- Settings/definitions OK 
- Warning 
- High risk |
Confidential |
Date:20/04/2005 |
|
any company |
| User ID: leonid | Host Ip Address: 9.9.9.55 |
1. Management Summary |
A number of critical areas of your iSeries' security (on IP address 9.9.9.55) have been checked and an assessment provided for your information. The assessment looks at the network protection you have in place, attempts to execute various forms of access to your iSeries from the network and examines which critical security definitions are currently in effect. The first thing checked was access of your iSeries from the Network. Attempts to access the iSeries database through your PC succeeded with the user id leonid and password you entered. This indicates a possible weakness in your defenses. You should try also with other users. Next, we looked at your Security and Password Policy. Many of Your Security and password system value settings are not set in accordance with IBM recommendations. Your iSeries security is at a significantly lower level than it should be. Analysis of your exit point protection indicated that your application servers are fully protected by exit programs. A review of your system journal audit policy showed that there are critical system actions which are not logged in the system journal and will not be available for auditing. When looking for active invalid user and password entries in the system journal it was found that this information is logged in your system and may be audited. Power user authorities were examined next. You are advised to urgently review your user profile definitions to reduce the number of power users. Regarding other user and password vulnerabilities, there are user profiles that should be changed or removed. Finally, we looked at the active network connections. You should be aware that ports are open and in listing mode. |
| The remainder of the report details specific
vulnerabilities. Warnings in the body of the report appear in red and the following icons are used to indicate the degree of risk for a specific item. |
|
- Settings/definitions OK |
- Warning |
- High risk |
| ©Copywrite Bsafe Information Systems 2005. This document, format and content, are the property of Bsafe Information Systems Ltd. It cannot be copied, distributed or used in any way without the express permission, in writing, of Bsafe Information Systems Ltd. |
| FTP is one of the most widely used means of passing
files between an iSeries server and another computer. It is a powerful
protocol allowing manipulation of your iSeries files and libraries. The results listed below give a live indication of the ease with which a selected user can manipulate your critical files. |
It can be clearly seen from the results that the selected user can penetrate your iSeries, view vital information and cause great damage. |
| Check | Result | Current Risk/Suggestions | Command |
| FTP logon
|
Action successful | HIGH RISK! An FTP connection can be made from the network to your iSeries | ftp 9.9.9.55 |
| FTP view
library |
Action successful | HIGH RISK! The contents of your iSeries libraries can be viewed through an FTP connection | ls bsafelib |
| FTP copy
files from iSeries |
Action successful | HIGH RISK! Your iSeries files can be copied to a PC through an FTP connection | get bsafelib/bsafefile1 C:\leonid\RiskAssessment\bsafefile1 |
| FTP delete
files |
Action failed | OK. The selected iSeries file could not be deleted | delete bsafelib/bsafefile2 |
| FTP
overwrite files on iSeries |
Action successful | HIGH RISK! Your iSeries files can be overwritten via an FTP connection from a PC | put C:\leonid\RiskAssessment\bsafefile3 bsafelib/bsafefile1 |
| FTP CL
command |
Action failed | OK. The selected CL command could not be executed on your iSeries through an FTP connection from a PC, by this user | rcmd crtpf file(bsafelib/bsafefile4) rcdlen(10) |
| Remote command is a powerful and highly accessible
means of accessing the iSeries server from a remote location. It is enough
to install client access on any PC with a connection to your iSeries to
give access to this means of penetrating your iSeries. The results listed below give a live indication of the ease with which a selected user can manipulate your critical files. |
The selected user did not achieve access to your iSeries through the remote command server. But is this the case for all users in your organization, including power users and senior staff? |
| Check | Result | Current Risk/Suggestions | Command |
| Create a new
library |
Action failed | OK. A library could not be created remotely on your iSeries using remote command | rmtcmd crtlib lib(bsfcmdlb) //9.9.9.55 |
| Create a new
file |
Action failed | OK. A file could not be created remotely on your iSeries using remote command | rmtcmd crtpf file(bsfcmdlb1/bsfcmdfl) rcdlen(10) //9.9.9.55 |
| Copy a
system object |
Action failed | OK. The selected system object could not be copied remotely on your iSeries using remote command | rmtcmd crtdupobj obj(crtclpgm) fromlib(qsys) objtype(*cmd) tolib(bsfcmdlb1) newobj(bsfcmdcmd) //9.9.9.55 |
| The database server is among the most sensitive and
highly used gateways into your iSeries from the network. It is the means
by which ODBC, JDBC and Websphere applications and many IBM Client Access
features make their connection with the iSeries database. It is a
particularly sensitive gateway into your iSeries as it the means by which
the database is accessed and manipulated at the record and field
level. The results listed below give a live indication of the ease with which a selected user can manipulate your data. |
It can be clearly seen from the results that the selected user can penetrate your iSeries through the database server and add, change and delete data in your database. |
| Check | Result | Current Risk/Suggestions | Command |
| Database
logon |
Action successful | HIGH RISK! An ODBC connection can be made from the network to your iSeries | Database Logon User Name - leonid; IP - 9.9.9.55; |
| Database
view records |
Action successful | HIGH RISK! Data can be displayed remotely on your iSeries using the database server | SELECT * FROM bsafelib.bsafepf1 |
| Database
change records |
Action successful | HIGH RISK! File contents can be changed remotely on your iSeries using the database server | UPDATE bsafelib.bsafepf1 SET bsafepf1 = 'dd' WHERE bsafepf1 = 'cc' |
| Database
delete records |
Action successful | HIGH RISK! Data can be deleted remotely on your iSeries using the database server | DELETE FROM bsafelib.bsafepf1 WHERE bsafepf1 = 'bb' |
| Your iSeries password policy is defined by a group of system values which can be controlled by the system administrator. The more stringent the settings given to these system values the harder it will be to penetrate your iSeries by guessing passwords. |
The findings of this risk assessment are that many of your password policy settings deviate from IBM recommendations. The security of your iSeries could be seriously compromised and we recommend you urgently review your password policy. |
| Name | Description | Current Value | Risk Assessment |
| QPWDEXPITV
|
Password expiration interval specifies whether user passwords expire or not, controls the number of days allowed before a password must be changed. | 000120 | High risk - Number of days before expiration interval exceeds the recommended, this compromises the password security on your system |
| QPWDLMTAJC
|
Limit adjacent digits in password restricts consecutive digits, provides additional security by preventing sequence of numbers as passwords. | 0 | Warning - Using sequence of numbers as passwords makes it easy to guess |
| QPWDLMTCHR
|
Limit characters in password specifies certain characters that are not allowed in a password. | *NONE | High risk - Users are not prevented from forming actual words for their passwords this compromises system security |
| QPWDLMTREP
|
Restrict repeating characters restricts repeating characters and prevents users from specifying passwords that are easy to guess | 0 | High risk - The same characters can be repeated more than once, this compromises the security on your system |
| QPWDLVL |
Password level the system can be set to allow for user profile passwords from 1-10 or 1-128 characters | 0 | Recommended - The password level of the system set as needed |
| QPWDMAXLEN
|
Maximum password length maximum number of characters for a password | 5 | High risk - specified maximum number of characters for a password is far less than recommended, this compromise the security on your system |
| QPWDMINLEN
|
Minimum password length specifies the minimum number of characters for a password | 3 | High risk - specified minimum number of characters for a password is far less than recommended, this compromises the security |
| QPWDPOSDIF
|
Limit password character position requires a new character in each position | 0 | Warning - Allowing characters in the same positions as previous password affects the security on your system |
| QPWDRQDDGT
|
Require digit in password specifies whether a numeric character is required in a new password | 0 | Warning - Users are not prevented from forming all alphabetic character passwords, this can influence the security on your system |
| QPWDRQDDIF
|
Duplicate password control prevents users from specifying passwords that they have used previously | 6 | Warning - Duplicate password control selected value not sufficient, lapsed time too short, this can affect the security on your system |
| QPWDVLDPGM
|
Password validation program provides the ability for a user-written program to do additional validation on passwords | PASSVLDPGMSHLOMOANZ | Warning - User-written validation programs can compromise the security on your system |
| Your iSeries security policy is defined by a group of system values which can be controlled by the system administrator. The settings given to these system values will influence the degree of ease by which sensitive objects may be accessed and changed. |
The findings of this risk assessment are that many of your security policy settings deviate from IBM recommendations. The security of your iSeries could be seriously compromised and we recommend you urgently review your policy. |
| Name | Description | Current Value | Risk Assessment |
| QALWOBJRST
|
Allow object restore option allows restore of security-sensitive objects. checks occur during the installation of ptf and restore of licensed programs | *ALL | High risk - Objects restored regardless of security-sensitive attributes or validation errors, this compromises the security on your system |
| QALWUSRDMN
|
Allow user domain objects in libraries specifies where to allow user domain objects that bypass authority checking and cannot be audited | *ALL | Recommended - Domain objects that are not auditable allowed in libraries and directories |
| QCRTAUT |
Create default public authority default authority for newly created objects in ibm supplied qsys.lib file system | *ALL | High risk - Objects created with default public authority for all operation and management rights |
| QRETSVRSEC
|
Retain server security data allows server security information to be retained: 0=retain 1=do not retain data. | 1 | Warning - Retaining user authentication security data on a target system when used via client-server interfaces can compromise system security |
| QSECURITY
|
System security level objects and operating system integrity | 40 | Recommended - Level of security selected is sufficient for keeping Passwords, objects and operating system integrity |
| QSHRMEMCTL
|
Shared memory control allows use of shared or mapped memory with write capability: 1=allowed, 0=not allowed | 0 | Warning - Programs running in different jobs are prevented from accessing shared-memory objects |
| QSVRAUTITV
|
Server authentication interval server authentication interval system value (no longer used) | 2880 | Recommended - The system value is no longer used by the operating system and kept as a referrence |
| QUSEADPAUT
|
Use adopted authority whether users can cause programs to use adopted authority from calling programs | *NONE | Recommended - Use adopted authority, authorization lists can be used to secure objects with similar security needs. |
| QVFYOBJRST
|
Verify object on restore verifies object signatures during restore. values:1-5 | 1 | High risk - Do not verify signatures on restore, allowing such a command or program represents an integrity risk to your system |
| IBM provides a means of protecting against many forms of unauthorized activity not covered by OS/400. The mechanism is called exit point protection and comprises dozens of strategic points which may be monitored by a specialized, purpose-built application. Once in place this software can monitor and even protect against access to key gateways to your iSeries. Such gateways include FTP server, Telnet and ODBC. |
The findings of this risk assessment are that your application servers are fully protected by exit programs. |
| Server Name | Risk Assessment |
 File
Transfer Server FTP |
Protected by Bsafe/Global Security |
| File
Transfer Client FTP |
Protected by Bsafe/Global Security |
| TelNet |
Protected by Bsafe/Global Security |
| Remote
Command Server |
Protected by Bsafe/Global Security |
| Data Base
|
Protected by Bsafe/Global Security |
| Remote SQL
|
Protected by Bsafe/Global Security |
| Data Queue
|
Protected by Bsafe/Global Security |
| Distributed
Data Management |
Protected by Bsafe/Global Security |
| Pass-Through
|
Protected by Bsafe/Global Security |
| File
Transfer |
Protected by Bsafe/Global Security |
| Signon
Server |
Protected by Bsafe/Global Security |
| File Server
|
Protected by Bsafe/Global Security |
| Trivial File
Transfer TFTP |
Protected by Bsafe/Global Security |
| Central
Server |
Protected by Bsafe/Global Security |
| Message
Server |
Protected by Bsafe/Global Security |
| Virtual
Print |
Protected by Bsafe/Global Security |
| Network
Print |
Protected by Bsafe/Global Security |
| Work Station
Gateway Logon |
Protected by Bsafe/Global Security |
| Delete
Journal Receivers |
Protected by Bsafe/Global Security |
| Power Down
System Command |
Protected by Bsafe/Global Security |
| Attention
Keys |
Protected by Bsafe/Global Security |
| System
Request Attention |
Protected by Bsafe/Global Security |
| Auxiliary
Storage Limit |
Protected by Bsafe/Global Security |
| The system journal is a powerful feature of OS/400 which is often not used owing to its complexity. However ,a correctly setup policy can log important system activity which may be later analyzed and audited depending on the tools you have available. |
Your current audit policy has been analyzed in this assessment and the findings are that there are critical system actions which are not logged in the system journal and will not be available for auditing. |
| Value | Description | Setting | Risk Assessment |
| *AUDLVL |
System auditing | On | System auditing events logged and may be audited |
| *OBJAUD |
Object auditing | On | Object auditing activity defined logged and may be audited |
| *AUTFAIL |
Authorized failure | On | All access failure,Incorrect Password or User ID logged and may be audited |
| *PGMFAIL |
System integrity violation | On | Blocked instructions,Validation failure,Domain violation logged and may be audited |
| *JOBDTA |
Job tasks | On | Job start and stop data(disconnect,prestart) logged and may be audited |
| *NETCMN |
Communication & Networking tasks | On | Action that occur for APPN filtering support logged and may be audited |
| *SAVRST |
Object restore | On | Restore(PGM,JOBD,Authority,CMD,System State) logged and may be audited |
| *SECURITY
|
Security tasks | On | All security related functions(CRT/CHG/DLT/RST) logged and may be audited |
| *SERVICE |
Services HW/SW | On | Actions for performing HW or SW services logged and may be audited |
| *SYSMGT |
System management | Off | Registration,Network,DRDA,SysReplay,Operational not logged and cannot be audited |
| *CREATE |
Object creation | On | Newly created objects, Replace exisitng objects logged and may be audited |
| *DELETE |
Object deletion | On | All deletion of external objects logged and may be audited |
| *OFCSRV |
Office tasks | On | Office tasks(system distribution directory,Mail) logged and may be audited |
| *OPTICAL |
Optical tasks | On | Optical tasks(add/remove optical cartridge,Autho) logged and may be audited |
| *PGMADP |
Program authority adoption | On | Program adopted authority, gain access to an object logged and may be audited |
| *OBJMGT |
Object management | On | Object management logged and may be audited |
| *SPLFDTA |
Spool management | On | Spool management logged and may be audited |
| A small cross-section of actual activity - invalid user names and passwords used when signing on - has been analyzed. It can be seen that this information is logged in your system and may be audited. |
| Entry Type | Entry Code | Description | Count |
| PW | P | Failed signon due to incorrect password | 14 |
| PW | U | Failed signon due to incorrect user name | 0 |
| The user classes given to a user when creating or changing a user profile control the default special authorities granted to the user. If you wish to follow good practice it is advisable to define all users with the 'weaker' user classes except where absolutely necessary. The less power users you have the less chance there is of wanted or accidental damage being caused. |
Your user definitions have been analyzed and the number of power users defined is disturbingly high. We suggest you urgently review your user profile definitions. |
| User Class | Description | Total | Percent | Risk Assessment |
| *PGMR |
Programmer | 12 | 8 | |
| *SECADM |
Security Administrator | 3 | 2 | The number of users assigned as administrators is acceptable |
| *SECOFR |
Security Officer | 27 | 19 | Too many users are assigned as security officers |
| *SYSOPR |
System Operator | 7 | 5 | The number of users assigned as system operators is somewhat high |
| *USER |
User | 95 | 66 | |
| All Users | 144 | 100 |
| The various special authorities granted to users are what differentiate a power user on your iSeries from an ordinary user. |
The authorities of your users have been analyzed and the number of power users is unnecessarily high. We suggest you review your user profile definitions. |
| Authority | Description | Total | Percent | Risk Assessment |
| *ALLOBJ |
All object authority | 35 | 24 | All objects authority granted to users not in class security Officer or Administrator |
| *AUDIT |
Audit authority | 30 | 21 | Auditing authority granted to users other than the system security officer |
| *IOSYSCFG
|
Input/Output system configuration | 34 | 24 | I/O configurations authority given to users other than the system security officer |
| *JOBCTL |
Job control authority | 46 | 32 | No suggestions available |
| *SAVSYS |
Save system authority | 34 | 24 | No suggestions available |
| *SECADM |
Security administrator authority | 36 | 25 | Security administrator authority granted to users not in the same class |
| *SERVICE |
Service authority | 31 | 22 | No suggestions available |
| *SPLCTL |
Spool control authority | 33 | 23 | No suggestions available |
| *USRCLS |
Special authorities granted based on User Class | 0 | 0 | No suggestions available |
| All Users | 144 | 100 |
| There are many definitions, statuses and statistics about users in your organization which if monitored, can reveal weaknesses in your iSeries security. |
A selection of this information has been analyzed and there are user profiles that should be changed or removed. We suggest you urgently review your user profiles to change all default passwords and remove those profiles not in use. |
| Description | Total | Percent | Risk Assessment |
| Powerful
Users with default password |
39 | 27 | Default password are easy to guess |
| Password
same as Userprofile value |
70 | 49 | User & password are easy to guess |
| IBM Pwd same
as User Profile value |
1 | 1 | Change Default IBM supplied passwords |
| Disabled
Users |
75 | 52 | Disabled users require maintenance |
| Previous
SignOn |
124 | 86 | Previous users signon require maintenance |
| SignOn Last
Changed |
136 | 94 | Users needs to change passwords more often |
| All Users | 144 | 100 |
| The active network connections are the ports currently in use or in listing mode waiting for activity. |
There are known ports open and in listing mode. |
| IP Address | Current Connections |
| Well Known Port | 27 |
| 9.9.9.14 | 2 |
| 9.9.9.64 | 2 |
| 9.9.9.77 | 8 |
| 192.168.0.102 | 2 |
| Port ID | Port Description | Current Connections | Risk Assessment |
| 21 |
ftp-control | 1 | Known Port open in listening mode |
| 23 |
telnet | 8 | Known Port open in listening mode |
| 25 |
smtp | 1 | Known Port open in listening mode |
| 80 |
www-http | 1 | Known Port open in listening mode |
| 110 |
pop3 | 1 | Known Port open in listening mode |
| 137 |
netbios-ns | 1 | Known Port open in listening mode |
| 139 |
netbios-ssn | 1 | Known Port open in listening mode |
| 389 |
ldap | 1 | Known Port open in listening mode |
| 397 |
APPCoverTCPIP | 1 | Known Port open in listening mode |
| 445 |
cifs | 1 | Known Port open in listening mode |
| 449 |
as-svrmap | 5 | Known Port open in listening mode |
| 1967 |
Bsafe/Global Security | 1 | In use by Bsafe/Global Security |
| 1983 |
Bsafe/Global Security | 1 | In use by Bsafe/Global Security |
| 2001 |
as-admin-http | 1 | Known Port open in listening mode |
| 5110 |
as-pop3 | 1 | Known Port open in listening mode |
| 5544 |
as-mgtctrlj | 1 | Known Port open in listening mode |
| 5555 |
as-mgtctrl | 1 | Known Port open in listening mode |
| 8470 |
as-central | 1 | Known Port open in listening mode |
| 8471 |
as-database | 1 | Known Port open in listening mode |
| 8472 |
as-dtaq | 1 | Known Port open in listening mode |
| 8473 |
as-file | 1 | Known Port open in listening mode |
| 8474 |
as-netprt | 1 | Known Port open in listening mode |
| 8475 |
as-rmtcmd | 4 | Known Port open in listening mode |
| 8476 |
as-signon | 1 | Known Port open in listening mode |
| 8477 |
as-netdrive | 1 | Known Port open in listening mode |
| 8478 |
as-transfer | 1 | Known Port open in listening mode |
| 8479 |
as-vrtprint | 1 | Known Port open in listening mode |
| ©Copywrite Bsafe Information Systems 2005. This document, format and content, are the property of Bsafe Information Systems Ltd. It cannot be copied, distributed or used in any way without the express permission, in writing, of Bsafe Information Systems Ltd. |
|
|