Run SQL Scripts – Automating Your Analysis

Of course, by now you should realize that you don’t have to re-create your SQL. You can use the Save function in Run SQL Scripts to save your work. What I suggest you do is put all of the SQL that you need to run regularly into a separate Run SQL Script file; then run …

Ensure All Connections Are Using Strong Encryption – Securing the Connection to IBM i

The other consideration for encryption is the strength of the algorithms in use. The system values that control the strength of encryption on the system are the QSSL* system values. I describe the three values and how they work together in chapters 3 and 10 of IBM i Security Administration and Compliance, Third Edition. IBM …

NETSTAT – Securing the Connection to IBM i

One way to look at all connections is to use the Work with TCP/IP Network Status (WRKTCPSTS) command, aka NETSTAT. Choosing to look at the IPv4 and IPv6 connections will show you the established connections and which server they’re connected to. The server name will indicate whether the connection is secure, typically by adding either …

Encrypted Sessions – Securing the Connection to IBM i

I can’t emphasize enough the need to encrypt all sessions—not just communications out of your network, but internal communications as well. Why, you ask? Because if malware or an intruder makes its way into your network, all data (including user IDs and passwords flowing around your network in cleartext) will be read, especially the user …

Discovering Who’s Using SSH – Securing the Connection to IBM i

Before you limit which profiles can use SSH, you may want to determine who’s already using it so you can either allow the access or make the conscious choice to prevent it. There’s no specific audit journal entry type for SSH access, but I’ve discovered that you can determine SSH access by examining either the …

Other Best-Practice Settings – Securing the Connection to IBM i

You may also want to change some of the default settings in your SSH configuration file. For example, I recommend that you do not let QSECOFR use SSH. (QSECOFR is a well-known profile. If someone is going to try to access your system, that’s a profile they know exists on all IBM i systems like …

Controlling Who Can Use SSH – Securing the Connection to IBM i

One of the servers I am going to spend a bit of time on is Secure Shell (SSH) because it’s become widely used and SSH clients are readily available. If you’re not controlling what can be installed on your users’ desktops, an SSH client such as PuTTY can be downloaded, installed, and in use in …

TCP/IP Servers – Securing the Connection to IBM i

I’m not going to discuss the security considerations of each TCP/IP server; I did that in IBM i Security Administration and Compliance, Third Edition. What I want to encourage you to do is review the servers that you have autostarting and determine if that’s the right setting. If you aren’t using it, change the autostart …

Listing the Function ID Settings – Implementing Function Usage (Application Administration)

If you want to have a different way of viewing these settings or need to print a report or send it to a spreadsheet or file, you have a few options. You can use the Work with Function Usage (WRKFCNUSG) or Display Function Usage (DSPFCNUSG) commands. But the output is display or spooled file only …

Controlling Access to ACS Features – Implementing Function Usage (Application Administration)

To find the functions defined that allow you to control ACS, scroll over to the Category column and filter using “ACS.” Use the same techniques as the ones I described for controlling access to Navigator for i. The only difference is that there’s not one function that shuts off access to all features. Controlling Access …