Security considerations with DDM

From Try-AS/400
Revision as of 23:34, 23 July 2022 by PoC (talk | contribs) (New)

DDM uses the QUSER profile by default when another machine accesses files. This is a potential security issue, because data can then be read and written by an anonymous user.

On the AS/400, DDM is used by creating a DDM file with the CRTDDMF command and pointing the RMTFILE parameter fields to a valid file on the remote server.

The RMTLOCNAME parameter can point either to an SNA/APPN node or to an IP host name.

  • APPN/APPC is enabled by default on OS/400. As soon as an APPN adjacency has been configured between any two machines, DDM can be used. It is an APPC service that is started on demand by a requesting APPC client. Given the usually limited reach of SNA networks today, and the APPN configuration steps that must already have been carried out, the chance of a truly anonymous attacker abusing this capability is low.
  • If you don't need DDM functionality over TCP/IP transport, simply run ENDTCPSVR SERVER(*DDM) and make sure autostart is disabled (CHGDDMTCPA AUTOSTART(*NO)).
  • If you need DDM functionality over TCP/IP transport, make sure you set PWDRQD to at least *YES, and preferably to *ENCRYPTED (CHGDDMTCPA PWDRQD(*ENCRYPTED)).

Weblinks