If you expose the SE/HMC LAN to the corporate LAN, then you would be subject to the same restrictions. Such 'default' IDs would attract attention, and, depending on the specific auditor, there might be a demand to disable/delete them.

And this makes perfect sense if you think about it in a MS context. But, even so, these countermeasures don't seem to improve the risk/benefit much that I can see. I remain a huge fan of physical air gaps.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jousma, David
Sent: Tuesday, April 07, 2009 7:43 PM
To: [email protected]
Subject: Re: HMC and LDAP

It is worth noting that we chose to leave the IBM supplied accounts like SYSPROG, ACSADMIN, SERVICE in place as they are for this exact reason; however, of the 10 accounts defined, only 2 of us know those passwords.

_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Services
[email protected]
1830 East Paris, Grand Rapids, MI 49546 MD RSCB1G
p 616.653.8429 f 616.653.8497

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Hal Merritt
Sent: Tuesday, April 07, 2009 2:24 PM
To: [email protected]
Subject: Re: HMC and LDAP

Kind of a chicken and egg. How can you IPL if your LDAP server is not responding? Remember, as is, the MF can shrug off any LAN issues. You have the power to put the operation of the MF at the mercy of the company LAN.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Corjan Nota
Sent: Tuesday, April 07, 2009 10:44 AM
To: [email protected]
Subject: Re: HMC and LDAP

We are thinking of authenticating operators on our company-wide LDAP server residing on AIX behind a VPN with SSL/TLS. Not my preferred platform, but I can live with it for now and we'll see how things are going. Security management defines all operator userids on the HMC and in the Active Directory. I don't expect operator handling will go much better, but maybe there will be more awareness and ...it's a management decision.
Maybe we can migrate to the LDAP Tivoli Directory Service on z/OS in the near future (not implemented yet), but then we will get specific operator authentication problems if this LDAP system must be IPL-ed. Whatever we choose: an envelope procedure is always necessary.

Corjan Nota

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

