Password synchronization made easy

In today's mixed network environment, users have too many passwords to remember and each environment has different rules for password quality and aging. Understandably, users forget their passwords and frequently get locked out by each system's intruder-detection policy. Single sign-on (SSO) appears as an elegant solution, yet SSO might be too complex and expensive to implement in your environment. When SSO doesn't work, you need to consider consistent sign-on (CSO). CSO's core function is password synchronization.

SSO technology requires a user to log on once to an SSO application, which then actively signs the user on to all systems and applications. In contrast, CSO ensures that each user's password is the same on every system. The user still logs on to each system but doesn't have to remember different passwords. And when a user must change passwords, the CSO application replicates the change to each of the user's accounts. Many good CSO products are available, including Schumann Security Software's Security Administration Manager/Password Synchronization (SAM/PS) and Mercury Information Technology's P-Synch 3.5. (For information about how I tested SAM/PS and P-Synch 3.5, see the sidebar "Criteria for Evaluating Products.")

SAM/PS
SAM/PS supports Windows NT, Windows 9x, Novell NetWare 3.x and 4.x, and IBM's OS/390 and OS/400. The software also supports the following UNIX versions: IBM's AIX, Sun Microsystems' Solaris, and HP's HP-UX. And the product supports mainframe security-management systems such as IBM's Resource Access Control Facility (RACF), CA-ACF2, and CA-Top Secret.

SAM/PS can replicate password resets, changes, account deletions, suspensions, and resumptions in multiple directions. The product uses several components to accomplish these tasks. You install SAM/PS as an IBM Virtual Telecommunications Access Method (VTAM) application on the mainframe that sends and receives account changes to client and server systems. The product integrates with RACF (and other security systems) by plugging routines into RACF user exits. You must install the SAM/PS service on an NT server that acts as the central junction for replication to and from the mainframe, UNIX systems, and NetWare. You install a SAM/PS daemon on each UNIX system that SAM/PS manages. NetWare doesn't require any software on the servers or client workstations. NT's SAM/PS service replicates account changes to NetWare through Novell's intraNetWare Client, which you must install on the SAM/PS NT server.

When a mainframe administrator resets a password from RACF, RACF calls SAM/PS's user-exit routine associated with password resets. The user-exit routine sends the account change to the mainframe's SAM/PS program, which records the account change in a log for fault-tolerant recovery purposes and forwards the account change to the SAM/PS service running on an NT server. NT's SAM/PS service makes the same change to related accounts on NT domain controllers. Then, NT's SAM/PS service replicates the change to Novell Directory Services (NDS) trees and NetWare 3.12 servers through the intraNetWare Client for NT. Finally, SAM/PS contacts the SAM/PS daemon on UNIX systems with the change. The program follows the same process for deleted, suspended (i.e., disabled in NT), and resumed accounts.
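The log-then-forward flow described above, modeled as an added example (this is not SAM/PS code). The target names, the agent call signature, and the in-memory stand-in for the recovery log are assumptions; the journal holds only metadata, and the secret is dropped once every target confirms.

```python
# Added example (not SAM/PS code): journal every target first, then forward.
# Target names and the agent call signature are assumptions for illustration.
class Replicator:
    def __init__(self, agents):
        self.agents = agents   # target -> callable(account, action, secret)
        self.journal = []      # stands in for the durable recovery log
        self.pending = {}      # change id -> (account, action, secret), memory only

    def submit(self, change_id, account, action, secret=None):
        self.pending[change_id] = (account, action, secret)
        for target in self.agents:   # record intent before touching any system
            self.journal.append({"id": change_id, "target": target,
                                 "account": account, "action": action,
                                 "state": "queued"})
        return self.deliver(change_id)

    def deliver(self, change_id):
        """Forward to every target not yet done; return targets still owed."""
        if change_id not in self.pending:
            return []
        account, action, secret = self.pending[change_id]
        owed = []
        for entry in self.journal:
            if entry["id"] != change_id or entry["state"] == "done":
                continue
            try:
                self.agents[entry["target"]](account, action, secret)
                entry["state"] = "done"
            except ConnectionError:
                entry["state"] = "retry"   # picked up by the next recovery pass
                owed.append(entry["target"])
        if not owed:
            del self.pending[change_id]    # drop the secret once all targets have it
        return owed

def flaky(fail_times):
    """Constructed stand-in agent that is unreachable for its first N calls."""
    calls = {"n": 0}
    def agent(account, action, secret):
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise ConnectionError("target unreachable")
    return agent

def demo():
    rep = Replicator({"nt": flaky(0), "nds": flaky(0), "unix": flaky(1)})
    first = rep.submit("c1", "JSMITH", "reset", "constructed-Passw0rd")
    second = rep.deliver("c1")   # recovery pass after the UNIX daemon returns
    return first, second, rep
```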

While installing SAM/PS on NT, you specify the systems that must exchange information about account changes. Screen 1 shows the dialog box for setting up replications with an OS/390 mainframe. Notice that you can control both replication directions for each account change. You can also control the sending of account changes from other mainframes and UNIX systems to your system. UNIX and NetWare systems have similar options, except these systems have restrictions. Users can't initiate account suspensions or resumptions from UNIX, only password changes. You can't initiate any changes from NetWare, and because SAM/PS connects through intraNetWare instead of a custom NetWare loadable module (NLM), NetWare requires that you specify an administrative username and password.

One of SAM/PS's most important features is letting users continue to change their NT domain-account passwords through the usual dialog box on their NT or Win9x workstations. SAM/PS detects a password change when a user uses the native Windows dialog box, and the product replicates the change to all other accounts for that user. SAM/PS also enforces the RACF password policy defined on the mainframe by installing a notification package on domain controllers. A notification package is a user-supplied (in this case vendor-supplied) DLL that NT calls whenever users change their passwords. The DLL evaluates the proposed password against user-specified rules before NT records the change. This process gives SAM/PS the chance to forward the change to other systems for synchronization. SAM/PS also lets you initiate password changes from UNIX by replacing the password-reset utilities with a custom version that sends the change to the SAM/PS server on NT.

As a security consultant, I appreciate the sophistication and level of control RACF offers, and the fact that SAM/PS extends some of that control to other environments. SAM/PS also gives users a seamless transition for changing passwords. Users can continue using the usual utility to change their passwords in the environment they are most comfortable with, and they need to make a change only once.

SAM/PS doesn't handle user mapping (i.e., connecting different user IDs to the same person) directly on NT; instead, the program relies on functionality in the mainframe component or mapping functionality in Microsoft's SNA Server. So you might need to implement SNA Server if you're an OS/390 shop and your accounts don't follow the same naming convention. And you might have other applications and systems that SAM/PS doesn't support. Because Schumann Security Software supplies excellent sample code, you can write DLLs that let you plug in custom replication agents for other systems.

I like how SAM/PS performs, although password changes from NT are slow because the program validates the changes through two extra systems. However, the product's advantages offset this minor wait. I also found SAM/PS's audit logging and automatic recovery from system failures to be robust and well integrated into NT's event log. The software's documentation is thorough and easy to understand, and separate user guides exist for each OS. Technical support was responsive. The company licenses SAM/PS at $10 to $30 per user, and I found the product worthwhile, especially for sites already using RACF.

SAM/PS
Contact: Schumann Security Software * 301-483-8807
Web: http://www.schumannsoftware.com
Price: $10 to $30 per user, plus maintenance on volume
System Requirements: Windows NT, Windows 9x, Novell NetWare, OS/390, OS/400, or UNIX; 24MB of RAM for NT 3.51 or later, 32MB of RAM for UNIX; 5MB of hard disk space for NT 3.51 or later, 1MB of hard disk space for UNIX

P-Synch 3.5
P-Synch 3.5 supports NT, UNIX, and NetWare. The software works from a user-account database that you must regularly rebuild from extracts on all synchronized platforms.

P-Synch provides extract scripts or programs for most of the platforms, but support for some systems, including mainframes, is conspicuously missing—leaving you to write the extracts. You must schedule these extracts and deliver them to the P-Synch server—usually on a nightly basis. You also must maintain several text-configuration files that specify the systems to synchronize and the files that need administrator credentials. You schedule P-Synch to rebuild an internal FoxPro-format database from the text-configuration files. To map dissimilar user IDs to actual users, you maintain a text file of username associations. Users and administrators execute password changes and resets from the Web browser by pointing to Common Gateway Interface (CGI) scripts on the P-Synch server, which you can easily link to the rest of your intranet. The CGI script accepts the user's credentials and new password and executes the change based on accounts and systems in the FoxPro database.
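Because a hand-maintained association file decides whose accounts receive a new password, it is worth validating before each database rebuild. The following added example (not P-Synch code) checks such a file and refuses to use it if any line is malformed or binds one account to two people; the `person | system | account` layout and all names in the sample are constructed, since the page does not show P-Synch's real file format.

```python
# Added example: the association-file layout below is constructed, not P-Synch's.
SAMPLE = """\
# person | system | account
jsmith | NTDOM   | jsmith
jsmith | NETWARE | .jsmith.sales.acme
jsmith | AIX01   | js0042
mlee   | NTDOM   | mlee
mlee   | AIX01   | js0042
bad line without separators
"""

def load_associations(text):
    """Return ({person: {system: account}}, [(line_no, problem), ...])."""
    people, owner, errors = {}, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not all(parts):
            errors.append((n, "malformed"))
            continue
        person, system, account = parts[0], parts[1].upper(), parts[2]
        holder = owner.get((system, account), person)
        if holder != person:
            # Two people on one account: either could reset the other's password.
            errors.append((n, f"{system}/{account} already mapped to {holder}"))
        elif people.get(person, {}).get(system, account) != account:
            errors.append((n, f"{person} has two accounts on {system}"))
        else:
            owner[(system, account)] = person
            people.setdefault(person, {})[system] = account
    return people, errors

def sync_targets(text, person):
    """Accounts a change for `person` fans out to; refuses a file with errors."""
    people, errors = load_associations(text)
    if errors:
        raise ValueError(f"association file rejected: {errors}")
    return sorted(people.get(person, {}).items())
```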

Screen 2 demonstrates changing a password. Notice in Screen 2 that P-Synch lists the rules for a new password. The screen also shows the option Change passwords on which systems?, which details the accounts that can receive a password change. You can hide this option from the user.

P-Synch offers two ways to change passwords. The program uses the appropriate client APIs to change passwords on most systems, which means you don't have to install special software on each system. The program can also change passwords from a P-Synch executable that you run on a client's workstation. You don't need to install the utility on each workstation because the product runs the utility from one place on the server. Both of these methods let you make changes without affecting workstations; however, you must retrain users.

Setting up the software's extract jobs and manually editing text-configuration files isn't overly complex, but I found the process time-consuming and cumbersome. The documentation is full of examples, and the company's support staff walks you through the installation and setup over the telephone.

P-Synch's wide support of systems and options for extensibility are ultraflexible and designed for nonprogrammers. If the software doesn't natively support your application, you can use one of several methods to roll your own replication agent. First, you specify a Telnet or HTTP script if the system supports either of those protocols. P-Synch runs the script, replacing the username and password as necessary. The product lets you write similar scripts for systems that require you to enter a series of commands at the command prompt or run a program in which you specify the credentials as parameters. P-Synch lets you script GUI interaction for Windows programs that don't employ scripting or have an automated way of changing passwords. The software loads the Windows application and makes the key and button selections for the user. For mainframe applications, P-Synch has a terminal emulation agent that lets you script your way through password changes on mainframe screens.

The software provides acceptable fault tolerance and recovery with its own log file, but for tracking purposes, I prefer integration between P-Synch's logging file and NT's event log. The product lets you specify sophisticated controls over content, which help you require hard-to-guess passwords. The way the application accepts password changes is also helpful because the program tells you when something is wrong with the password.

P-Synch's other noteworthy features include user exits for integration to your call-management system and the ability to delegate the authority to reset passwords without giving all other administrative privileges to the Help desk staff. You can also extract personal information from your human resources system and link the information to the user record in the product's database. Administrators can look up the employee information to verify a user's identity over the telephone. To further relieve support personnel, you can let users reset their forgotten passwords by supplying this information to P-Synch.

Finding the Right Fit
SAM/PS and P-Synch protect the administrator credentials that they store, and both products are subject to each platform's vulnerabilities while changing passwords. Mapping user IDs to the actual user is problematic for CSO products, and both products have a problem with this feature. SAM/PS has the best functionality, but only if you're a mainframe shop. Another problem common to both products is the extra task necessary when creating new user accounts. I found SAM/PS and P-Synch to be good products, but you need to fit an application to your environment and needs. If ease of installation, reliability, and flexibility are the most important issues for your environment, I recommend SAM/PS. And SAM/PS will give you added value if your company uses RACF extensively. But if supporting many platforms is important for your environment, P-Synch has the best programmable agents. P-Synch also has a lot of innovative features, and the company's support staff is outstanding.

P-Synch 3.5
Contact: Mercury Information Technology * 403-233-0740
Web: http://www.m-tech.ab.ca
Price: $20 for a 50-minimum-user license; $13 per user over 500 users. Additional fees include a licensing fee capped at $100,000 (about 7700 users) and a maintenance fee of 20 percent of the licensing fee.
System Requirements: 166 MHz Pentium MMX or better; Windows 2000, Windows NT, Novell NetWare, OS/2 LAN Manager, Digital Equipment Pathworks, Samba, UNIX, and mainframe systems that support a Telnet session; 32MB of RAM, plus 32MB per 1000 users; 50MB of hard disk space