Very early edition of the AS/400 Internet Security FAQ.
This information comes from many, many sources.
None of this knowledge is unique to AcmeNews.com LLC.
I claim no copyright on this document.

Chapters;

1         AS/400 User profiles to secure
 1a          Default profiles
 1b          Default DST accounts
 1c          Default passwords
2         SMTP Settings
 2a          Protect from relaying
3         HTTP Server
 3a          Viewing JSP source


Chapter 1  USER PROFILES
------------

 ISSUE 1 - Default Profiles

The following profiles need to be secured:
QSECOFR
QSYSOPR
SYSOP
*ADMIN

Set the IBM-supplied profiles below to PASSWORD(*NONE).  Your system should
be running at security level (the QSECURITY system value) 40 or 50.
PGM
/* IBM-supplied profiles that should never be used for an interactive   */
/* sign-on: remove the password.  QSECOFR is deliberately NOT in this    */
/* list; it must keep a (strong) password.                               */
/* A profile whose product is not installed does not exist on the box;   */
/* CPF2204 (user profile not found) is ignored so the rest still run.    */
             MONMSG     MSGID(CPF2204)
             CHGUSRPRF  USRPRF(QPGMR)     PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QUSER)     PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QSRV)      PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QSRVBAS)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QBRMS)     PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QEJB)      PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QFIREWALL) PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QIJS)      PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QNETSPLF)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QNFSANON)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QNOTES)    PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QPM400)    PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QPRJOWN)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QQSNAP)    PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QRJE)      PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QSVCDRCTR) PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTIVOLI)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTIVROOT)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTIVUSER)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTMHHTP1)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTMHHTTP)  PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTMPLPD)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QTMTWSG)   PASSWORD(*NONE)
             CHGUSRPRF  USRPRF(QUMB)      PASSWORD(*NONE)
ENDPGM
Setting PASSWORD(*NONE) prevents anyone from signing on as these users.
It also stops an attacker from disabling them: with a password present,
repeated bad sign-on attempts can trip the QMAXSIGN / QMAXSGNACN system
values and disable the profile, which brings down the services that run
under it, such as HTTP, APPC, etc.  With no password there is nothing to
guess, so the profile cannot be locked out that way.

 Issue 2 - Default DST Accounts

IBM supplies the following DST profiles on every iSeries that is
shipped:
QSECOFR
QSRV
22222222
11111111

You will need to go into DST and change these passwords.  These are NOT the
same users that you see when you do WRKUSRPRF; they are completely separate
service tools profiles with their own passwords.

Changing user IDs and passwords for Dedicated Service Tools users

After you create a user profile for the security officer, you need to change the Dedicated Service Tools (DST) profiles. IBM provides three profiles for performing service on your system using DST (the basic, full and security capability user IDs) and ships them with standard user IDs and passwords. IBM ships both the DST security capability user ID and password and the QSECOFR user profile password with the value QSECOFR. These are two different passwords: you changed the QSECOFR user profile password the first time you signed on to the system, and you must now change the password for the DST security capability user ID as well. Changing these passwords is important for the security of your system.

To change the DST user IDs and passwords, use either the Manual IPL Procedure or the Manual Mode Procedure below.

Manual IPL Procedure

This procedure requires you to IPL the AS/400 to change the user ID and password.

Put the keylock switch or the keystick in the Manual position.

From the SETUP menu, select the Power on and off tasks option.

Select the Power off the system immediately and then power on option and press Enter. The system does an attended IPL.

Your display goes blank for several minutes. When the system displays the IPL or Install the System menu, select option 3 (Use Dedicated Service Tools).



+--------------------------------------------------------------------------------+
|                          IPL or Install the System                             |
|                                                                                |
|Select one of the following:                                                    |
|                                                                                |
|           1. Perform an IPL                                                    |
|           2. Install the operating system                                      |
|           3. Use Dedicated Service Tools                                       |
|           4. Perform automatic install of the operating system                 |
|           5. Save Licensed Internal Code                                       |
|                                                                                |
+--------------------------------------------------------------------------------+
 


Type the DST security capability user ID and password on the DST Sign On display. IBM ships your system with user ID and password values of QSECOFR.

Select options only in the specified sequence. The system requires this sequence to successfully reset the passwords.

  Menu or display name              Select this option
  --------------------------------  ---------------------------------------------------
  Use DST menu                      5  (Work with DST environment)
  Work with DST Environment menu    11 (Change DST User Profiles)
  Change DST User Profiles          1  (Change the DST basic capability user profiles)
  Change DST User Profiles          2  (Change the DST full capability user profiles)
  Change DST User Profiles          3  (Change the DST security capability user profiles)

Type the new user ID or password in the User or Password field. If the user ID or password is changed, you will see a screen that requests confirmation. Type the new user ID or password again on this screen for verification. 



+--------------------------------------------------------------------------------+
|                    Change DST xxxxx Capability User Profile                    |
|                                                                                |
|Type choices, press Enter.                                                      |
|                                                                                |
| xxxxx capability                                                               |
|                                                                                |
|   User . . . . . . . . . . . . . . . . . . . .  ________                       |
|                                                                                |
|   Password . . . . . . . . . . . . . . . . . .  ________                       |
|                                                                                |
+--------------------------------------------------------------------------------+
 


Write down the user IDs and passwords and keep them in a safe place with the password for the QSECOFR profile. 
Manual Mode Procedure

The following procedure does not require you to IPL the AS/400 to change the password, so you can use it in production environments.

Put the system in manual mode.

Select function 21 on the control panel (the Function/Data display) and press Enter. This forces the DST Sign On display to the system console.

Sign on at the DST Sign On display on the system console and change the user IDs and passwords with the same menu options as in the Manual IPL Procedure. You can do this while the system is operational.

Attention 

If you lose or forget both the QSECOFR and the DST security capability passwords, you may need to install your operating system again to recover them. Contact your service provider for assistance. The topic Recovering a lost DST or QSECOFR password tells how to recover one of these passwords if you know the other. 
You must provide the DST basic capability password whenever your system needs service. No one can service your system without this password. 

 Issue 3 - Default Passwords

 ANZDFTPWD

 Run this command.  It generates spooled output listing every user profile
 whose password is the same as its user ID.  Change each listed profile to
 STATUS(*DISABLED), set its password to expired, or change the password.
 ANZDFTPWD can do the first two for you: ANZDFTPWD ACTION(*DISABLE)
 disables the profiles it finds, ANZDFTPWD ACTION(*PWDEXP) sets their
 passwords to expired, and ACTION(*NONE), the default, only reports.
 Do not leave default passwords in place; they are the first thing an
 attacker will try.


Chapter 2  SMTP SETTINGS
----------------------------------------------------
A.  Protect from Relaying.
    From WRKDIRE (the system distribution directory), make sure you do not
    have an entry with user ID and address *ANY *ANY.  If you have this,
    SMTP will accept mail for any destination and relay it from your
    system.  If you do not, relaying is denied.
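As an added example that is not part of the original FAQ, the following Python script checks from the outside whether a mail server relays, which is what the *ANY *ANY entry permits. It speaks the SMTP dialog itself so you can see exactly what an open-relay scanner does: an outside sender and an outside recipient, and a 250 on RCPT TO means the server would carry the mail. It never issues DATA, so nothing is actually relayed during the test. The hostnames, addresses and the scripted server replies are constructed placeholders, not real systems.

```python
"""Open-relay probe for an SMTP server (added example, not from the FAQ).

The scripted server below is a stand-in so the probe runs offline; use
probe_host() against a real system you are responsible for.
"""
import socket


def read_reply(readline):
    """Read one SMTP reply, including multi-line '250-...' continuations,
    and return (numeric code, full reply text)."""
    lines = []
    while True:
        line = readline()
        if not line:
            raise ConnectionError("server closed the connection")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # last line: space after code
            break
    return int(lines[-1][:3]), "\n".join(lines)


def check_open_relay(readline, write, helo="probe.example.net",
                     mail_from="outsider@example.org",
                     rcpt_to="someone@example.com"):
    """Drive the dialog over any (readline, write) pair.  Returns True when
    the server accepts a recipient it does not deliver for, i.e. it relays.
    Sender and recipient must both be foreign to the server under test."""
    code, text = read_reply(readline)               # 220 greeting
    if code != 220:
        raise RuntimeError("unexpected banner: " + text)
    relays = False
    try:
        write("HELO %s\r\n" % helo)
        code, text = read_reply(readline)
        if code != 250:
            raise RuntimeError("HELO rejected: " + text)
        write("MAIL FROM:<%s>\r\n" % mail_from)
        code, text = read_reply(readline)
        if code == 250:
            write("RCPT TO:<%s>\r\n" % rcpt_to)
            code, text = read_reply(readline)
            relays = code in (250, 251)             # 550/551 = relaying denied
        write("RSET\r\n")                           # drop the envelope; never DATA
        read_reply(readline)
    finally:
        write("QUIT\r\n")
    return relays


class ScriptedServer:
    """Constructed stand-in for a mail server: each command verb gets a
    canned reply.  Not a real AS/400 SMTP implementation."""

    def __init__(self, replies):
        self.replies = replies
        self.pending = ["220 as400.example.com ESMTP ready"]   # greeting

    def readline(self):
        return (self.pending.pop(0) + "\r\n") if self.pending else ""

    def write(self, data):
        verb = data.split(":")[0].split()[0].upper()   # "MAIL FROM:<..>" -> "MAIL"
        self.pending.append(self.replies.get(verb, "500 command not recognized"))


# Replies of a host that accepts any recipient (the *ANY *ANY situation) ...
OPEN_RELAY_REPLIES = {"HELO": "250 as400.example.com", "MAIL": "250 OK",
                      "RCPT": "250 OK", "RSET": "250 OK", "QUIT": "221 closing"}
# ... and of a host that refuses recipients it does not deliver for.
RELAY_DENIED_REPLIES = dict(OPEN_RELAY_REPLIES, RCPT="550 5.7.1 Relaying denied")


def probe_scripted(replies):
    srv = ScriptedServer(replies)
    return check_open_relay(srv.readline, srv.write)


def probe_host(host, port=25, timeout=15):
    """The same check over a real TCP connection (only against your own hosts)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("r", encoding="ascii", errors="replace", newline="")
        return check_open_relay(rd.readline, lambda d: s.sendall(d.encode("ascii")))


if __name__ == "__main__":
    print("open relay:  ", probe_scripted(OPEN_RELAY_REPLIES))     # True
    print("relay denied:", probe_scripted(RELAY_DENIED_REPLIES))   # False
```

Run probe_host("your.as400.host") from a machine outside your network, because some servers only relay for connections from their own subnet. A server that accepts RCPT TO but rejects the message later at DATA would look open to this probe, so confirm a positive result against the SMTP job logs before acting on it.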

Chapter 3  HTTP SERVER
----------------------------------------------------
 Issue 1 - viewing JSP source

 Depending on how the HTTP server and the servlet engine are configured,
 HTML and/or JSP source can be viewed at the browser.

 HTTP Server: there are configuration settings that cause JSP source to be
 displayed in the browser, such as placing JSPs in the document root of the
 HTTP server, where they are served as static files instead of being passed
 to the servlet engine.  For HTML pages, if you use a Pass directive that
 allows all file types to be served
 (e.g. Pass /MYsamples/* /QIBM/UserData/MyHtml/*) then the HTML source can
 be seen.  If the directive is qualified by file type
 (e.g. Pass /MYsamples/*.html /QIBM/UserData/MyHtml/*) you prevent a
 request ending with '/' (or any other name that does not match the
 pattern) from being serviced.

 Servlet Engine:
 Which servlet engine/JSP processor is in use matters.  With WebSphere, if
 you have a file serving servlet in your web application, it will service a
 request for
 http://www.foo.com/getsource.jsp/
 and hand back the raw file.  As with the Pass example above, if you limit
 the requests served by the simple file servlet by file type, you prevent
 the source from being displayed.  To do so:
 1.  Select the simple file servlet for the web app.
 2.  Modify the URI in the servlet web path list.
      a) Start with the existing URI.  It may look something like
         default_host/webapp/myapp/
      b) Change it to something like default_host/webapp/myapp/*.html
 3.  Continue adding URIs for other file types (*.gif, etc.).
 4.  Click Apply.
 5.  Restart the web application.
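As an added example that comes neither from the FAQ nor from IBM, here is a Python probe that exercises the trailing-slash request described above and checks whether what comes back is unprocessed JSP rather than the rendered page. The two fetch functions standing in for the web application before and after the URI change, the JSP text with a hard-coded password in it, and www.foo.com are all constructed for illustration; fetch_http is the same check against a real server.

```python
"""Probe for JSP source disclosure via a trailing '/' (added example)."""
import urllib.error
import urllib.request

# Tokens that only appear in unprocessed JSP, never in the HTML it renders.
JSP_MARKERS = ("<%@", "<%=", "<%", "<jsp:")


def looks_like_jsp_source(body):
    """True if the body still contains JSP directives or scriptlets, i.e. the
    file was served raw instead of being compiled and executed."""
    return any(marker in body for marker in JSP_MARKERS)


def probe_source_disclosure(fetch, url):
    """Fetch the page as written and again with a trailing '/'.  fetch(url)
    must return (status, body).  Reports whether the second form leaks source."""
    status_plain, body_plain = fetch(url)
    status_slash, body_slash = fetch(url + "/")
    return {
        "rendered_normally": status_plain == 200 and not looks_like_jsp_source(body_plain),
        "source_leaked": status_slash == 200 and looks_like_jsp_source(body_slash),
        "slash_status": status_slash,
    }


# Constructed responses standing in for a web application (not real output).
CONSTRUCTED_JSP = ('<%@ page import="java.sql.*" %>\n'
                   '<% String dbPassword = "hunter2"; %>\n'
                   '<html><body>Report</body></html>\n')
RENDERED_HTML = "<html><body>Report</body></html>\n"


def fetch_vulnerable(url):
    """File serving servlet mapped to default_host/webapp/myapp/ serves anything
    under it, so 'getsource.jsp/' is handed back as a plain file."""
    if url.endswith("/"):
        return 200, CONSTRUCTED_JSP
    return 200, RENDERED_HTML


def fetch_fixed(url):
    """File serving servlet limited to default_host/webapp/myapp/*.html: the
    trailing-slash URI matches nothing, so the container refuses it."""
    if url.endswith("/"):
        return 404, "Not Found"
    return 200, RENDERED_HTML


def fetch_http(url, timeout=10):
    """Real fetch for use against your own server."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    target = "http://www.foo.com/getsource.jsp"
    print("before:", probe_source_disclosure(fetch_vulnerable, target))  # source_leaked True
    print("after: ", probe_source_disclosure(fetch_fixed, target))       # source_leaked False
```

Point it at every JSP in the application, not just one: the URI pattern has to cover each directory the file serving servlet is mapped to, and a JSP copied into the HTTP server's document root is served raw without any trailing-slash trick at all.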