The first step in tightening up your security policies on any computer system, including the AS/400, iSeries and IBM i, are enforcing security on user logins and profiles. This is especially true for systems that can be connected to from the Internet either directly or even indirectly via a secured tunnel such as a VPN.

If you have been a little lax on basic security policies, that’s ok because there are several tools that come with the IBM i platform to help you get a handle on user profile security and other security settings in general.

Now to start off you should have your QSECURITY system value set to level 30, 40 or 50. The higher the better as far as the security conscious go. This is not exactly related to user profile security but it’s a good thing to do nevertheless.

But be forewarned if you plan on upping the security value from where you have it set today, it can possibly break your third party software programs. So be sure to check with your software provider or programmer before making that change, if you are fortunate enough to have a test system or LPAR be sure and test it out there first.

Change Expiration Schedule Entry CHGEXPSCDE to help you automatically disable or remove a profile, this of course will help if you know ahead of time if a person is being let go or leaving the company. But it’s a good practice to stay on top of disabling and cleaning out old profiles, especially when you consider the fact that users tend to share password and login information which leads me to my next tip.

Make use of a cool command to help find defunct profiles. It’s called ANZPRFACT or Analyze Profile Activity and it can help you identify which profiles have been dormant for a length of time and are candidates for deletion or removal. Believe me, when you have a couple hundred profiles on a system it’s very easy for one or two past employees to slip through the cracks.

But remember that IBM supplied profiles always begin with the letter Q and you shouldn’t be deleting those.

It’s time to tighten up those passwords. There are several system values that can help enforce stronger passwords, password expiration and rotation policies. Now your passwords probably don’t need to be as strong as Fort Knox by requiring all sorts of characters and numbers. But you should have a rotation policy in place the makes them change every ninety days or so and then use the QPWDRQDDIF system value to prevent them from using a prior password.

You should also look closely at the workstations people are using to access your system. Antivirus software is good but it is not foolproof. If you happen to find a user’s workstation has been infected with any sort of virus it’s a good practice to make them change all of their passwords. The viruses today tend to be very sophisticated and plant malware on the workstation like key loggers that may pick up and transmit sensitive passwords to who knows where.

Author Bio: Discover even more tips for maintaining your AS/400, iSeries and IBM i power system platforms by checking out John Andersen’s website at Power System Jump Start.

Category: Computers and Technology
Keywords: as400, iseries, i5, system i, ibm i