Bugtraq mailing list archives

Re: Password Issue in Axent ESM 5.0.1 Console


From: toddag98 () YAHOO COM (Todd Hathaway)
Date: Sun, 16 Jan 2000 00:31:38 -0800


First of all, it was my intent by posting this message to be informational to all that Axent ESM, a compliance monitoring tool by function that by default checks for the regular changing of account passwords at the OS level, has its own internal issue with attempting to change its own console password. This has nothing to do with manager level passwords, but rather the console password that is independent of the console operator. The console that is currently available in version 5.0.1 stores all manager data in an Access DB file (c:\program files\Axent\ESM Enterprise Console\Database\user.mdb) locally on the user's machine after policy runs are viewed and any trend analysis is performed across various managers.

The workaround that Axent proposes is manager-related only and does not fix the local password issue for the console. The "connect as" feature on the manager that Toomey refers to only allows you to connect to the manager and does not update the local database, because the password passed to the database is still not recognized by Access due to the change in the console that is not linked back to the DB. The local database stores all manager data after its viewing, and by following Axent's original workaround of disabling the Access password on the database file, the user leaves all vulnerability information for his agents in an Access DB without a password. This becomes a security issue if the local machine is compromised. And considering the console runs only on NT or Windows 95, this becomes very easy. Axent continuously fails to thoroughly QA their products, and this is only a defense for poor product management, not a valid workaround. It should also be noted that Access is not a secure mechanism for storing vulnerability data and that passwords on Access DBs are easily cracked; therefore disabling the password really means nothing more than a few minutes saved in a compromise of the local system running the console.

My original intent was to point out the irony in a compliance monitoring tool from a company that claims to be a leader in Security Tools not being able to live up to its own standards. However, I guess this has become a much bigger issue in which Axent has once again shown poor QA and product management. After further discussions with Axent about this issue, they have acknowledged this issue, and ESM Product Management (I have no knowledge of Toomey being related to ESM product management) states that this is definitely an embarrassing issue that they will address as soon as a fix is available.
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com