Before Client Access/400 V3R1M3, a TCP/IP PC5250 session would receive a random virtual device name from its connecting AS/400. A virtual device is an AS/400 device description that does not have hardware associated with it. It is used by Client Access/400, display station pass-through (DSPT), and Telnet to form a connection between the AS/400 and a physical workstation attached through a remote system, such as a PC, the Internet, or another AS/400. Prior to V3R1M3, the virtual device was dynamically assigned from a pool of devices beginning with the letters QPADEV, e.g., QPADEV0001 or QPADEV0002. This dynamic assignment made it impossible to determine what virtual device would be assigned to a TCP/IP PC5250 session, and AS/400 system values ensured that there was a limit to the number of virtual devices that could be created.
When you are using V3R1M3 and later of Client Access/400, the Windows 95/NT client allows the user to assign a static workstation name to the virtual device description. To assign a static virtual device name to your PC5250 session, select Communication from the PC5250 menu bar, then select Configure. On the Configure PC2520 window, enter your assigned device name in the Workstation ID field and save your configuration. The next time you start that session, it will use your assigned name instead of a random QPADEV device name.
The Good News
Using device naming solves two system administration problems. Prior to V3R1M3, there was no easy way to identify which virtual device was being used by which
user. With workstation naming, system administrators can now associate specific device names with specific users and locations. More importantly from a security view, associating a virtual device with a PC allows a static virtual device to be authorized to a specific user. It is now feasible to take full advantage of the protection afforded by the AS/400 Limit Security Officer Device Access (QLMTSECOFR) system value. QLMTSECOFR is a simple binary value that when set to 0 allows QSECOFRand other
users who have *ALLOBJ or *SERVICE authorityto sign on from any device. When set to one 1, QLMTSECOFR will only allow QSECOFR to sign on only to those devices where QSECOFR has specific authority. The dynamic assignment of virtual devices prior to this change made limiting QSECOFR authority sign-on to specific virtual devices unmanageable.
With QLMTSECOFR set to 1, this support can associate a device name with a specific user (such as the security officer). The device description used by a security officer can be authorized with *CHANGE authority for the individual user. Granting device description *CHANGE authority to the QSECOFR profile allows device use by any user who has *ALLOBJ or *SERVICE authority.
The Bad News
The Autoconfigure Virtual Devices (QAUTOVRT) system value was designed to limit the number of dynamically created virtual devices by placing an upper limit on how many virtual devices OS/400 will create. Allowing the system to automatically configure virtual devices makes it easier for users to break into your system using DSPT, TCP/IP PC5250, or Telnet. By limiting the number of QPADEV virtual devices, an intruder has a limited number of attempts at each virtual device, the limit being defined by the security officer using the Maximum sign-on attempts allowed (QMAXSIGN) system value. The actual limit is higher because the system sign-on limit is multiplied by the number of virtual devices that can be created by OS/400 (as defined by QAUTOVRT).
Now that the new device naming support is enabled, when QAUTOVRT is set to a value other than 0, Client Access PC5250 allows the hacker to create an unlimited number of named virtual devices simply by assigning a different workstation ID to the PC5250 session. To thwart this problem and prevent repeated attempts to guess a user profile password, you should set the Action to take for failed sign-on attempts (QMAXSGNACN) system value to disable the user profile. Setting QMAXSGNACN to 2 disables a user profile after the sign-on limit is reached (as specified in QMAXSIGN, which has a default value of 3), while setting QMAXSGNACN to 3 disables both the user profile and device after the failed sign-on limit has been reached. After all virtual devices are named, you can set the system value QAUTOURT to O to prevent the automatic creation of random QPAD and named virtual devices. After all virtual devices are named, you can set the system value QAUTOVRT to 0 to prevent the automatic creation of random QPAD and named virtual devices. Although named TCP/IP device sessions bypass the protective nature of QAUTOVRT, you can compensate somewhat by setting your QMAXSIGN and QMAXSGNACN system values correctly.
The Good Versus the Bad
Even though device naming introduces a minor security exposure to the AS/400, the improved system administration device naming provides far exceeds the minor exposure introduced. I would encourage all users to take advantage of this new support while securing their systems properly.
MC Press Online