199 lines
14 KiB
HTML
199 lines
14 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Secure your workstations" />
|
||
|
<meta name="abstract" content="After you secure printer output, you should secure your workstations. You authorize workstations just like you authorize other objects on the system. Use the EDTOBJAUT command to give users authority to workstations." />
|
||
|
<meta name="description" content="After you secure printer output, you should secure your workstations. You authorize workstations just like you authorize other objects on the system. Use the EDTOBJAUT command to give users authority to workstations." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvsetrscsec.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresobjauth.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresappadmin.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresodbcaccess.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresworkstationpwd.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresprotectserver.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresprotworkstation.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvresgateway.htm" />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rzamvreswirelesslan.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="secstation" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Secure your workstations</title>
|
||
|
</head>
|
||
|
<body id="secstation"><a name="secstation"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Secure your workstations</h1>
|
||
|
<div><p>After you secure printer output, you should secure your workstations.
|
||
|
You authorize workstations just like you authorize other objects on the system.
|
||
|
Use the EDTOBJAUT command to give users authority to workstations.</p>
|
||
|
<p>Your system users have PCs on their desks as their workstations. They use
|
||
|
tools that run on the PC, and they use the PC to connect to the server. Most
|
||
|
methods of connecting a PC to IBM<sup>®</sup> Systems provide more function than workstation
|
||
|
emulation. The PC may look like a display to the system and provide the user
|
||
|
with interactive signon sessions. In addition, the PC may look to IBM Systems like
|
||
|
other computers and provide functions such as file transfer and remote procedure
|
||
|
call. </p>
|
||
|
<div class="p">As an IBM Systems
|
||
|
security administrator, you need to be aware of the following: <ul><li>Functions that are available to PC users who are connected to your system</li>
|
||
|
<li>IBM Systems
|
||
|
resources that PC users can access.</li>
|
||
|
</ul>
|
||
|
You may want to prevent advanced PC functions, such as file transfer
|
||
|
and remote procedure call, if your security scheme is not yet prepared for
|
||
|
those functions. Probably, your long-range goal is to allow advanced PC functions
|
||
|
while you still protect the information on your system. The topics that follow
|
||
|
discuss some of the security issues that are associated with PC access.</div>
|
||
|
<p><span class="uicontrol">Secure workstation data access</span></p>
|
||
|
<p>Some PC client software uses shared folders to store information on the
|
||
|
server. To access system database files, the PC user has a limited, well-defined
|
||
|
set of interfaces. With the file transfer capability that is part of most
|
||
|
client/server software, the PC user can copy files between the server and
|
||
|
the PC. With database access capability; such as a DDM file, remote SQL, or
|
||
|
an ODBC driver; the PC user can access data on the server.</p>
|
||
|
<p>In this environment, you can create programs to intercept and evaluate
|
||
|
PC-user requests to access server resources. When the requests use a DDM file,
|
||
|
you specify the exit program in the distributed data management access (DDMACC)
|
||
|
network attribute. For some methods of PC file transfer, you specify the exit
|
||
|
program in the client request access (PCSACC) network attribute. Or, you can
|
||
|
specify PCSACC (*REGFAC) to use the registration function. When the requests
|
||
|
use other server functions to access data, you can use the WRKREGINF command
|
||
|
to register exit programs for those server functions.</p>
|
||
|
<p>Exit programs, however, can be difficult to design, and they are rarely
|
||
|
foolproof. Exit programs are not a replacement for object authority, which
|
||
|
is designed to protect your objects from unauthorized access from any source.</p>
|
||
|
<div class="p">Some client software, such as IBM iSeries™ Access for Windows<sup>®</sup>,
|
||
|
uses the integrated file system to store and access data on IBM Systems. With
|
||
|
the integrated file system, the entire server becomes more easily available
|
||
|
to PC users. Object authority becomes even more essential. Through the integrated
|
||
|
file system, a user with sufficient authority can view a server library as
|
||
|
if it is a PC directory. Simple move and copy commands can instantly move
|
||
|
data from a system library to a PC directory or vice versa. The system automatically
|
||
|
makes the appropriate changes to the format of the data. <div class="note"><span class="notetitle">Note:</span> You can use
|
||
|
an authorization list to control the use of objects in the QSYS.LIB file system.</div>
|
||
|
The
|
||
|
strength of the integrated file system is its simplicity for users and developers.
|
||
|
With a single interface, the user can work with objects in multiple environments.
|
||
|
The PC user does not need special software or APIs to access objects. Instead,
|
||
|
the PC user can use familiar PC commands or “point and click” to work with
|
||
|
objects directly.</div>
|
||
|
<p>For all systems that have PCs attached, but particularly for systems that
|
||
|
have client software that uses the integrated file system, a good object authority
|
||
|
scheme is critical. Because security is integrated into the i5/OS™ product,
|
||
|
any request to access data must go through the authority checking process.
|
||
|
Authority checking applies to requests from any source and to data access
|
||
|
that uses any method.</p>
|
||
|
<p><span class="uicontrol">Object authority with workstation access</span></p>
|
||
|
<p>When you set up authority for objects, you need to evaluate what that authority
|
||
|
provides for the PC user. For example, when a user has *USE authority to a
|
||
|
file, the user can view or print data in the file. The user cannot change
|
||
|
information in the file or delete the file. For the PC user, viewing is equivalent
|
||
|
to reading, which provides sufficient authority for the user to make a copy
|
||
|
of a file on the PC. This may not be what you intend.</p>
|
||
|
<p>For some critical files, you may need to set the public authority to *EXCLUDE
|
||
|
to prevent downloading. You can then provide another method to view the file
|
||
|
on the server, such as using a menu and programs that adopt authority. Another
|
||
|
option to prevent downloading is to use an exit program that runs whenever
|
||
|
a PC user starts a server function, other than interactive signon.</p>
|
||
|
<p>You can specify an exit program in the PCSACC network attribute by using
|
||
|
the Change Network Attribute (CHGNETA) command. Or, you can register exit
|
||
|
programs by using the Work with Registration Information (WRKREGINF) command.
|
||
|
The method that you use depends on how PCs are accessing data on your system
|
||
|
and which client program the PCs use. The exit program (QIBM_QPWFS_FILE_SERV)
|
||
|
applies to iSeries Access
|
||
|
and Net Server access to integrated file system. It does not prevent access
|
||
|
from a PC with other mechanisms, such as FTP or ODBC.</p>
|
||
|
<p>PC software typically provides upload capability also, so that a user can
|
||
|
copy data from the PC to a server database file. If you have not set up your
|
||
|
authority scheme correctly, a PC user might overlay all of the data in a file
|
||
|
with data from a PC. You need to assign *CHANGE authority carefully. Review
|
||
|
Appendix D in the <a href="../books/sc415302.pdf" target="_blank">iSeries Security Reference</a> to understand what authority
|
||
|
is required for file operations.</p>
|
||
|
<p>Users must have *CHANGE authority to sign on at a workstation. If the QLMTSECOFR
|
||
|
system value is no (0), the security officer or anyone with *ALLOBJ authority
|
||
|
can sign on at any workstation. If the QLMTSECOFR system value is yes (1),
|
||
|
use these guidelines to set authority to workstations:</p>
|
||
|
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th valign="top" width="34.94897959183674%" id="d0e91">Users allowed to
|
||
|
sign on at workstation</th>
|
||
|
<th valign="top" width="23.214285714285715%" id="d0e93">Public authority</th>
|
||
|
<th valign="top" width="20.918367346938776%" id="d0e95">QSECOFR authority</th>
|
||
|
<th valign="top" width="20.918367346938776%" id="d0e97">Individual user authority</th>
|
||
|
</tr>
|
||
|
</thead>
|
||
|
<tbody><tr><td valign="top" width="34.94897959183674%" headers="d0e91 ">All users</td>
|
||
|
<td valign="top" width="23.214285714285715%" headers="d0e93 ">*CHANGE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e95 ">*CHANGE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e97 ">Not required</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" width="34.94897959183674%" headers="d0e91 ">Only selected users</td>
|
||
|
<td valign="top" width="23.214285714285715%" headers="d0e93 ">*EXCLUDE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e95 ">No authority</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e97 ">*CHANGE</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" width="34.94897959183674%" headers="d0e91 ">Selected users and users with
|
||
|
authority to all objects</td>
|
||
|
<td valign="top" width="23.214285714285715%" headers="d0e93 ">*EXCLUDE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e95 ">*CHANGE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e97 ">*CHANGE</td>
|
||
|
</tr>
|
||
|
<tr><td valign="top" width="34.94897959183674%" headers="d0e91 ">All users except users with authority
|
||
|
to all objects</td>
|
||
|
<td valign="top" width="23.214285714285715%" headers="d0e93 ">*CHANGE</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e95 ">No authority</td>
|
||
|
<td valign="top" width="20.918367346938776%" headers="d0e97 ">Not required</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<div class="p">As an IBM Systems
|
||
|
security administrator, you need to be aware of the following: <ul><li>Functions that are available to PC users who are connected to your system</li>
|
||
|
<li>Resources of IBM Systems that PC users can access. </li>
|
||
|
</ul>
|
||
|
You may want to prevent advanced PC functions, such as file transfer
|
||
|
and remote procedure call, if your security scheme is not yet prepared for
|
||
|
those functions. Your long-range goals probably include allowing advanced
|
||
|
PC functions while you still protect the information on your system.</div>
|
||
|
<p>Before you restrict access to the system operator message queue, use the
|
||
|
EDTOBJAUT command to secure workstations, based on the information in your
|
||
|
Output Queue and Workstation Security form.</p>
|
||
|
</div>
|
||
|
<div>
|
||
|
<ul class="ullinks">
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresobjauth.htm">Object authority with workstation access</a></strong><br />
|
||
|
When you set up authority for objects, you need to evaluate what that authority provides for the PC user.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresappadmin.htm">Application administration</a></strong><br />
|
||
|
Application Administration is an optional component of iSeries Navigator, the graphical user interface (GUI) for the iSeries server.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresodbcaccess.htm">Prevent ODBC access</a></strong><br />
|
||
|
Open database connectivity (ODBC) is a tool that PC applications
|
||
|
can use to access iSeries data as if the data is PC data.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresworkstationpwd.htm">Security considerations for workstation session passwords</a></strong><br />
|
||
|
This topic discusses the security concerns over passwords being exchanged between workstations and servers.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresprotectserver.htm">Protect the server from remote commands and procedures</a></strong><br />
|
||
|
This topic explains why you need to consider how remote commands and procedures can be run on your server.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresprotworkstation.htm">Protect workstations from remote commands and procedures</a></strong><br />
|
||
|
IBM iSeries Access for Windows provides the capability of receiving remote commands on the PC.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvresgateway.htm">Gateway servers</a></strong><br />
|
||
|
Your system may participate in a network with an intermediate or gateway server between the iSeries system and the PCs.</li>
|
||
|
<li class="ulchildlink"><strong><a href="rzamvreswirelesslan.htm">Wireless LAN communications</a></strong><br />
|
||
|
Some clients might use the iSeries Wireless LAN to communicate to your system without wires.</li>
|
||
|
</ul>
|
||
|
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvsetrscsec.htm" title="This information helps you establish resource security for workstations and printers by setting ownership and public authority to objects, as well as specific authority to applications.">Implement resource security</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|