Default User IDs Can Be a Potential Security Breach
It is possible to set up a subsystem so that users can log on to your AS/400 without entering a user ID or password. Why would you want to do this? You might need a multitude of users who are restricted to very specific tasks and areas of your AS/400, but for whom you don't want to set up individual profiles. This could be due to a high turnover rate in a given department, or perhaps you have a secure public terminal to allow some type of inquiry. Whatever the reason, you should know that this method is available and be familiar with how it works. That way, you can monitor for its use in any situation that you weren't expecting.
The default for the USER parameter on the Create Subsystem Description (CRTSBSD) command is *RQD, which means a valid user ID and password must be explicitly entered at sign-on to use the subsystem. However, by placing a valid user profile in that field as a default, you are telling the system to use that profile for any job running in that subsystem. You could then set up default workstation device entries in that subsystem description, using the Add Workstation Entry (ADDWSE) command. Now, when a workstation device of that name attaches to the AS/400 (and it can be a partial name using the asterisk wildcard character), it will automatically be routed to that subsystem. Someone at that workstation can then start an interactive job simply by pressing the Enter key. No user ID or password is required, since a profile has already been entered in the USER parameter of the subsystem description.
This technique works only at security levels of 30 or below. If you are using security auditing, an audit entry will be placed in the audit journal of type AF, subtype S. For levels 40 and 50, this method of logging on to your AS/400 is not supported.
To prevent this type of unauthorized access, you should regularly review your subsystem descriptions for discrepancies and limit who has authority to change subsystem descriptions.
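
One way to act on the monitoring advice above, as an added example that is not part of the original article: a Python script that scans audit journal entries for type AF, subtype S and reports any that come from a workstation outside an approved list of generic names. The CSV layout, device names, user profiles, and approved list are constructed assumptions, not an OS/400 export format.

```python
import csv
import io

# Constructed sample: audit journal entries exported to CSV. The column
# names and layout are assumptions for this example, not an OS/400 format.
SAMPLE_EXPORT = """timestamp,entry_type,subtype,device,user_profile
1997-05-02 08:14:11,AF,S,KIOSK01,INQUIRY
1997-05-02 08:20:45,PW,U,DSP07,JSMITH
1997-05-02 09:02:30,AF,S,DSP12,INQUIRY
1997-05-02 09:40:02,AF,A,DSP03,MJONES
1997-05-02 10:15:54,AF,S,KIOSK02,INQUIRY
"""

# Hypothetical list of workstation names approved for default sign-on.
# Generic names follow the article's "partial name with asterisk" form.
APPROVED_DEVICES = ["KIOSK*"]


def matches_generic(device, pattern):
    """Match a generic name: a trailing * means 'starts with'."""
    device, pattern = device.strip().upper(), pattern.strip().upper()
    if pattern.endswith("*"):
        return device.startswith(pattern[:-1])
    return device == pattern


def default_signons(export_text):
    """Return entries of type AF, subtype S (the entry the article names)."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows
            if r["entry_type"].strip() == "AF" and r["subtype"].strip() == "S"]


def unexpected_signons(export_text, approved):
    """Return AF/S entries whose device matches no approved generic name."""
    return [r for r in default_signons(export_text)
            if not any(matches_generic(r["device"], p) for p in approved)]


if __name__ == "__main__":
    for row in unexpected_signons(SAMPLE_EXPORT, APPROVED_DEVICES):
        print("Unexpected default sign-on:",
              row["timestamp"], row["device"], row["user_profile"])
```

An empty approved list turns the script into a report of every AF/S entry, which suits a system where no default sign-on is expected at all.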
Midrange Computing, May 1997