iSeries Access Application Administration: Securing Your Sensitive Data?

Article ID: 52820

In the last issue, I discussed the problem of authorized iSeries users downloading sensitive files to their PC. Many recent headlines point to this problem as a standard method used in privacy invasion and identity theft cases. I discussed the preferred method of using network server exit point programs as the means to control network data access and file transfers. As I stated, the other method I see people use in their attempts to control data access is the iSeries Access tool named Application Administration. Application Administration is pretty neat, but it is not a tool that can be used to secure your data, though many folks think it is.

What Is Application Administration?

When you install iSeries Access on a Windows client PC, you can optionally install the Application Administration feature. Application Administration provides a GUI for the system administrator to configure the control of certain client applications that have been identified as controllable. Some of the familiar controllable applications include:

  • 5250 Display and Printer Emulation
  • Data Transfer -- including FTP and iSeries Access file transfer
  • ODBC
  • OLE DB provider
  • Remote command -- command line
  • iSeries Navigator

You can also use Application Administration in conjunction with Management Central to enable you to control Windows client applications from a central system. I have seen many instances in which Application Administration has been used to try to control FTP, ODBC, file transfer, and other data access and data transfer tools. However, IBM did not design Application Administration to be used as a security tool or as a substitute for object-level security and network server exit point programs.

Are You Trying to Control FTP and ODBC with Application Administration?

When someone tells me that they use Application Administration to control who can use the iSeries FTP server to transfer files, I point them to the IBM statement that says:

"Do not use Application Administration as a security tool. Application Administration was designed for customizing the functions available on your client PC. You should not use Application Administration for administering security on your client PC . . ."

You can read further to learn what the exposures are.

Application Administration controls do not work at the i5 server level -- they work at the Windows PC client level. Changes made in Application Administration trickle down to the PC client the next time the client is loaded, or within 24 hours.

Let's say your user is running Linux, Unix, or an Apple Mac system. Any controls set by Application Administration are not in effect. The reason is that Application Administration places all PC client restrictions in the Windows registry. If the user is not running Windows, he has no restrictions imposed by Application Administration, and he can FTP all day long regardless of what Application Administration might say. Or, what if he uses REGEDIT to modify the Windows registry settings? Secure? NO!

So, How Do I Control Network Data Access?

If you read the last issue of the newsletter, you'll see my seemingly endless discussion of using network server exit point programs. To control access to your sensitive data, you need to secure the data and/or run exit point programs. You cannot reliably use Application Administration to secure this.
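As an added illustration of the server-side approach (this is not code from the article or from IBM), here is a sketch of a CL exit program for the FTP server request validation exit point, QIBM_QTMF_SERVER_REQ, format VLRQ0100. Because it runs on the server, it applies to every FTP client regardless of operating system or registry contents. The group profile FTPXFER and the message queue SECAUDIT are hypothetical names, and the program assumes a release that supports TYPE(*INT) in CL.

```cl
/* Added example: FTP server request validation exit program.       */
/* FTPXFER (group profile) and SECAUDIT (message queue) are         */
/* hypothetical names chosen for this sketch.                       */
PGM        PARM(&APPID &OPID &USRPRF &RMTIP &RMTIPLEN +
                &OPINFO &OPINFOLEN &ALLOW)
  DCL VAR(&APPID)     TYPE(*INT)  LEN(4)    /* 1 = FTP server       */
  DCL VAR(&OPID)      TYPE(*INT)  LEN(4)    /* requested operation  */
  DCL VAR(&USRPRF)    TYPE(*CHAR) LEN(10)   /* signed-on user       */
  DCL VAR(&RMTIP)     TYPE(*CHAR) LEN(15)   /* client IP address    */
  DCL VAR(&RMTIPLEN)  TYPE(*INT)  LEN(4)
  DCL VAR(&OPINFO)    TYPE(*CHAR) LEN(999)  /* file or command text */
  DCL VAR(&OPINFOLEN) TYPE(*INT)  LEN(4)
  DCL VAR(&ALLOW)     TYPE(*INT)  LEN(4)    /* output: 0=no, 1=yes  */
  DCL VAR(&GRPPRF)    TYPE(*CHAR) LEN(10)
  DCL VAR(&MSG)       TYPE(*CHAR) LEN(80)

  /* Fail closed: any unexpected error ends in a rejection.         */
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(DENY))
  CHGVAR     VAR(&ALLOW) VALUE(0)

  /* This program is only meant to be registered for the FTP server.*/
  IF         COND(&APPID *NE 1) THEN(GOTO CMDLBL(DENY))

  /* Restrict operation 6 (server sends a file to the client, that  */
  /* is, a download) and operation 9 (run a CL command).            */
  IF         COND((&OPID *NE 6) *AND (&OPID *NE 9)) +
               THEN(GOTO CMDLBL(PERMIT))

  /* Policy assumed for this sketch: only members of group FTPXFER  */
  /* may download files or run commands over FTP.                   */
  RTVUSRPRF  USRPRF(&USRPRF) GRPPRF(&GRPPRF)
  IF         COND(&GRPPRF *EQ 'FTPXFER') THEN(GOTO CMDLBL(PERMIT))

DENY:
  CHGVAR     VAR(&ALLOW) VALUE(0)
  CHGVAR     VAR(&MSG) VALUE('FTP request rejected for user ' +
               *CAT &USRPRF *CAT ' from ' *CAT &RMTIP)
  SNDMSG     MSG(&MSG) TOMSGQ(SECAUDIT)
  MONMSG     MSGID(CPF0000)   /* a logging failure must not loop    */
  RETURN

PERMIT:
  CHGVAR     VAR(&ALLOW) VALUE(1)
ENDPGM
```

The program takes effect once it is registered against the exit point with ADDEXITPGM and the FTP server has been restarted. Object-level authority on the files themselves still applies underneath whatever the exit program allows.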

You can review the IBM documentation for Application Administration at these links: V5R3 and V5R4.
