Having your host connected to a network is a security exposure. FTP on a *non* z/OS host is a grave risk, and should be disabled. Auditors that don't understand the difference are also risks.
FTP in and of itself does not grant access to data. It does facilitate access to data with a UACC other than NONE. To my thinking, *that* is the exposure, not FTP, TSO, or any other kind of host access.

I personally like the RESTRICTED attribute. There, access has to be explicitly granted to each resource. UACC doesn't apply. I use that for several such situations. It is a little tricky to discover *all* of the needed resources.

HTH and good luck.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL
Sent: Tuesday, September 12, 2006 4:23 PM
To: [email protected]
Subject: Access to FTP

We recently found out (or rather our auditors found out) that you don't need a TSO segment to use FTP from a PC to z/OS. I tested with an id that was only defined to one CICS region. I could not sign on to TSO with it. But, I could access FTP.

Our security and audit people think this is a security exposure.

Two questions:
1. Is it?
2. If it is, how do we close it?

When in doubt. PANIC!!

