Security considerations for workstation session passwords

The exchange of passwords between workstations and servers is a significant security concern. There are several factors to consider when planning workstation session password security.

Typically, when a PC user starts the connection software, such as IBM i Access, the user types the user ID and password for the server once. The password is encrypted and stored in PC memory. Whenever the user establishes a new session to the same server, the PC sends the user ID and password automatically.

Some client/server software also provides the option of bypassing the Sign On display for interactive sessions. The software will send the user ID and encrypted password when the user starts an interactive (5250 emulation) session. To support this option, the QRMTSIGN system value on the server must be set to *VERIFY.

When you choose to allow bypassing the Sign On display, you need to consider the security trade-offs.

Security exposure: For 5250 emulation or any other type of interactive session, the Sign On display is the same as any other display. Although the password is not displayed on the screen when it is typed, the password is sent over the link in unencrypted form just like any other data field. For some types of links, this may provide the opportunity for a would-be intruder to monitor the link and to detect a user ID and password. Monitoring a link by using electronic equipment is often referred to as sniffing. You can use Secure Sockets Layer (SSL) to encrypt communication between IBM i Access and the IBM i platform. This protects your data, including passwords, from sniffing.

When you choose the option to bypass the Sign On display, the PC encrypts the password before it is sent. Encryption avoids the possibility of having a password stolen by sniffing. However, you must ensure that your PC users practice operational security. An unattended PC with an active session to the system provides the opportunity for someone to start another session without knowing a user ID and password. PCs should be set up to lock when they are inactive for an extended period, and they should require a password to resume the session.

Even if you do not choose to bypass the Sign On display, an unattended PC with an active session represents a security exposure. By using PC software, someone can start a server session and access data, again without knowing a user ID and a password. The exposure with 5250 emulation is somewhat greater because it requires less knowledge to start a session and begin accessing data.

You also need to educate your users about the effect of disconnecting their IBM i Access session. Many users assume, logically but incorrectly, that the disconnect option completely stops their connection to the server. In fact, when a user selects the option to disconnect, the server makes the user’s session available for another user. However, the client’s connection to the server is still open. Another user can walk up to the unprotected PC and access server resources without entering a user ID and password.

You can suggest two options for your users who need to disconnect their sessions:
  • Ensure that their PCs have a lockup function that requires a password. Locking makes an unattended PC unavailable to anyone who does not know the password.
  • To completely disconnect a session, either log off Windows or restart the PC. This ends the session to the system.
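The inactivity lock and password-on-resume controls recommended above can be audited on a Windows workstation. The following PowerShell check is an added example, not part of the IBM documentation or of IBM i Access; it assumes the lock is configured through the per-user screen-saver settings under HKCU:\Control Panel\Desktop (the ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut values), uses an assumed 900-second idle threshold, and the function name Get-InactivityLockStatus is this example's own. Sites that enforce the lock through Group Policy should check the corresponding policy keys instead, which this example does not cover.

```powershell
# Added example: report whether the current user's workstation locks on
# inactivity and requires a password to resume. Not IBM's code.
function Get-InactivityLockStatus {
    param(
        # Longest acceptable idle time before the lock engages (assumed threshold).
        [int]$MaxIdleSeconds = 900
    )

    $key = 'HKCU:\Control Panel\Desktop'
    $desktop = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # These values are stored as REG_SZ strings ("1"/"0", seconds); a missing value counts as 0.
    $active  = if ($desktop.ScreenSaveActive)    { [int]$desktop.ScreenSaveActive }    else { 0 }
    $secure  = if ($desktop.ScreenSaverIsSecure) { [int]$desktop.ScreenSaverIsSecure } else { 0 }
    $timeout = if ($desktop.ScreenSaveTimeOut)   { [int]$desktop.ScreenSaveTimeOut }   else { 0 }

    $findings = @()
    if ($active -ne 1) {
        $findings += 'Inactivity lock (screen saver) is not enabled.'
    }
    if ($secure -ne 1) {
        $findings += 'Resuming the session does not require a password (ScreenSaverIsSecure is 0).'
    }
    if ($timeout -le 0 -or $timeout -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is $timeout s; expected between 1 and $MaxIdleSeconds s."
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        User             = $env:USERNAME
        LockEnabled      = ($active -eq 1)
        PasswordOnResume = ($secure -eq 1)
        IdleSeconds      = $timeout
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Usage: run in the context of the user whose workstation is being checked.
Get-InactivityLockStatus -MaxIdleSeconds 900 | Format-List
```

A Compliant value of False with a non-empty Findings list identifies a PC that, left unattended, would expose the open IBM i Access connection described above; the same object can be collected from many workstations and filtered on the Compliant property.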