This topic describes the security risks and recommendations for
workstations.
You might want all users to be able to sign on at any available workstation
and perform all authorized functions. However, if you have workstations that
are either very public or very private, you might want to ensure that unauthorized
users do not access functions on those workstations.
Risks associated with workstations
- Using a workstation in a public location for unauthorized purposes
  - If people outside your company can easily access locations, they could
    potentially see confidential information. If a system user leaves a workstation
    signed on, someone from outside the company might be able to walk up and access
    confidential information.
- Using a workstation in a private location for unauthorized purposes
  - A workstation located in a private location gives an intruder the opportunity
    to spend long hours trying to circumvent your security without being observed.
- Using the playback function or a PC signon program on a display station
  to circumvent security measures
  - Many display stations have a record and playback function that allows
    users to store frequently used keystrokes and repeat them by pressing a single
    key. When you use a personal computer as a workstation on the system, you
    can write a program to automate the signon process. Because users frequently
    use the signon process, they might decide to store their user IDs and passwords,
    rather than typing them every time they sign on.
What to do to keep your workstation secure
You need to identify which workstations might pose a security risk. The
following information suggests ways to keep your workstation secure. Record
your choices on the Workstations and Printers section of the Physical
Security Planning worksheet. Also see Example: Physical security planning form—workstations and printers.
- Avoid placing workstations in very public or private locations.
- Remind users that recording a password in a display station or in a PC
program violates system security.
- Require users to sign off before leaving a workstation.
- Take measures, such as using the inactive timer system values (QINACTITV
and QINACTMSGQ), to prevent users from leaving workstations in public locations
without signing off the system.
- Restrict access to vulnerable workstations:
  - Permit only user profiles with limited function.
  - Prevent people with security officer or service authority from signing
    on at every workstation using the QLMTSECOFR system value.
  - Restrict users from signing on at more than one workstation at the same
    time using the QLMTDEVSSN system value.
- Restrict *CHANGE authority to printers and other devices.
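
The following CL commands are an added example, not part of the original topic, showing how the system values and device authorities named in the list above could be set for the devices in the planning form (DSP06, RMT12, PRT01). The 30-minute interval, the *DSCJOB action, and the profile names DOCKUSR and ACCTGRP are assumptions chosen for illustration.

```cl
/* Added example. Interval, action and the profile names DOCKUSR    */
/* and ACCTGRP are assumed values, not taken from the topic.        */

/* Inactive timer: after 30 minutes without activity, disconnect    */
/* the interactive job so the user must sign on again.              */
/* Both values are system-wide, not per workstation.                */
CHGSYSVAL SYSVAL(QINACTITV) VALUE('30')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE(*DSCJOB)

/* Users with *ALLOBJ or *SERVICE special authority can sign on     */
/* only at workstations to which they are explicitly authorized.    */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')

/* Limit each user to one device session at a time.                 */
CHGSYSVAL SYSVAL(QLMTDEVSSN) VALUE('1')

/* DSP06 (loading docks, too public): the profile used there gets   */
/* limited capabilities.                                            */
CHGUSRPRF USRPRF(DOCKUSR) LMTCPB(*YES)

/* RMT12 (remote sales office, too private): review who holds       */
/* explicit authority to the device, then remove the security       */
/* officer's so QLMTSECOFR keeps that profile off this workstation. */
DSPOBJAUT OBJ(RMT12) OBJTYPE(*DEVD)
RVKOBJAUT OBJ(RMT12) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL)

/* PRT01 (accounting office): exclude the public from the printer   */
/* device and give *CHANGE only to the accounting group.            */
GRTOBJAUT OBJ(PRT01) OBJTYPE(*DEVD) USER(*PUBLIC) AUT(*EXCLUDE) +
          REPLACE(*YES)
GRTOBJAUT OBJ(PRT01) OBJTYPE(*DEVD) USER(ACCTGRP) AUT(*CHANGE)

/* Confirm the resulting settings.                                  */
DSPSYSVAL SYSVAL(QINACTITV)
DSPSYSVAL SYSVAL(QLMTSECOFR)
DSPSYSVAL SYSVAL(QLMTDEVSSN)
```
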
Example: Physical security planning form—workstations and printers

Table 1. Physical security planning form: Workstations and printers

| Workstation or printer name | Its location or description | Security exposure | Protective measures to be taken |
|---|---|---|---|
| DSP06 | Loading docks | Too public | Automatic signoff. Limit functions that can be completed at the workstation. |
| RMT12 | Remote sales office | Too private | Do not let security officer sign on there. |
| PRT01 | Accounting office | Confidential information, such as price lists, could be seen. | Place printer in a locked room. Remind users to pick up confidential output within 30 minutes. |