> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL
> Sent: Tuesday, September 12, 2006 4:23 PM
> To: [email protected]
> Subject: Access to FTP
>
>
> We recently found out (or rather our auditors found out) that
> you don't need a TSO segment to use FTP from a PC to z/OS.
>
> I tested with an id that was only defined to one CICS region.
> I could not sign on to TSO with it.
> But, I could access FTP.
>
> Our security and audit people think this is a security exposure.
> Two questions:
> 1. Is it?
> 2. If it is, how do we close it?
>
> When in doubt.
> PANIC!!

Why would it be? Users can only download data in datasets to which they
have READ access. Users can only upload data into datasets to which they
have ALTER or maybe UPDATE access. Why does a CICS-only user have any
access whatsoever to any dataset? Since all access would be via CICS,
the user him/herself does not need access to the actual DSN. Sounds like
the security is too lax to me.

If you must "do something", then I guess you need to implement FTCHKPWD
exit to somehow determine if a user is allowed to "logon" to ftp.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

