A comprehensive audit should review the signon screen itself and the signon messages the system presents to a user before that user has authenticated, because both are visible to anyone who can reach a terminal session.
ISO 27002 (17799) 11.5.1 - Secure Log-On Procedures
Access to operating systems should be controlled by a secure log-on procedure.
The original Signon Screen supplied by IBM should be modified to prevent the input of Program/procedure, Menu, and Current library, so that a user cannot choose what runs at signon from the screen itself. The DDS source for display file QDSIGNON is shipped in file QGPL/QDDSSRC (member QDSIGNON) and can be copied and modified so that the above mentioned fields are either hidden (DSPATR(ND)) or not input capable (DSPATR(PR)); the field names and lengths must be kept, as the signon program expects them. Note that this is a screen-level control only: a profile with LMTCPB(*YES) already cannot override its initial program, menu, or current library at signon, while LMTCPB(*NO) profiles can, so the profile attribute should be audited as well.
An additional change that should be considered is a warning banner on the Signon Screen that identifies the system as proprietary and confidential and states that access requires authorization.
Sample language might resemble: This computer system contains proprietary and confidential property of XYZ Company, Inc. Permission to access must be explicitly authorized by XYZ.
After the modified QDSIGNON has been compiled into a site library, all interactive subsystems, save one, should be changed (CHGSBSD, parameter SGNDSPF) to use the new Signon screen; the change is picked up when the subsystem is next started. The exception is the controlling subsystem, QCTL (the subsystem named in system value QCTLSBSD). Leaving QCTL on the IBM-supplied QSYS/QDSIGNON protects against the eventuality that user profile QSECOFR is ever prevented from signing on because a site object is missing or the site display file fails: the factory-shipped defaults for subsystem QCTL and user profile QSECOFR will always allow QSECOFR to sign on at the console.
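The following is an added example of the procedure above as it would be typed at an IBM i command line; it is not from the original page or from IBM. Library SECLIB and the subsystems QINTER and QPGMR are assumptions; use the interactive subsystems actually configured on the system being audited, and leave the controlling subsystem (QCTL here) untouched.

```cl
/* Added example (not from the original page). SECLIB, QINTER and QPGMR */
/* are assumed names; substitute the site's own library and subsystems.  */

/* 1. Keep IBM's copy intact: work from a site copy of the DDS source.   */
CRTLIB     LIB(SECLIB) TEXT('Site security objects')
CRTSRCPF   FILE(SECLIB/QDDSSRC) RCDLEN(112)
CPYSRCF    FROMFILE(QGPL/QDDSSRC) TOFILE(SECLIB/QDDSSRC) +
             FROMMBR(QDSIGNON) TOMBR(QDSIGNON)

/* 2. Edit the copy: add DSPATR(PR) (protect) or DSPATR(ND) (hide) to    */
/*    the PROGRAM, MENU and CURLIB fields, keeping their names and        */
/*    lengths, and add the proprietary/confidential banner as a constant. */
STRSEU     SRCFILE(SECLIB/QDDSSRC) SRCMBR(QDSIGNON) TYPE(DSPF)

/* 3. Compile the hardened display file into the site library.            */
CRTDSPF    FILE(SECLIB/QDSIGNON) SRCFILE(SECLIB/QDDSSRC) +
             SRCMBR(QDSIGNON) TEXT('Hardened sign-on display')

/* 4. Point every interactive subsystem EXCEPT the controlling one at it. */
/*    QCTL keeps QSYS/QDSIGNON so QSECOFR can always sign on at console.  */
CHGSBSD    SBSD(QSYS/QINTER) SGNDSPF(SECLIB/QDSIGNON)
CHGSBSD    SBSD(QSYS/QPGMR)  SGNDSPF(SECLIB/QDSIGNON)

/* 5. The new file is used when the subsystem next starts; restart from   */
/*    the console outside working hours, since this ends user sessions.   */
ENDSBS     SBS(QINTER) OPTION(*IMMED)
STRSBS     SBSD(QSYS/QINTER)

/* 6. Audit check: confirm the assignment and that QCTL was not changed.  */
DSPSBSD    SBSD(QSYS/QINTER) OUTPUT(*PRINT)
DSPSBSD    SBSD(QSYS/QCTL)   OUTPUT(*PRINT)
```

Test the hardened screen from an ordinary terminal first, and only then from any remaining subsystems; if the site display file ever fails to compile or is deleted, users of the changed subsystems cannot sign on, which is exactly why QCTL is excluded.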
The AS/400 signon screen returns a different error message for each kind of failure, which gives a user numerous clues when a signon attempt fails. An unwelcome outsider can use these messages to learn whether a given user profile exists, whether it has a password, and which names are syntactically valid, and from that to infer your user naming conventions and standards (in modern terms, user enumeration). Some of these messages in message file QCPFMSG bear changing to thwart this possibility.
The following signon error messages should be modified* so that an outside attacker is given no clue as to why access is being refused:

CPF1107 - Password not correct for user profile.
CPF1118 - No password associated with user &1.
CPF1120 - User &1 does not exist.
CPF1133 - Value &1 is not a valid name.

*The recommended text for each of these messages is identical, so that a wrong password, an unknown user, a profile without a password, and a malformed name all produce the same response:

Logon refused. Not a valid user and password combination.
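The message change above, as an added example of the commands involved; this is not from the original page or from IBM. It assumes the replacement text quoted above and that the second-level text is removed as well, since that text can also name the failure.

```cl
/* Added example (not from the original page): neutralise the four     */
/* sign-on failure messages in QSYS/QCPFMSG. Record the IBM text first */
/* so the change can be reverted and re-verified after a release       */
/* upgrade, which can restore IBM-supplied message descriptions.       */
DSPMSGD    RANGE(CPF1107 CPF1133) MSGF(QSYS/QCPFMSG) DETAIL(*FULL) +
             OUTPUT(*PRINT)

/* Same first-level text for all four, and no second-level text, so the  */
/* response no longer distinguishes an unknown user from a bad password. */
/* The replacement text deliberately contains no &1 substitution, so the */
/* offending user name or value is never echoed back to the terminal.     */
CHGMSGD    MSGID(CPF1107) MSGF(QSYS/QCPFMSG) +
             MSG('Logon refused. Not a valid user and password combination.') +
             SECLVL(*NONE)
CHGMSGD    MSGID(CPF1118) MSGF(QSYS/QCPFMSG) +
             MSG('Logon refused. Not a valid user and password combination.') +
             SECLVL(*NONE)
CHGMSGD    MSGID(CPF1120) MSGF(QSYS/QCPFMSG) +
             MSG('Logon refused. Not a valid user and password combination.') +
             SECLVL(*NONE)
CHGMSGD    MSGID(CPF1133) MSGF(QSYS/QCPFMSG) +
             MSG('Logon refused. Not a valid user and password combination.') +
             SECLVL(*NONE)

/* Audit check: all four should now show the same text.                  */
DSPMSGD    RANGE(CPF1107 CPF1133) MSGF(QSYS/QCPFMSG) DETAIL(*BASIC)
```

The operator does not lose the detail: with QAUDLVL including *AUTFAIL, invalid-password and invalid-user attempts are still written to the audit journal as PW entries, and the signon failures still appear in the history log, so the real cause is available to the security officer while the terminal sees only the neutral text. Include a check of these four messages in the audit after every PTF or release install, since the IBM-supplied message file may be replaced.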