First of all, it was my intent by posting this message to be informational to all that Axent ESM, a compliance monitoring tool by function that by default checks for the regular changing of account passwords at the OS level, has its own internal issue with attempting to change its own console password. This has nothing to do with manager level passwords, but rather the console password that is independent to the console operator. The console that is currently available in version 5.0.1 stores all manager data in an Access DB file (c:\program files\Axent\ESM Enterprise Console\Database\user.mdb) locally on the user's machine after policy runs are viewed and any trend analysis is performed across various managers.
The workaround that Axent proposes is manager-related only and does not fix the local password issue for the console. The connect as feature on the manager that Toomey refers to only allows you to connect to the manager and does not update the local database because the password passed to the database is still not recognized by Access due to the change in the console that is not linked back to the DB. The local database stores all manager data after its viewing, and by following Axent's original workaround of disabling the Access password on the database file, the user leaves all vulnerability information for his agents in an Access DB without a password. This becomes a security issue if the local machine is compromised. And considering the console runs only on NT or Windows 95, this becomes very easy.
Axent continuously fails to thoroughly QA their products and this is only a defense for poor product management, not a valid workaround. It should also be noted that Access is not a secure mechanism for storing vulnerability data and that passwords on Access DBs are easily cracked, therefore disabling the password really means nothing more than a few minutes saved in a compromise of the local system running the console.
My original intent was to point out the irony in a compliance monitoring tool from a company that claims to be a leader in Security Tools not being able to live up to its own standards. However, I guess this has become a much bigger issue in which Axent has once again shown poor QA and product management. After further discussions with Axent about this issue, they have acknowledged this issue and ESM Product Management (I have no knowledge of Toomey being related to ESM product management) states that this is definitely an embarrassing issue that they will address as soon as a fix is available.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:39 PDT