Limiting Sign-on Attempts
In order to prevent unauthorized access to your AS/400, you need to limit the number of unsuccessful sign-on attempts to your system. This is done through two system values: maximum sign-on attempts allowed (QMAXSIGN), and action to take for failed sign-on attempts (QMAXSGNACN). QMAXSIGN sets the number of unsuccessful attempts allowed before taking some kind of action. I would suggest a maximum of three. If a user takes more than three attempts to sign on, someone needs to intervene.
QMAXSGNACN takes the action once QMAXSIGN has been met. The default value is a 1, meaning that the workstation is varied off. To re-establish contact with the AS/400, use the VRYCFG command. A value of 2 will disable the user profile. A user with *SECADM and *ALLOBJ special authorities will then need to set the status of the user profile to *ENABLED.
A value of 3 will both vary off the workstation and disable the profile.
- Tim Johnston
Automatic Password Expiration
To ensure the continued secure usage of a user profile, and keep users from obtaining other users' passwords, be sure to use the PWDEXPITV value in the user profile. That will assure that passwords are being changed frequently. It can be set to a value of *SYSVAL, which incorporates the time from the system value QPWDEXPITV as an expiration time. Or, you can put a number of days in that field from 1-366. *NOMAX is also a valid value, but you should be careful about how you use it. Once the number of days since the last password change has expired, the user is forced to change his password.
- Tim Johnston
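The settings from the two tips above (Limiting Sign-on Attempts and Automatic Password Expiration), written out as CL commands. This is an added example, not part of the original tips; the device name DSP01, the profile name JSMITH and the 60-day interval are assumed placeholder values.

```cl
/* Review the current sign-on limit and action before changing them.  */
DSPSYSVAL SYSVAL(QMAXSIGN)
DSPSYSVAL SYSVAL(QMAXSGNACN)

/* Allow three unsuccessful sign-on attempts, then vary off the       */
/* workstation and disable the user profile (action value 3).         */
CHGSYSVAL SYSVAL(QMAXSIGN) VALUE('3')
CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('3')

/* Recovery after a lockout. DSP01 and JSMITH are placeholders.       */
/* Vary the workstation device back on.                               */
VRYCFG CFGOBJ(DSP01) CFGTYPE(*DEV) STATUS(*ON)
/* Re-enable the disabled profile. Run this as a user with *SECADM    */
/* and *ALLOBJ special authorities.                                   */
CHGUSRPRF USRPRF(JSMITH) STATUS(*ENABLED)

/* Set the system-wide password expiration interval in days           */
/* (60 is an assumed value; the valid range is 1-366).                */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('60')

/* Make the profile follow the system value rather than carrying      */
/* its own interval or *NOMAX.                                        */
CHGUSRPRF USRPRF(JSMITH) PWDEXPITV(*SYSVAL)

/* Confirm the profile's status and password expiration interval.     */
DSPUSRPRF USRPRF(JSMITH)
```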
Don't Lose an Object's Authority When It's Re-created
If you compile a program using REPLACE(*YES), the values for the USRPRF and AUT parameters on the create commands are ignored and the values from the object being replaced are used.
- Christopher Andrle