User profile objects with at least *USE authority for *PUBLIC are usable by anyone on the system. If such a profile has privileged access, then so does anyone who can run commands.
Countermeasures:
- Grant remote command access (server or green screen) on a strict need-to-use basis.
- Unused TCP services should not run, or they need to be blocked by exit point programs.
- Unprotected profiles must not be tolerated.
- CHGUSRPRF and CRTUSRPRF commands should be protected by exit point software.
- Restricting the profile - CHGUSRPRF LMTCPB(*YES) - does not prevent remote command execution.
- Disabling a profile does not stop it from being used in a submitted job.
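
One way to find unprotected profiles, as an added example that is not from the original page: the query assumes the IBM i Services views QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO are available on the release and that the caller is authorized to see other users' profiles. The column aliases are chosen here for illustration.

```sql
-- Added example: list user profiles whose *PUBLIC authority is not *EXCLUDE.
-- Assumption: QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO exist on this release.
SELECT p.OBJECT_NAME          AS PROFILE_NAME,
       p.OBJECT_AUTHORITY     AS PUBLIC_AUTHORITY,
       u.USER_CLASS_NAME      AS USER_CLASS,
       u.SPECIAL_AUTHORITIES  AS OWN_SPCAUT,
       u.GROUP_PROFILE_NAME   AS GROUP_PROFILE,
       -- Special authorities inherited from the group profile count too.
       -- Supplemental groups are not resolved here and need a manual look.
       g.SPECIAL_AUTHORITIES  AS GROUP_SPCAUT,
       -- Shown for context only: per the list above, neither a disabled
       -- status nor LMTCPB(*YES) makes an unprotected profile safe.
       u.STATUS               AS PROFILE_STATUS,
       u.LIMIT_CAPABILITIES   AS LMTCPB
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN QSYS2.USER_INFO u
    ON u.AUTHORIZATION_NAME = p.OBJECT_NAME
  LEFT JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE p.OBJECT_SCHEMA      = 'QSYS'
   AND p.OBJECT_TYPE        = '*USRPRF'
   AND p.AUTHORIZATION_NAME = '*PUBLIC'
   -- Report every value other than *EXCLUDE so nonstandard grants
   -- are reviewed as well as *USE, *CHANGE and *ALL.
   AND p.OBJECT_AUTHORITY  <> '*EXCLUDE'
 ORDER BY CASE
            -- Profiles that carry or inherit *ALLOBJ come first.
            WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
              OR g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 0
            ELSE 1
          END,
          p.OBJECT_NAME;
```

Each returned profile should have its public authority set to *EXCLUDE, for example with `GRTOBJAUT OBJ(QSYS/PROFILE_NAME) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE)`, where PROFILE_NAME is a placeholder for the reported profile.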
YouTube Video: IBM i (AS/400, iSeries) Security 5 - Unprotected Profiles
Description:
- The unprotected *ALLOBJ user is used to run the ANZDFTPWD report and to upgrade its own profile to *SECOFR class:
- Commands (that need *SECOFR authority) are written into a source physical file, using the SQL server.
- The new program is then compiled with *OWNER authority and executed by the unprotected *ALLOBJ user (who can access the *SECOFR profile).