
Unprotected Profiles

Submitted on Tue, 27.08.2019 - 09:55

User profile objects that grant *USE authority (or more) to *PUBLIC are usable by anyone on the system. If such a profile has privileged access, then anyone who can run commands effectively has that same privileged access.

Countermeasures:

  • Grant remote command access (server or green screen) on a strict need to use basis.
  • Unused TCP services should not run, or must be blocked by exit point programs.
  • Unprotected profiles must not be tolerated.
  • CHGUSRPRF and CRTUSRPRF commands should be protected by exit point software.
  • Restricting the profile - CHGUSRPRF LMTCPB(*YES) - does not prevent remote command execution.
  • Disabling a profile does not stop it from being used in a submitted job.

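The following query is an added example for checking the third countermeasure (it is not part of the original post or video): it lists every user profile that *PUBLIC is authorized to use and flags those that carry privileged special authorities or the *SECOFR class. It assumes IBM i 7.3 or later, where the QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO SQL services are available; the column names used here (OBJECT_NAME, OBJECT_TYPE, OBJECT_AUTHORITY, AUTHORIZATION_NAME, SPECIAL_AUTHORITIES, USER_CLASS_NAME, STATUS) are the ones documented for those views and should be verified against the release in use.

```sql
-- Added example (not from the original post): report user profiles that
-- *PUBLIC can use, ranked by how much damage such a profile could do.
-- Assumes the QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO services (IBM i 7.3+).
SELECT p.OBJECT_NAME            AS PROFILE_NAME,
       p.OBJECT_AUTHORITY       AS PUBLIC_AUTHORITY,   -- *USE, *CHANGE, *ALL or USER DEFINED
       u.USER_CLASS_NAME,
       u.SPECIAL_AUTHORITIES,                          -- space-separated list, e.g. '*ALLOBJ *SECADM'
       u.STATUS,                                       -- *ENABLED / *DISABLED (a disabled profile is still usable via SBMJOB)
       CASE
         WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
           OR u.SPECIAL_AUTHORITIES LIKE '%*SECADM%'
           OR u.USER_CLASS_NAME = '*SECOFR'
           THEN 'CRITICAL'
         ELSE 'REVIEW'
       END                      AS RISK
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN QSYS2.USER_INFO u
    ON u.AUTHORIZATION_NAME = p.OBJECT_NAME
 WHERE p.OBJECT_SCHEMA      = 'QSYS'      -- user profiles always live in QSYS
   AND p.OBJECT_TYPE        = '*USRPRF'
   AND p.AUTHORIZATION_NAME = '*PUBLIC'
   AND p.OBJECT_AUTHORITY  <> '*EXCLUDE'  -- anything other than *EXCLUDE makes the profile usable
 ORDER BY RISK, PROFILE_NAME;
```

Any row marked CRITICAL is exactly the situation the post describes: a profile with *ALLOBJ, *SECADM or *SECOFR-class rights that every user on the system can run work under. The fix for each row is to set the public authority of the profile object back to *EXCLUDE, for example with CHGOBJAUT OBJ(QSYS/profile) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE); the green-screen alternative for producing the same list is the PRTPUBAUT command for object type *USRPRF. Note that STATUS is shown only for context, because, as the last countermeasure states, disabling the profile does not remove the exposure.
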
Youtube Video: IBM i (AS/400, iSeries) Security 5 - Unprotected Profiles

Description: 

  • The unprotected *ALLOBJ user is used to run the ANZDFTPWD report and to upgrade its own profile to the *SECOFR class:
    • Commands (that need *SECOFR authority) are written into a source physical file, using the SQL server.
    • The new program is then compiled with *OWNER authority and executed by the unprotected *ALLOBJ user (who can access the *SECOFR profile).