User Profile Considerations
The security of your system may be strengthened by making some changes to the
user profiles configured to run from the Webulator/400 product. Depending
upon your system's security requirements, these changes may apply system-wide.
- Specify "*NONE" for the ATNPGM user profile parameter
- The ATNPGM user profile parameter specifies the attention key
handling program for this user. The attention key handling program
is a program that is started when the attention key is pressed.
If not properly configured, this program may allow the user to get
outside the realm of the initial sign on program specified for the user.
If *SYSVAL is specified for this parameter, the attention key handling
program set up for all users on the system will be available to the
user running through Webulator/400. By specifying *NONE for this
parameter using the CHGUSRPRF command, the attention key is disabled
for this user. Another way to disable this function is within the
Webulator/400 button configuration. However,
by doing it through the user profile you are disabling the attention
key for the user no matter which URL the user obtains access through.
- Revoke authority to SYSREQ (QSYS/QGMNSYSR)
- If the user has the ability to invoke the system request (SYSREQ)
menu, they have the ability to carry out requests that, from a security
point of view, you may not want them to do. For example,
they would be able to sign off which would present them with a sign on
screen. If you have configured this user profile name to be an auto
sign on URL then you may not want the user to be able to get to a sign
on screen, allowing them to guess at user IDs and passwords. They
would also have the ability to view the system operator's messages, or send
messages to other users on the system (which, if nothing else, may be an
annoyance). To revoke the authority to the system request menu, change
the authority on the QSYS/QGMNSYSR object.
- Set the limit capabilities (LMTCPB) user profile parameter
- The user profile's limit capabilities parameter allows or disallows
the user's ability to enter commands and change the initial menu,
initial program, or current library during sign on. There are three
different values the LMTCPB can be set to: *NO, *PARTIAL, or *YES.
*YES is the most limiting and *NO is not at all limiting.
- Set the password expiration interval in the user profile to *NOMAX
- When setting password expiration times, you should keep in mind
that the AS/400 allows the user to change their password when the
expiration time is drawing near (7 days before expiration). For
Webulator/400 users who will be using automatic sign on or user
authentication sign on, it is best to handle password expiration in one of
the following ways:
- Set the password for the user profile of the user to never expire.
This can be done using the PWDEXPITV(*NOMAX) parameter on the
CHGUSRPRF or CRTUSRPRF commands.
- Manually change the password for the user prior to the
expiration time warning period.
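
The four settings above applied to one profile, as an added CL example that is not part of the Webulator/400 documentation. The program name HARDENWEB and the choice of LMTCPB(*YES) are assumptions, and the object type *PNLGRP for QSYS/QGMNSYSR and the use of AUT(*EXCLUDE) are not stated on this page. It is assumed to be run by a security officer with *SECADM special authority.

```cl
/* HARDENWEB (hypothetical name): added example, not vendor code.     */
/* Call with the profile used for Webulator/400 sign on, for example  */
/*   CALL PGM(HARDENWEB) PARM('WEBUSER')   (WEBUSER is a placeholder) */
             PGM        PARM(&USER)
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)

/* One profile change covers three of the items above:                */
/*   ATNPGM(*NONE)     attention key disabled for every URL           */
/*   LMTCPB(*YES)      most limiting value (assumed choice)           */
/*   PWDEXPITV(*NOMAX) password never expires                         */
             CHGUSRPRF  USRPRF(&USER) ATNPGM(*NONE) LMTCPB(*YES) +
                          PWDEXPITV(*NOMAX)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSG('CHGUSRPRF failed for ' *CAT &USER)
                RETURN
             ENDDO

/* Deny this profile the system request menu. Removing only a private */
/* authority would leave the user with whatever *PUBLIC has, so an    */
/* explicit *EXCLUDE entry is granted to the profile instead.         */
             GRTOBJAUT  OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) +
                          USER(&USER) AUT(*EXCLUDE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSG('Authority change on QGMNSYSR failed for ' +
                          *CAT &USER)
                RETURN
             ENDDO

/* Print the resulting settings so they can be reviewed and filed.    */
             DSPUSRPRF  USRPRF(&USER) OUTPUT(*PRINT)
             DSPOBJAUT  OBJ(QSYS/QGMNSYSR) OBJTYPE(*PNLGRP) +
                          OUTPUT(*PRINT)

             ENDPGM
```

In the printed output, confirm that the profile shows *NONE for the attention program, the chosen limit capabilities value, and *NOMAX for the password expiration interval, and that the authority listing for QGMNSYSR shows *EXCLUDE for the profile.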