PowerTech's Compliance Assessment performs a valuable service to hundreds of IBM i shops each year.
With the New Year and a new operating budget, it's time for many companies to start a security project. However, based on some of the calls I've received recently, there remains a lack of clear direction regarding the tasks and priorities.
Occasionally, there are known vulnerabilities that clearly need to be mitigated as soon as possible—such as application users running with *ALLOBJ special authority. But often, there isn't a thorough understanding of what's wrong with a server's configuration or what should be addressed first.
One approach to this problem is to hire a security consultant to perform a full audit of the environment and map out the priority of the resolutions. Unfortunately, the number of professionals that truly understand IBM i security is small; the number that you can hire to perform a good-quality audit is even smaller. As a result, those professionals typically are very busy and command a premium fee for their services.
Scan Your System Security in Just 10 Minutes
A better option is to start with PowerTech's Compliance Assessment, a unique tool that can scan an IBM i server in less than 10 minutes and display the results in a dynamic browser-based application. When I contract with customers to perform a deep-dive audit, I always start with this scan so I know the environment I'm walking into. It also helps them justify the expense of the full audit.
The assessment runs from a networked PC. Execution requires the Adobe Flash plug-in, Java Runtime Environment (JRE), and TCP access to your server running IBM i. PowerTech arranges for a security consultant to interpret the findings. As an added benefit, you can rerun the assessment multiple times over a seven-day period, against any partitions you like.
The Compliance Assessment reviews six critical areas of configuration:
System Security—The most influential components of IBM i configuration are found in a number of system values. The most important ones for security, such as the server's master security level (QSECURITY), are compared to best practices to ensure we are building on a solid foundation.
User Access—Users often have access to data through powerful desktop tools like FTP, ODBC, and remote command. IBM included more than 30 hooks (exit points) in the operating system to allow programs to verify the authenticity of requests originating from these tools. We check to see if any programs are being used to provide protection.
User Security—A user profile is the most important control between an end-user and the application data. Correctly configuring and maintaining profiles is critical to ensuring user credentials are not compromised. Reviewing numerous problem areas such as profile inactivity, default passwords, and public accessibility helps ensure those profiles are as strong as they can be.
Public Authority—Users who have permission to use a command line or to run tools like Excel often can access data without going through the approved application. IBM i has a unique authority called *PUBLIC that applies to all users who aren't explicitly granted or denied access. This section determines if *PUBLIC access to your application libraries has been secured (see Figure 1).
Figure 1: The Public Authority section shows user access to system libraries. (Click images to enlarge.)
System Auditing—IBM i contains powerful auditing features—once they're correctly activated. Often this is not the case, or the events being collected are insufficient. Verification of the configuration can provide peace of mind that you have a comprehensive log of events. The assessment also checks whether the system has a log reporting tool installed to provide forensics analysis of the logged data.
Admin Rights—A common vulnerability is overly powerful users. Administrative rights—known as special authorities—often are granted to users without business justification. Reviewing the assignment of these authorities can ensure that there are no surprises when someone uses an authority they don't understand (see Figure 2).
Figure 2: The Admin Rights section shows how many users have special authorities.
After analyzing the results, you can review the recommended steps to remediate the vulnerabilities. Or simply ask the PowerTech security expert how our comprehensive suite of solutions can help.
A Compliance Assessment provides the starting point for any security project by highlighting the current state of security on your server. It continues to be one of PowerTech's most popular offerings. Visit us to learn more about the Compliance Assessment and to request one for yourself.