Learn practical, sound practices for properly configuring security settings within the IBM i OS, keep the OS and PTFs up to date and user profile management considerations.
Essential Layers of IBM i Security: IBM i Security Configuration
1. Layers of Security
IBM i Security Configuration
Rich Marko – Professional Services Director
Bill Hammond – Sr, Product Marketing Manager
2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer
speakers
• If you need technical assistance with the web interface or audio,
please reach out to us using the Q&A box
Questions Welcome
• Submit your questions at any time during the presentation using
the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following
the webinar with a link to the recording and slides
3. Today’s Agenda
• Layers of Security Overview
• IBM i Security Configuration
• System values settings
• IBM i server-configuration settings
• System Services Tools (SST) settings
• User authority settings
• Staying current on OS releases and
PTFs
• Q & A
3
5. IBM i Security
Configuration
Proper configuration
of the IBM i OS and related
resources, as well as
keeping OS versions and
PTFs up to date.
5
6. IBM i Security Configuration
3
System Services
Tools (SST)
settings
2
IBM i server-
configuration
settings
1
System values
settings
4
User authority
settings
6
5
Staying current on
OS releases and
PTFs
8. System values settings
8
• The QSECURITY system value is used to specify the security
level of the OS
• Must be set to 40 or 50.
• Activates system-integrity protection for your IBM i
• Object-domain checking
• Parameter validation
• Object-hardware storage protection
• Prevent direct access to objects
• Ensures user-written programs utilize system interfaces (commands
and APIs) in order to gain access to objects
• Decide whether to enable QALWOBJRST, QFRCCVNRST,
QVFYOBJRST, and other system values related to integrity
and security.
10. IBM i server-configuration
settings
10
• Numerous servers on IBM i allow a client system to connect
over a network
• FTP
• TELNET
• ODBC
• JDBC
• DRDA
• Sign-on server, and many others
• Starting all servers by default on an IBM i unnecessarily opens
“doors” into the system,
• Review all IBM i servers
• Deactivate any that aren’t needed.
12. System Services Tools (SST)
settings
12
• Many SST capabilities provide significant access to data
• Network trace tools can provide a view of data flowing over a
network
• Manage or view storage dumps
• Manage other service tools User IDs
• Limit number of users having SST access
14. User authority settings
14
• Many companies have too many users with powerful profiles
• *SECADM authority
• *ALLOBJ authority
• Command-line access
• Stop the spread of powerful profiles
• Assign limited privileges to the majority of user profiles
• Temporarily grant selected users the authority they need to do a task
• Utilize third-party solutions
• Make it easier for administrators, security officers, and end users to
temporarily obtain elevated privileges as required.
• Log all actions taken once a user has the temporarily elevated authority
16. Staying current on OS releases
and PTFs
16
• Running older releases of the IBM i OS can open a security
risk within an enterprise.
• Risk from open-source packages that are no longer supported
by the open-source community but that run on systems with
older IBM i OS release levels.
• Java
• OpenSSL/SSH
• Samba
• Lotus products
• Web and application servers
• Subscribe to IBM’s security bulletins and tech notes for IBM i
17. Top Takeaways
• For QSECURITY system value, you should be
at security level 40 or 50
• Deactivate any IBM i servers not in use
• Take care with access to System Service Tool
capabilities
• Limit Powerful Profiles on your system
• Stay up-to-date with IBM i OS PTFs
17
19. Download the White Paper
The six layers of IBM i security and how
Precisely can help
19
https://www.precisely.com/resource-center/whitepapers/the-essential-
layers-of-ibm-i-security
20. Layers of Security Webinar Series
20
Topic 1 Topic 2 Topic 3
access on Resource Center today
Topic 5 Topic 6Topic 4
register now!
The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it.
Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper
QALWOBJRST – Allow object restore option
QVFYOBJRST – Verify object on restore
QFRCCVNRST - Force conversion on restore
QVFYOBJRST=3, QFRCCVNRST=3, and QALWOBJRST=*ALWPTF or *NONE work together.
WRKSYSVAL SYSVAL(*SEC) for the entire list
Use the ANZDFTPWD command to check for default passwords
Create the QAUDJRN audit journal - CHGSECAUD
ENDTCPSVR
ENDHOSTSVR
NETSTAT – Option 3 or 4 to see Listening Ports
3rd party tools are available to monitor and secure
DSPSSTUSR (Display Service Tool User CL command)
Command line interface to “audit” service tool users and privileges
STRSST (Start System Service Tools command)
Command line interface to the System Service tool menu
Create as few Service Tools User IDs (SST/DST) as possible
Create a Service Tool user with the same privileges as QSECOFR (QSECOFR can become disabled)
Never use QSECOFR Service Tool USERID (save the password in a secure location)
*SECOFR Class User Profiles
Audit powerful profiles with CHGUSRAUD command
In OS 7.3, IBM added Authority Collection that can be used to determine what security a user needs
DSPPTF/WRKPTF
QAUDJRN now has *PTFOBJ – Changes to PTF objects and *PTFOPR – PTF Operations
The increased frequency of high-profile breaches and the corresponding rise of new and expanded regulatory compliance requirements is putting enormous pressure on IT departments to assure their corporate executives that business-critical systems and data are secure. One particular statistic from a recently conducted Precisely survey of IT professionals is revealing in that 69% of respondents said they were only “somewhat confident” (or worse) in the effectiveness of their company’s IT security program. Given today’s rapidly evolving security threats, even being “somewhat confident” doesn’t cut it.
Improving confidence in one’s IT security posture requires a solid understanding of all potential vulnerabilities as well as the most effective best practices and technologies in order to minimize the possibility of a breach. To help, Precisely has created this white paper as a roadmap, grouping together important security best practices and technologies into six primary categories or “layers.” These layers cover physical devices, networks, configuration of the IBM i OS, access to systems, protection of data at the file and field level, and monitoring and auditing of systems. The reason it’s particularly helpful to view these security categories as “layers” is that, to some extent, each category overlaps with the others to provide multiple lines of defense. In other words, should one security layer be somehow compromised, there’s a good chance that another layer will thwart a would-be intruder. The six layers of IBM i security are summarized in the following diagram and are detailed in the remainder of this white paper