Protect workstations from remote commands and procedures

IBM® iSeries™ Access for Windows® provides the capability of receiving remote commands on the PC.

You can use the Run Remote Command (RUNRMTCMD) command on the server to run a procedure on an attached PC. The RUNRMTCMD capability is a valuable tool for system administrators and help-desk personnel. However, it also provides the opportunity for damaging PC data, either deliberately or accidentally.

PCs do not have the same object authority functions as iSeries servers. Your best protection against problems with the RUNRMTCMD command is to carefully restrict the system users who have access to the command. IBM iSeries Access for Windows provides the capability to register which users can run remote commands on a specific PC. When the connection is via TCP/IP, you can use the properties control panel on the client to control remote-command access. You can authorize users by user ID or by the remote system name. When the connection is via SNA, some client software provides the capability to set up security for the conversation. With other client software, you simply choose whether or not to set up the incoming-command capability.
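
One way to restrict who can use the command on the server is shown below as an added example; it is not part of the original IBM text. It assumes the command object is in library QSYS, and the group profile name HELPDESK is hypothetical.

```cl
/* Added example. HELPDESK is a hypothetical group profile for the   */
/* administrators and help-desk staff who are allowed to use         */
/* RUNRMTCMD. Run these under a profile with authority to manage     */
/* the command object.                                               */

/* 1. Review who is currently authorized to the command.             */
DSPOBJAUT OBJ(QSYS/RUNRMTCMD) OBJTYPE(*CMD)

/* 2. Exclude the general user population.                           */
GRTOBJAUT OBJ(QSYS/RUNRMTCMD) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Allow only the designated group to run the command.            */
GRTOBJAUT OBJ(QSYS/RUNRMTCMD) OBJTYPE(*CMD) USER(HELPDESK) AUT(*USE)

/* 4. Confirm the result. Profiles with *ALLOBJ special authority    */
/*    can still run the command regardless of these settings.        */
DSPOBJAUT OBJ(QSYS/RUNRMTCMD) OBJTYPE(*CMD)
```

Server-side authority limits who can issue the command; the client-side settings described above still decide whether a given PC accepts it.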

For each combination of client software and connection type (such as TCP/IP or SNA), you need to review the potential for incoming commands on attached PCs. Consult the client documentation by searching for “incoming command” or “RUNRMTCMD”. Be prepared to advise your PC users and network administrators about the correct (secure) way to configure clients to permit or prevent this capability.