Ted MacNEIL wrote:
We recently found out (or rather our auditors found out) that you don't
need a TSO segment to use FTP from a PC to z/OS.
I tested with an id that was only defined to one CICS region.
I could not sign on to TSO with it.
But, I could access FTP.
Our security and audit people think this is a security exposure.
Two questions:
1. Is it?
2. If it is, how do we close it?
FTP access does not require TSO, it requires OMVS segment.
However there is also "default OMVS segment for everyone" - see
CL(FACILITY) BPX.DEFAULT.USER.
Having your own OMVS segment or a defaulted one, you also have access to ftp.
Is access to ftp dangerous?
It depends. In fact it is one of the interfaces, similar to IND$FILE in
TSO. Is IND$FILE dangerous? IMHO not, because a user can download only
those files he is permitted to. It can be UACC(READ) or an access list entry.
If you want to close ftp to those people you can do the following:
1. Close ftp server on z/OS. No ftp at all.
2. Delete BPX.DEFAULT.USER and use OMVS segments only. IMHO the most
reasonable method.
3. Play with some exits to deny ftp only.
4. Use TCP/IP router facilities to block ftp ports to specific networks.
Possibly ftp is needed to "internal" machines and few named external
ones, but not to thousands of clerks in the WAN.
--
Radoslaw Skorupka
Lodz, Poland
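As an added illustration of option 2 from the reply (this is not part of the original post or of the thread), a batch TSO job that first shows whether the catch-all default OMVS identity exists and whether the CICS-only id has its own segment, then gives a legitimate FTP user an explicit segment and removes the default. The job card, the userids CICSUSR and FTPUSR1, the group FTPGRP, and the UID/GID and path values are placeholders for the installation's own.

```jcl
//RACFOMVS JOB (ACCT),'OMVS AUDIT',CLASS=A,MSGCLASS=X
//*
//* Step 1: RLIST shows the BPX.DEFAULT.USER profile; its APPLDATA
//* names the default user/group that any id without an OMVS segment
//* inherits, which is what lets a TSO-less id reach the FTP server.
//* LISTUSER then shows whether the CICS-only id (CICSUSR, a
//* constructed sample userid) has a segment of its own.
//*
//AUDIT    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RLIST FACILITY BPX.DEFAULT.USER
 LISTUSER CICSUSR OMVS NORACF
/*
//*
//* Step 2 (the reply's option 2): give every user who legitimately
//* needs FTP or z/OS UNIX an explicit OMVS segment (the user's default
//* group also needs an OMVS GID), then delete the default profile so
//* ids without a segment, such as CICSUSR, lose FTP access. The REFRESH
//* is needed because FACILITY is normally RACLISTed in storage.
//* FTPUSR1, FTPGRP, UID 1001, GID 500 and the paths are placeholders.
//*
//REMEDY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ALTGROUP FTPGRP OMVS(GID(500))
 ALTUSER FTPUSR1 OMVS(UID(1001) HOME('/u/ftpusr1') PROGRAM('/bin/sh'))
 RDELETE FACILITY BPX.DEFAULT.USER
 SETROPTS RACLIST(FACILITY) REFRESH
/*
```

In practice run the two steps as separate jobs: review the AUDIT output and submit REMEDY only once every user who should keep FTP has its own segment. On z/OS 2.1 and later BPX.DEFAULT.USER is no longer honoured, so there the RLIST mainly serves to find a stale profile.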
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html