The following table lists the TCP/IP ports open and listening on the AS400 (the as-* entries are the IBM host servers used by Client Access, ODBC/JDBC and remote command; 449, as-svrmap, is the server mapper that tells clients which port each host server listens on).

Port ID | Port Description
21 | ftp-control
23 | telnet
25 | smtp
80 | www-http
110 | pop3
137 | netbios-ns
139 | netbios-ssn
389 | ldap
397 | APPC over TCP/IP
445 | cifs
449 | as-svrmap
1967 | Bsafe/Global Security
1983 | Bsafe/Global Security
2001 | as-admin-http
5110 | as-pop3
5544 | as-mgtctrlj
5555 | as-mgtctrl
8470 | as-central
8471 | as-database
8472 | as-dtaq
8473 | as-file
8474 | as-netprt
8475 | as-rmtcmd
8476 | as-signon
8477 | as-netdrive
8478 | as-transfer
8479 | as-vrtprint
CONFIDENTIAL - Date - TeamPROfessional - Customer -

Analysis performed on AS400 system - Model ________ Processor _________
Serial Number __________ AS400 Release ___________
Assessment Security and Audit AS400
Here is a useful proposal for a self-assessment of your own system, to
measure the security level configured on your AS400; alternatively, in case
of doubts or to obtain confirmation, request a free checkup from
TeamPROfessional, which will send you (confidentially) the results of an
analysis performed on 6 printouts that you will be asked to provide.
Premise
Every information security professional knows what to look for when the
security configuration and status of a Windows machine has to be verified:
widely shared knowledge and the many tools and resources available on the
net help companies and security managers keep protections and rules up to
date. The same verification should be done for the System i (the IBM midrange
platform previously known as AS/400, iSeries and i5), a system commonly
described as immune to computer viruses: the enabled security levels should
be checked and, once accepted, the possible exposures and potential risks
should be understood. Many AS400 systems hold the company's mission-critical
data, and maintaining a secure configuration should be an absolute priority.
Nevertheless, many of these systems are configured with minimal levels and
are often not monitored or managed over time, so the IT manager or the
security officer never obtains an up-to-date clean bill of health for the
configured security. TeamPROfessional's suggestion is to check your AS400
with a self-assessment, answering 6 questions and considerations that
describe the potential exposures, or to ask our experts for a free
assessment of the current status of the system by sending us the printouts
produced by 6 commands.
The remainder of the report details specific vulnerabilities. Warnings in
the body of the report appear in red, and each item is marked with one of
the following risk labels:
OK - Settings/definitions OK
Warning
High risk
Question 1 - Network access -
Your AS400 is connected to the network and allows TCP/IP access from PC
and/or mobile workstations, with Client Access and/or 5250 emulation or via
browser, serving ODBC, SQL, file transfer and similar requests. Do you
believe an adequate security level has been enabled on the AS400 for this?
(Before answering, read the considerations suggested below)
YES_____
NO_____
Remote access to TCP/IP services that can be protected by exit programs on
the AS400 (each entry is an exit point server; an exit program registered on
it can accept or reject every request that server receives)

Exit Point Server | Description
*DDM | Distributed Data Management server (usable as an alternate ODBC path)
*DQSRV | Client data queue server
*FILESRV | Remote file server, used when drives are mapped to the integrated file system
*FTPCLIENT | FTP client on the iSeries, used for requests originating from the System i server
*FTPSERVER | FTP server on the iSeries
*NDB | ODBC and JDBC native database
*RMTSRV | Remote command server
*RTVOBJINF | ODBC and JDBC retrieve object information
*SQL | ODBC and JDBC sign-on (logon)
*SQLSRV 1 | ODBC and JDBC server
*SQLSRV 2 | ODBC and JDBC server
*TELNET | TCP/IP terminal emulation
*DATAQSRV | Remote data queue server
*FTPREXEC | Remote command through FTP
*REXEC_SO | Remote command sign-on (logon)
*TFRFCL | Client file transfer server
To assess the risk on your system you can check which of these ports are
active.

Network access to the iSeries using FTP

Check | Result | Current Risk/Suggestions | Command
FTP logon | Action successful | HIGH RISK! An FTP connection can be made from the network to your iSeries | ftp 9.9.9.55
FTP view library | Action successful | HIGH RISK! The contents of your iSeries libraries can be viewed through an FTP connection | ls bsafelib
FTP copy files from iSeries | Action successful | HIGH RISK! Your iSeries files can be copied to a PC through an FTP connection | get bsafelib/bsafefile1 C:\leonid\RiskAssessment\bsafefile1
FTP delete files | Action failed | OK. The selected iSeries file could not be deleted | delete bsafelib/bsafefile2
FTP overwrite files on iSeries | Action successful | HIGH RISK! Your iSeries files can be overwritten via an FTP connection from a PC | put C:\leonid\RiskAssessment\bsafefile3 bsafelib/bsafefile1
FTP CL command | Action failed | OK. The selected CL command could not be executed on your iSeries through an FTP connection from a PC, by this user | rcmd crtpf file(bsafelib/bsafefile4) rcdlen(10)

Note that "Action failed" reflects the test user's authorities on the probe
objects and commands, not necessarily a control on the FTP server: repeat the
probes with profiles representative of each user population. From a PC FTP
client the RCMD server subcommand is sent as "quote rcmd ...".
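The six FTP probes above can be scripted so that the same table is produced for every test profile. The block below is an added example and not part of the original report: it drives Python's ftplib through logon, list, get, delete, put and RCMD and classifies each as "Action successful" or "Action failed". Host, user, library and file names are the placeholders from the table; FakeIbmiFtp is a constructed stand-in that reproduces the page's outcomes so the script runs offline. The put step really overwrites the target file, so point it only at probe objects you own.

```python
"""FTP exposure checks against an IBM i FTP server (added example)."""
import ftplib
import io

# Check name -> risk text reported when the action succeeds.
RISK_IF_SUCCESS = {
    "FTP logon": "HIGH RISK! An FTP connection can be made from the network to your iSeries",
    "FTP view library": "HIGH RISK! The contents of your iSeries libraries can be viewed through an FTP connection",
    "FTP copy files from iSeries": "HIGH RISK! Your iSeries files can be copied to a PC through an FTP connection",
    "FTP delete files": "HIGH RISK! Your iSeries files can be deleted through an FTP connection",
    "FTP overwrite files on iSeries": "HIGH RISK! Your iSeries files can be overwritten via an FTP connection from a PC",
    "FTP CL command": "HIGH RISK! CL commands can be executed on your iSeries through an FTP connection from a PC",
}


def _step(rows, name, command, action):
    """Run one probe. Any FTP error (550 not authorized, 530 login failed,
    socket errors) counts as 'Action failed', the OK outcome for this report."""
    try:
        action()
        rows.append((name, "Action successful", RISK_IF_SUCCESS[name], command))
    except ftplib.all_errors as exc:
        reason = str(exc).splitlines()[0] if str(exc) else exc.__class__.__name__
        rows.append((name, "Action failed", "OK (%s)" % reason, command))


def run_ftp_checks(ftp, host, user, password, lib, file1, file2, newfile="bsafefile4"):
    """Return [(check, result, risk, command), ...] in the order of the table."""
    rows = []
    _step(rows, "FTP logon", "ftp %s" % host, lambda: ftp.login(user, password))
    if rows[-1][1] != "Action successful":
        return rows  # no session: the remaining probes cannot run
    _step(rows, "FTP view library", "ls %s" % lib, lambda: ftp.nlst(lib))
    _step(rows, "FTP copy files from iSeries", "get %s/%s" % (lib, file1),
          lambda: ftp.retrbinary("RETR %s/%s" % (lib, file1), io.BytesIO().write))
    _step(rows, "FTP delete files", "delete %s/%s" % (lib, file2),
          lambda: ftp.delete("%s/%s" % (lib, file2)))
    # Destructive: overwrites file1 in lib, exactly as the table's put does.
    _step(rows, "FTP overwrite files on iSeries", "put probe %s/%s" % (lib, file1),
          lambda: ftp.storbinary("STOR %s/%s" % (lib, file1), io.BytesIO(b"PROBE\n")))
    _step(rows, "FTP CL command", "quote rcmd crtpf file(%s/%s) rcdlen(10)" % (lib, newfile),
          lambda: ftp.sendcmd("RCMD CRTPF FILE(%s/%s) RCDLEN(10)" % (lib, newfile)))
    return rows


class FakeIbmiFtp:
    """Constructed stand-in for ftplib.FTP reproducing the outcomes on this page:
    logon, list, get and put succeed; delete and RCMD are refused with a 550."""

    def __init__(self):
        self.stored = []

    def login(self, user, password):
        return "230 %s logged on." % user.upper()

    def nlst(self, *args):
        return ["BSAFEFILE1", "BSAFEFILE2"]

    def retrbinary(self, cmd, callback, blocksize=8192, rest=None):
        callback(b"RECORD 1\n")
        return "226 Transfer completed."

    def delete(self, filename):
        raise ftplib.error_perm("550 Not authorized to object %s." % filename)

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        self.stored.append(cmd.split()[1])
        return "226 Transfer completed."

    def sendcmd(self, cmd):
        raise ftplib.error_perm("550 Command %s not allowed for this user." % cmd.split()[0])


if __name__ == "__main__":
    # Offline demonstration; for a live test replace FakeIbmiFtp() with
    # ftplib.FTP("9.9.9.55") and call .quit() afterwards.
    results = run_ftp_checks(FakeIbmiFtp(), "9.9.9.55", "leonid", "secret",
                             "bsafelib", "bsafefile1", "bsafefile2")
    for check, result, risk, command in results:
        print("%-32s %-17s %s\n    %s" % (check, result, risk, command))
```

Run it once per representative profile (an ordinary *USER, a *PGMR, a *SECOFR) and compare the rows: a difference between profiles shows that the outcome depends on object authority rather than on an exit program on *FTPSERVER.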
Network access to the iSeries using Remote Command
Remote command is a powerful and highly accessible means of accessing the
iSeries server from a remote location: installing Client Access on any PC
with a connection to your iSeries is enough to give access to this way of
penetrating the system. The results listed below give a live indication of
the ease with which a selected user can manipulate your critical files.
The selected user did not achieve access to your iSeries through the remote
command server. But is this the case for all users in your organization,
including power users and senior staff?

Check | Result | Current Risk/Suggestions | Command
Create a new library | Action failed | OK. A library could not be created remotely on your iSeries using remote command | rmtcmd crtlib lib(bsfcmdlb) //9.9.9.55
Create a new file | Action failed | OK. A file could not be created remotely on your iSeries using remote command | rmtcmd crtpf file(bsfcmdlb1/bsfcmdfl) rcdlen(10) //9.9.9.55
Copy a system object | Action failed | OK. The selected system object could not be copied remotely on your iSeries using remote command | rmtcmd crtdupobj obj(crtclpgm) fromlib(qsys) objtype(*cmd) tolib(bsfcmdlb1) newobj(bsfcmdcmd) //9.9.9.55
Network Access to the iSeries using the Database Server
The database server is among the most sensitive and most used gateways into
your iSeries from the network. It is the means by which ODBC, JDBC and
WebSphere applications and many IBM Client Access features connect to the
iSeries database, and it is particularly sensitive because through it the
database is read and manipulated at the record and field level, outside any
menu or application-level control. The results listed below give a live
indication of the ease with which a selected user can manipulate your data.
It can be clearly seen from the results that the selected user can penetrate
your iSeries through the database server and add, change and delete data in
your database.

Check | Result | Current Risk/Suggestions | Command
Database logon | Action successful | HIGH RISK! An ODBC connection can be made from the network to your iSeries | Database Logon User Name - leonid; IP - 9.9.9.55;
Database view records | Action successful | HIGH RISK! Data can be displayed remotely on your iSeries using the database server | SELECT * FROM bsafelib.bsafepf1
Database change records | Action successful | HIGH RISK! File contents can be changed remotely on your iSeries using the database server | UPDATE bsafelib.bsafepf1 SET bsafepf1 = 'dd' WHERE bsafepf1 = 'cc'
Database delete records | Action successful | HIGH RISK! Data can be deleted remotely on your iSeries using the database server | DELETE FROM bsafelib.bsafepf1 WHERE bsafepf1 = 'bb'
Exit point coverage on the assessed system:

Server Name | Risk Assessment
File Transfer Server FTP | Protected by Bsafe/Global Security
File Transfer Client FTP | Protected by Bsafe/Global Security
TelNet | Protected by Bsafe/Global Security
Remote Command Server | Protected by Bsafe/Global Security
Data Base | Protected by Bsafe/Global Security
Remote SQL | Protected by Bsafe/Global Security
Data Queue | Protected by Bsafe/Global Security
Distributed Data Management | Protected by Bsafe/Global Security
Pass-Through | Protected by Bsafe/Global Security
File Transfer | Protected by Bsafe/Global Security
Signon Server | Protected by Bsafe/Global Security
File Server | Protected by Bsafe/Global Security
Trivial File Transfer TFTP | Protected by Bsafe/Global Security
Central Server | Protected by Bsafe/Global Security
Message Server | Protected by Bsafe/Global Security
Virtual Print | Protected by Bsafe/Global Security
Network Print | Protected by Bsafe/Global Security
Work Station Gateway Logon | Protected by Bsafe/Global Security
Delete Journal Receivers | Protected by Bsafe/Global Security
Power Down System Command | Protected by Bsafe/Global Security
Attention Keys | Protected by Bsafe/Global Security
System Request Attention | Protected by Bsafe/Global Security
Auxiliary Storage Limit | Protected by Bsafe/Global Security

Question 2 - Library security -
On your AS400 system, are the data libraries containing sensitive and
private data, or data otherwise very important to the company, protected by
adequate security, with authorization lists that prevent improper use by
ordinary users?
YES_____
NO_____

Question 3 - Integrated File System security (/*) -
On your AS400 system there are one or more user directories in addition to
the system ones: do you believe the security settings on these objects have
been implemented correctly?
YES_____
NO_____

Question 4 - User profile security -
On your AS400 system, have all user profiles been set up with the user class
and the special authorities appropriate to the user's role and to the data
they use in the corporate information system? Is every user attached to a
group profile so that private authorities to objects are inherited quickly
and directly?
YES_____
NO_____
The user class given to a user when creating or changing a user profile
controls the default special authorities granted to that user. Good practice
is to define all users with the "weaker" user classes except where a stronger
one is absolutely necessary: the fewer power users you have, the lower the
chance of deliberate or accidental damage.
Your user definitions have been analyzed and the number of power users
defined is disturbingly high. We suggest you urgently review your user
profile definitions.
User Class | Description | Total | Percent | Risk Assessment
*PGMR | Programmer | 12 | 8 |
*SECADM | Security Administrator | 3 | 2 | The number of users assigned as administrators is acceptable
*SECOFR | Security Officer | 27 | 19 | Too many users are assigned as security officers
*SYSOPR | System Operator | 7 | 5 | The number of users assigned as system operators is somewhat high
*USER | User | 95 | 66 |
All Users | | 144 | 100 |

The various special authorities granted to users are what
differentiate a power user on your iSeries from an ordinary user. |
The authorities of your users have been analyzed and the
number of power users is unnecessarily high. We suggest you review your user
profile definitions. |
Authority | Description | Total | Percent | Risk Assessment
*ALLOBJ | All object authority | 35 | 24 | All object authority granted to users not in the Security Officer or Administrator class
*AUDIT | Audit authority | 30 | 21 | Audit authority granted to users other than the system security officer
*IOSYSCFG | Input/Output system configuration | 34 | 24 | I/O configuration authority given to users other than the system security officer
*JOBCTL | Job control authority | 46 | 32 | No suggestions available
*SAVSYS | Save system authority | 34 | 24 | No suggestions available
*SECADM | Security administrator authority | 36 | 25 | Security administrator authority granted to users not in the same class
*SERVICE | Service authority | 31 | 22 | No suggestions available
*SPLCTL | Spool control authority | 33 | 23 | No suggestions available
*USRCLS | Special authorities granted based on User Class | 0 | 0 | No suggestions available
All Users | | 144 | 100 |

Note that 35 profiles hold *ALLOBJ while only 27 are in the *SECOFR class:
at least 8 profiles outside that class have full authority to every object
on the system. Any profile with *ALLOBJ is in practice a security officer
regardless of the class it was created with.
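The two tables above (users per class, users per special authority) and the note on *ALLOBJ outside the *SECOFR class can be produced from a user profile extract. The block below is an added example, not part of the original report: its rows mirror the columns of the IBM i SQL service QSYS2.USER_INFO (AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES) but are constructed, not real data; the class-default table is assumed to match IBM's table of default special authorities at QSECURITY 30 or higher, and the *SECOFR share threshold is an assumption of this example.

```python
"""Power-user census over a user profile extract (added example)."""
from collections import Counter

# Live extraction on the system (its result rows feed the functions below):
#   SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES
#     FROM QSYS2.USER_INFO
# Constructed sample: (profile, user class, special authorities as a
# blank-separated list, the form QSYS2.USER_INFO returns).
USERS = [
    ("QSECOFR", "*SECOFR", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG"),
    ("ANNA",    "*USER",   ""),
    ("MARCO",   "*USER",   "*ALLOBJ"),            # power user hiding in the *USER class
    ("LUCA",    "*PGMR",   "*JOBCTL *SAVSYS"),
    ("OPER1",   "*SYSOPR", "*JOBCTL *SAVSYS"),
    ("ADMIN2",  "*SECADM", "*SECADM"),
    ("DBA",     "*SECOFR", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG"),
    ("SVC",     "*USER",   "*SERVICE *AUDIT"),
]

# Default special authorities per class at QSECURITY 30+ (assumed; verify
# against the Security Reference for your release).
CLASS_DEFAULTS = {
    "*SECOFR": {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL", "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG"},
    "*SECADM": {"*SECADM"},
    "*PGMR": set(),
    "*SYSOPR": {"*JOBCTL", "*SAVSYS"},
    "*USER": set(),
}
# Authorities that make the holder a de-facto security officer.
SECOFR_ONLY = {"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG", "*SERVICE"}


def _pct(n, total):
    return round(100.0 * n / total, 1) if total else 0.0


def class_census(users):
    """{user class: (count, percent)} like the first table above."""
    total = len(users)
    return {cls: (n, _pct(n, total)) for cls, n in Counter(c for _, c, _ in users).items()}


def authority_census(users):
    """{special authority: (count, percent)} like the second table above."""
    total = len(users)
    counts = Counter(a for _, _, auts in users for a in auts.split())
    return {a: (n, _pct(n, total)) for a, n in counts.items()}


def findings(users, secofr_share_warn=10.0):
    """Risk findings: authorities beyond the class default, security-officer
    authorities held outside *SECOFR, and an oversized *SECOFR class."""
    out = []
    for name, cls, auts in users:
        held = set(auts.split())
        default = CLASS_DEFAULTS.get(cls, set())
        extra = held - default
        if extra:
            out.append("%s (%s) holds beyond its class default: %s"
                       % (name, cls, " ".join(sorted(extra))))
        leaked = (held & SECOFR_ONLY) - default
        if cls != "*SECOFR" and leaked:
            out.append("%s (%s) is a de-facto security officer via %s"
                       % (name, cls, " ".join(sorted(leaked))))
    n, pct = class_census(users).get("*SECOFR", (0, 0.0))
    if pct > secofr_share_warn:
        out.append("Too many users are assigned as security officers: %d (%.1f%%)" % (n, pct))
    return out


if __name__ == "__main__":
    for cls, (n, pct) in sorted(class_census(USERS).items()):
        print("%-8s %3d %5.1f%%" % (cls, n, pct))
    for aut, (n, pct) in sorted(authority_census(USERS).items()):
        print("%-10s %3d %5.1f%%" % (aut, n, pct))
    for line in findings(USERS):
        print("-", line)
```

The "beyond class default" finding is the one the report's tables cannot show: a *USER profile with *ALLOBJ counts as an ordinary user in the class table and only surfaces in the authority table, where it is indistinguishable from a legitimate security officer.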
Your iSeries password policy is defined by a group of system
values which can be controlled by the system administrator. The more stringent
the settings given to these system values the harder it will be to penetrate
your iSeries by guessing passwords. |
The findings of this risk assessment are that many of
your password policy settings deviate from IBM recommendations. The security of
your iSeries could be seriously compromised and we recommend you urgently review
your password policy. |
Name | Description | Current Value | Risk Assessment
QPWDEXPITV | Password expiration interval: whether user passwords expire, and the number of days allowed before a password must be changed | 000120 | High risk - The expiration interval exceeds the recommended number of days, which weakens password security on your system
QPWDLMTAJC | Limit adjacent digits in password: restricts consecutive digits, preventing a sequence of numbers from being used as a password | 0 | Warning - Sequences of numbers are allowed in passwords and are easy to guess
QPWDLMTCHR | Limit characters in password: specifies characters that are not allowed in a password | *NONE | High risk - Users are not prevented from using dictionary words as passwords, which compromises system security
QPWDLMTREP | Restrict repeating characters: prevents users from choosing passwords with repeated characters, which are easy to guess | 0 | High risk - The same character can be repeated, which compromises the security of your system
QPWDLVL | Password level: whether user profile passwords may be 1-10 characters (levels 0 and 1) or 1-128 characters (levels 2 and 3) | 0 | Recommended - The password level of the system is set as needed. Note that level 0 also stores a LAN Manager-compatible hash of each password for NetServer clients; level 1 keeps the same 10-character rules but no longer stores that hash
QPWDMAXLEN | Maximum password length: the maximum number of characters in a password | 5 | High risk - The maximum password length is far below the recommended value, which compromises the security of your system
QPWDMINLEN | Minimum password length: the minimum number of characters in a password | 3 | High risk - The minimum password length is far below the recommended value, which compromises security
QPWDPOSDIF | Limit password character positions: requires a different character in each position from the previous password | 0 | Warning - A new password may reuse characters in the same positions as the previous one, which weakens security on your system
QPWDRQDDGT | Require digit in password: whether a numeric character is required in a new password | 0 | Warning - Users may choose all-alphabetic passwords, which weakens security on your system
QPWDRQDDIF | Duplicate password control: prevents users from reusing passwords they have used previously (0 = no check; 1 = last 32 passwords, 2 = 24, 3 = 18, 4 = 12, 5 = 10, 6 = 8, 7 = 6, 8 = 4) | 6 | Warning - Value 6 checks only the last 8 passwords; the password history is too short
QPWDVLDPGM | Password validation program: lets a user-written program perform additional validation on passwords | PASSVLDPGMSHLOMOANZ | Warning - A user-written validation program receives every new password in clear text, so it must itself be reviewed and protected (*PUBLIC *EXCLUDE, no logging of the password) or it becomes a way to capture passwords

Question 5 - System values
On your system, is the security level set in system value QSECURITY higher
than 30?
On your system, have all the possible data access risks been reviewed and
controlled through correct settings of the system values?
YES_____
NO_____
System Values - Security
Name | Description | Current Value | Risk Assessment
QALWOBJRST | Allow object restore: which security-sensitive objects (system-state programs, programs that adopt authority, objects with validation errors) may be restored; the check also applies when PTFs and licensed programs are installed | *ALL | High risk - Objects are restored regardless of security-sensitive attributes or validation errors, which compromises the security of your system
QALWUSRDMN | Allow user domain objects in libraries: where user domain objects (*USRSPC, *USRIDX, *USRQ) may exist; access to these objects cannot be audited | *ALL | Recommended - Non-auditable user domain objects are allowed in all libraries and directories (the IBM default; on a high-security system it can be restricted to QTEMP and specific libraries)
QCRTAUT | Create default public authority: default *PUBLIC authority for newly created objects in the IBM-supplied QSYS.LIB file system, used when a library's CRTAUT is *SYSVAL | *ALL | High risk - New objects are created with default public authority for all operational and management rights
QRETSVRSEC | Retain server security data: whether authentication information used by client/server interfaces is retained on the system (0 = do not retain, 1 = retain) | 1 | Warning - Retaining user authentication data on a target system for client/server interfaces can compromise system security
QSECURITY | System security level: password, object and operating system integrity | 40 | Recommended - The selected security level is sufficient for password, object and operating system integrity
QSHRMEMCTL | Shared memory control: whether shared or mapped memory with write capability may be used (1 = allowed, 0 = not allowed) | 0 | Warning - Programs running in different jobs are prevented from accessing shared-memory objects with write capability; this is the restrictive setting, and applications that rely on it will fail
QSVRAUTITV | Server authentication interval (no longer used by the operating system) | 2880 | Recommended - The system value is no longer used by the operating system and is kept for reference
QUSEADPAUT | Use adopted authority: which users may create or change programs with USEADPAUT(*YES), i.e. programs that use the authority adopted by the programs that call them; *NONE means all users, an authorization list name restricts it to the users on that list | *NONE | Recommended by this report; to tighten it, name an authorization list so that only selected users can create programs that inherit adopted authority from their callers
QVFYOBJRST | Verify object on restore: whether object signatures are verified during restore (values 1-5) | 1 | High risk - Signatures are not verified on restore; allowing unsigned or tampered programs to be restored is an integrity risk to your system

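Both system value tables (the password policy table under Question 4 and the security table above) are the result of comparing each current value with a threshold. The block below is an added example, not part of the original report: evaluate() applies one rule per system value to a name-to-value map and returns Name / Current Value / Risk rows. The thresholds are this example's assumptions, chosen to agree with the report's ratings and with IBM's documented meaning of each value (QRETSVRSEC 0 = not retained, QPWDRQDDIF 1-5 = history of at least 10 passwords, QPWDLVL 0 = LAN Manager hash kept); SAMPLE re-types the values shown in the two tables.

```python
"""Security and password-policy system value checks (added example)."""

# On a live system build the map from the SQL service QSYS2.SYSTEM_VALUE_INFO
# (SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE) or from
# DSPSYSVAL output.  Values below are the ones printed in the report's tables.
SAMPLE = {
    "QPWDEXPITV": "000120", "QPWDLMTAJC": "0", "QPWDLMTCHR": "*NONE",
    "QPWDLMTREP": "0", "QPWDLVL": "0", "QPWDMAXLEN": "5", "QPWDMINLEN": "3",
    "QPWDPOSDIF": "0", "QPWDRQDDGT": "0", "QPWDRQDDIF": "6",
    "QPWDVLDPGM": "PASSVLDPGMSHLOMOANZ",
    "QALWOBJRST": "*ALL", "QCRTAUT": "*ALL", "QRETSVRSEC": "1",
    "QSECURITY": "40", "QUSEADPAUT": "*NONE", "QVFYOBJRST": "1",
}


def _num(v):
    """Numeric values arrive zero-padded ('000120'); *NOMAX raises ValueError."""
    return int(v)


# name -> (predicate on the current value, label when it fails, reason).
# Thresholds are assumptions of this example, not IBM figures.
RULES = {
    "QPWDEXPITV": (lambda v: 30 <= _num(v) <= 90, "High risk", "expiration interval outside 30-90 days (or *NOMAX)"),
    "QPWDLMTAJC": (lambda v: v == "1", "Warning", "adjacent digits allowed"),
    "QPWDLMTCHR": (lambda v: v != "*NONE", "High risk", "no characters restricted, dictionary words allowed"),
    "QPWDLMTREP": (lambda v: v in ("1", "2"), "High risk", "repeated characters allowed"),
    "QPWDLVL":    (lambda v: _num(v) >= 1, "Warning", "level 0 keeps the LAN Manager-compatible hash for NetServer"),
    "QPWDMAXLEN": (lambda v: _num(v) >= 8, "High risk", "maximum length below 8"),
    "QPWDMINLEN": (lambda v: _num(v) >= 8, "High risk", "minimum length below 8"),
    "QPWDPOSDIF": (lambda v: v == "1", "Warning", "same character allowed in the same position as the old password"),
    "QPWDRQDDGT": (lambda v: v == "1", "Warning", "all-alphabetic passwords allowed"),
    "QPWDRQDDIF": (lambda v: 1 <= _num(v) <= 5, "Warning", "password history shorter than the last 10 passwords"),
    "QPWDVLDPGM": (lambda v: v == "*NONE", "Warning", "a user-written program sees every new password in clear text"),
    "QALWOBJRST": (lambda v: v != "*ALL", "High risk", "security-sensitive objects restored without restriction"),
    "QCRTAUT":    (lambda v: v in ("*CHANGE", "*USE", "*EXCLUDE"), "High risk", "new objects get *PUBLIC *ALL"),
    "QRETSVRSEC": (lambda v: v == "0", "Warning", "server authentication data retained"),
    "QSECURITY":  (lambda v: _num(v) >= 40, "High risk", "below level 40: no object/OS integrity enforcement"),
    "QUSEADPAUT": (lambda v: v != "*NONE", "Warning", "any user may create programs with USEADPAUT(*YES)"),
    "QVFYOBJRST": (lambda v: _num(v) >= 3, "High risk", "object signatures not verified on restore"),
}


def evaluate(values, rules=RULES):
    """Return [(name, current, label, reason)]; label is OK, Warning,
    High risk, or 'Not supplied' when the extract lacks the value."""
    rows = []
    for name, (check, label, reason) in rules.items():
        cur = values.get(name)
        if cur is None:
            rows.append((name, "", "Not supplied", "value missing from the extract"))
            continue
        cur = cur.strip().upper()
        try:
            ok = check(cur)
        except ValueError:  # non-numeric where a number was expected, e.g. *NOMAX
            ok = False
        rows.append((name, cur, "OK" if ok else label, "" if ok else reason))
    return rows


def summary(rows):
    """Counts per label, e.g. {'High risk': 8, 'Warning': 8, 'OK': 1}."""
    out = {}
    for _, _, label, _ in rows:
        out[label] = out.get(label, 0) + 1
    return out


if __name__ == "__main__":
    rows = evaluate(SAMPLE)
    for name, cur, label, reason in rows:
        print("%-10s %-20s %-12s %s" % (name, cur, label, reason))
    print(summary(rows))
```

Because every rule is a predicate on the raw value string, a site policy that differs from these assumptions (a 60-day expiration, QPWDLVL 3 only) is a one-line change in RULES rather than a change to the evaluator.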
Question 6 - Logging and auditing
On your system, in addition to the preventive policies, have all the logging
and auditing tools been enabled so that an audit can be performed when
needed? On your system, would you be able to identify who deleted a file,
even accidentally?
YES_____
NO_____
Audit configuration: QAUDCTL turns auditing on (*AUDLVL, *OBJAUD) and
QAUDLVL selects the event categories; all entries are written to the
QAUDJRN journal in QSYS. The question above on who deleted a file is
answered by *DELETE: with it on, a DO entry in QAUDJRN records the user and
job that deleted the object.

Value | Description | Setting | Risk Assessment
*AUDLVL | System (action) auditing, QAUDCTL | On | System auditing events are logged and may be audited
*OBJAUD | Object auditing, QAUDCTL | On | Object auditing activity, where defined, is logged and may be audited
*AUTFAIL | Authority failure | On | All access failures, incorrect passwords and incorrect user IDs are logged and may be audited
*PGMFAIL | System integrity violation | On | Blocked instructions, validation failures and domain violations are logged and may be audited
*JOBDTA | Job tasks | On | Job start and stop data (disconnect, prestart) is logged and may be audited
*NETCMN | Communication and networking tasks | On | Actions that occur for APPN filtering support are logged and may be audited
*SAVRST | Object restore | On | Restores (PGM, JOBD, authority, CMD, system state) are logged and may be audited
*SECURITY | Security tasks | On | All security-related functions (CRT/CHG/DLT/RST) are logged and may be audited
*SERVICE | HW/SW services | On | Actions for performing hardware or software services are logged and may be audited
*SYSMGT | System management | Off | Registration information, network files, DRDA, system reply list and Operational Assistant changes are not logged and cannot be audited
*CREATE | Object creation | On | Newly created objects and replaced existing objects are logged and may be audited
*DELETE | Object deletion | On | All deletions of external objects are logged and may be audited
*OFCSRV | Office tasks | On | Office tasks (system distribution directory, mail) are logged and may be audited
*OPTICAL | Optical tasks | On | Optical tasks (such as adding or removing an optical cartridge) are logged and may be audited
*PGMADP | Program authority adoption | On | Use of program-adopted authority to gain access to an object is logged and may be audited
*OBJMGT | Object management | On | Object management operations are logged and may be audited
*SPLFDTA | Spool management | On | Spool file operations are logged and may be audited
A small cross-section of actual activity - invalid user names and passwords
used when signing on - has been analyzed. It can be seen that this
information is logged in your system and may be audited.

Entry Type | Entry Code | Description | Count
PW | P | Failed signon due to incorrect password | 14
PW | U | Failed signon due to incorrect user name | 0
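The audit coverage table and the PW cross-section above, together with the "who deleted the file" question, are the kind of checks worth scripting against a QAUDJRN extract. The block below is an added example, not part of the original report: audit_coverage() rebuilds the On/Off table from the QAUDCTL and QAUDLVL lists, signon_failures() counts PW entries by code, and deletions() answers Question 6 from DO entries. The journal rows are constructed and use a simplified layout (entry type, code, user, job, object, timestamp) rather than the real entry-specific data DSPJRN produces, so a real extract needs its own parser; what is taken from IBM's documentation is that PW entries are written only with *AUTFAIL in QAUDLVL, with code P for a bad password and U for a bad user name, and that DO entries are written with *DELETE.

```python
"""Audit coverage and QAUDJRN sign-on failure / deletion lookup (added example)."""
from collections import Counter

QAUDCTL = ["*AUDLVL", "*OBJAUD"]
QAUDLVL = ["*AUTFAIL", "*PGMFAIL", "*JOBDTA", "*NETCMN", "*SAVRST", "*SECURITY",
           "*SERVICE", "*CREATE", "*DELETE", "*OFCSRV", "*OPTICAL", "*PGMADP",
           "*OBJMGT", "*SPLFDTA"]            # *SYSMGT absent, as on the page
REPORTED = ["*AUDLVL", "*OBJAUD"] + QAUDLVL + ["*SYSMGT"]

PW_CODES = {"P": "Failed signon due to incorrect password",
            "U": "Failed signon due to incorrect user name"}

# Constructed QAUDJRN extract: (entry type, code, user, job, object, timestamp).
# The code field is only interpreted for PW entries.
ENTRIES = [
    ("PW", "P", "LEONID", "QPADEV0001", "", "2004-03-01-09.10.11"),
    ("PW", "P", "LEONID", "QPADEV0001", "", "2004-03-01-09.10.40"),
    ("PW", "P", "ANNA",   "QTFTP00123", "", "2004-03-01-10.02.05"),
    ("PW", "U", "ADMIN",  "QPADEV0003", "", "2004-03-01-10.30.00"),
    ("DO", "A", "LEONID", "QZRCSRVS",   "BSAFELIB/BSAFEFILE2", "2004-03-01-11.15.22"),
    ("CO", "N", "LUCA",   "QPADEV0002", "BSAFELIB/BSAFEFILE4", "2004-03-01-11.20.00"),
]


def audit_coverage(qaudctl, qaudlvl, reported=REPORTED):
    """{value: 'On'/'Off'} like the table above. Every QAUDLVL category is Off
    when QAUDCTL lacks *AUDLVL, because action auditing is then disabled."""
    action_on = "*AUDLVL" in qaudctl
    cov = {}
    for v in reported:
        if v in ("*AUDLVL", "*OBJAUD"):
            cov[v] = "On" if v in qaudctl else "Off"
        else:
            cov[v] = "On" if action_on and v in qaudlvl else "Off"
    return cov


def signon_failures(entries, qaudctl=QAUDCTL, qaudlvl=QAUDLVL):
    """([(type, code, description, count)], note). Empty rows plus a note
    when the configuration cannot produce PW entries at all."""
    if "*AUDLVL" not in qaudctl or "*AUTFAIL" not in qaudlvl:
        return [], "no PW entries possible: *AUDLVL/*AUTFAIL not active"
    counts = Counter(code for typ, code, *_ in entries if typ == "PW")
    return [("PW", code, desc, counts.get(code, 0)) for code, desc in PW_CODES.items()], None


def repeated_failures(entries, threshold=2):
    """Users with at least `threshold` bad-password attempts (guessing indicator)."""
    counts = Counter(user for typ, code, user, *_ in entries if typ == "PW" and code == "P")
    return {u: n for u, n in counts.items() if n >= threshold}


def deletions(entries, obj):
    """Who deleted `obj` (library/file): the DO entries for it, as (user, job, timestamp)."""
    return [(user, job, ts) for typ, _, user, job, o, ts in entries
            if typ == "DO" and o == obj]


if __name__ == "__main__":
    for value, setting in audit_coverage(QAUDCTL, QAUDLVL).items():
        print("%-10s %s" % (value, setting))
    rows, note = signon_failures(ENTRIES)
    for row in rows:
        print("%s | %s | %s | %d" % row)
    print("repeated bad passwords:", repeated_failures(ENTRIES))
    print("BSAFELIB/BSAFEFILE2 deleted by:", deletions(ENTRIES, "BSAFELIB/BSAFEFILE2"))
```

The job name in a DO entry is as useful as the user: QZRCSRVS is the remote command host server, so the sample deletion came through the network path probed under Question 1, not from an interactive session.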