We will never stop saying it: the IBM i is the most securable platform, but it doesn't come that way. It's up to you to ensure that you properly secure access to your system, grant users the appropriate authority to objects, and put tools in place to prevent problems from happening. This includes the IFS.
The IFS is the integrated file system, designed to support streaming input and output and to manage the storage of those objects. The IFS has a tree structure, similar to a Windows PC, in which you can store files and objects. Through a common interface, users can access their locally stored files and other objects on the IBM i. It is the access to these other objects that makes securing your IFS properly so important: you don't want the wrong person getting to your data.
There are three things we recommend you do to protect your IFS from unwanted access or, worse, having your data corrupted or held ransom.
#1 – Eliminate unnecessary IFS file shares
If the root of your IFS is shared, eliminating those root shares should be your top priority. Sharing the root is like granting someone access to your C:/ drive. We've found that most people don't realize that everything below the root becomes accessible when you do this. That's right: when you share the root, you expose your system.
We recommend you change the root to *Read/Execute to best protect your IFS data. If you are on IBM i 7.4, you can take advantage of authority collection and run it over file shares. This will allow you to identify what is in use and make the change in a controlled way. However, this needs to be done carefully, as changing authorities can break applications, depending on how they are coded.
Once you have properly secured the root, you should look at the other folders below the root to ensure that they have the proper level of security too. It’s essential to start at the root first and work your way down the tree to ensure that you protect all of your sensitive files.
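As an added illustration (not part of the original article), the following sketch takes an inventory of file shares and reports which sensitive directories each share exposes, ordered root first and then down the tree as recommended above. The share names, paths, permission labels and the sensitive-directory list are constructed sample data; a real inventory would come from your own system.

```python
from pathlib import PurePosixPath

# Constructed sample inventory: (share name, shared IFS path, permission).
SHARES = [
    ("REPORTS", "/reports/monthly", "READ ONLY"),
    ("HOME", "/home/", "READ/WRITE"),
    ("ROOT", "/", "READ/WRITE"),
]
# Constructed list of directories treated as sensitive in this example.
SENSITIVE = ["/home/payroll", "/homework", "/payroll/exports",
             "/reports/monthly/2024"]

def _parts(path):
    # PurePosixPath normalises trailing slashes: "/home/" -> ('/', 'home')
    return PurePosixPath(path).parts

def covers(share_path, target):
    """True if target is the shared directory or lies anywhere below it.

    Compares whole path components, so a share on /home does not
    falsely match /homework the way a plain string prefix test would.
    """
    s, t = _parts(share_path), _parts(target)
    return t[:len(s)] == s

def audit(shares, sensitive):
    """Return one finding per share, root shares first, then by depth."""
    findings = []
    for name, path, perm in shares:
        findings.append({
            "share": name,
            "path": path,
            "root_share": _parts(path) == ("/",),
            "writable": perm != "READ ONLY",
            "depth": len(_parts(path)),
            "exposed": [d for d in sensitive if covers(path, d)],
        })
    # Review order: the root first, then work down the tree.
    findings.sort(key=lambda f: (not f["root_share"], f["depth"]))
    return findings

if __name__ == "__main__":
    for f in audit(SHARES, SENSITIVE):
        flag = "ROOT SHARE" if f["root_share"] else "share"
        mode = "read/write" if f["writable"] else "read-only"
        print(f"{flag:10} {f['share']:8} {f['path']:18} {mode:10} "
              f"exposes {len(f['exposed'])}: {f['exposed']}")
```

The root share reports every sensitive directory as exposed, while the `/home/` share exposes only `/home/payroll`.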
#2 – Tighten object-level security
Once you restrict access to your IFS file shares, you can start to put additional user and object-level security controls in place. The idea is you want to structure access to your IFS the same way you approach DB2 access, by providing users …