Try this: http://www.as400.ibm.com/tstudio/secure1/advisor/secwiz.htm
-----Original Message----- From: Mark Wolcenski [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 28, 2001 9:36 AM To: [EMAIL PROTECTED] Subject: AS/400 and security assessment Greetings, I now have my first security client and am conducting an initial -- and very limited -- security assessment (< 40 hrs) for an AS/400 based firm. It's a greatly cutback first part of a complete, three-part security assurance strategy. Background: This client is about to open up his systems to 3000+ internet located users. The new web-facing system will provide hooks, via websphere technology, to access AS/400 V5R1 databases. This is a very risky move (albeit absolutely necessary) from a paper based data (fax) input by local, on site, employee users to real-time input via internet based users. My role: The initial work is limited to vulnerabilities related to a few, non-AS/400 elements (results in needed associated patches/hotfixes/updates and recommended configs,et al); a limited review of their very short computer usage/security policy; and lastly, the reason for this posting, I will be commenting on AS/400 V5R1. This last item will be in the form of "notes" including a list recommended security sites and potential activities. There will be no vuln/pen testing on this run -- although I have and will continue to recommend this. My question: Does anyone have any "little" gems of wisdom to pass along to me regarding the AS/400 piece? Thanks! PS: In fact, I'll listen to anything anyone cares to pass on.
