Other Security Tips
These are a few general items that don't fall into any other specific security
category. These items are recommendations that affect operating practices, application
objects, and Webulator/400 operational characteristics.
- Change user passwords periodically

It is always a good security practice to change user passwords from time to time. The
QPWDEXPITV (password expiration interval) system value helps in the enforcement of
these periodic changes. Another common recommendation concerning the creation of
passwords is for them to contain a combination of characters and numbers (QPWDRQDDGT
system value).
- Specifically limit authority to key files and programs (no *PUBLIC *ALL)

Even without Internet access, users who sign on to your AS/400 only have access to the files,
programs, and data that you provide for them. Prudent object management allows each user
to have the authority that is appropriate for the completion of their job or function. This not
only applies to users who will access the AS/400 via Webulator/400, but also to the default
"*PUBLIC" user that provides authority to any user who signs on to the AS/400.
- Limit access to other computers on your LAN

The AS/400 has the capability to communicate with other computer systems using
SNA and TCP/IP protocols. As a result, Webulator/400 users with networking
commands available may have the capability to communicate with the other
systems on your LAN. Specifically, the STRPASTHR and TELNET commands give the
user the capability to log on to remote AS/400s in your network. If security on the
remote system is not configured to handle this unexpected access, that system may
be vulnerable to a security breach.
- Limit access to "Program/procedure", "Menu", and "Current library" on Sign On display

In some circumstances, the Program/procedure and Menu entry fields on the Sign On display
are an open invitation for users to experiment with what is available for execution on your
system. If you are planning to have "Signon screen" as your Webulator/400 sign on method,
you may wish to create a new QDSIGNON display file (the file used to show the AS/400 Sign
On display) that protects the Program/procedure, Menu, and Current library entry fields. More
information about changing the Sign On display can be found in the AS/400 Work
Management manual (SC41-3306).

Another aspect of this topic involves the "Allow signon overrides" element of the SIGNON
parameter of the CHGWBLCFG command. This element allows for the override of these
Signon screen parameters during Webulator/400 access. As a result, the discussion of
considerations for allowing signon override should also be reviewed.
- TERMTIME (CHGWBLCFG) must be less than QINACTITV

Since the AS/400 has the ability to detect and sign off (alternatively disconnect) terminal
jobs that have been inactive for a specific period of time, it is possible for a Webulator/400 user
to be presented with a Sign On display if the AS/400 inactivity timeout (system value
QINACTITV) expires before the Terminal Timeout (TERMTIME parameter on the CHGWBLCFG
command) value. There is also the possibility of a two (2) minute delay in the timing of the
Webulator Terminal timeout value. As a result, it is recommended that, if you practice an
inactivity timeout policy, the TERMTIME parameter be set to a value at least two (2) minutes
less than the QINACTITV system value.
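The timeout rule above, together with the password tips at the top of this page, as an added example that is not part of the original page or of Webulator/400: a small Python audit of the values involved. It assumes QINACTITV is *NONE or a number of minutes, QPWDEXPITV is *NOMAX or a number of days, QPWDRQDDGT is 0 or 1, and TERMTIME is expressed in minutes; the sample values are constructed.

```python
# Added example (not Webulator/400 or AS/400 code): a small audit that checks
# system values and the Webulator/400 TERMTIME setting against the tips above.
# Assumptions, not stated on the page: QINACTITV is *NONE or a number of
# minutes, QPWDEXPITV is *NOMAX or a number of days, QPWDRQDDGT is '0' or '1',
# and TERMTIME is given in minutes. All sample values below are constructed.

def _number(value):
    """Return an int for a numeric value, or None for *NONE / *NOMAX."""
    text = str(value).strip().upper()
    if text in ("*NONE", "*NOMAX"):
        return None
    return int(text)

def check_termtime(termtime, qinactitv, slack=2):
    """TERMTIME must be at least `slack` minutes below QINACTITV so that the
    Webulator timeout (which may fire up to two minutes late) wins the race
    against the AS/400 inactivity sign-off. Returns (ok, reason)."""
    limit = _number(qinactitv)
    term = _number(termtime)
    if limit is None:
        return True, "QINACTITV is *NONE; no inactivity timeout to race against"
    if term is None:  # assumption: a non-numeric TERMTIME means no limit
        return False, "TERMTIME has no limit but QINACTITV is %d minutes" % limit
    if term <= limit - slack:
        return True, "TERMTIME %d is at least %d minutes below QINACTITV %d" % (term, slack, limit)
    return False, "TERMTIME %d must be at most %d (QINACTITV %d minus %d)" % (term, limit - slack, limit, slack)

def audit(sysvals, termtime):
    """Return a list of findings; an empty list means every checked tip is met."""
    findings = []
    if _number(sysvals.get("QPWDEXPITV", "*NOMAX")) is None:
        findings.append("QPWDEXPITV is *NOMAX: passwords never expire")
    if str(sysvals.get("QPWDRQDDGT", "0")).strip() != "1":
        findings.append("QPWDRQDDGT is 0: passwords need not contain a digit")
    ok, reason = check_termtime(termtime, sysvals.get("QINACTITV", "*NONE"))
    if not ok:
        findings.append("TERMTIME/QINACTITV: " + reason)
    return findings

if __name__ == "__main__":
    # Constructed sample: a weak configuration, then a corrected one.
    weak = {"QPWDEXPITV": "*NOMAX", "QPWDRQDDGT": "0", "QINACTITV": "30"}
    fixed = {"QPWDEXPITV": "90", "QPWDRQDDGT": "1", "QINACTITV": "30"}
    for label, vals, term in (("weak", weak, 29), ("fixed", fixed, 28)):
        print(label, audit(vals, term) or ["no findings"])
```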
- Do not change the public authority for the Web Server/400 commands

Because the Web Server/400 commands can change the way Webulator/400 functions,
and also affect Internet access controls, it is not advisable to make them available to
users outside your organization. They are installed with public authority *NONE
and can be accessed only by individual users who have been granted specific authority.