Top 7 IBM i Security Vulnerabilities and How to Address Them 

Your IBM i system may be your most trusted platform—but trust without vigilance is dangerous.  

Many organizations unknowingly run on outdated security levels, allow unrestricted file shares, or leave user accounts wide open for exploitation.  

Hackers don’t need to outsmart IBM i—they just exploit the gaps left by weak IBM i security practices. The consequences are costly: encrypted data, stolen customer records, and compliance fines that could take years to recover from. 

The good news? Each of these vulnerabilities is preventable.

This blog uncovers the top seven IBM i security risks and shares practical fixes to help you take control before it’s too late.

File Shares Create Ransomware Entry Points

File shares often provide unrestricted access to sensitive areas of the system, such as the root directory. When a client device is compromised with malware, mapped drives connected via file shares allow the malware to infiltrate IBM i. Ransomware variants no longer just encrypt data; they also exfiltrate it, and threaten exposure if ransoms aren’t paid. 

IBM i Security Solution: 

  • Reduce file shares to an absolute minimum. Remove all unnecessary shares and convert any read-write shares to read-only wherever feasible. 
  • Use IBM i 7.5’s authorization lists to restrict file share access to specific users and roles. 
  • Establish regular audits of file shares and user permissions to identify and mitigate risks before they are exploited. 
  • Block user-level mapping to root and critical system directories. 

For organizations that rely heavily on file shares for operational workflows, invest in training to ensure users understand the risks of improper file sharing. Empower admins to conduct simulations of ransomware attacks to test the system’s ability to block malware at this entry point.

IBM i Security Levels Fail to Meet Modern Standards

Systems that run at QSECURITY levels 20 or 30 operate under dangerously outdated settings. At level 20, every user has All Object authority, which means they can access or modify anything on the system. Even level 30, which improves user restrictions slightly, falls short of today’s compliance and security demands. 

IBM i Security Solution: 

  • Upgrade all systems to at least level 40, which provides robust user restrictions. Level 50, while more stringent, is only necessary for systems that handle highly sensitive data or regulatory requirements. 
  • Before any upgrades, use SQL services and audit journals to identify potential conflicts or access gaps that may arise at higher levels. 
  • Create a transition plan for systems at level 20. Ensure all users have their permissions reviewed and adjusted before removing All Object authority. 

Organizations that run critical workloads on IBM i should implement automated monitoring tools to flag systems that still operate at low security levels. Pair these efforts with policy-driven enforcement to prevent reversion to older levels.

Weak Passwords Invite Easy Attacks

Weak password policies remain one of the easiest vulnerabilities to exploit. Older configurations at password levels 0 or 1 restrict password length and complexity and make brute-force attacks easier. Hardcoded passwords in applications, FTP connections, and scripts further weaken security.

IBM i Security Solution: 

  • Move to password level 3 to enable passphrases up to 128 characters. These longer, more complex passwords make brute-force attacks exponentially harder. 
  • Audit all system connections and integrations for hardcoded credentials. Replace them with dynamic or encrypted alternatives where possible. 
  • Enforce advanced password rules, such as requirements for uppercase letters, special characters, and numbers. 

Beyond stronger passwords, educate users about social engineering threats like phishing, which target credential security. Pair strong password policies with multi-factor authentication (MFA) for critical systems.

Misconfigured User Profiles Lead to Overexposure

Excessive permissions, such as All Object or Config, expose systems to accidental or malicious damage. Inactive profiles add to the IBM i security risk and leave dormant credentials vulnerable to hackers.

IBM i Security Solution: 

  • Regularly review user profiles to ensure they align with the principle of least privilege. Grant only the permissions necessary for each user’s role. 
  • Use IBM i’s authority collection to determine the exact permissions needed by service accounts and privileged users, then refine them accordingly. 
  • Disable or delete inactive profiles immediately. With IBM i 7.5, automate this process with SQL services to save time and reduce human error. 
  • Conduct quarterly audits of user permissions to ensure no drift occurs over time. 

Establish a clear process to onboard and offboard users with a strong focus on IBM i security. Include automatic expiration dates for temporary accounts and periodic reviews of privileged users’ activity logs.
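
As an added example (not from the original article), the read-only Db2 for i query below uses the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES SQL services to list inactive and highly privileged profiles for the reviews described above, including authority inherited through group membership. The 90-day threshold, the 'Q' name filter for IBM-supplied profiles, and reading "Config" as *IOSYSCFG are assumptions.

```sql
-- Added example, not from the original article. Read-only review query.
-- Assumptions: 90-day inactivity threshold; names starting with 'Q' are
-- treated as IBM-supplied and skipped; *IOSYSCFG is taken as "Config".
WITH risky_groups AS (
    -- Group profiles that carry a high-risk special authority themselves
    SELECT AUTHORIZATION_NAME AS group_name
      FROM QSYS2.USER_INFO
     WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
        OR SPECIAL_AUTHORITIES LIKE '%*IOSYSCFG%'
),
inherited AS (
    -- Members inherit their groups' special authorities
    SELECT e.USER_PROFILE_NAME AS member_name,
           LISTAGG(RTRIM(e.GROUP_PROFILE_NAME), ' ')
               WITHIN GROUP (ORDER BY e.GROUP_PROFILE_NAME) AS via_groups
      FROM QSYS2.GROUP_PROFILE_ENTRIES e
      JOIN risky_groups g ON g.group_name = e.GROUP_PROFILE_NAME
     GROUP BY e.USER_PROFILE_NAME
),
reviewed AS (
    SELECT u.AUTHORIZATION_NAME, u.STATUS, u.LAST_USED_TIMESTAMP,
           u.SPECIAL_AUTHORITIES, i.via_groups,
           -- Enabled but unused past the threshold; a never-used profile
           -- is aged from its creation time so new accounts are not flagged
           CASE WHEN u.STATUS = '*ENABLED'
                 AND COALESCE(u.LAST_USED_TIMESTAMP, u.CREATION_TIMESTAMP)
                     < CURRENT TIMESTAMP - 90 DAYS
                THEN 'Y' ELSE 'N' END AS inactive,
           -- High-risk authority held directly or through a group
           CASE WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
                  OR u.SPECIAL_AUTHORITIES LIKE '%*IOSYSCFG%'
                  OR i.via_groups IS NOT NULL
                THEN 'Y' ELSE 'N' END AS privileged
      FROM QSYS2.USER_INFO u
      LEFT JOIN inherited i ON i.member_name = u.AUTHORIZATION_NAME
     WHERE u.AUTHORIZATION_NAME NOT LIKE 'Q%'
)
SELECT AUTHORIZATION_NAME, STATUS, LAST_USED_TIMESTAMP,
       SPECIAL_AUTHORITIES, via_groups, inactive, privileged,
       -- Command text for an administrator to review; nothing is executed
       CASE WHEN inactive = 'Y'
            THEN 'CHGUSRPRF USRPRF(' CONCAT RTRIM(AUTHORIZATION_NAME)
                 CONCAT ') STATUS(*DISABLED)'
       END AS suggested_command
  FROM reviewed
 WHERE inactive = 'Y' OR privileged = 'Y'
 ORDER BY privileged DESC, inactive DESC, AUTHORIZATION_NAME;
```

Profiles that are both inactive and privileged sort to the top of the result and are the first candidates for review.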

Data Access Remains Largely Unsecured

Data in IBM i environments is often underprotected due to public authority settings like *ALL, which grant unrestricted access to sensitive files and directories. Organizations frequently overlook the Integrated File System (IFS), a key target for ransomware.

IBM i Security Solution: 

  • Implement a deny-by-default policy for public authority, which restricts access to sensitive data unless explicitly authorized. 
  • Use IBM i 7.4 and later to enable authority collection for database files and IFS directories, to identify who accesses what and how often. 
  • Encrypt sensitive data, especially for backups and critical workloads. 
  • Define granular permissions for specific user groups and remove public access entirely. 

Organizations that store customer or financial data should implement regular vulnerability scans to identify misconfigurations or overlooked files with excessive permissions.

Network Security is Poorly Monitored

External firewalls protect the perimeter but fail to monitor internal IBM i traffic. Without visibility into network activity, organizations cannot detect or block unauthorized use of FTP, ODBC, or SQL. 

IBM i Security Solution: 

  • Deploy exit programs to control access to remote protocols, such as FTP, SSH, and SQL. 
  • Configure alerts for unauthorized access attempts. Integrate these alerts into your current SIEM (Security Information and Event Management) solution for centralized monitoring.
  • Limit protocol access to essential users and use network security rules to enforce restrictions. 

Conduct regular tests of exit programs and remote connection rules to ensure they remain effective as workflows and user needs evolve.

Defense-in-Depth Strategies

Reliance on a single security measure, such as passwords or firewalls, leaves gaps that attackers can exploit. A comprehensive defense-in-depth strategy layers multiple controls to address vulnerabilities from different angles. 

IBM i Security Solution: 

  • Set strong system values as a baseline for all configurations. Enforce strict password rules, lock down file shares, and remove public permissions on sensitive objects. 
  • Develop additional layers, such as encryption for sensitive files, exit programs for remote access, and monitoring tools for real-time insights. 
  • Regularly test your defenses with penetration tests to identify and address gaps. 

Treat IBM i security as a living process. Establish policies for quarterly reviews of all security measures and adjust as threats evolve. 

Take the Next Step: Achieve Zero Breaches with Zero Trust 

IBM i security is no longer set it and forget it. Today’s threats require an active, multi-layered defense strategy that evolves with your organization’s needs.

The IBM i security vulnerabilities explored in this blog—file shares, weak password policies, misconfigured profiles, and others—underscore one truth: security depends on the choices you make. Every unchecked risk opens the door to breaches, ransomware, or data loss.

But where do you start? A structured, expert-backed approach matters. Download the eBook, Achieve Zero Breaches with Zero Trust: IBM i Security Strategies for 2025, to uncover a roadmap tailored for IBM i environments. Learn how Zero Trust principles secure every layer of your system and create a proactive defense against modern threats.