Disable default user passwords

A basic rule for preventing unwanted access to our systems is not to use the default password when creating a user. The default password is usually equal to the profile name, so any user with very basic knowledge of the system could gain access.
To find out our current situation, we can analyze the existing passwords with a system tool:
- Go to the SECTOOLS menu (GO SECTOOLS).
- Select "1. Analyze default passwords" (the ANZDFTPWD command). This command accepts several options:
  - *NONE: Just print the list of users whose password is the same as the profile name.
  - *DISABLE: Disable the user.
  - *PWDEXP: Expire the user's password to force a change at the next logon.
- To evaluate our current state, the value *NONE is recommended.
- We can submit it as a batch job, since it may take a few minutes:
- SBMJOB CMD(ANZDFTPWD ACTION(*NONE)) JOB(ANZDFTPWD)
- Then analyze the resulting list and act accordingly.
- If we do not control the creation of users, we can schedule this command, but with the *DISABLE or *PWDEXP option:
- ADDJOBSCDE JOB(ANZDFTPWD) CMD(ANZDFTPWD ACTION(*DISABLE)) FRQ(*MONTHLY) SCDDATE(*MONTHEND) SCDDAY(*NONE) JOBQ(*LIBL/QSYSNOMAX) TEXT('Disable default user password')
- In this case we have chosen to disable, automatically and every month, the users whose password is equal to the profile name, but we could instead have chosen to expire their passwords and force a change.
- It is advisable to perform these actions with the QSECOFR user profile.
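Before scheduling ANZDFTPWD with *DISABLE, it helps to see which of the affected profiles are privileged or actively used. The query below is an added example, not part of the original article; it assumes a release where the QSYS2.USER_INFO view exposes the USER_DEFAULT_PASSWORD column, and the triage labels are only one possible policy.

```sql
-- Added example: triage of profiles that still have a default password.
-- Assumptions: QSYS2.USER_INFO provides USER_DEFAULT_PASSWORD, and the
-- caller has *ALLOBJ and *SECADM (otherwise that column is NULL and the
-- query returns no rows).
SELECT authorization_name   AS user_profile,
       status,
       previous_signon,          -- NULL when the user has never signed on
       set_password_to_expire,   -- YES if PWDEXP(*YES) is already set
       special_authorities,
       text_description,
       CASE
         -- Privileged profiles are the most urgent, whatever their status
         WHEN special_authorities LIKE '%*ALLOBJ%'
           OR special_authorities LIKE '%*SECADM%'
              THEN '1 - privileged: fix immediately'
         -- Enabled but never used: disabling should not affect anyone
         WHEN status = '*ENABLED' AND previous_signon IS NULL
              THEN '2 - never signed on: candidate for *DISABLE'
         -- Enabled and in use: expiring forces a change without lockout
         WHEN status = '*ENABLED'
              THEN '3 - in use: candidate for *PWDEXP'
         ELSE      '4 - already disabled'
       END                  AS triage
  FROM qsys2.user_info
 WHERE user_default_password = 'YES'
 ORDER BY triage, previous_signon;
```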
Another recommended action is to change the defaults of the command that creates user profiles (CRTUSRPRF) so that the password defaults to *NONE. A newly created user then has no password and cannot sign on to the system:
- CHGCMDDFT CMD(QSYS/CRTUSRPRF) NEWDFT('PASSWORD(*NONE)')
Afterwards we manually assign a password that meets the policies and force it to expire at the first logon, so that the user changes it to one of their own choosing:
- CHGUSRPRF USRPRF(New_User) PASSWORD(krl2_lt5vz) PWDEXP(*YES)