S 4.213 Protecting the login process under z/OS
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Access to z/OS systems must be protected. This applies especially to the login process. The following recommendations should be considered here:
- All services and ports that are not required for access should be blocked. Consideration should also be given to using RACF profiles to restrict the services and ports that are required, so that they can only be reached through the authorised access paths.
- Passwords should be handled as described in safeguard S 2.11 Provisions governing the use of passwords. Where z/OS systems can be accessed from public networks (Internet), it must not be possible for all IDs to be blocked through the entry of incorrect passwords. At present this can only be solved by the use of digital certificates. Consideration should be given to stopping the automation of the RACF reply for IDs that have the SPECIAL attribute. This prevents all IDs with the SPECIAL attribute from being blocked automatically.
- The file SYS1.UADS ensures that the system can still be accessed if RACF fails. Only IBMUSER or one (or more) emergency users should be entered in this file.
The recommendations described in safeguard S 4.15 Secure log-in also apply here.
Review questions:
- Is access to z/OS systems, especially to the login process, protected?
- Are all services and ports that are not required for access blocked in the z/OS system?