Guidance from the SANS Institute on setting System i system values.

The purpose of this document is to assist anyone configuring or auditing iSeries and System i (formerly known as AS/400) system values. This document should only serve as an informational guide and represents a security consultant's opinion on what the "Best Practice" setting should be in a typical corporate environment. Appropriate system value settings for the reader's environment may differ due to varying circumstances.

This paper begins with a brief introduction of the iSeries platform. Next, a high level overview of how an iSeries machine functions is given, which leads into specifically discussing the system values.

Fifteen of the most important system values have been chosen and are analyzed in the body of this paper.

Although system values from all areas of the iSeries platform are analyzed, the emphasis is on system values related to iSeries security. Each system value entry contains a description of what that value controls and an explanation of each option associated with it. Finally, a Best Practice setting is suggested, together with the reasoning behind the suggestion.

The IBM AS/400 (short for Application System/400) is a line of minicomputers introduced in 1988 that remains a popular choice among IT professionals and a wide range of companies. The AS/400 line has since been renamed the iSeries (and, later, System i). All iSeries models run on a 64-bit IBM/Motorola PowerPC RISC (Reduced Instruction Set Computer) processor specifically optimized for the OS/400 operating system. The iSeries is IBM's midrange series of computer systems, used primarily for business applications, most of which are written in RPG III and RPG IV. Some 25,000 applications and 3,000 client/server applications run on iSeries machines. The iSeries serves in a variety of networking configurations: as a host or intermediate node to other AS/400s and System/3x machines, as a remote system in mainframe-controlled networks, and as a network server to PCs. It is capable of supporting up to sixteen local area networks, each with hundreds of clients.

On the iSeries, all user and system data structures are held in objects (files, folders, libraries, menus, programs, user profiles, etc.). Objects can be examined or manipulated only through their defined interfaces; access control on the iSeries is therefore object-level security. The iSeries comes with four major operating system components: Integrated Communications, Integrated Database, Integrated Work Management, and Integrated Security. The functions within the Integrated Security component protect all objects and data from unauthorized access. The iSeries also provides a set of system-wide settings known as system values, which control the operation of the system. System values are part of the operating system and cannot be created by a user; however, most can be changed to customize the system to your requirements. Some system values are used as default parameters in many commands and object descriptions, while others control the operation of particular parts of the operating system.
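As an added illustration of how system values are read and changed from CL (this is example code written for this edit, not code from the SANS paper or from IBM): the program below retrieves the QSECURITY system value with RTVSYSVAL, compares it with a site baseline, and raises it with CHGSYSVAL if it is lower. QSECURITY, RTVSYSVAL, CHGSYSVAL, MONMSG and the CPF9898 general-purpose message are real OS/400 facilities; the baseline of 40, the program name CHKSECLVL and the message texts are assumptions chosen for illustration.

```cl
/* Added example (not from the SANS paper): CHKSECLVL, a CL program that  */
/* reads QSECURITY, compares it with an assumed baseline of 40, and       */
/* changes it if it is lower. Program name, baseline and message texts   */
/* are illustrative assumptions.                                          */

             PGM
             DCL        VAR(&SECLVL) TYPE(*CHAR) LEN(2)
             DCL        VAR(&TARGET) TYPE(*CHAR) LEN(2) VALUE('40')
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(80)

             /* RTVSYSVAL copies the current setting into a CL variable, */
             /* so a program can make decisions on it.                   */
             RTVSYSVAL  SYSVAL(QSECURITY) RTNVAR(&SECLVL)

             IF         COND(&SECLVL *LT &TARGET) THEN(DO)
                CHGVAR     VAR(&MSG) VALUE('QSECURITY is ' *CAT &SECLVL +
                           *CAT ', below baseline ' *CAT &TARGET)
                SNDPGMMSG  MSG(&MSG)

                /* Changing a security system value requires *ALLOBJ and  */
                /* *SECADM special authority, and a new QSECURITY level   */
                /* takes effect only at the next IPL. MONMSG catches a    */
                /* failed change (for example, insufficient authority or  */
                /* security system values locked in SST).                 */
                CHGSYSVAL  SYSVAL(QSECURITY) VALUE(&TARGET)
                MONMSG     MSGID(CPF0000) EXEC(DO)
                   CHGVAR     VAR(&MSG) VALUE('CHGSYSVAL QSECURITY failed; +
                              check special authorities and SST lock')
                   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&MSG) +
                              MSGTYPE(*ESCAPE)
                ENDDO
             ENDDO
             ELSE       CMD(DO)
                CHGVAR     VAR(&MSG) VALUE('QSECURITY is ' *CAT &SECLVL +
                           *CAT ', at or above baseline')
                SNDPGMMSG  MSG(&MSG)
             ENDDO
             ENDPGM
```

For an interactive check rather than a program, DSPSYSVAL SYSVAL(QSECURITY) displays a single value and WRKSYSVAL SYSVAL(*SEC) lists the security-related system values with their current settings. When auditing, read values with RTVSYSVAL or DSPSYSVAL and leave the CHGSYSVAL step to a change-controlled process, since several security system values (QSECURITY among them) only take effect after an IPL.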