IBM i Shops “Attacking” Security Concerns, Study Shows

July 8, 2025 Alex Woodie

Faced with ever-growing security concerns, IBM i shops are “attacking” the problem and taking real steps to improve their security posture, Fortra’s says in its latest State of IBM i Security study. It is the second straight year that Fortra has noticed an improvement in IBM i shops’ approach to security. However, there are still areas that require improvement.

Fortra and its predecessors (HelpSystems, PowerTech) have been running the annual State of Security study for 22 years, providing a unique glimpse into the security configurations of IBM i customers that is unmatched in the industry.

Every year, a new group of Fortra customers and prospects volunteer to allow their IBM i servers to be scanned and included in the report. This year’s study encompasses data pulled from 154 servers and logical partitions. While there are limits to the conclusions one can draw from such a report, it does provide some insight as a point-in-time snapshot of real-world systems.

Fortra says it is seeing a trend of improving IBM i security configurations. The four main areas of improvement include: fewer users with powerful authorities; more customers using exit points; bigger investments in security event auditing, and an increase in use of *PUBLIC access to data and applications.

Considering the backdrop of increased security concerns over the past few years, this increase in action is commendable, according to Fortra.

“Following record-setting levels of cybersecurity concern in 2024, IBM i organizations have continued to convert this increased attention into action,” the company says in its report. “While this year’s study shows some areas of IBM i security stagnating or regressing, the results primarily paint a picture of a community that is attacking security with improved urgency.”

Here’s how the IBM i systems stacked up in Fortra’s 2025 State of IBM i Security report:

Security Level

Source: Fortra 2025 State of IBM i Security

IBM recommends IBM i shops run at security level 40 or higher, due to documented security vulnerabilities in security level 30. Fortra’s study shows 88 percent of the systems it scanned were at security level 40 or 50, compared to 84 percent documented in the 2024 report. The company says 9 percent are running at security level 30, while 3 percent are at security level 20, which IBM disabled for new systems (except for in-place upgrades) with IBM i 7.5.

Powerful User Profiles

Fortra recommends IBM i shops to have ten or fewer user profiles with special authorities, such as *ALLOBJ, or alternatively, to have fewer than 3 percent of the total number of user profiles with special authorities. Only three of the 154 systems it scanned for the 2025 report met this threshold, which isn’t good. The average shop had 136 user profiles with *ALLOBJ, which is an “unacceptably high number,” Fortra said.

However, while the total number of IBM i profiles with root authority is way too high, there is a silver lining hidden in the figures. Namely, the average percentage of user profiles holding *ALLOBJ went from 13 percent in the 2024 report down to 11 percent this year, which is a small but positive improvement.

Inactive User Profiles

User profiles that are still functional but not actively being used present a security risk, such as through a disgruntled former employee or an unscrupulous third-party contractor. The average IBM i partition had 572 user profiles (that hadn’t been used over the previous 30 days, or 46 percent of all user profiles, according to Fortra. Out of those, 216 of the user profiles had not been used in the past 30 days.

Again, the security configuration data shows there are serious security concerns with the inactive user profiles, but at least the figures are improving, Fortra says.

“While the number of profiles that have not signed on in the past 30 days remains relatively unchanged, the number of those profiles that remain enabled and ready to use has decreased significantly,” the company says.

Source: Fortra 2025 State of IBM i Security

Default Passwords

IBM i 7.6 brings a big improvement in the user log-in process thanks to native multi-factor authentication. However, IBM i passwords remain a critical link in the security protections schemes for IBM i shops. Unfortunately, the situation with passwords remains a mixed bag in 2025.

Using the default password is considered to be an unacceptably bad in IBM i security. However, the percentage of user profiles with default passwords remains stubbornly high. Fortra says 8 percent of the user profiles it queried for the 2025 report had default passwords, and 36 percent of the IBM i partitions it studied had 30 or more user profiles with default passwords. Six systems had 1,000 or more user profiles with default passwords, while one had nearly 4,000.

“While we’ve seen a continued decline in the use of default passwords, most organizations have a long way to go in their effort to completely eradicate default passwords from their systems,” Fortra says

Password Strength

Password strength is another mixed bag when it comes to IBM i security. Only 8 percent of the systems Fortra analyzed meet the PCI DSS 4.0’s requirement of a 12-character minimum password. That’s up just one percentage point from 2024.

Fortra found 9 percent of systems permit six-character passwords, and one system even allowed passwords with just one character. The good news is that the number of systems studied that surpassed the NIST-recommended password length of eight characters remained steady at 60 percent.

Fortra found more IBM i shops are requiring harder-to-guess passwords. It says 73 percent of systems it analyzed require a digit in passwords, up from 66 percent in the previous study. It also found that 86 percent require passwords to differ from previous versions of the password, which was down from 87 percent last year.

Only 29 percent of servers are using QPWDRULES, which specify the rules of how passwords are constructed, such as the use of uppercase letters, lowercase letters, digits, and special characters. Fortra says QPWDRULES should server as the standard for password security.

*PUBLIC Access to Data

Fortra 2025 State of IBM i Security

The use of *PUBLIC access rights to data is a potential danger zone for IBM i shops, according to Fortra. The company found 30 percent of libraries with *PUBLIC access rights allow users to read the data, 43 percent also allow them to change it, and 9 percent let them manage, rename, and delete libraries. Only 16 percent of libraries are set to *EXCLUDE, Fortra says.

“Our findings demonstrate that IBM i shops still have far too many libraries accessible to the average user – libraries that often include critical corporate information,” Fortra wrote in its report. “With virtually every system user having access to data far beyond their demonstrated need, administrators need better processes to control access to IBM i data.”

Unsecured Profiles

More bad news comes in the form of unsecured profiles, which is what happens when *PUBLIC permissions aren’t set to *EXCLUDE.

“It is possible for an alternate user to run a job that leverages the privileges of the unsecured profile,” Fortra said. “This activity will not be logged by the operating system as a security violation, since it is deemed permissible at all security levels.”

In the 2025 report, 68 percent of systems had at least one unsecured profile and 12 percent of systems had 10 or more, “both of which are significant increases from their 2024 marks,” Fortra writes. “Publicly accessible and unsecured profiles have the potential to create a loophole around a QSECURITY setting of level 40 or 50.”

Exit Points

Network access is controlled on IBM i via exit points. IBM supports dozens of exit points on IBM i, and Fortra reviews 27 of them during its security assessments. The 2025 report shows that 58 percent of IBM i systems had at least one exit point program in place to protect against unwanted network access across the exit point via FTP, Telnet, ODBC, etc.

While that number isn’t ideal, it’s a big improvement from two years ago, when only 35 percent had at least one exit point program in place. What’s more, the percentage of IBM i systems covering all 27 exit points monitored by Fortra went from 7 percent to 28 percent.

“Although the goal is for every system to have complete exit point coverage, we are highly encouraged by this increase in adoption of such a critical security measure,” Fortra writes.

Security Event Auditing

Another area of improvement can be found in the audit journal, which is critical for logging security events on the system and piecing together security breaches after the fact. Fortra found that 94 percent of IBM i systems it studied for the 2025 report do have an audit journal active, up from 81 percent in 2023.

However, Fortra found no improvement when it comes to the QAUDCTL system value setting, which ships from the IBM factory with a default setting of *NONE; 6 percent of the systems it analyzed in 2025 had that setting on their systems, the same as in 2024.

“This is the master on/off switch for auditing and globally blocks any system or object level events from being logged, regardless of the existence of the system audit journal,” Fortra writes. “Setting QAUDCTL to *NONE suggests that administrators fired up the auditing function but subsequently turned it back off or perhaps were unaware of the necessity for additional configuration.”

Antivirus and Ransomware Protection

While IBM i is considered to be virus-resistant, it’s not virus proof, and it’s been demonstrated that components beyond the Integrated File System (IFS) – traditionally the part of the platform considered most vulnerable to infection – are also potentially at risk.

Running antivirus software on IBM i is now considered a best practice. Fortra found that 62 percent of the IBM i partitions it analyzed are scanning files for malware when the file is opened, “a massive increase from 41% in 2024.” On the flip side, 38 percent of IBM i shops are leaving themselves vulnerable, Fortra said.

You can download a copy of Fortra’s 2025 State of IBM i Security study here.

RELATED STORIES

Fortra Issues 20th State of IBM i Security Report

Top Five Failures In State of IBM i Security For 2022

3 Takeaways from the 2021 PowerTech Security Report

Security Gaining Attention On IBM i, But More Progress Needed