Users with unrestricted network access to the system have the authority to list all users on the system. Accounts with default password can then be found by trying out the profiles on that list.
Countermeasures:
- Disable accounts with default password on a daily basis.
- Grant access to remote command functions (as provided by RMTCMD, FTP, Rexec or SQL) on a need to use basis.
- From Version 7: Restrict access to the object statistics table.
- After too many incorrect sign on requests the IP should be blocked.
Youtube Video: IBM i (AS/400, iSeries) Security 2 - Default Passwords
Description: A simple user profile is used to retrieve a list of all profiles on the system and then tries to sign on each of them using the default password. When successful the special authorities are retrieved. The process stops when sufficient privileges have been detected.