Very early edition of AS/400 Internet Security FAQ.
This information comes from MANY MANY sources.
None of this knowledge is unique to AcmeNews.com LLC.
I claim no copy protection of this document.
Chapters;
1 AS/400 User profiles to secure
1a
1b
2 SMTP Settings
2a Protect from relaying
3
Chapter 1 USER PROFILES
------------
ISSUE 1 - Default Profiles
The following profiles need to be secured
QSECOFR
QSYSOPR
SYSOP
*ADMIN
Set the following to pwd *none at level 40 or 50.
PGM
CHGUSRPRF USRPRF(QPGMR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QUSER) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QBRMS) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QEJB) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QFIREWALL) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QIJS) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QNETSPLF) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QNFSANON) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QNOTES) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPM400) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPRJOWN) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QQSNAP) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QRJE) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSVCDRCTR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTIVOLI) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTIVROOT) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTIVUSER) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTMHHTP1) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTMHHTTP) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTMPLPD) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QTMTWSG) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QUMB) PASSWORD(*NONE)
ENDPGM
Some of these should have PASSWORD *NONE which will prevent
anyone from signing on as these users. This will also prevent
hackers from being able to disable these accounts and bring down
services such as HTTP, APPC, etc.
Issue 2 - Default DST Accounts
IBM supplies the following DST profiles on every iSeries that is
shipped:
QSECOFR
QSRV
22222222
11111111
You will need to go into DST and change these passwords. These are NOT the
same users that you see when you do a WRKUSRPRF. They are completely different.
Changing user IDs and passwords for Dedicated Service Tools users
After you create a user profile for the security officer, you need to change Dedicated Service Tools (DST) profiles. IBM provides three profiles for performing service on your system by using DST. IBM ships these profiles with standard user IDs and passwords. IBM ships both the DST security capability user ID and password and the QSECOFR password with a value of QSECOFR. These are two different passwords. You changed the QSECOFR password the first time you signed on to the system. You must now change the password for the DST security capability user ID. Changing these passwords is important for the security of your system. To change the DST user IDs and passwords, use either the Manual initial program load (IPL) Procedure or the Manual Mode Procedure.
Manual IPL Procedure
This procedure requires you to IPL the AS/400 to change the user ID and password.
Put the keylock switch or the keystick in the Manual position.
From the SETUP menu, select the Power on and off tasks option.
Select the Power off the system immediately and then power on option. Press the Enter key. The system does an attended IPL.
Your display goes blank for several minutes. When the system displays the IPL or Install the System menu, select option 3 (Use Dedicated Service Tools).
+--------------------------------------------------------------------------------+
| IPL or Install the System |
| |
|Select one of the following: |
| |
| 1. Perform an IPL |
| 2. Install the operating system |
| 3. Use Dedicated Service Tools |
| 4. Perform automatic install of the operation |
| 5. Save Licensed Internal Code |
| |
+--------------------------------------------------------------------------------+
Type the DST security capability user ID and password on the DST Sign On display. IBM ships your system with user ID and password values of QSECOFR.
Select options only in the specified sequence. The system requires this sequence to successfully reset the passwords.
Menu or display name Select this option:
Use DST menu 5 (Work with DST environment)
Work with DST Environment menu 11 (Change DST User Profiles)
Change DST User Profiles 1 (Change the DST basic capability user profiles)
Change DST User Profiles 2 (Change the DST full capability user profiles)
Change DST User Profiles 3 (Change the DST security capability user profiles)
Type the new user ID or password in the User or Password field. If the user ID or password is changed, you will see a screen that requests confirmation. Type the new user ID or password again on this screen for verification.
+--------------------------------------------------------------------------------+
| Change DST xxxxx Capability User Profile |
| |
|Type choices, press Enter. |
| |
| xxxxx capability |
| |
| User . . . . . . . . . . . . . . . . . . . . ________ |
| |
| Password . . . . . . . . . . . . . . . . . . ________ |
| |
+--------------------------------------------------------------------------------+
Write down the user IDs and passwords and keep them in a safe place with the password for the QSECOFR profile.
Manual Mode Procedure
The following procedure does not require you to IPL the AS/400 to change the password. Therefore, you can use it in production environments.
Put the system in manual mode.
Enter 21 in the indicator lights and press the Enter key.
Sign-on to the DST sign-on screen at the system console.
You can do this while the system is operational.
Attention
If you lose or forget both the QSECOFR and the DST security capability passwords, you may need to install your operating system again to recover them. Contact your service provider for assistance. The topic Recovering a lost DST or QSECOFR password tells how to recover one of these passwords if you know the other.
You must provide the DST basic capability password whenever your system needs service. No one can service your system without this password.
Issue 3 - Default Passwords
ANZDFTPWD
Run this command. It will generate spooled output. Any user profile
that is listed has their password set to their userID. Change the
user profile to *DISABLED, or set their password to expire, or
change their password. You should not use default passwords.
Chapter 2 SMTP SETTINGS
----------------------------------------------------
A. Protect from Relaying.
From WRKDIRE, make sure you do not have an *ANY *ANY Rule.
If you have this, SMTP will allow any e-mail to relay from your
system. If you do not, they relaying will be denied.
Chapter 3 HTTP SERVER
----------------------------------------------------
Issue 1 - viewing JSP source
It is possible through HTTP server and servlet engine configurations
that HTML and/or JSP source could be view at the browser.
HTTP Server There are configuration settings that could be made
where JSP source could be displayed in the browser, such as
placing JSPs in the document root of the HTTP server. Also, in
regards to html pages, if you use a PASS directive that allow all
file types to be served
(e.g. Pass /MYsamples/* /QIBM/UserData/MyHtml/*) then you
could see the HTML source. If the directive is qualified by file type
(e.g. Pass /MYsamples/*.html /QIBM/UserData/MyHtml/*) you can prevent
the request ending with '/' from being serviced.
Servlet Engine:
The problem description does not mention what Servlet
engine/JSP processor
that is being used. If it is WebSphere, if you have a file serving
servlet in your web application, it will try to service the
request for
http://www.foo.com/getsource.jsp/. Like the PASS example
above, if you
limit the types of requests to be served my the simple file
servlet by file type,
you can prevent the source from being displayed. To do so:
1. select the simple file servlet for the web app.
2. modify the URI in the servlet web path list.
a) start by modifying the existing URI. It may look
something like
default_host/webapp/myapp/
b) change to something like default_host/webapp/myapp/*.html
3. Continue adding URIs for other file types (*.gif, etc...)
4. Click Apply
5. Restart the web application