2010 app only access

© Wayne O Evans Consulting 2010 AOA Application Only Access 1 Presented by Wayne O. Evans

Upload: wayne-evans

Post on 21-May-2015


DESCRIPTION

Security implementation based on granting access only while the user is inside the application, by either adoption or swapping of the user profile.

TRANSCRIPT

Page 1: AOA Application Only Access

Presented by Wayne O. Evans

Page 2: Disclaimer

DISCLAIMER: The security recommendations and any programming source are offered "AS IS" for your consideration. Wayne O. Evans Consulting makes no warranties or representations as to the quality of the examples. ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE SPECIFICALLY DISCLAIMED.

REPRODUCTION: Permission is granted to make a limited number of copies of this material for non-commercial purposes, provided this page and the title page are included.

iSeries, OS/400 and Client Access Express are trademarks of the IBM corporation.

Page 3: Webster's Dictionary

Hacker: "An expert at programming and solving problems with a computer."

Hackers do not always apply their expertise in appropriate ways (the clever are not always good).

Page 4: The HACKER is likely to be a curious employee within your company

Curiosity is one of the permanent and certain characteristics of a vigorous mind.

Page 5: You must take the initiative to protect your data from hackers

Page 6: Outline

• Introduction
• Application Only Access: General
• AOA Implementation
• Query Considerations
• Limitations
• Conclusion

Page 7: Strategies to Protect Data

• Close the Door: restrict the ways to access data. Examples: menu security, exit programs.
• Resource Security (BEST): restrict access to production data. Examples: object authority, library authority.

Page 8: Close the Door

Strengths:
• Easy to implement
• Widely used in OS/400

Limitations:
• No protection outside of the application
• May miss a back door; new doors appear with each release
• Some doors have no locks

Page 9: Resource Security

Strengths:
• Protects from all methods of access
• Protection outside of the application
• The design will protect future interfaces

Limitations:
• Not as easy to implement as menu security
• Potential performance considerations

Page 10: Menu Security – 1980s

[Diagram: fixed-function displays and workstation emulation reach the system only through menu security]

Menu security was effective when users had no other system access. Today OS/400 has other ways to access data.

Page 11: PC adds Other Ways to Access Data

[Diagram: fixed-function displays and workstation emulation pass through menu security; PC requests pass through an exit program]

Exit programs can restrict requests from a PC. A PC adds other ways to access data:
• Workstation
• Messages
• Printer Support
• Shared Folders & Documents
• Remote Commands
• File Transfer
• API – Data Queue
• API – ODBC
• IFS

Page 12: Exit Programs

1. The SOURCE system sends a request to the OS/400 TARGET system.
2. OS/400 calls the exit program (EXIT1) named in network attribute DDMACC or PCSACC and passes it the request.
3. The user exit program looks at the request and sets a return code: 1 = accept request, 0 = reject request.

Page 13: Network Access Adds Ways to Access Data

[Diagram: fixed-function displays, workstation emulation and the PC pass through menu security or an exit program; network requests add further paths]

Exit programs can restrict some, but not ALL, network requests:
• Workstation Pass Through
• DDM
• Submit Remote Command
• File Access
• TCP/IP FTP

Page 14: Network Access With No Exits

No exits are available for:
• ICF – Program Start Requests
• User Applications
• QY2FTML
• Remote Data Base
• Some non-IBM ODBC drivers

CONCLUSION: Must use other controls

Page 15: Data Access Exposure

Potential loss of information:
• DESTRUCTION: accidental or intentional deletion of data
• MODIFICATION: changing of data content
• DISCLOSURE: revealing data content

Page 16: Security Implementation: Object Owner is Group Profile

[Diagram: Production Owner Group Profile owns Production Data; End Users are members of the group]

Users are authorized to ➤ Delete ➤ Modify ➤ Display. Does not protect data.

Page 17: Security Implementation (JDE example)

[Diagram: JDE profile owns Production Data; End Users are members of the JDE group]

• JDE profile owns production data
• End users are members of the JDE group
• End users share ownership of production data: users are authorized to Delete, Modify, Display

Page 18: Menu Security

[Diagram: End User sees a menu (1. xxxxx 2. xxxxx 3. xxxxx Option __)]

• End users are limited to menus
• LMTCPB(*YES) prevents entry of commands
• Some users may be authorized to enter commands
• Client Access/400 users may be allowed to perform functions not on the application menu: File Transfer (Upload and Download), Run CL Commands

Page 19: Security Implementation: *PUBLIC authority *ALL

[Diagram: USER → Production Data with *PUBLIC *ALL]

Users are authorized to ➤ Delete ➤ Modify ➤ Display. Does not protect data.

Page 20: Selecting Level of Access

Object authority on production data:
• *ALL: users are authorized to display, modify and delete. Does not protect data.
• *CHANGE, *USE: users still have direct access to the data. Does not protect data.
• *EXCLUDE: no user access to data (STOP).

Page 21: Application Only Access

[Diagram: USER has *EXCLUDE to Production Data (STOP); USER → GO → Application Program (ADOPT OWNER) → Production Data]

1. No user authority to data (*EXCLUDE)
2. Selected users have access to programs that adopt the needed authority

Page 22: Without Adopted Authority

[Diagram: PGM1 calls PGM2, which uses PAYROLL and FILE_B]

The user must be authorized to all objects required: PGM1, PGM2, PAYROLL, FILE_B.

Page 23: Adopted Authority

Program adoption gives a user access while a program is running.

[Diagram: PGM1 (ADOPT OWNER) calls PGM2, which uses PAYROLL and FILE_B; OWNER owns PGM2, PAYROLL and FILE_B]

• The program owner is authorized to the objects (PGM2, PAYROLL, FILE_B)
• The user is authorized to the program (PGM1)
• The user is not authorized to the other objects

Page 24: Adopted Authority

[Diagram: QUERY, DFU and File Transfer reach PAYROLL directly when the user is authorized; with adoption, QUERY gets "Access denied" while PGM1 (→ PGM2 → PAYROLL, FILE_B) works]

• Granting users authority ➤ introduces potential exposure
• Adopted authority eliminates the need to give users access

Page 25: Outline (repeated; see page 6)

Page 26: Existing Implementation

[Diagram: Production Owner Group Profile owns Production Data; End Users are members]

End users are members of the group that owns production data. Ownership allows users to ➤ Delete ➤ Modify ➤ Display.

Page 27: Existing Implementation

[Diagram: End User → INLPGM → Application Program → Production Data]

The initial program (INLPGM) in the user profile names the entry program for the application. The application controls the user's access to data.

Page 28: How to Adopt Authority

CHGPGM PGM( ) USRPRF(*OWNER) makes the application program adopt its owner (ADOPT OWNER).

LIMITATIONS:
1. The program must be observable. Not true for some third-party applications.
2. Changing the program may invalidate your warranty.

Conclusion: Do not modify application programs.

Page 29: How to Adopt Authority

Before: End User, INLPGM(PGM1) → PGM1 Application Program
After: End User, INLPGM(SHELL1) → SHELL1 (CALL PGM1, ADOPT OWNER) → PGM1 Application Program

1. Create a SHELL program that adopts
2. Change the user profile initial program (INLPGM)

Page 30: Design Considerations

[Diagram: SHELL1 (CALL PGM1, ADOPT OWNER) reaches Production Data; a submitted Batch Program does not]

Interactive jobs:
• Adopted authority gives the application access
• Called programs get the adopted authority propagated

Submitted jobs:
• DO NOT get adopted authority

Page 31: How to Adopt in Batch

[Diagram: Batch Entry Pgm (ADOPT OWNER) calling other programs; alternative with every program marked ADOPT OWNER]

• The entry (first) program can adopt and propagate adopted authority to called programs
• There may be multiple entry programs
• Some installations solve the problem of finding the entry program by having every program adopt

Page 32: Shell Program for Batch

1. Create a shell program (ADOPT1) that adopts its OWNER:
   PGM
   CALL QCMD
   ENDPGM

2. Restrict *PUBLIC access to the shell program and authorize selected users:
   *PUBLIC - *EXCLUDE
   GRPAPP1 - *USE

3. Change the subsystem description routing entry to call the shell program:
   Before: NBR 1  RTGDTA *ANY  PGM QCMD
   After:  NBR 1  RTGDTA *ANY  PGM ADOPT1
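An added example, not from the presentation: the interactive SHELL1 of page 29 and the batch ADOPT1 of this page as CL source, with the commands that create, own, authorize and install them. Library AOALIB, owner OWN_APP1, group GRPAPP1, user ENDUSER1 and the QBATCH routing entry sequence number 9999 are assumptions.

```cl
/* SHELL1: interactive entry program (page 29). Owned by OWN_APP1 and   */
/* created with USRPRF(*OWNER), so everything it calls runs with the    */
/* owner's authority to the production data. The user needs *USE on     */
/* SHELL1 only, not on PGM1 and not on the data files.                  */
             PGM
             CALL       PGM(PGM1)
             ENDPGM

/* ADOPT1: batch shell named in the subsystem routing entry (page 32).  */
/* QCMD runs the submitted job's request data (its CL command) under    */
/* the adopted authority, which a submitted job otherwise lacks (page 30). */
             PGM
             CALL       PGM(QSYS/QCMD)
             ENDPGM

/* Installation (assumed library AOALIB, owner OWN_APP1, group GRPAPP1) */
CRTCLPGM   PGM(AOALIB/SHELL1) SRCFILE(AOALIB/QCLSRC) USRPRF(*OWNER)
CRTCLPGM   PGM(AOALIB/ADOPT1) SRCFILE(AOALIB/QCLSRC) USRPRF(*OWNER)
CHGOBJOWN  OBJ(AOALIB/SHELL1) OBJTYPE(*PGM) NEWOWN(OWN_APP1)
CHGOBJOWN  OBJ(AOALIB/ADOPT1) OBJTYPE(*PGM) NEWOWN(OWN_APP1)
/* *PUBLIC *EXCLUDE on both shells: only the application group runs them */
GRTOBJAUT  OBJ(AOALIB/SHELL1) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(AOALIB/SHELL1) OBJTYPE(*PGM) USER(GRPAPP1) AUT(*USE)
GRTOBJAUT  OBJ(AOALIB/ADOPT1) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(AOALIB/ADOPT1) OBJTYPE(*PGM) USER(GRPAPP1) AUT(*USE)
/* Interactive: the user's initial program becomes the shell; LMTCPB(*YES) */
/* keeps the user off the command line (page 18)                           */
CHGUSRPRF  USRPRF(ENDUSER1) INLPGM(AOALIB/SHELL1) LMTCPB(*YES)
/* Batch: replace QCMD with ADOPT1 in the *ANY routing entry. The page's  */
/* table shows entry 1; the IBM-shipped QBATCH uses 9999 (check DSPSBSD). */
CHGRTGE    SBSD(QSYS/QBATCH) SEQNBR(9999) PGM(AOALIB/ADOPT1)
```

Because ADOPT1 hands every routed request to QCMD under the owner's authority, the authorization on the shells and LMTCPB(*YES) on end-user profiles are what keep this to application use, as the page's model intends.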

Page 33: Batch Considerations

QUESTION: How do I handle a mix of users, some of whom adopt different groups?
ANSWER: Create a routing program that CALLS programs that adopt different owners.

[Diagram: RoutingPgm → Pgm1 (ADOPT GRP1), Pgm2 (ADOPT GRP2), Pgm3 (ADOPT GRP3)]

Page 34: Batch Considerations

QUESTION: How does the routing program determine what program to call for a user?
ANSWER: The program checks the user's authority (CHKOBJ) before calling.

[Diagram: RoutingPgm → Pgm1 (ADOPT GRP1), Pgm2 (ADOPT GRP2), Pgm3 (ADOPT GRP3)]

Authorities:
• Pgm1: *PUBLIC *EXCLUDE, GRP1 *USE
• Pgm2: *PUBLIC *EXCLUDE, GRP2 *USE
• Pgm3: *PUBLIC *EXCLUDE, GRP3 *USE
• QCMD: *PUBLIC *USE

Page 35: Batch Considerations

Adopting shells, one per group (AOA_QCMD1 adopts GRP1 ... AOA_QCMDn adopts GRPn), each:
   PGM
   CALL QCMD
   ENDPGM

Authorities: AOA_QCMD1: *PUBLIC *EXCLUDE, GRP1 *USE ... AOA_QCMDn: *PUBLIC *EXCLUDE, GRPn *USE

Subsystem description routing entry: NBR 1  RTGDTA *ANY  PGM AOA_QCMD

AOA_QCMD (routing program, outline):
   PGM
   if user is authorized  TFRCTL AOA_QCMD1
   :
   if user is authorized  TFRCTL AOA_QCMDn
   TFRCTL QCMD
   ENDPGM

Page 36: AOA_QCMD Program

/************************************************************/
/* Name: AOA_QCMD                                            */
/* Program used as a routing entry for the batch subsystem   */
/* This program transfers to programs that adopt             */
/* CHKOBJ is used to avoid logging any authority violations  */
/************************************************************/
             PGM
/* Try each adopting shell in turn: CHKOBJ fails with a CPF98xx message  */
/* when the user lacks *EXECUTE, and the MONMSG moves on to the next one */
AOA_QCMD1:   CHKOBJ     OBJ(AOA_QCMD1) OBJTYPE(*PGM) AUT(*EXECUTE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(AOA_QCMD2))
             TFRCTL     PGM(AOA_QCMD1)
/* RCVMSG removes the not-authorized exception from the job log          */
AOA_QCMD2:   RCVMSG     MSGTYPE(*EXCP)
             CHKOBJ     OBJ(AOA_QCMD2) OBJTYPE(*PGM) AUT(*EXECUTE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(AOA_QCMD3))
             TFRCTL     PGM(AOA_QCMD2)
             /* repeated for each group; AOA_QCMDn is the last one */
AOA_QCMDn:   RCVMSG     MSGTYPE(*EXCP)
             CHKOBJ     OBJ(AOA_QCMDn) OBJTYPE(*PGM) AUT(*EXECUTE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(QCMD))
             TFRCTL     PGM(AOA_QCMDn)
/* No adopting shell is authorized: run the request with the user's own authority */
QCMD:        RCVMSG     MSGTYPE(*EXCP)
             TFRCTL     PGM(QSYS/QCMD)
EXIT:        ENDPGM

Page 37: An Alternative To Adoption

• Swap, don't adopt: replace adopted authority with a dynamic change of the group profile
• Swap will replace the authority for a user
• Adopt will add to the authority for a user

Page 38: Swap

• Swap is traditionally used to change the user profile for a job (User Profile → SWAP → Other User Profile)
• Swap can be used to change the group profile (User Profile with GROUP → SWAP → User Profile with Other GROUP)

Page 39: Should I Adopt or Swap?

Page 40: Comparison of Techniques

Adopt:
• Less performance: adopted authority is checked last
• Requires two options: batch adopt and interactive adopt, plus server swap
• Adoption lasts for the invocation: easy to drop adopted access; automatic drop when the application ends

Swap:
• Better performance
• Same solution in batch, interactive and server jobs
• Swap lasts for the job
• Ownership of created objects can be transferred to the group profile automatically

Page 41: Comparison of Techniques

• Either technique works
• Differences are minor, almost a tossup

Recommendation: swap, unless you need to drop.

Page 42: Swap Group

/****************************************************/
/* SWAPGROUP -- Swap Group profile                  */
/* This program changes the group profile.          */
/* Swap the process to use the new group profile    */
/*                                                  */
/* Installation instructions                        */
/* 1. Compile program                               */
/*    CRTCLPGM PGM(LIB/SWAPGROUP) SRCFILE( )        */
/*             USRPRF(*OWNER)                       */
/* 2. Change owner of the program to user QSECOFR.  */
/*    Adopted authority allows the program to swap  */
/*    user profiles without providing a password    */
/*    CHGOBJOWN OBJ(LIB/SWAPGROUP) OBJTYPE(*PGM)    */
/*              NEWOWN(QSECOFR)                     */
/****************************************************/
             PGM        PARM(&NEWGROUP)
             DCL        VAR(&NEWGROUP) TYPE(*CHAR) LEN(10)  /* group to switch to */
             DCL        VAR(&OLDGROUP) TYPE(*CHAR) LEN(10)  /* user's current group, restored later */
             DCL        VAR(&USER)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&STATUS)   TYPE(*CHAR) LEN(10)  /* *ENABLED or *DISABLED */
             DCL        VAR(&HANDLE)   TYPE(*CHAR) LEN(12)  /* profile handle from QSYGETPH */

Page 43: Swap Group (continued)

             RTVJOBA    USER(&USER)
/* Single stream the job: hold an exclusive lock on data area SWAP so  */
/* only one job at a time changes and restores a profile's group.       */
             ALCOBJ     OBJ((SWAP *DTAARA *EXCL)) WAIT(500)
             RTVUSRPRF  USRPRF(&USER) STATUS(&STATUS) GRPPRF(&OLDGROUP)
/* Temporarily put the user in the new group (the profile must be       */
/* enabled for QSYGETPH), take a profile handle that carries that group, */
/* then restore the profile exactly as it was.                          */
             CHGUSRPRF  USRPRF(&USER) STATUS(*ENABLED) GRPPRF(&NEWGROUP)
             CALL       PGM(QSYGETPH) PARM(&USER '*NOPWD' &HANDLE)
             CHGUSRPRF  USRPRF(&USER) STATUS(&STATUS) GRPPRF(&OLDGROUP)
             DLCOBJ     OBJ((SWAP *DTAARA *EXCL))
/* Swap the job to the handle: same user, new group, for the rest of the job */
             CALL       PGM(QWTSETP) PARM(&HANDLE)
             ENDPGM

Must single stream the job to prevent two jobs trying to swap the same profile at the same time.

Page 44: Can library security be used to protect data?

Page 45: What is Library Security?

1. Restrict access to the library: authorize the library to users that should access the objects in the library (GRPSALES *USE, *PUBLIC *EXCLUDE)
2. Give *PUBLIC access to the objects in the library (files *PUBLIC *CHANGE, programs *PUBLIC *USE)

Easy to manage authority.

Page 46: Library Security (interactive)

[Diagram: APP_LIB is *PUBLIC *EXCLUDE; Initial Program ADOPT OWNER]

1. The initial program can adopt the authority needed
2. Add the library to the library list

Page 47: Problem with Batch Job Start

1. Interactive user (running the Application Program, ADOPT OWNER) submits a batch job
2. Batch job is placed on the JOBQ
3. Batch job fails to start: "Not authorized to Library" (STOP)

Why? The default for submitted jobs is to use the library list in the batch job; LIB is *PUBLIC *EXCLUDE and the batch job has no adopted authority.

Conclusion: Library security causes a problem in batch.

Page 48: Attempt to Fix Batch Problem

To avoid the not-authorized failure, authorize the group to the library: LIB *PUBLIC *EXCLUDE, GRPAPP1 *USE (objects *PUBLIC *CHANGE). The batch job will start.

What is wrong with this solution? Users in the group can access the production data directly, just what we are trying to stop.

Cannot use library security; must secure individual objects.

Page 49: Secure Individual Objects

Solution:
1. Authorize *PUBLIC to the library (*PUBLIC *USE), or exclude *PUBLIC and authorize the group (*PUBLIC *EXCLUDE, GRPAPP1 *USE)
2. Secure the individual objects in production libraries: *PUBLIC *USE (read-only access OK) or *PUBLIC *EXCLUDE (no access allowed outside the application)

Page 50: How to Secure Objects: Owner and Primary Group Profile

For best performance:
1. Authorize the OWNER
2. Optionally authorize a second profile using the PGP (Primary Group Profile) authority of the object. This is the read-only profile used by Query.

Owner: OWNAPP1 *ALL
PGP: GRPREAD1 *USE
Default: *PUBLIC *EXCLUDE

Page 51: How to Secure Objects: Authorization Lists

When multiple users must be authorized to objects, authorization lists are recommended:
1. One location to secure multiple objects
2. Can change the authority for open files

LIBRARY authorization list: GRPREAD1 *USE, GRPREAD2 *USE, GRPPGMR *USE, *PUBLIC *EXCLUDE
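An added example, not from the presentation, applying pages 49 to 51 to two production files: CUSTMAST secured by owner, primary group and *PUBLIC *EXCLUDE, and PAYROLL secured by an authorization list. Library PRODLIB, the file names, the profiles OWNAPP1, GRPREAD1, GRPREAD2 and GRPPGMR and the list PRODAUTL are assumptions.

```cl
/* Library: *PUBLIC *USE so that submitted jobs start with PRODLIB on    */
/* their library list (the page 47 failure); protection lives on objects */
GRTOBJAUT  OBJ(QSYS/PRODLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)

/* Page 50: owner and primary group give the fastest authority checks.   */
/* CUROWNAUT(*REVOKE) removes the authority the previous owner kept.     */
CHGOBJOWN  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(OWNAPP1) +
             CUROWNAUT(*REVOKE)
CHGOBJPGP  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) NEWPGP(GRPREAD1) +
             PGPAUT(*USE)
/* Everyone else is shut out; application programs owned by OWNAPP1     */
/* reach the file through adoption                                       */
GRTOBJAUT  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* Page 51: several read-only groups, managed in one authorization list  */
CHGOBJOWN  OBJ(PRODLIB/PAYROLL) OBJTYPE(*FILE) NEWOWN(OWNAPP1) +
             CUROWNAUT(*REVOKE)
CRTAUTL    AUTL(PRODAUTL) TEXT('Read-only access to production files') +
             AUT(*EXCLUDE)
ADDAUTLE   AUTL(PRODAUTL) USER(GRPREAD1 GRPREAD2 GRPPGMR) AUT(*USE)
GRTOBJAUT  OBJ(PRODLIB/PAYROLL) OBJTYPE(*FILE) AUTL(PRODAUTL)
/* Let the list decide the public authority (*EXCLUDE from CRTAUTL)     */
GRTOBJAUT  OBJ(PRODLIB/PAYROLL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* Check the result: both displays should show *PUBLIC with no access   */
DSPOBJAUT  OBJ(PRODLIB/CUSTMAST) OBJTYPE(*FILE)
DSPOBJAUT  OBJ(PRODLIB/PAYROLL)  OBJTYPE(*FILE)
```

A later change such as EDTAUTL AUTL(PRODAUTL) takes effect for files that are already open, which is the second advantage the page lists.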

Page 52: Can I make these changes and still keep my system operational?

Yes, use the following process…

Page 53: AOA Implementation

• Successful implementation takes time
• Make changes gradually to avoid disruption of production

Current: Production Owner Group Profile with End Users as members
Target: GRP_APP1 Group Profile with End Users as members; OWN_APP1 is the Production Owner

Page 54: AOA Implementation

Current: Production Owner Group Profile with End Users as members (no change to current users)

1. Change *PUBLIC authority for production objects
2. Create new group profile GRP_APP1
3. Create programs used to swap/adopt
4. Create test user profile (Test User)

Page 55: AOA Implementation

5. Test applications using the test profile (Test User in GRP_APP1)
6. Change one end user to the new group and adopt/swap profiles
7. Test applications by end user
8. Change remaining end users

Page 56: Outline (repeated; see page 6)

Page 57: Requirements

Query users are allowed READ-ONLY access.

Page 58: Requirements

[Diagram: USER → Application Program (ADOPT OWNER) → Production Data (*EXCLUDE); Query USER → Query (ADOPT Read Only) → Production Data]

Allow read-only access for QUERY. Why? QUERY allows OUTFILE capability, with the potential of accidental modification of production data if the user is authorized.

Page 59: Query Implementation

Do you want users running interactive queries?

1. User selects the menu option for query (10. Run Query)
2. Run a program that adopts read-only access (Application Program, ADOPT Read Only)
3. Interactive queries work (Production Data stays *EXCLUDE)

Page 60: Batch Query Overview

1. Interactive user selects the option to run a query in batch (10. Run Query in Batch)
2. Batch job is submitted for the RUNQRY command (JOBQ)
3. Batch job starts
4. RUNQRY command invokes the command processing program to run the query

Page 61: Batch Query Considerations

Two potential problems:
1. Batch queries get a "Not Authorized" message: SBMJOB → Query → Production Data (*EXCLUDE) → STOP
2. Batch query has read and write access when the routing program adopts OWNER: SBMJOB → Query Routing Program (ADOPT OWNER)

REQUIREMENT: "Allow Read-Only access for QUERY"

Page 62: Batch Query Considerations

Two problems to solve:
1. Adopt read-only access
2. Prevent any adopted access that allows write

Solution: write a shell program (Query Shell Program, ADOPT Read Only, DROP previous adoption):
1. Adopt a user profile that has read-only access
2. Create the shell program with attribute USEADPAUT(*NO), preventing previously adopted authority

Page 63: Query Implementation

IBM Batch QUERY as shipped by IBM: RUNQRY → CALL IBM_CPP
Modification: RUNQRY → program that adopts Read Only (DROP) → CALL IBM_CPP

➤ Create a new RUNQRY command to call a user program that adopts a profile with read-only access
➤ Specify USEADPAUT(*NO) to prevent any other adopted authority

Page 64: Query Implementation

[Diagram: IBM Batch QUERY: RUNQRY → ADOPT Read Only (DROP) → CALL IBM_CPP]

The query can access the data using the adopted read-only access to production data. IT WORKS!!

What problem exists with this solution? Security level 40-50 prevents use of internal system interfaces with state/domain protection.

Page 65: How to ADOPT at Level 40

Cannot CALL the IBM CPP at level 40 or 50 (STOP).

• Create an alternate RUNQRY command
• The shell program adopts Read Only (DROP) and rebuilds the RUNQRY command string
• Execute the IBM QSYS/RUNQRY

Page 66: AOA Implementation

1. Create the library ALTQSYS (*PUBLIC *USE)
2. Put the "new" RUNQRY command and PGM (ADOPT READ ONLY) in ALTQSYS
3. Put ALTQSYS on the library list before QSYS:
   CHGSYSVAL SYSVAL(QSYSLIBL) VALUE('ALTQSYS QSYS QUSRSYS …')
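An added example, not the presentation's code, of the alternate RUNQRY command of pages 62 to 66: a command definition, a command processing program that adopts a read-only owner and executes QSYS/RUNQRY, and the installation commands. Library ALTQSYS, program RUNQRYCPP, owner GRPREAD1 and the reduced parameter list (QRY and OUTTYPE only, display or printer output) are assumptions.

```cl
/* --- Command definition, member RUNQRY in ALTQSYS/QCMDSRC ---          */
/* Assumption: only QRY and OUTTYPE are offered; the IBM command has     */
/* many more parameters.                                                 */
             CMD        PROMPT('Run Query (read-only adopt)')
             PARM       KWD(QRY) TYPE(QUAL1) MIN(1) PROMPT('Query')
             PARM       KWD(OUTTYPE) TYPE(*CHAR) LEN(10) RSTD(*YES) +
                          DFT(*DISPLAY) VALUES(*DISPLAY *PRINTER) +
                          PROMPT('Output type')
 QUAL1:      QUAL       TYPE(*NAME) LEN(10)
             QUAL       TYPE(*NAME) LEN(10) DFT(*LIBL) +
                          SPCVAL((*LIBL)) PROMPT('Library')

/* --- Command processing program RUNQRYCPP, member in ALTQSYS/QCLSRC -- */
/* Created with USRPRF(*OWNER) and USEADPAUT(*NO): it adopts GRPREAD1    */
/* and DROPS whatever its callers adopted (page 62), so the query runs   */
/* read-only even when started from a program that adopts OWNER.         */
             PGM        PARM(&QRY &OUTTYPE)
             DCL        VAR(&QRY)     TYPE(*CHAR) LEN(20) /* name then library */
             DCL        VAR(&OUTTYPE) TYPE(*CHAR) LEN(10)
             DCL        VAR(&QRYNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&QRYLIB)  TYPE(*CHAR) LEN(10)
             CHGVAR     VAR(&QRYNAME) VALUE(%SST(&QRY 1 10))
             CHGVAR     VAR(&QRYLIB)  VALUE(%SST(&QRY 11 10))
/* Rebuild the command string and run the IBM command (page 65): the IBM */
/* CPP itself cannot be CALLed at security level 40 or 50.               */
             QSYS/RUNQRY QRY(&QRYLIB/&QRYNAME) OUTTYPE(&OUTTYPE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Query ' *CAT &QRYNAME *TCAT +
                             ' failed or is not authorized') +
                             MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM

/* --- Installation (page 66) ---                                        */
CRTLIB     LIB(ALTQSYS) AUT(*USE)
CRTCLPGM   PGM(ALTQSYS/RUNQRYCPP) SRCFILE(ALTQSYS/QCLSRC) +
             USRPRF(*OWNER) USEADPAUT(*NO)
/* GRPREAD1 has *USE (read-only) to the production files (page 50)       */
CHGOBJOWN  OBJ(ALTQSYS/RUNQRYCPP) OBJTYPE(*PGM) NEWOWN(GRPREAD1)
CRTCMD     CMD(ALTQSYS/RUNQRY) PGM(ALTQSYS/RUNQRYCPP) +
             SRCFILE(ALTQSYS/QCMDSRC) SRCMBR(RUNQRY)
/* ALTQSYS ahead of QSYS so an unqualified RUNQRY resolves to the new    */
/* command; keep the existing system libraries after it (the shipped     */
/* default is QSYS QSYS2 QHLPSYS QUSRSYS)                                 */
CHGSYSVAL  SYSVAL(QSYSLIBL) VALUE('ALTQSYS QSYS QSYS2 QHLPSYS QUSRSYS')
```

A batch job submitted with RUNQRY QRY(MYLIB/CUSTQRY) OUTTYPE(*PRINTER) now reaches the production files only through GRPREAD1's *USE, which is the page 57 requirement.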

Page 67: AOA Limitations

• Cannot adopt for PC-initiated jobs. If you start the router with the user profile of the production owner, the application works, but the user can use other interfaces to perform operations outside of the application.
• Difficult to distinguish a request from a valid PC application from an ad hoc request by a PC user (hacker).

Page 68: AOA Limitations

How to get access to data: cannot adopt when a PC request starts the job (request → PGM, cannot adopt).

Page 69: AOA Limitations

PROBLEM: How to get access to data… Cannot adopt when a PC request starts the job.

SOLUTION:
1. Use an exit program to swap to the OWNER profile
2. Use stored procedures that can adopt

Page 70: Swap in Exit Program

[Diagram: request → PGM (cannot adopt); Exit Program registered in the Registration Facility (exit program name); End User Profile → SWAP → Owner User Profile]

The exit program calls QSYGETPH and QWTSETP, the APIs used to swap the user profile of the job.
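An added example, not from the presentation, of the page 69/70 approach: an exit program on the database server initiation exit point that swaps the server job to the production owner with QSYGETPH and QWTSETP. Library AOALIB, program SWAPEXIT, owner OWN_APP1, group GRPAPP1 and the primary-group membership test are assumptions.

```cl
/* SWAPEXIT: registered on QIBM_QZDA_INIT (format ZDAI0100), called     */
/* when a PC opens a database (ODBC) server connection. Exit programs   */
/* on this point receive a status byte to set and the request data.     */
             PGM        PARM(&STATUS &REQUEST)
             DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(1)    /* output: '1' accept, '0' reject */
             DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(2000) /* ZDAI0100 data, not parsed here */
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&GROUP)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&HANDLE)  TYPE(*CHAR) LEN(12)

/* Accept the connection in every case below: a user who is not swapped */
/* keeps their own authority, which is *EXCLUDE on production data.      */
             CHGVAR     VAR(&STATUS) VALUE('1')
/* CURUSER, not USER: a prestarted server job's job user is QUSER, the  */
/* connected PC user is the current user.                               */
             RTVJOBA    CURUSER(&USER)
/* A membership test rather than an authority test, so the authority    */
/* this program adopts from QSECOFR cannot make it pass (page 34 uses   */
/* CHKOBJ for this in a program that does not adopt). Primary group     */
/* only: an assumption matching the GRP_APP1 model of page 79.          */
             RTVUSRPRF  USRPRF(&USER) GRPPRF(&GROUP)
             IF         COND(&GROUP *NE 'GRPAPP1') THEN(RETURN)

/* Profile handle for OWN_APP1 with no password; needs *USE to that     */
/* profile, supplied by the adopted QSECOFR authority.                  */
             CALL       PGM(QSYS/QSYGETPH) PARM('OWN_APP1' '*NOPWD' &HANDLE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                CHGVAR     VAR(&STATUS) VALUE('0')  /* could not swap: reject */
                RETURN
             ENDDO
/* Swap: from here the server job runs as OWN_APP1 (page 70) and the    */
/* swap lasts for the job (page 40). Release the handle afterwards.     */
             CALL       PGM(QSYS/QWTSETP) PARM(&HANDLE)
             CALL       PGM(QSYS/QSYRLSPH) PARM(&HANDLE)
             ENDPGM

/* Installation: adopt QSECOFR as SWAPGROUP on page 42 does, then       */
/* register the program in the Registration Facility                    */
CRTCLPGM   PGM(AOALIB/SWAPEXIT) SRCFILE(AOALIB/QCLSRC) USRPRF(*OWNER)
CHGOBJOWN  OBJ(AOALIB/SWAPEXIT) OBJTYPE(*PGM) NEWOWN(QSECOFR)
ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) +
             PGM(AOALIB/SWAPEXIT)
```

As page 67 warns, after the swap every request on that connection carries OWN_APP1's authority, which is why the page proposes the data queue check of page 74 before trusting the request.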

Page 71: Comparison of Methods

Dynamic SQL request: ODBC → SQL Server job → Production Data (*EXCLUDE) → STOP
Stored procedure: ODBC → SELECT ... CALL PKG → Server job → SQLPKG (ADOPT OWNER) → Production Data

Page 72: Creating the Stored Procedure

The authority is checked using the user profiles of the application server job and the owner of the SQL package.

   CRTSQLRPG PGM( ) SRCFILE( ) USRPRF(*OWNER) DYNUSRPRF(*OWNER)

[Diagram: SQLPKG, ADOPT OWNER]

Page 73: AOA Limitations

Is the request from a valid application or a hacker? The request looks the same from a PC program or from a hacker's ad hoc request.

This is an area where more IBM support could be added.

Page 74: AOA Solution

Is the request from a valid application or a hacker?

SOLUTION (Proposed):
1. Before starting the request, have the PC application send an encoded message to a data queue
2. The exit program that swaps user profiles, or the SQL procedure, would receive from the data queue and verify the request

Page 75: Outline (repeated; see page 6)

Page 76: Overview Application Only Access

Security implementation strategy that restricts access to production data except for selected applications.

[Diagram: PC access, Network Access and Other access → STOP → Production Data]

Page 77: Overview Application Only Access

[Diagram: USER → GO → Application Program (ADOPT OWNER) → Production Data]

Users are allowed to access production data when using authorized programs. Programs adopt the authority of the data owner.

Page 78: Overview Application Only Access

Production data and programs are owned by a user profile (OWN_APP1, the Production Owner) whose only purpose is to OWN objects.

[Diagram: OWN_APP1 owns the Production Data Files and the Application Programs, each of which ADOPTs OWNER]

Page 79: Overview Application Only Access

[Diagram: GRP_APP1 Group Profile with End Users as members → Application Program (ADOPT OWNER)]

Users are members of group profiles. The group profiles are authorized to run application programs that adopt the needed access for production data.

Page 80: Application Only Access

• Uses OS/400 security
• Protects data today (Client Access, command entry, network access)
• Protects data in the future
• Can be integrated into existing menu security systems

Page 81: Application Only Access

• Can be used for existing applications ➤ little or no change to existing programs ➤ new shell programs ➤ no change to the user interface
• Has been used successfully in several OS/400 installations
• It takes time to convert an existing application

Page 82: Contact

• If you have additional questions or want more information, please contact me!

Phone: (520) 578-7785
[email protected]
www.WOEvans-security.com

Page 83: Estimation of Work Involved

• We are embarking on a project to set up Application Only security. Of course we have been put into a position where we need to estimate the amount of time it will take to implement the changes.
• I would need much more detail to do an estimate, but the following are some of the items that would affect an estimate. Here are some of the issues that will affect the amount of time.

Page 84: Estimation of Work Involved

• Does management support the project, or are you going to have to justify each change?
  – YES: management supports the effort and is willing to make some changes to business practices and operations.
  – NO: don't waste your company's time and your efforts.

Get full management support or find another task.

Page 85: Estimation of Work Involved

• Are you already at security level 40? NO: get to security level 40 before starting.
• Do you have good security practices in place (help desk, change management)? NO: the project will be more difficult; add 10-50% to the estimate.
• Are objects currently owned by established owners? NO: when objects are owned by programmers and developers, add 50% to the final estimate.

Page 86: Estimation of Work Involved

• Do you have object management software/tools to assist in security changes?
  – PentaSafe's PSSecure OAM tool performs tasks such as: change ownership of objects; change authority of objects; check for compliance to the "security model"
  – NO: add 5-10 days to create simple tools
  – YES: do you know how to use the tools? (NO: add 1 day to learn the tools)

Page 87: Estimation of Work Involved

• How many vendor packages are you running?
  – All our software is home grown; we have source (this is the best situation; unless the software is a nightmare, changes can be done in 2 days)
  – Most users are running the same software with the same application owner group profile; one major software vendor like JDE, MAPICS, etc. (add 3 days to write simple shell programs)
  – Multiple vendors where users run one or more software packages and switch between them (add 2 days to sort out how to approach the implementation and 5 days for programs)

Page 88: Estimation of Work Involved

• How well do you understand the security implementation on existing software? Add time to learn the application security design.
• Are your users running ODBC, IFS, or file transfer? Add 2-4 days to write exit programs to swap group profiles. The design MUST use swap, because you cannot adopt in server applications.

Page 89: Estimation of Work Involved

• Are users running query tools over production files? NO: are you sure? Can save 2-5 days. YES: the next question is important…
• How security sensitive is your data?
  – Low: users can "read" data for PC downloads and query without restrictions (setting public authority to *USE is OK)
  – High: users should not access data except in selected applications (add 5-7 days to adopt read-only access)

Page 90: Estimation of Work Involved

• Do you have a test environment, or must changes be made on a production system? NO: add 50% if you must avoid disrupting production.
• Are you running data mining or other tools? YES: add 10-20% to the total estimate to get the tools to run with proper access.