Controlling PC Access
December 8, 2004 Hey, Wayne O
First of all, thank you for your good Web site and your very useful essays. I have some questions about AS/400 security. I would like to find a solution to prevent access to the database, running remote commands from PCs, and PC file transfers.
Of course, we want to give permission to users to be able to run programs that use files or objects for reading and updating. I have followed your recommendation to specify *EXCLUDE for *PUBLIC when securing files with the Grant Object Authority (GRTOBJAUT) command, but doing so prevents our users from running any program that uses database files.
–Aivazian
You have two separate problems, Aivazian: controlling PC access and allowing users to run applications. The good news is that one solution will solve most of the problems you mentioned.
Application-Only Access
You were very close when you set the *PUBLIC authority on the data files to *EXCLUDE. That authority is what stops users from reaching the files from a PC, because a file transfer, ODBC, or FTP request runs under the user's own profile and has nothing more than *PUBLIC gives it. As you discovered, it also means users of the application get a “not authorized” message, because the application program opens the same files under that same user profile. The solution is to have the application programs adopt the authority of the profile that owns the data.
Using adopted authority allows users to access the data only while an application is running. This is the basis for a security strategy I call application-only access, or AOA.
The principle of AOA is to give users access to data while in the application, but no access (or read-only access) while outside of the application. You simply need to have the application programs adopt authority.
To make programs adopt, two steps are required:
- The programs need to be owned by the user profile that also owns the data. I recommend an application owner profile (OWNPRDDTA). This profile should have no password (PASSWORD(*NONE)), in order to prevent sign-on, and should not be a group profile, because every member of a group profile gets the group's authority outside the application as well.
- The programs need to be compiled with the option USRPRF(*OWNER), which is a parameter of CRTCLPGM, CRTBNDRPG, CRTPGM, and the other create-program commands. You can also use the CHGPGM command to change existing programs to adopt. Two caveats: adopted authority is passed along to any program the adopting program calls, unless that program was created with USEADPAUT(*NO), so an adopting program must never hand the user a command line; and users still need *USE authority to the program object itself in order to call it.
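The two steps above, carried through in CL as an added example (this is not code from the column or from any vendor). The library PRDLIB, the programs ORDENT and ORDENTC, the file CUSTMAST, and the command-line program CMDLINE are assumed names; OWNPRDDTA is the owner profile the column recommends.

```cl
/* Added example: putting application-only access in place.                    */
/* Assumed names: PRDLIB, ORDENT (RPG program), ORDENTC (CL driver), CUSTMAST,  */
/* CMDLINE (a program that presents a command line). OWNPRDDTA is from the text. */

/* 1. Owner profile: no password, cannot sign on, no special authorities,        */
/*    not a group. Nobody ever signs on as this profile.                         */
CRTUSRPRF USRPRF(OWNPRDDTA) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
          LMTCPB(*YES) SPCAUT(*NONE) GRPPRF(*NONE) +
          TEXT('Owner of production data and programs')

/* 2. Data files: owned by OWNPRDDTA, nothing for *PUBLIC.                       */
/*    CUROWNAUT(*REVOKE) strips the authority the previous owner kept.          */
CHGOBJOWN OBJ(PRDLIB/*ALL) OBJTYPE(*FILE) NEWOWN(OWNPRDDTA) CUROWNAUT(*REVOKE)
GRTOBJAUT OBJ(PRDLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Programs: compiled to adopt, then owned by the same profile as the data.   */
CRTBNDRPG PGM(PRDLIB/ORDENT)  SRCFILE(PRDLIB/QRPGLESRC) USRPRF(*OWNER)
CRTCLPGM  PGM(PRDLIB/ORDENTC) SRCFILE(PRDLIB/QCLSRC)    USRPRF(*OWNER)
CHGOBJOWN OBJ(PRDLIB/ORDENT)  OBJTYPE(*PGM) NEWOWN(OWNPRDDTA) CUROWNAUT(*REVOKE)
CHGOBJOWN OBJ(PRDLIB/ORDENTC) OBJTYPE(*PGM) NEWOWN(OWNPRDDTA) CUROWNAUT(*REVOKE)

/*    An existing program can be switched to adopt without recompiling.         */
CHGPGM PGM(PRDLIB/ORDENTC) USRPRF(*OWNER)

/*    Users need *USE on the program to call it; the data itself stays *EXCLUDE. */
GRTOBJAUT OBJ(PRDLIB/ORDENTC) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)

/* 4. Contain the adopted authority: a program that offers a command line must   */
/*    not inherit what ORDENTC adopted, so it ignores adopted authority.        */
CHGPGM PGM(PRDLIB/CMDLINE) USEADPAUT(*NO)

/* 5. Verify. DSPPGM shows "User profile . . . : *OWNER" for the adopting        */
/*    programs; DSPOBJAUT shows *PUBLIC *EXCLUDE on the file. A PC file transfer */
/*    or ODBC SELECT against CUSTMAST by an ordinary user should now fail with   */
/*    "not authorized", while the same user running ORDENTC can read and update. */
DSPPGM    PGM(PRDLIB/ORDENTC)
DSPOBJAUT OBJ(PRDLIB/CUSTMAST) OBJTYPE(*FILE)
DSPOBJAUT OBJ(PRDLIB/ORDENTC)  OBJTYPE(*PGM)
```

The order matters: set the owner and *PUBLIC *EXCLUDE on the files first, then change the programs, so there is no window in which the programs adopt an owner that does not yet own the data. Keep OWNPRDDTA's own authority to the programs and files at *ALL (it owns them), and give no other profile more than *USE on the programs, or a user could CHGPGM their way into a different adopting owner.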
You can read more about application-only access in the paper on my Web site.
A second problem you mentioned was how to prevent PC users from using the Remote Command (RMTCMD) command. IBM has provided exit points on the host servers so you can screen requests from PC users: a program you register on an exit point with ADDEXITPGM is called before each request is carried out and can accept or reject it, regardless of the user's special authorities. Examples are QIBM_QZRC_RC for the remote command server, QIBM_QTF_TRANSFER for the original file transfer function, the QIBM_QZDA_* points for the database server that ODBC, JDBC, and the newer data transfer go through, and QIBM_QTMF_SERVER_REQ for FTP. WRKREGINF lists the exit points on your system and what is registered on each, which is the place to check after any change.
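To show what an exit program on the remote command server actually does, here is an added example, written for this page and not taken from the column or from any vendor product. The library SECLIB, the program name RMTCMDEXT, and the allow-listed profile OPERATOR are assumptions. The exit point QIBM_QZRC_RC, its format CZRC0100, the CHAR(1) return code ('1' allow, '0' reject), and the user profile and server identifier at the start of the request data are as IBM documents them; consult that documentation for the offsets of the command text before extending the program to inspect it.

```cl
/* RMTCMDEXT: added example of an exit program for QIBM_QZRC_RC, format CZRC0100. */
/* Parm 1: return code CHAR(1), '1' = allow the request, '0' = reject it.        */
/* Parm 2: request data. Bytes 1-10 user profile, 11-20 server identifier        */
/*         (*RMTSRV), 21-28 format name; the request itself follows (offsets per  */
/*         the IBM CZRC0100 layout, not used here).                               */
PGM PARM(&RTNCDE &RQSDTA)
  DCL VAR(&RTNCDE) TYPE(*CHAR) LEN(1)
  DCL VAR(&RQSDTA) TYPE(*CHAR) LEN(2000)
  DCL VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL VAR(&SRVID)  TYPE(*CHAR) LEN(10)
  DCL VAR(&ALLOW)  TYPE(*CHAR) LEN(1) VALUE('0')
  DCL VAR(&MSG)    TYPE(*CHAR) LEN(80)

  /* Any unmonitored error anywhere in this program ends in a reject.            */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

  CHGVAR VAR(&USER)  VALUE(%SST(&RQSDTA 1 10))
  CHGVAR VAR(&SRVID) VALUE(%SST(&RQSDTA 11 10))

  /* Assumed allow list: only OPERATOR may run remote commands from a PC.        */
  /* Everyone else, including profiles with *ALLOBJ, is rejected.                */
  IF COND(&USER *EQ 'OPERATOR') THEN(CHGVAR VAR(&ALLOW) VALUE('1'))

  IF COND(&ALLOW *EQ '1') THEN(DO)
     CHGVAR VAR(&RTNCDE) VALUE('1')
     RETURN
  ENDDO

REJECT:
  /* Fail closed and leave a trace of the attempt for the operator.              */
  CHGVAR VAR(&RTNCDE) VALUE('0')
  CHGVAR VAR(&MSG) VALUE('Remote command request from ' *CAT &USER *TCAT +
                         ' via ' *CAT &SRVID *TCAT ' rejected by RMTCMDEXT')
  SNDPGMMSG MSG(&MSG) TOMSGQ(QSYSOPR)
  MONMSG MSGID(CPF0000)
ENDPGM

/* Registration (run once, as a security officer). The program is owned by the   */
/* security officer and *PUBLIC can only execute it, so users cannot replace it. */
/* CRTCLPGM  PGM(SECLIB/RMTCMDEXT) SRCFILE(SECLIB/QCLSRC) AUT(*USE)              */
/* ADDEXITPGM EXITPNT(QIBM_QZRC_RC) FORMAT(CZRC0100) PGMNBR(1) +                 */
/*            PGM(SECLIB/RMTCMDEXT) TEXT('Allow-list PC remote commands')        */
/* The remote command server reads the registration when it starts:             */
/* ENDHOSTSVR SERVER(*RMTCMD)                                                    */
/* STRHOSTSVR SERVER(*RMTCMD)                                                    */
/* Check what is registered:                                                     */
/* WRKREGINF EXITPNT(QIBM_QZRC_RC)                                               */
```

Two things to check after registering: run RMTCMD from a PC as an ordinary user and confirm the QSYSOPR message appears and the command does not run, and then run it as OPERATOR and confirm it does. Registering a program on one exit point covers only that server; file transfer, the database server, and FTP each have their own exit points and each needs its own registration, which is exactly the research and testing effort the vendors sell.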
You have two choices for exit programs: Application Administration and third-party exit programs. Let me summarize both and then make a recommendation.
Application Administration
IBM has provided simple exit programs that you can activate using iSeries Navigator (formerly known as Operations Navigator) Application Administration. When you right-click the System icon, iSeries Navigator displays a pop-up panel that shows Application Administration. Select Application Administration and sign on as a user with security administrator (*SECADM) special authority.
When you select the “Client Applications” tab on the Application Administration panel, you will see another panel. At the bottom of this panel, notice that the checkbox for Remote Command – Command Line is not checked. I did this to prevent remote commands for users. You can also prevent users from using file transfer operations by deselecting the options next to specific functions.
Application Administration is very flexible. To allow only selected users to use a function, go to the Customize Access panel, select the function, and then add the specific users who are allowed to use that function.
One limitation of Application Administration is that it controls access to a whole function, not to what the function touches. For example, you can use Application Administration to prevent file transfer operations, but it is an “all or nothing” decision: you can’t allow a user to transfer specific files and block access to other files. A second caveat is that the Client Applications settings are honored by IBM's Client Access code on the PC, so they do nothing against a client that does not use that code (a third-party ODBC driver or a plain FTP client, for instance); host-side exit programs and object authority are what actually stand in the way of such a client. To get file-level or command-level control, you have to purchase third-party exit programs.
Third-Party Exit Programs
Third-party vendors (NetIQ, PowerLock, Kisco, and others) have written exit programs that allow you to define rules that control the actions of PC users. The function is similar to the Application Administration function provided by IBM, but the third-party exit programs offer more flexibility. For example, some exit programs allow you to permit users to run specific remote commands while preventing other commands.
If you wish, you can write your own exit programs, but I do not recommend that you attempt to do all of the research and testing required to implement your own programs for every exit point. You will save money in the long run by purchasing exit programs from one of these vendors.
–Wayne O. Evans
Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com.