There are several things that you should be aware of....and this is only a partial list... 1) make sure all of the IBM default user ID's (QSECOFR, QPGMR, QSYSOPR, etc.) have the passwords changed to a non-trivial one, or set to *NONE so they cannot signon. 2) secure the root of the IFS so there is no public rights to it. 3) be careful about having FTP or Telnet activated to your production box, if it is necessary, I would recommend some sort of exit program software to monitor for someone using these. 4) check out whether devices are being autoconfigured, both remote devices and virtual devices. I would configure the minimun number of devices needed (if any) and then set these values off. 5) secure your program and data libraries with authority lists or object authority, making the programs *use only for *PUBLIC and the minimun necessary for the data. 6) check to find out what programs have adopted authority (there is a menu option from the menu SECTOOLS that will create a report of these items). Verify it these programs really need adopted authority. 7) Only start the TCP servers that are required for your web hosting, turn the others off. 8) restrict access to qsys.lib from the ifs. anyway...these were some of the key issues raised when I had a security audit last year. They are mostly general AS/400 security things that should be done anyway. Hope this helps Ron