Several articles have been written about how to change the sign-on display file. But why should you change the sign-on display file and what changes should you make to stay compliant and secure?

First, to learn more about how to change the display file, view the following articles:

IBM Information center

System iNetwork article by Gary Guthrie

Additionally, I recommend making the following security/compliance related changes to the sign-on display file.

First, remove the literals for "Initial Program," "Initial Menu," and "Current Library." Do not delete the data fields themselves, just the literal text. Then, set display attributes to protect (PR) and non-display (ND) for the associated data fields. These data fields must exist on the screen, but they should be protected and hidden from view. That leaves only a prompt and input-capable fields for user ID and password. Gary Guthrie's article above explains this part very well.

Removing the capability to input the initial program, menu, and current library will prevent a user from overriding these values that are stored in their user profile. A user with Limit Capabilities *NO can override any of these by simply typing them into the sign-on display. So we want to hide and protect the fields in order to force a user to go to their pre-configured initial program instead of going to a program like QCMD, which would present the command entry display.

Next, insert some "go away" text on the screen. This text should say something like this:

This computer system contains private and proprietary information of XYZ Company. If you are not explicitly authorized by XYZ Company to enter this system at this time, disconnect immediately. Violators will be prosecuted.

Check with your security policy or legal department for the exact wording to use at your company.

Note: Never change the sign-on Display file used by your controlling subsystem--usually named QCTL. Only change the display for your application interactive subsystems like QINTER. The reason for this is that if you make a mistake on the QCTL or other controlling subsystem sign-on display, you may not be able to sign-on to the system console.

Don't Give It All Away on the Sign-on Screen

There's another issue with the sign-on screen that you may want to address: The default messages sent to a user who enters an invalid user ID or password provides too much information to someone trying to break in to your system. You should modify the following sign-on error messages in message file QCPFMSG so as to give an attacker fewer clues to why access is being refused. The message IDs and default text are:

CPF1107 -- Password not correct for user profile
CPF1118 -- No password associated with user &1
CPF1120 -- User &1 does not exist
CPF1133 -- Value &1 is not a valid name

Use the WRKMSGD (Work with Message Description) command to change the message text on these messages to say something simple like "Log-on refused." Because message file QCPFMSG is refreshed in an operating upgrade, you'll need to make this change each time you install a new release.