Other Security Tips
These are a few general items that don't fall into any other specific security
category. These items are recommendations that affect operating practices, application
objects, and Webulator/400 operational characteristics.
- Change user passwords periodically
It is always a good security practice to change user passwords from time to time. The
QPWDEXPITV (password expiration interval) system value helps in the enforcement of
these periodic changes. Another common recommendation concerning the creation of
passwords is for them to contain a combination of characters and numbers (QPWDRQDDGT
- Specifically limit authority to key files and programs (no *PUBLIC *ALL)
Even without Internet access, users that sign on to your AS/400 only have access to the files,
programs, and data that you provide for them. Prudent object management allows each user
to have the authority that is appropriate for the completion of their job or function. This not
only applies to users who will access the AS/400 via Webulator/400, but also to the default
"*PUBLIC" user that provides authority to any user who signs on to the AS/400.
- Limit access to other computers on your LAN
The AS/400 has the capability to communicate with other computer systems using
SNA and TCP/IP protocols. As a result Webulator/400 users, with networking
commands available, may have the capability to communicate with the other
systems on your LAN. Specifically the STRPASTHR and TELNET commands give the
user the capability to log on to remote AS/400s in your network. If security on the
remote system is not configured to handle this unexpected access, that system may
be vulnerable to a security breach.
- Limit access to "Program/procedure", "Menu", and "Current library" on Sign On display
In some circumstances, the Program/procedure and Menu entry fields on the Sign On display
are an open invitation for users to experiment with what is available for execution on your
system. If you are planning to have "Signon screen" as your Webulator/400 sign on method,
you may wish to create a new QDSIGNON display file (the file used to show the AS/400 Sign
On display) that protects the Program/procedure, Menu, and Current library entry fields. More
information about changing the Sign On display can be found in the AS/400 Work
Management manual (SC41-3306).
Another aspect of this topic involves the "Allow signon overrides" element of the SIGNON
parameter of the CHGWBLCFG command. This element
allows for the override of these Signon screen parameters during Webulator/400 access.
As a result, the discussion of considerations
for allowing signon override should also be reviewed.
- TERMTIME (CHGWBLCFG) must be less than QINACTITV
Since the AS/400 has the ability to detect and sign off (alternatively disconnect) terminal
jobs that have been inactive for a specific period of time, it is possible for a Webulator/400 user
to be presented with a Sign On display if the AS/400 inactivity timeout (system value
QINACTITV) expires before the Terminal Timeout (TERMTIME
parameter on the CHGWBLCFG command) value. There is
also the possibility of a two (2) minute delay in the timing of the Webulator Terminal timeout value.
As a result, it is recommended that, if you practice an inactivity timeout policy, the
TERMTIME parameter be set to a value at least two (2) minutes less than the QINACTITV
- Do not change the public authority for the Web Server/400 commands
Because the Web Server/400 commands can change the way Webulator/400 functions,
and also affects Internet access controls, it is not advisable to make them available to
users outside your organization. They are installed with public authority *NONE
and can be accessed by individual users with specific authority granted.