Where allowed to run: All environments (*ALL)
Threadsafe: No

The Analyze Default Passwords (ANZDFTPWD) command allows you to print a report of all the user profiles on the system that have a default password and to take an action against the profiles. A profile has a default password when the profile's password matches the user profile name. When the system is operating at password level 2 or 3, both the uppercase and lowercase values of the user profile name are checked. However, mixed-case values of the user profile name will not be checked. For example, if the user profile JAMES has a password of 'JAMES' or 'james', it will be detected as having a default password; passwords of 'JaMeS' or 'James' will not be detected as default passwords.

Restriction: You must have *ALLOBJ and *SECADM special authorities to use this command.

The format of the report depends on what action is taken against the profiles. When no action is taken, each entry contains the user profile name, the user profile's status (STATUS), whether the profile's password is expired (PWDEXP), and the text description associated with the profile (TEXT). When an action is taken against the profiles, each entry also contains the user profile's STATUS and PWDEXP values after the profile has been changed.

The list of user profiles with default passwords is also put in the system file QASECPWD in library QUSRSYS. Each entry contains the user profile name, the user profile STATUS and PWDEXP values before and after the profile is changed, and the user profile TEXT value. If no action was requested, the second set of STATUS and PWDEXP values is blank.
Parameters
Keyword   Description                     Choices                                                                  Notes
ACTION    Action taken against profiles   Single values: *NONE                                                     Optional
                                          Other values (up to 2 repetitions): *DISABLE, *PWDEXP
Action taken against profiles (ACTION)

The action to be taken against the user profiles that have a default password. The possible values are:

*NONE     No action is taken against profiles with a default password.
*DISABLE  The user profile STATUS field is set to *DISABLED.
*PWDEXP   The user profile PWDEXP field is set to *YES.
Examples

ANZDFTPWD ACTION(*DISABLE *PWDEXP)

This command analyzes all user profiles on the system. Any user profiles on the system that have a default password will be disabled and their passwords will be set to expired.

Error messages

*ESCAPE Messages
CPFB301  Cannot open file &2 in library &3.
CPFB302  Not authorized to check for default passwords.
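The detection rule in the command description (name equals password; at password level 2 or 3 the uppercase and lowercase forms of the name are both checked, mixed-case forms are not) is small enough to model directly. The following Python is an added example, not IBM code: it takes a candidate cleartext password only so the rule can be exercised offline, since on the system itself only ANZDFTPWD compares against the stored passwords. The handling of password levels 0 and 1 (passwords folded to uppercase before storage) and the stricter case-insensitive local rule are this example's own assumptions, not statements from the command reference.

```python
"""Model of the ANZDFTPWD default-password rule (added example, not IBM code)."""


def checked_values(profile, pwdlvl):
    """Password values ANZDFTPWD compares against the profile's password.

    Per the command description: at QPWDLVL 2 or 3 both the uppercase and the
    lowercase form of the profile name are checked, but no mixed-case form.
    Levels 0 and 1 checking only the uppercase name is this example's assumption.
    """
    name = profile.strip().upper()
    if pwdlvl in (0, 1):
        return frozenset({name})
    if pwdlvl in (2, 3):
        return frozenset({name, name.lower()})
    raise ValueError(f"unsupported QPWDLVL value: {pwdlvl}")


def anzdftpwd_flags(profile, password, pwdlvl):
    """True if ANZDFTPWD would report this profile as having a default password."""
    if pwdlvl in (0, 1):
        # Assumption: at levels 0/1 passwords are stored uppercase, so every
        # case variant of the name collapses to the name itself.
        password = password.upper()
    return password in checked_values(profile, pwdlvl)


def caseless_flags(profile, password):
    """Stricter local rule (assumption): any case variant of the name counts."""
    return password.casefold() == profile.strip().casefold()


def audit(entries, pwdlvl):
    """Classify (profile, password) pairs as reported by ANZDFTPWD, missed by
    it but caught by the caseless rule, or clean."""
    result = {"reported": [], "missed": [], "clean": []}
    for profile, password in entries:
        if anzdftpwd_flags(profile, password, pwdlvl):
            result["reported"].append((profile, password))
        elif caseless_flags(profile, password):
            result["missed"].append((profile, password))
        else:
            result["clean"].append((profile, password))
    return result


# Constructed sample mirroring the JAMES example in the command description.
SAMPLE = [
    ("JAMES", "JAMES"),
    ("JAMES", "james"),
    ("JAMES", "JaMeS"),
    ("JAMES", "James"),
    ("JAMES", "Wint3r!pass"),
]

if __name__ == "__main__":
    for lvl in (1, 2):
        print(f"QPWDLVL {lvl}: {audit(SAMPLE, lvl)}")
```

At level 2 the two mixed-case variants land in "missed": ANZDFTPWD does not report them, which is why a shop that wants to close that gap needs its own check alongside the command.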
Using *NONE for the ACTION merely produces the default-passwords report; it performs no action against the offending profiles. System and political situations may require you to take action manually rather than automatically when dealing with default-password users, so IBM lets you run ANZDFTPWD in reporting mode only. A prudent plan is to produce this report automatically every week by adding a scheduled entry to the OS/400 job scheduler (through the Management Central function of OpsNav, or through the green-screen Work with Job Schedule Entries, WRKJOBSCDE, command).

If you want to change user profiles with default passwords automatically, run ANZDFTPWD with ACTION set to either *DISABLE or *PWDEXP. You would use the *DISABLE setting as follows:

ANZDFTPWD ACTION(*DISABLE)

OS/400 will disable every default-password user from signing on to your system, and these users will have to come to your department to be re-activated. This is drastic action, so run the command in report mode first to make sure you don't accidentally disable a high-ranking figure's user profile, such as your company president's, without giving that person a warning. In security terms, though, it tightly closes every default-password hole on your system.

A less drastic way of dealing with these passwords is to expire them by setting ACTION to *PWDEXP. With an expired password, the next time a default-password user signs on, OS/400 forces that user to change the password before the sign-on completes. This is a nice way to handle the situation because it lets the user, not the system administrator, straighten out the password without any technical assistance. The downside is that if a hacker discovers a default-password profile first, he can simply change the password himself and keep whatever access that profile has.
The important thing to remember is that expiring a password limits your exposure to hackers; it doesn't eliminate it. Regularly running ANZDFTPWD on your system is good policy. And don't think that you can ignore default passwords if your AS/400 isn't attached to the Internet. Internal users are just as capable of committing mischief with someone else's ID as an outside hacker is. A disgruntled user could easily damage your data if you're not vigilant. So if you're responsible for OS/400 security, it's a good idea to get comfortable with ANZDFTPWD and check for default passwords often.
the next issue of Four Hundred Guru). So there is a secondary source of default passwords on your system that you need to watch out for. In i5/OS, it takes two steps to solve the default password security issue. First, you need to detect and change (or disable) any existing default passwords on your system to eliminate the risk of hacking, which is the subject of this week's article. You may also want to set up an auditing technique to find new default passwords as they occur. Second, you need to look at your system settings and modify them to prevent additional default passwords from being generated, which will be covered next week.
This information is also stored in the QASECPWD file in library QUSRSYS, so if you run ANZDFTPWD as a scheduled job you can write a program that reads QASECPWD and processes it according to your shop's needs. Once you have the report, you can decide what to do with your default-password users. ANZDFTPWD provides two options for dealing with them: disable every user profile that has a default password (STATUS set to *DISABLED), or mark every such profile's password as expired (PWDEXP set to *YES), which forces those users to change their passwords the next time they sign on to the system.
To disable all system users with default passwords, run the ANZDFTPWD command this way:

ANZDFTPWD ACTION(*DISABLE)

To expire all default passwords on your system, run ANZDFTPWD this way:

ANZDFTPWD ACTION(*PWDEXP)

However, a word of caution is in order here. I highly recommend that you first review the "User profiles with default passwords" report or the QASECPWD file before taking either of these actions. There may be specific reasons some users have default passwords (I'm not advocating their use, but sometimes people are allowed this capability), and disabling several user profiles at once may cause a major shock to your users and help desk. Both ACTION values apply to every profile in the report; the command offers no way to exclude individual profiles, so prudence is called for, and you may need to work with each user manually to decide how to resolve the problem.
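Because ACTION(*DISABLE) and ACTION(*PWDEXP) act on every reported profile, the per-profile handling the text recommends is most easily done by running the command with ACTION(*NONE) and working from QASECPWD. The following Python is an added example, not IBM's or the article author's code. It assumes the QASECPWD file has been exported to CSV with a header row (for instance with CPYTOIMPF); the column names, the shop policy lists and the sample rows are all constructed for the example, chosen to match the fields the command reference says each entry carries (profile name, STATUS and PWDEXP before and after, TEXT). It emits CHGUSRPRF commands for review rather than executing anything.

```python
"""Triage of an exported ANZDFTPWD result file (added example, not IBM code)."""
import csv
import io

# Constructed sample export of QASECPWD; column names are this example's own.
# STATUS_AFTER/PWDEXP_AFTER are blank because the run used ACTION(*NONE).
SAMPLE_EXPORT = """\
USRPRF,STATUS_BEFORE,PWDEXP_BEFORE,STATUS_AFTER,PWDEXP_AFTER,TEXT
JAMES,*ENABLED,*NO,,,James - Accounting
QSECOFR,*ENABLED,*NO,,,Security officer
BATCHSVC,*ENABLED,*NO,,,Nightly batch service profile
PRESIDENT,*ENABLED,*NO,,,Company president
OLDUSER,*DISABLED,*YES,,,Left the company
"""

# Assumed shop policy: profiles handled by hand, and profiles that never sign
# on interactively and so could not change an expired password themselves.
MANUAL_REVIEW = {"QSECOFR", "PRESIDENT"}
NON_INTERACTIVE = {"BATCHSVC"}


def plan_actions(export_text, manual_review=MANUAL_REVIEW,
                 non_interactive=NON_INTERACTIVE):
    """Map each reported profile to (decision, CL command or None)."""
    plan = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        prf = row["USRPRF"].strip().upper()
        if prf in manual_review:
            plan[prf] = ("MANUAL", None)
        elif row["STATUS_BEFORE"].strip() == "*DISABLED":
            # Already disabled; the default password remains, but nothing to
            # change until the profile is needed again.
            plan[prf] = ("ALREADY_DISABLED", None)
        elif prf in non_interactive:
            # Expiring would only break the batch job; disable and fix offline.
            plan[prf] = ("DISABLE", f"CHGUSRPRF USRPRF({prf}) STATUS(*DISABLED)")
        else:
            # Let the user fix it at the next sign-on.
            plan[prf] = ("EXPIRE", f"CHGUSRPRF USRPRF({prf}) PWDEXP(*YES)")
    return plan


def render_cl(plan):
    """CL source lines: one command per automated decision, manual items as comments."""
    lines = []
    for prf, (decision, cmd) in sorted(plan.items()):
        if cmd:
            lines.append(cmd)
        else:
            lines.append(f"/* {prf}: {decision}, handle by hand */")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cl(plan_actions(SAMPLE_EXPORT)))
```

Review the generated source before running it, in the same spirit as reviewing the report before ACTION(*DISABLE); the two policy sets are the place where a shop records the exceptions it has decided to tolerate or handle manually.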