COMMAND
Axent
SYSTEMS AFFECTED
Axent ESM 5.0.1 Console
PROBLEM
Todd found the following. Axent's latest release of its ESM product
was redesigned and supposedly revamped around its new "Management
Console". The new management console is based on an underlying
Access Database. The console is password protected each time the
application is launched. However, when the user wants to change
the console password, the next time the application is launched
the database is inaccessible because the code does not update the
password on the database file.
The console that is currently available in version 5.0.1 stores
all manager data in an Access DB file
c:\program files\Axent\ESM Enterprise Console\Database\user.mdb
locally on the user's machine after policy runs are viewed and any
trend analysis is performed across various managers. The
workaround that Axent proposes is manager-related only and does
not fix the local password issue for the console (see below). The
connect as feature on the manager only allows you to connect to
the manager and does not update the local database because the
password passed to the database is still not recognized by Access
due to the change in the console that is not linked back to the
DB. The local database stores all manager data after it is viewed,
and by following Axent's original workaround of disabling
the Access password on the database file, the user leaves all
vulnerability information for his agents in an Access DB without
a password. This becomes a security issue if the local machine
is compromised. And considering the console runs only on NT or
Windows 95, this becomes very easy. Axent continuously fails to
thoroughly QA their products and this is only a defense for poor
product management, not a valid workaround. It should also be
noted that Access is not a secure mechanism for storing
vulnerability data and that passwords on Access DBs are easily
cracked, therefore disabling the password really means nothing
more than a few minutes saved in a compromise of the local system
running the console.
SOLUTION
However, the question is what the security issue is here. Sounds
like ESM is doing a good thing by passwording the console, but has
a bug in the password change code. If they're using the MS Access
native security, recovering the password is trivial, so in essence
there is no security there at all. One could make a case that
there should be, but the bug in password changing is hardly
relevant to that. Finally, tech support's recommendation that
the password be removed from the DB is perfectly reasonable when
you consider that it is utterly useless anyway.
The Work-Around:
1. Log into the ESM console with the new password.
2. Choose the "Connect as..." command from the pop-up menu by
right clicking on the ESM manager from which you received
the above error.
3. Enter the manager username and password in the manager
login dialog that is displayed, and check the "Save name
and password" option.
4. Repeat steps 2 and 3 for each ESM manager for which you
want to save the password.
5. From this point on, the ESM console will operate normally.
The above issue does not compromise the security of the ESM
manager or console. Only authenticated users can access ESM.
Please contact your AXENT support representative if you have
additional questions.