Hello,

I have been involved in the implementation of Control SA where I work, and although my knowledge is still lacking, here is some more info.

Control SA is made up of:

Enterprise Security Station (ESS): This is the central administration database that holds a list of all employees (known as Enterprise Users). Each employee in the company has an EU account. This central account is then linked to every other account that the user has on various systems around the company (i.e. Windows domain account, Unix account, Exchange account, etc etc) through the use of SA Agents.

SA Agents: These are agents that communicate with various platforms (Windows, Unix, Exchange and lots more.. the list is really quite good) and manage that system (add accounts, delete accounts, update password etc).

Example: Employee named Joe Smith has an Enterprise User in Control SA called 'jsmith'. This EU is then connected to Joe's Unix account named 'joe' on some Unix box, as well as his 'jsmith' account on the local Windows domain and his Exchange mailbox called 'joesmith'.

Now if the security administrators want to change Joe's password, they can do so for all of Joe's accounts from the central EU account and it will propagate to all of Joe's accounts. Similarly, if Joe changes his password on the Unix box, this can propagate to all of Joe's other accounts (there are ESS options to turn this feature on or off).

If Joe leaves the company, instead of having no idea which machines Joe has accounts on (or what they are named), we just simply delete his EU record and Control SA will delete all his accounts on all systems (as long as they have been linked to his EU record).

SA Agents part 2: SA Agents are sometimes installed on the machine that needs to be managed, i.e. Unix SA Agents; others don't need to be installed on the machine to be managed, i.e. Windows Domain Agent and Exchange Agent - they just need a valid domain administrator account to work with.

ESS keeps a picture of what accounts are where by communicating with the SA Agents. The SA Agent can inform the central ESS that the description for user 'joe' on some Unix box has changed and pass that info along. In this way the Agents are non-obtrusive in that they don't change the way authentication works on the system in question; they just intercept changes and propagate that info to the central ESS, or propagate changes from the ESS to the local system (i.e. password change).

The real power comes from using things like job roles to automate creating accounts on all systems that a "HR" employee will need in one easy step.

All communication between ESS and SA Agents can be encrypted, the strength of which I'm unsure.

ESS is actually made up of more than just a database. It has gateways and routers that receive SA Agent updates and pass them on to the database.

Caveat: It's not all that easy to implement, but depends on the systems and process that it will integrate with. It can take a while to get your head around the way BMC have done things. Often I find myself coding scripts to help with automation and feel as if these should have come standard.

From a pen-test point of view, I haven't done any testing. There were some buffer overflow fixes recently for some BMC products, I believe. I have a feeling that some of the ways that BMC have chosen to do things might be "questionable".

Regards,
Myxt

> -----Original Message-----
> From: desrosiers1at_private [SMTP:desrosiers1at_private]
> Sent: Thursday, 16 May 2002 11:13
> To: pen-testat_private
> Cc: desrosiers1at_private
> Subject: BMC Control-SA product
>
> Hello to all...
>
> I have a question that I hope will not be vague enough to
> just solicit links. I am currently involved in a test
> that involves the deployment of a product made by BMC
> called Control-SA as the front-end authentication
> mechanism. I understand how the user profiles and a
> user's privileges are tasked in a central repository, but
> was more interested in how it performs the updates! Does
> anyone have experience or know of its caveats or
> weaknesses.
>
> Many thanks
> Johnny Blade
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
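
Added example (not part of either message, and not Control-SA's own code or API): a generic model of the EU-to-account linking described in the reply, showing why the "as long as they have been linked" condition matters when an EU record is deleted. All names and data are constructed; 'joe2' and 'adoe' are hypothetical accounts added for illustration.

```python
# Added example: a generic model of the EU-to-account links described above.
# Nothing here is Control-SA's API; all names and data are constructed.

# Enterprise User -> (system, account) pairs linked to that EU record.
LINKS = {
    "jsmith": {("unix-box", "joe"), ("windows-domain", "jsmith"),
               ("exchange", "joesmith")},
    "adoe": {("windows-domain", "adoe")},
}

# Accounts the agents report as existing on each managed system.
# ("unix-box", "joe2") is a second account of Joe's that was never linked.
DISCOVERED = {
    ("unix-box", "joe"), ("unix-box", "joe2"), ("unix-box", "root"),
    ("windows-domain", "jsmith"), ("windows-domain", "adoe"),
    ("exchange", "joesmith"),
}


def deprovision(links, discovered, eu):
    """Delete an EU record and every account linked to it.

    Returns (deleted, remaining_links, remaining_accounts); inputs are not mutated.
    """
    deleted = set(links.get(eu, set())) & discovered
    remaining_links = {u: set(a) for u, a in links.items() if u != eu}
    return deleted, remaining_links, discovered - deleted


def unlinked_accounts(links, discovered):
    """Accounts present on a system but linked to no EU.

    Deleting an EU record never removes these, so they need separate review.
    """
    linked = set().union(*links.values())
    return discovered - linked


def stale_links(links, discovered):
    """Links that point at accounts the agents no longer see."""
    return {eu: accts - discovered for eu, accts in links.items()
            if accts - discovered}


if __name__ == "__main__":
    deleted, links, accounts = deprovision(LINKS, DISCOVERED, "jsmith")
    print("deleted:", sorted(deleted))
    print("still unlinked:", sorted(unlinked_accounts(links, accounts)))
```

Running the unlinked-account check before removing an EU record shows which accounts would survive the deletion.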
This archive was generated by hypermail 2b30 : Fri May 17 2002 - 10:49:43 PDT