VERSIONS AFFECTED

Windows NT SNA Server 2.11 and 3.0

DESCRIPTION

When users attach through SNA Server to shared folders on an AS/400 whose security level is set to 30 or higher, and security on the folders has been set to allow limited access, every user who connects after the first acquires the first user's access permissions to shared folders.

This problem occurs when SNA Server shares a single Local APPC LU when communicating with an AS/400. When security is set to level 30 or higher, the security for shared folders on the AS/400 is tied to the controller. In this case, the AS/400 views the controller as its Remote LU, that is, SNA Server's Local APPC LU.

The transaction program that supports the shared folders function on the AS/400 identifies a user based on the SNA Server Local APPC LU name being used. Therefore, if multiple SNA Server users share the same Local APPC LU for use with shared folders, they are able to view each other's AS/400 folders. Due to the design of the AS/400 shared folders feature, the first shared folders user to connect over a Local APPC LU determines the AS/400 security rights for the remaining users who connect over the same Local APPC LU.

For Microsoft's information on this, see their Knowledge Base article: http://www.microsoft.com/kb/articles/q138/0/01.htm

DEFENSE

Create a separate LU (local to the SNA Server) for each user and pair each LU with the AS/400's LU. Each user then accesses a separate controller and has appropriate access to shared folders. In addition, each shared folders client application must be configured with a unique Local APPC LU alias. If you prefer to leave this field empty, the SNA Server administrator can assign a default Local APPC LU alias for each user on the user record, using SNA Admin (2.x) or SNA Server Manager (3.x).
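The check below is an added example, not Microsoft's or IBM's code: it audits a list of user-to-LU assignments for any Local APPC LU alias that more than one shared folders user would end up on. The row layout, the user and LU names, the rule that a client-configured alias takes precedence over the user-record default, and the case-insensitive comparison are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (NOT an SNA Server export format): one row per shared
# folders user as (user, alias set in the client, default alias on user record).
SAMPLE_ASSIGNMENTS = [
    ("alice", "LU001", ""),
    ("bob",   "",      "LU002"),   # client field empty, default on user record
    ("carol", "lu001", ""),        # same LU as alice, typed in lower case
    ("dave",  "",      "LU002"),   # same default as bob
    ("erin",  "",      ""),        # nothing assigned anywhere
    ("frank", "LU006", "LU002"),   # own client alias, shared default unused
]

def effective_alias(client_alias, default_alias):
    """Alias a user would connect with (assumption: client value wins,
    otherwise the administrator's default; compared case-insensitively)."""
    alias = (client_alias or "").strip() or (default_alias or "").strip()
    return alias.upper() or None

def audit_lu_assignments(rows):
    """Return (shared, unassigned): aliases used by more than one user,
    and users with no Local APPC LU alias at all."""
    by_alias = defaultdict(list)
    unassigned = []
    for user, client_alias, default_alias in rows:
        alias = effective_alias(client_alias, default_alias)
        if alias is None:
            unassigned.append(user)
        else:
            by_alias[alias].append(user)
    shared = {a: sorted(u) for a, u in by_alias.items() if len(u) > 1}
    return shared, sorted(unassigned)

def report(rows):
    """One finding per line, shared LUs first."""
    shared, unassigned = audit_lu_assignments(rows)
    lines = [f"SHARED {a}: {', '.join(u)} (all get the first connector's rights)"
             for a, u in sorted(shared.items())]
    lines += [f"UNASSIGNED {u}: no alias on client or user record"
              for u in unassigned]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ASSIGNMENTS)))
```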

MICROSOFT'S STATUS

According to Microsoft, "IBM has stated that this is 'by design,' since shared folders were originally intended to be accessed directly and not over parallel sessions from a single LU-LU pair. The AS/400 is manufactured by IBM, a vendor independent of Microsoft; Microsoft makes no warranty, implied or otherwise, regarding this product's performance or reliability."