A few months ago I wrote about the need to pay attention to how the
directories and objects in directories (such as stream files) are secured.
This month I'm expanding on that to discuss file shares, another feature
of the IFS that is often overlooked.
What is a file share?
A file share allows the directory it's associated with to be available
from network interfaces. Think of your network as a long hallway. As
you cruise down the hallway, most doors are closed, but there are a
few doors that are open (these are the file shares) and if you show
the guard your pass and it's valid (this is your i5/OS user profile
and password), you're allowed to enter the door off the hallway. Sometimes
only you can open the door, and once it's opened there's very little to see.
(This is an example of a file share for a directory that has no subdirectories
and contains only objects that you or your group are allowed to work with.)
However, on occasion you may enter a door that takes you through a vast
labyrinth of rooms and other hallways with wide-open doors for all to
walk through. You may be amazed at the wealth contained in each of the
rooms. (This is an example of a file share that's been assigned to the
root ('/') directory. Once the root directory is shared, the QSYS.LIB
file system is shared. What does that mean? It means that, assuming
the user has sufficient i5/OS authority, all libraries are available
through your network, including the database files in those libraries.
Imagine the "wealth" of information stored in those files!)
File shares are often used to enable drive mapping. In the Windows
world, shares are often defined to enable drive mapping for file and
document sharing. The same can be implemented in the IFS. Imagine what
is available to you, and to every user on the system, if you map a drive
to root and the object authority of all libraries and files is at least
*USE: all database files are now available through a Windows Explorer
session.
What's the Big Deal about File Shares?
File shares are not inherently a security risk, but they can be
if they are assigned to the wrong directory or the object level security
for the directory or library is not appropriate for its contents. Make
sure you are using the features of the SkyView products to automate
the checking of file shares and other policy settings.
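The risk the section describes comes from the combination of where a share points, whether it is read/write, and what the *PUBLIC authority on that directory allows. The following is an added example, not SkyView or IBM code, that triages a share listing on those three points; the share names, paths and *PUBLIC authorities are constructed to resemble what a share report shows, and the risk levels are this example's own labels.

```python
"""Triage of IFS file shares: which shares expose QSYS.LIB, which are
read/write, and whether the *PUBLIC authority on the shared directory
makes that matter. Constructed example; the data below is hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileShare:
    name: str          # share name as seen on the network
    path: str          # IFS directory the share is assigned to
    read_write: bool   # True = read/write share, False = read only


# Constructed share listing, the kind of data a share report lists.
SHARES = [
    FileShare("ROOT", "/", True),
    FileShare("QSYSLIB", "/QSYS.LIB", False),
    FileShare("HOME", "/home", False),
    FileShare("PAYROLL", "/home/payroll", True),
    FileShare("PROJECTS", "/projects", True),
    FileShare("PUBLICDOCS", "/docs/public", False),
]

# Constructed *PUBLIC authority for each shared directory (hypothetical values).
PUBLIC_AUTHORITY = {
    "/": "*USE",
    "/QSYS.LIB": "*USE",
    "/home": "*EXCLUDE",
    "/home/payroll": "*RW",
    "/projects": "*USE",
    "/docs/public": "*USE",
}

# IFS data authorities that include write permission, plus the *CHANGE and
# *ALL shorthands, which include it as well.
WRITE_AUTHORITIES = {"*W", "*RW", "*WX", "*RWX", "*CHANGE", "*ALL"}


def exposes_qsys_lib(path: str) -> bool:
    """Sharing '/' or QSYS.LIB makes every library and database file reachable
    over the network, subject only to the caller's i5/OS object authority."""
    p = path.rstrip("/").upper() or "/"
    return p == "/" or p == "/QSYS.LIB" or p.startswith("/QSYS.LIB/")


def public_can_read(auth: str) -> bool:
    """*EXCLUDE is the only *PUBLIC setting that grants no access at all."""
    return auth.upper() != "*EXCLUDE"


def public_can_write(auth: str) -> bool:
    return auth.upper() in WRITE_AUTHORITIES


def findings(share: FileShare, public_auth: dict) -> list:
    """Human-readable observations about one share (empty list = nothing noted)."""
    auth = public_auth.get(share.path, "*EXCLUDE")
    notes = []
    if exposes_qsys_lib(share.path):
        notes.append("share exposes QSYS.LIB (all libraries and database files)")
    if share.read_write:
        notes.append("share is read/write")
    if public_can_read(auth):
        notes.append(f"*PUBLIC authority on {share.path} is {auth}, not *EXCLUDE")
    return notes


def risk_level(share: FileShare, public_auth: dict) -> str:
    """high: QSYS.LIB exposed, or a read/write share on a directory the public
    can write to; medium: read/write share that object authority still guards;
    low: read-only share."""
    auth = public_auth.get(share.path, "*EXCLUDE")
    if exposes_qsys_lib(share.path):
        return "high"
    if share.read_write and public_can_write(auth):
        return "high"
    if share.read_write:
        return "medium"
    return "low"


def report(shares, public_auth):
    """List of (name, level, findings), highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(s.name, risk_level(s, public_auth), findings(s, public_auth)) for s in shares]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for name, level, notes in report(SHARES, PUBLIC_AUTHORITY):
        print(f"{name:<12}{level:<8}{'; '.join(notes) or '-'}")
```

A read-only share of a directory meant to be public (PUBLICDOCS above) is rated low, matching the section's point that a share is only a problem when the directory or its object authorities are wrong for the contents; the ROOT and QSYSLIB shares are rated high no matter how they are defined.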
Carol's Tech Tip
Using Risk Assessor to Examine File Shares
If you have the SkyView Risk Assessor product, the SKYSHARES report
lists all of the file shares, the directory they're assigned to and
whether they've been defined as read only or read/write. The QPSECPVT
report lists the public authority of root ('/') as well as root's subdirectories,
so that you can determine the level of risk the file shares pose to
your system. Risk Assessor also provides advice for controlling who
can create and modify file shares. Finally, Risk Assessor lists whether
a Guest profile has been defined which allows access to the system without
having an i5/OS profile and password.
Using Policy Minder to Manage File Shares
Policy Minder allows you to define which file shares your policy
allows on each system. Initializing the File Share category will gather
the shares currently on the system and define those as your initial
policy. You can analyze that list and determine whether any shares need
to be removed from the system. Then, when you run a compliance check
on the File Share category, the category will be out of compliance if
new file shares have been created or an existing file share removed
from the system. This compliance check automates the process of managing
file shares on your system. In addition, you can use the Directory Authority
category to automate the process of checking the authorities and ownership
of IFS directories and files, ensuring those settings remain in compliance
with your organization's policies.
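The compliance check just described has three parts: snapshot the shares that exist when the category is initialized, compare a later listing against that snapshot, and report the category as out of compliance when a share has been added, removed, or redefined. The following is an added example of that logic, not Policy Minder's code; both share listings are constructed dictionaries of share name to (directory path, "RO" or "RW").

```python
"""Compliance check of a system's file shares against a baseline policy.
Constructed example; the share listings are hypothetical."""
from typing import Dict, Tuple

ShareDef = Tuple[str, str]  # (IFS directory path, "RO" for read only or "RW" for read/write)


def initialize_policy(current_shares: Dict[str, ShareDef]) -> Dict[str, ShareDef]:
    """Initializing the category: the shares present now become the policy.
    Review the result before relying on it; it records what exists, not what should."""
    return dict(current_shares)


def compliance_check(policy: Dict[str, ShareDef], current: Dict[str, ShareDef]) -> dict:
    """Compare the current listing with the policy and classify every difference."""
    added = {n: current[n] for n in sorted(current) if n not in policy}
    removed = {n: policy[n] for n in sorted(policy) if n not in current}
    changed = {n: (policy[n], current[n])
               for n in sorted(policy) if n in current and policy[n] != current[n]}
    return {
        "compliant": not (added or removed or changed),
        "added": added,
        "removed": removed,
        "changed": changed,
    }


def format_report(result: dict) -> str:
    status = "COMPLIANT" if result["compliant"] else "OUT OF COMPLIANCE"
    lines = [f"File Share category: {status}"]
    for name, (path, perm) in result["added"].items():
        lines.append(f"  new share {name} -> {path} ({perm}) is not in the policy")
    for name, (path, perm) in result["removed"].items():
        lines.append(f"  share {name} -> {path} ({perm}) has been removed from the system")
    for name, (old, new) in result["changed"].items():
        lines.append(f"  share {name} was redefined: {old} -> {new}")
    return "\n".join(lines)


# Constructed baseline, captured when the category was initialized and reviewed.
POLICY = initialize_policy({
    "HOME": ("/home", "RO"),
    "PUBLICDOCS": ("/docs/public", "RO"),
    "PROJECTS": ("/projects", "RW"),
})

# Constructed listing taken at a later compliance check: a ROOT share has
# appeared, PUBLICDOCS is gone, and HOME has been changed to read/write.
CURRENT_SHARES = {
    "HOME": ("/home", "RW"),
    "PROJECTS": ("/projects", "RW"),
    "ROOT": ("/", "RW"),
}

if __name__ == "__main__":
    print(format_report(compliance_check(POLICY, CURRENT_SHARES)))
```

A redefinition (a read-only share turned read/write, or a share pointed at a different directory) is reported separately from additions and removals because the share name alone would hide it.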
SkyView Partners Solutions
- With Risk Assessor you get comprehensive, easy-to-understand,
easy-to-produce and unbiased diagnostic reports that quite frankly
no other product in the marketplace will produce.
- With Policy Minder, you take the time out of managing and
fixing the implementation details of your security policy,
as well as taking the guesswork out of your security compliance
status.
About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served
for more than 10 years as the AS/400 Security Architect and Chief
Engineering Manager of Security Technology for IBM's Enterprise Server
Group. During this time Carol provided security architecture and design
consultations with IBM Business Partners and large AS/400 customers.
She is known worldwide as an author and speaker on security technology,
specializing in OS/400 and i5/OS security issues. Carol co-authored
the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has
written numerous articles on security and is a technical editor for
the IBM Systems Magazine. Carol is also a subject matter expert on
security for COMMON, security author for Experts Journal, contributing
author on security for System iNEWS and MC Press Online and the security
expert for search400.