Contrary to popular belief, IBM i is NOT secure by default. Thankfully, it IS secure-able.
View this on-demand webinar to explore the top configuration settings that leave your IBM i vulnerable – to accidental misconfiguration, being infected with malware (including ransomware), an outside attacker, or an ill-intentioned insider.
During this webinar, Carol Woodbury, President and CTO of DXR Security describes the vulnerability, provides considerations prior to changing settings, and high-level instructions for eliminating each vulnerability.
Top Ten Settings that Leave your IBM i Vulnerable
1. Top Ten Settings that Leave your IBM i Vulnerable
Bill Hammond | Precisely
Carol Woodbury | DXR Security
John Vanderwall | DXR Security
2. Housekeeping
Webinar Audio
• Today’s webinar audio is streamed through your computer speakers
• If you need technical assistance with the web interface or audio, please refresh your browser window – Chrome is recommended
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box
Recording and slides
• This webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides
3. The global leader in data integrity
Trust your data. Build your possibilities.
Our data integrity software and data enrichment products deliver accuracy and consistency to power confident business decisions.
Brands you trust, trust us. Data leaders partner with us.
[Slide figures: 90 of the Fortune 100; customers in more than 100 countries; 12,000 customers; 2,000 employees]
5. Goal
To give you topics to consider, and once you’ve considered them, evaluate whether you need to make changes - based on your organization’s business requirements - and then take a step to improve security and reduce risk
6. Issue #10 – Nothing Needs to be Done
Belief that IBM i is secure by default
“We trust our employees”
No regulatory compliance requirements
7. So….. the data residing on IBM i isn’t important to your organization?
8. Acknowledge that Accidental Errors Occur
Insiders
Malicious insider – 14%
Credential theft – 23%
Negligence – 63%
Ponemon Institute, The Cost of Insider Threats – 2020
https://www.ibm.com/security/digital-assets/services/cost-of-insider-threats/#/
9. Issue #9 – Setting and Forgetting
Security project has completed or an audit performed – no process in place to review:
User profile settings: default passwords, special authorities, group membership, old profiles
Authority settings: libraries, directories, files, authorization lists, file shares
TCP/IP settings: auto-start values, encryption settings
14. Issue #8 – Running at the Wrong Security Level
Vulnerable to:
Running batch jobs with elevated authority
By-passing some auditing
Calling OS programs directly
Note: Permissions when profiles are created include *ALLOBJ and *SAVSYS (level 20)
[Chart: Total Available IBM i Security Capabilities by QSECURITY value, for levels 10, 20, 30, 40 and 50]
15. Moving to a Higher Security Level
Moving from 30 to 40/50: must audit to determine issues (if any)
Moving from 20 to 40/50: much more planning required
Details can be found in:
IBM i Security Reference, Chapter 2
IBM i Security Administration and Compliance, 3rd edition
16. Issue #7 – Not Requiring a Password for DDM
An attribute of the DDM server determines whether a password is required on the target system
Using ADDSVRAUTE, a user can define that they will run as a different profile on the target system – including QSECOFR
17. Securing DDM
Investigate what profiles are using DDM prior to changing the server attributes to require a password!
Use the GR audit journal entries, looking for use of DDM/DRDA
Look at the exit point logs
Add a server authentication entry for each profile using DDM
Using a group profile for DDM access: https://www.ibm.com/support/pages/simplified-ddm-and-drda-authentication-entry-management-using-group-profiles
Use current user’s password for DDM access: https://www.ibm.com/support/pages/enable-drda-and-ddm-authentication-using-user-profiles-password
18. Securing DDM - continued
Set ADDSVRAUTE to *PUBLIC *EXCLUDE
Set QSECOFR to STATUS(*DISABLED)
Use Application Administration to shut off access
Use Exit Point software to log and control access
19. Issue #6 – Keeping Around Old Stuff
Inactive profiles
Archived data past retention schedule
Copies made prior to updating a database: filenameX, filenameOld, filename2, filenameCopy
De-commissioned servers
Past versions of vendor products
Vendor products no longer in use
File shares
20. #6a – Profiles Remain with Access / Power
Even though users (employees / contractors) have left the organization, their access remains
MUST have a process to ensure access is terminated immediately
Don’t forget SaaS applications – payroll/HR, CRM, etc.
Use:
CHGUSRPRF to *DISABLE on a specific date or timeframe (days)
GO SECTOOLS, Option 8 to *DISABLE or *DELETE on a specific date
WRKOBJOWN or QSYS2.object_ownership to find owned objects
21. Issue #5 – Sessions aren’t Encrypted
Internal communications are often not encrypted
WFH or WFS (Work from Starbucks) not using a VPN
Vulnerable to sniffing
22. Encrypt Sessions
Obtain a digital certificate from a well-known CA (Certificate Authority) or configure IBM i to be a CA
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzahu/rzahurazhudigitalcertmngmnt.htm
http://your_system_name:2006/dcm/login
Use the SSLCONFIG or TLSCONFIG (V7R4) SST command to determine what protocols are in use
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzain/rzainhscounter.htm
Use *NETSCK, *NETUDP and *NETTELSVR in QAUDLVL to determine if unsecure communications are in use (V7R3)
https://www.mcpressonline.com/security/ibm-i-os400-i5os/how-can-i-tell-whether-all-the-connections-to-my-ibm-i-are-secure
23. Issue #4 – Data is Not Protected
Data is not protected against:
accidental modification
accidental (or purposeful) deletion
downloading by individuals without a business justification
24. How / Why does this Happen?
Perception that object security is too difficult
IFS is ignored
An organization’s corporate data is ignored
People don’t realize where (all) the data is located
25. Multiple Layers of Defense / Defense in Depth
Object security – NOT all or nothing!
Authority Collection – added in V7R3 and enhanced in V7R4
Masking and/or additional permissions via Row and Column Access Control (RCAC)
Encryption via FIELDPROC
Exit point software
Implement as many layers of defense as is required to reduce risk to an acceptable level
26. Issue #3: Lack of Visibility into What’s Happening on IBM i
No auditing enabled or never reviewed
Not sending information to the organization’s SIEM
27. Audit Recommendations
QAUDCTL
*OBJAUD
*AUDLVL
*NOQTEMP (optional)
QAUDLVL
*AUTFAIL
*PGMFAIL (only when moving from 20/30 to 40/50)
*CREATE
*DELETE
*PTFOPR, *PTFOBJ
*SAVRST
*SECCFG and *SECRUN (or *SECURITY)
*SERVICE
*OBJMGT
*JOBBAS (generates A LOT of entries)
*ATNEVT (intrusion detection at IP stack level)
28. SIEM
Are you sending IBM i events to your SIEM?
If not, why not?
What’s your SIEM used for?
System of record or to detect inappropriate activity
See MC Press article for more considerations
https://www.mcpressonline.com/security/ibm-i-os400-i5os/what-ibm-i-information-should-i-be-sending-to-my-siem
29. Send Audit Entries Indicating an Attack to your SIEM
PW (invalid password / user name) entries:
‘U’ entries where the User is “root” or “Admin” and the attempt originates from outside of the organization
‘P’ entries where many occur within a short period of time and for the well-known IBM i-supplied profiles (QSYS, QSECOFR, QUSER, QSYSOPR, QPGMR, QSRV, QSRVBAS)
JS (job start) entries:
Job start entries that originate from an unknown external IP address
Job starts for unknown entries (such as QSECOFR)
CP (user profile change) entries:
Password changes for QSECOFR and other IBM-supplied profiles
Re-enablement of QSECOFR (if kept STATUS *DISABLED)
https://www.mcpressonline.com/security/ibm-i-os400-i5os/what-ibm-i-information-should-i-be-sending-to-my-siem
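The PW-entry rules on this slide, written out as detection logic over constructed sample records. This is an added example and not code from the deck or from DXR Security; the record layout, the internal address ranges and the burst threshold are assumptions, and the live-source names in the docstring are the ones I would expect to use, not something the slide states.

```python
"""Detection logic for the PW audit-journal entries that slide 29 says to forward to a SIEM.
Added example (not from the original deck): the records below are constructed stand-ins for
the fields a PW entry carries; the live source would be DSPJRN/CPYAUDJRNE output or (assumed
name) the SYSTOOLS.AUDIT_JOURNAL_PW service."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# IBM i-supplied profiles the slide names as brute-force targets
IBM_PROFILES = {"QSYS", "QSECOFR", "QUSER", "QSYSOPR", "QPGMR", "QSRV", "QSRVBAS"}
# Assumed internal address ranges; replace with the organization's own
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_external(addr):
    """True when the source address is outside the internal ranges."""
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_attack_indicators(entries, burst_window=timedelta(minutes=5), burst_count=10):
    """entries: dicts with type ('U' = user name not valid, 'P' = password not valid),
    user, addr and time. Returns the alert strings a SIEM rule would raise."""
    alerts, by_user = [], defaultdict(list)
    for e in entries:
        user = e["user"].upper()
        if e["type"] == "U" and user in {"ROOT", "ADMIN"} and is_external(e["addr"]):
            alerts.append(f"external probe for non-IBM i user {e['user']} from {e['addr']}")
        if e["type"] == "P" and user in IBM_PROFILES:
            by_user[user].append(e["time"])
    # sliding window over each IBM-supplied profile's failed-password timestamps
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_count:
                alerts.append(f"{burst_count}+ bad passwords for {user} within {burst_window}")
                break
    return alerts

# Constructed sample: one external 'root' probe, 12 bad QSECOFR passwords in two minutes,
# and one internal user's typo that must not alert.
T0 = datetime(2020, 11, 3, 2, 15)
SAMPLE = ([{"type": "U", "user": "root", "addr": "203.0.113.9", "time": T0}]
          + [{"type": "P", "user": "QSECOFR", "addr": "203.0.113.9",
              "time": T0 + timedelta(seconds=10 * i)} for i in range(12)]
          + [{"type": "P", "user": "JSMITH", "addr": "10.1.2.3", "time": T0}])

if __name__ == "__main__":
    print("\n".join(find_attack_indicators(SAMPLE)))
```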
30. Use Intrusion Detection
IM – Audit entries – Used to detect DDoS attacks and cryptomining malware
See
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubkickoff.htm
>>> It takes tuning! <<<
31. Issue #2: Authentication
Running at the wrong password level
Allowing weak passwords (including default passwords)
No multifactor authentication (MFA)
Credential stuffing
32. Password Level (QPWDLVL)
System value
0 (default): Character set A-Z, 0-9, $, @, # and _; maximum length 10
1: Same as level 0 but gets rid of the old NetServer password. Safe to move if you are not using NetServer or not connecting with Windows 95, 98, ME or Windows 2000 server – end users will see no difference
2: Character set upper / lower case, all punctuation and special characters, numbers and spaces; maximum length 128. Keeps NetServer password, encrypts with old and new algorithms. Sign-on screen changed to accommodate longer password; CHGPWD and CRT/CHGUSRPRF pwd field changed
3: Same as level 2, gets rid of old encrypted password and old NetServer password. Safe to move if you are not using NetServer or not connecting with Windows 95, 98, ME or Windows 2000 server – end users will see no difference
Changes require an IPL
Move to level 2 prior to moving to 3.
At level 2, can sign on with a password that’s ALL CAPS or all lower until password is changed. *** User education required! ***
33. Sign-on System Values
System value – Recommended setting
QMAXSIGN – 3-5
QMAXSGNACN – 2 (Disable the profile) or 3 (Disable the profile and device)
35. QPWDRULES
*PWDSYSVAL, or one or more of:
*CHRLMTAJC
*CHRLMTREP
*DGTLMTAJC
*DGTLMTFST
*DGTLMTLST
*DGTMAXn
*DGTMINn
*LMTSAMPOS
*LMTPRFNAME
*LTRLMTAJC
*LTRLMTFST
*LTRLMTLST
*LTRMAXn
*LTRMINn
*MAXLENnnn
*MINLENnnn
*MIXCASEnnn
*REQANY3
*SPCCHRLMTAJC
*SPCCHRLMTFST
*SPCCHRLMTLST
*SPCCHRMAXn
*SPCCHRMINn
*ALLCRTCHG (V7R2)
Recommended: rules are all in one place, more options
Note: ALL rules must go in QPWDRULES once it’s changed from the default.
36. Default Passwords
Specify *LMTPRFNAME and *ALLCRTCHG in QPWDRULES
Specifying that the password has to be changed at first sign-on is no protection!
Run ANZDFTPWD to discover profiles with default passwords
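To make the QPWDRULES list on slide 35 and the *LMTPRFNAME advice on slide 36 concrete, here is a password checker that models a subset of those rules. It is an added example, not code from the deck or from IBM: the rule meanings follow the IBM i Security Reference, while the check_password() function and the sample rule set are constructed here.

```python
"""Checks a candidate password against a subset of the QPWDRULES values on slide 35,
including the *LMTPRFNAME rule slide 36 recommends. Added example, not from the deck or
from IBM: the rule meanings follow the IBM i Security Reference, but check_password() and
the sample rule set are constructed here."""
import re

def check_password(pwd, rules, profile_name, previous=None):
    """Return the rules the password violates (empty list = password accepted)."""
    failed = []
    digits = [c for c in pwd if c.isdigit()]
    specials = [c for c in pwd if not c.isalnum()]
    upper, lower = sum(c.isupper() for c in pwd), sum(c.islower() for c in pwd)
    for rule in rules:
        ok = True
        if m := re.fullmatch(r"\*MINLEN(\d{1,3})", rule):     # minimum length
            ok = len(pwd) >= int(m.group(1))
        elif m := re.fullmatch(r"\*MAXLEN(\d{1,3})", rule):   # maximum length
            ok = len(pwd) <= int(m.group(1))
        elif m := re.fullmatch(r"\*DGTMIN(\d)", rule):        # at least n digits
            ok = len(digits) >= int(m.group(1))
        elif m := re.fullmatch(r"\*SPCCHRMIN(\d)", rule):     # at least n special characters
            ok = len(specials) >= int(m.group(1))
        elif m := re.fullmatch(r"\*MIXCASE(\d{1,3})", rule):  # n upper AND n lower case letters
            ok = upper >= int(m.group(1)) and lower >= int(m.group(1))
        elif rule == "*REQANY3":            # at least 3 of: upper, lower, digit, special
            ok = sum([upper > 0, lower > 0, bool(digits), bool(specials)]) >= 3
        elif rule == "*CHRLMTAJC":          # no character repeated in adjacent positions
            ok = all(a != b for a, b in zip(pwd, pwd[1:]))
        elif rule == "*CHRLMTREP":          # no character used more than once
            ok = len(set(pwd)) == len(pwd)
        elif rule == "*DGTLMTFST":          # first character must not be a digit
            ok = not pwd[:1].isdigit()
        elif rule == "*LMTPRFNAME":         # must not contain the profile name
            ok = profile_name.upper() not in pwd.upper()
        elif rule == "*LMTSAMPOS":          # no character in the same position as last time
            ok = previous is None or all(a != b for a, b in zip(pwd, previous))
        else:
            raise ValueError(f"{rule} is not modelled in this example")
        if not ok:
            failed.append(rule)
    return failed

# Constructed rule set in the spirit of slides 35/36; not an IBM-published recommendation
RULES = ["*MINLEN012", "*MAXLEN128", "*DGTMIN1", "*SPCCHRMIN1", "*MIXCASE1", "*REQANY3",
         "*CHRLMTAJC", "*DGTLMTFST", "*LMTPRFNAME", "*LMTSAMPOS"]

if __name__ == "__main__":
    print(check_password("jsmith2020", RULES, "JSMITH"))     # weak: several rules fail
    print(check_password("Secure-Horse7", RULES, "JSMITH"))  # []
```

The *ALLCRTCHG rule is deliberately absent: it governs when rules are enforced (also on CRTUSRPRF/CHGUSRPRF), not what a password must look like.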
37. Credential Stuffing
Using previously stolen / compromised credentials (user id and passwords) to attempt to gain access to a different site or organization.
DO NOT re-use passwords!!!
39. Multi-factor Authentication (MFA)
Requires two or more ‘factors’ to authenticate (gain access to the system)
Something you know (password, PIN)
Something you are (fingerprint, facial recognition, optical scan)
Something you have (token, bank card)
Recommended for at least ‘powerful’ profiles
Helps prevent credential stuffing
40. Issue #1: Malware
Two types of malware affect IBM i:
Resident (Stored) in the IFS
Coming in via a file share
42. *ALLOBJ and Directory Permissions
Unlike Windows, there is no permission on the share itself
What the malware can do will depend on
How the share is defined – Read only or Read/Write
The user’s authority to the directory and objects in the directory
45. To Reduce the Risk Of Malware
Educate your users!
Back-ups
Do them!
Verify them!
Store them separately
Shares
DO NOT SHARE ROOT !!!! (or QSYS.lib)
Remove unnecessary shares
Set shares to Read-only where possible
Hide shares by creating with a ‘$’ – e.g. newshare$
Turn off broadcasting of the NetServer
46. To Reduce the Risk Of Malware - continued
Permissions
After review, set root to DTAAUT(*RX) OBJAUT(*NONE)
Review critical paths and restrict access as appropriate
Ransomware has started to exfiltrate the data and threaten to post it
Review who has *ALLOBJ special authority
Exit programs
If you have exit point software, use the NetServer exit to control which profiles can use the IFS
Consider network segmentation
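Slides 42, 45 and 46 together make one point: what malware arriving through a file share can do is bounded by both the share definition and the user's authority on the directory. The following share review works that out over a constructed share list and *PUBLIC authorities; it is an added example, not code from the deck, and the live-input sources named in the docstring are my assumption.

```python
"""Reviews NetServer file shares the way slides 42, 45 and 46 describe: what malware arriving
through a share can do is bounded by BOTH the share definition (read-only / read-write) and
the user's data authority (DTAAUT) on the directory. Added example, not from the deck; the
share list and *PUBLIC authorities are constructed (live input would come from
QSYS2.SERVER_SHARE_INFO and DSPAUT, names assumed)."""
from dataclasses import dataclass
NEVER_SHARE = ("/", "/QSYS.LIB")   # slide 45: do not share root or QSYS.LIB

@dataclass
class Share:
    name: str          # share name; a trailing '$' hides it from browsing
    path: str          # IFS path the share exposes
    read_write: bool   # True = Read/Write share, False = Read only

def dtaaut_ops(dtaaut):
    """*RWX-style data authority -> set of operations the user may exercise."""
    return set() if dtaaut in ("*NONE", "*EXCLUDE") else set(dtaaut.lstrip("*"))

def effective_ops(share, dtaaut):
    """Operations possible through the share = share definition AND directory authority."""
    ops = dtaaut_ops(dtaaut)
    return ops if share.read_write else ops & {"R", "X"}

def review_shares(shares, public_dtaaut):
    """public_dtaaut: path -> *PUBLIC DTAAUT on that directory. Returns findings per share."""
    findings = {}
    for s in shares:
        notes, path = [], s.path.upper()
        if path in NEVER_SHARE or path.startswith("/QSYS.LIB/"):
            notes.append("shares root or QSYS.LIB: remove this share")
        ops = effective_ops(s, public_dtaaut.get(s.path, "*NONE"))
        if "W" in ops:
            notes.append("*PUBLIC can write through this share: malware could encrypt or delete")
        elif "R" in ops:
            notes.append("read-only exposure: data can still be copied out")
        if not s.name.endswith("$"):
            notes.append("share is browsable; consider a trailing '$'")
        findings[s.name] = notes
    return findings

# Constructed sample: the classic root share, a hidden read-only share, and a R/W share
# whose directory is already locked down to *RX as slide 46 recommends for root.
SHARES = [Share("ROOT", "/", True), Share("REPORTS$", "/home/reports", False),
          Share("ORDERS", "/data/orders", True)]
PUBLIC = {"/": "*RWX", "/home/reports": "*RWX", "/data/orders": "*RX"}

if __name__ == "__main__":
    for name, notes in review_shares(SHARES, PUBLIC).items():
        print(name, notes)
```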
47. If Infected …
Pull out your incident response plan!
Determine if you’re still under attack or if it’s contained
Determine if you can resolve yourself or need to call in experts
Determine if you need to notify law enforcement
If ransomware, determine if ransom will be paid
Quality and availability of your back-ups may determine whether you can recover from a malware attack
48. Real Scenario
Dear Ms Woodbury,
I was forwarded your info. As of last night, we are being held hostage. We've been in touch with the FBI and IBM. We have a ransom note on our servers. I can be reached at xxx-xxx-xxxx
- via LinkedIn and Voicemail
49. Don’t be Overwhelmed!
To give you topics to consider, and once you’ve considered them, evaluate whether you need to make changes - based on your organization’s business requirements - and then take a step - ANY step - to improve security and reduce risk
50. For More Information
IBM i Services page
https://www.ibm.com/support/pages/node/1119123
https://gist.github.com/forstie
RCAC Redpiece
http://www.redbooks.ibm.com/abstracts/redp5110.html?Open
Intrusion Detection
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzaub/rzaubpdf.pdf?view=kc
IBM i Security Reference – PDF
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/rzarl/sc415302.pdf?view=kc
Chapters 2 and 3 – System Values
Chapter 9 – Auditing
Chapter 10 – Authority Collection
IBM i Security Administration and Compliance, 3rd edition, by Carol Woodbury, 2020.
52. DXRSecurity Services
1) Annual IBM i Security Analysis Subscription
Includes:
2 Vulnerability Discovery Instances per year
12 hours of assistance per year
Sold per partition/LPAR
2) Vulnerability Discovery
Sold per partition/LPAR
3) Vulnerability Confirmation
Includes:
Testing and validation of vulnerabilities
Understand if compensating controls that are in place actually work
Understand how much access people have to critical files
Similar to a “penetration test” for the IBM i, but far more customized
4) Security Education
Includes:
2 Day Course (virtual or onsite “post Covid”)
Learn Security from an Expert
Sold “per student” plus expenses if onsite
53. Why DXR Security?
Unquestioned Expertise
Carol Woodbury
Former Security Architect and Chief Engineering Manager for the Enterprise Server group at IBM
Only commercially available book on IBM i Security: “IBM i Security Administration and Compliance”
25+ years in IBM i Security
John Vanderwall
20+ years selling IBM i Security services and software
CEO and VP roles
Doubled size of security services business in 4 years
We are all about “action” – not overwhelming you with huge amounts of information
56. Assure Security addresses the issues on the radar screen of every security officer and IBM i admin
Compliance Monitoring: Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console
Access Control: Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
Security Risk Assessment: Assess your security threats and vulnerabilities
Data Privacy: Protect the privacy of data at rest or in motion to prevent data breaches
57. Choose the full product, choose a feature bundle, or select a specific capability
Assure Security
Assure Data Privacy
Assure Encryption
Assure Secure File Transfer
Assure Monitoring and Reporting
Assure Db2 Data Monitor
Assure Access Control
Assure System Access Manager
Assure Elevated Authority Manager
Assure Multi-Factor Authentication
Assure Security Risk Assessment
Assure Compliance Monitoring