OS/400 and now the co-founder of DXR Security, guided users through the changes during a recent COMMON webinar with Db2 for i database architect Scott Forstie.
“This is to IBM’s credit. They show that they’re listening to us, the user community, and they have responded,” Woodbury said during the webinar with Forstie on the security and database aspects of IBM i 7.5 and 7.4 Technology Refresh (TR) 6. “And they have responded to both our requests, as well as to the current threats on industry and are making the platform even more securable and secure.”
For starters, IBM has eliminated security level 20 as an option. If you’re just upgrading from a previous release of the operating system and staying on the same machine, you can remain at level 20, according to Woodbury. But if you provision a new server with a new operating system, and it’s at level 30, 40, or 50, there is no way back to security level 20.
“We got rid of 10 while I was still at IBM, so a long, long time ago. Now the same thing is happening in 20,” Woodbury said. “So now is the time to start planning to get off of level 20. And the unfortunate thing is, I do know that there are some organizations that are still having their systems out level 20. So this is hopefully your impetus to move to that higher level, meaning 40 or 50.”
IBM has also introduced a new password level that brings stronger encryption. Password level 4 introduces a 512-bit hashing algorithm that makes the password hashes even more secure than they previously were.
Woodbury clarified how the password hashing works on IBM i. The interesting thing is that the encryption mechanism is a one-way deal. That is, decrypted passwords are never stored on the server, which helps security.
“Remember our passwords are not actually stored on IBM i,” she explained. “The password is actually part of a key that is used for the whole hashing process. So when we go to sign into someplace and we present a profile and password, that algorithm is run and the encrypted values are compared. The password is never brought back or decrypted. In fact, it’s in an algorithm that is not decryptable, so it’s one way.”
There was one exception to that “no passwords stored on IBM i” rule, and it involved old Windows clients (Win 95/98/Me and Windows Server 2000) connected over a LANMAN connection. In this case, the weakly encrypted password was stored on IBM i (or rather, the AS/400 or iSeries server) at password level 0 and level 2. It was never very secure, and Woodbury encouraged users to either move to level 1 or level 3.
IBM has banished that vestige with IBM i 7.5. “When you upgrade to 7.5, IBM gets rid of that weakly encrypted password at all password levels, so that will no longer be stored,” she said. “So hopefully you’re not in an organization that is running that ancient of a technology. If you do, then you’ve got other issues than just having this password removed.”
Arguably the biggest improvement to default security is the elimination of default passwords, which on IBM i is the same as the user profile. With IBM i 7.5, IBM has changed the default for the password parameter to *NONE, Woodbury says. What’s more, administrators can also set the password to expire even when the default password parameter is set to none, which wasn’t possible before.
“So yay,” Woodbury said, in understated excitement. “This again is a very important change. There’s way too many people who continue to create profiles with a default password, meaning the password is the same as the user profile. Sometimes they don’t mean to, but they’re in a hurry and they do it anyway, so this is fantastic.”
IBM has also made an update to the security attributes display in IBM i Navigator to enable administrators to more easily understand their system’s password behavior. It can be confusing because the screen shows both the current and pending values for password level and QSECURITY level, but didn’t show whether an IPL had taken place or not, which is required to have the changes take effect, Woodbury said.
“When you just do a display system value, it shows the value it’s going to be. It doesn’t actually give an indication as to whether the IPL has taken place or not,” she said. “So the nice thing with this view is that it’s showing you the current and pending value.”
IBM has also changed the system’s behavior when it comes to invalid sign-on attempts. Instead of giving an error indicating that either the user ID or the password was wrong, it will just indicate that the sign-on was invalid, “so you’re not giving intruders half the equation to know whether which one is right,” Woodbury said.
IBM i 7.5 also brings the capability for administrators to get more granular about the number of failed sign-on attempts a user is allowed before locking them out of the system. Best practice is three to five failed sign-on attempts, Woodbury said.
“I’m hoping that all of you administrator who are listening to this are not going to set this to 25 for your own profile and give you a lot of chances to guess your profile,” she said. “I would set my own profile as an administrator to fewer attempts because the powerful profiles are the ones that you don’t want the intruders to get after, right? You’d rather have it be disabled than have them actually have so many attempts that they can actually get your password and get onto this system.”
IBM has also added a new security option in System Service Tools (SST) that gives administrators the option to lock whether customer validation programs are locked in place when a user is changing their password.
“This command came out and it was really there to help people lock up their partitions who wanted to manage that system remotely, and they needed a command to be able to change some of the service tool attributes,” she said. That came out in 7.4, Woodbury said, and with 7.5, IBM has added “quite a few new values to it.”
New Navigator also gains some new security capabilities with IBM i 7.5 that will help administrators go over their users’ user profiles. Instead of running a *ALL on the Display User Profile (DSPUSRPRF) command and then querying a specific user, New Nav enables administrators to view all of the users in a GUI, to right-click on a specific user profile, and then perform one of a number of actions against that user profile, Woodbury said.
“A much friendlier way to do this,” she said. “A much easier way to look at this information.”
Forstie’s team delivered new audit journal entry table functions with the previous TRs, and it’s delivering more with IBM i 7.5. Woodbury says the table functions help her make sense of data in the audit journal.
“The audit journal has so much information in it, and there are very few people who actually understand what that information is or and worse, how to get it out,” Woodbury said. “And so I’m hoping that manifesting this in New Nav will open this world up to a lot more people.”
Ransomware should also have a tougher time worming its way into mapped drives as a result of a pair of enhancements from IBM. The first one is the addition of an authorization list that restricts user access to the net server, which will eliminate their ability to access file shares, Woodbury said.
“So this is huge,” Woodbury said. “I would put a public exclude, and then only authorize those people that you want to map a drive to authorization list.”
The second method is more granular, and enables the administrator to protect an individual file share, either by granting read-only access or, if they have ALLOBJ authority, by giving them the ability to connect to a read-write share, Woodbury said.
“The write aspect of that share is what is produces more risk to the system obviously because that’s what would allow, assuming they have enough authority to the object being shared, it would allow that to get encrypted,” she said. “But again, huge, huge enhancement here.”
There were several other minor enhancements that Woodbury covered in her very thorough treatment of the security improvements in IBM i 7.5. You can view Woodbury and Forstie’s presentation, as well as presentations by other IBMers, here at COMMON’s website.