ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvtcpserverstart.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Control which TCP/IP servers start automatically" />
<meta name="abstract" content="As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP." />
<meta name="description" content="As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP." />
<meta name="DC.Relation" scheme="URI" content="rzamvtcpsecurenv.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="tcpserverstart" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Control which TCP/IP servers start automatically</title>
</head>
<body id="tcpserverstart"><a name="tcpserverstart"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Control which TCP/IP servers start automatically</h1>
<div><p>As security administrator, you need to control which TCP/IP applications start automatically when you start TCP/IP.</p>
<div class="section"><h4 class="sectiontitle">Commands for starting TCP/IP</h4><p>Two commands are available for starting TCP/IP. For each command, the system uses a different method to determine which applications or servers to start.</p>
<dl><dt class="dlterm"><span class="synph"><span class="kwd">STRTCP</span> <span class="var">Start TCP/IP</span></span></dt>
<dd>The system starts every server that specifies AUTOSTART(*YES). Security recommendations:<ul><li>Assign *IOSYSCFG special authority carefully to control who can change the autostart settings.</li>
<li>Carefully control who has authority to use the STRTCP command. The default public authority for the command is *EXCLUDE.</li>
<li>Set up object auditing for the Change server-name Attributes commands (such as CHGTELNA) to monitor users who attempt to change the AUTOSTART value for a server.</li>
</ul>
</dd>
<dt class="dlterm"><span class="synph"><span class="kwd">STRTCPSVR</span> <span class="var">Start TCP/IP Server</span></span></dt>
<dd>You use a parameter to specify which servers to start. The default when this command ships is to start all servers.</dd>
<dd class="ddexpand">Security recommendations:<ul><li>Use the Change Command Default (CHGCMDDFT) command to set up the STRTCPSVR command to start only a specific server. This does not prevent users from starting other servers. However, by changing the command default, you make it less likely that users will start all servers by accident. For example, use the following command to set the default to start only the TELNET server:<samp class="codeph">CHGCMDDFT CMD(STRTCPSVR) NEWDFT(’SERVER(*TELNET)’)</samp><div class="note"><span class="notetitle">Note:</span> When you change the default value, you can specify only a single server. Choose either a server that you use regularly or a server that is least likely to cause security exposures (such as TFTP).</div>
</li>
<li>Carefully control who has authority to use the STRTCPSVR command. The default public authority for the command is *EXCLUDE.</li>
</ul>
</dd>
</dl>

<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. </caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e64">Server</th>
<th valign="bottom" id="d0e66">Default value</th>
<th valign="bottom" id="d0e68">Your value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e64 ">Telnet</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*YES)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">FTP (file transfer protocol)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*YES)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">BOOTP (bootstrap protocol)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">TFTP (trivial file transfer protocol</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">REXEC (remote EXECution server)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">RouteD (route daemon)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">SMTP (simple mail transfer protocol)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*YES)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">POP (post office protocol)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">HTTP (hypertext transfer protocol)<sup>1</sup></td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">ICS (Internet connection server)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">LPD (line printer daemon)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*YES)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">SNMP (simple network management protocol) </td>
<td valign="top" headers="d0e66 ">AUTOSTART(*YES)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">DNS (domain name system)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">DHCP (dynamic host configuration protocol)</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">NSMI</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td valign="top" headers="d0e64 ">INETD</td>
<td valign="top" headers="d0e66 ">AUTOSTART(*NO)</td>
<td valign="top" headers="d0e68 ">&nbsp;</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e64 d0e66 d0e68 "><div class="note"><span class="notetitle">Note:</span> 1. With the IBM<sup>®</sup> HTTP Server, you use the CHGHTTPA command to set the AUTOSTART value.</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvtcpsecurenv.htm" title="This topic provides general suggestions for steps that you can take to reduce the security exposures in the TCP/IP environment on your system.">Secure your TCP/IP environment</a></div>
</div>
</div>
</body>
</html>