RE: BMC Control-SA product

From: Robinson, Darrin (drobinso@ue.com.au)
Date: Thu May 16 2002 - 20:15:51 EDT


Hello,

I have been involved in the implementation of Control SA where I work and
although my knowledge is still lacking here is some more info.

Control SA is made up of:

Enterprise Security Station (ESS): This is the central administration
database that holds a list of all employees (known as Enterprise Users).
Each employee in the company has an EU account. This central account is
then linked to every other account that the user has on various systems
around the company (ie. Windows domain account, Unix account, Exchange
Account, etc etc) through the use of SA Agents.

SA Agents: These are agents that communicate with various platforms
(windows, unix, exchange and lots more.. the list is really quite good) and
manage that system (add accounts, delete accounts, update password etc).

Example:
Employee named Joe Smith has an Enterprise User in Control SA called
'jsmith'. This EU is then connected to Joe's unix account named 'joe' on
some unix box, as well as his 'jsmith' account on the local windows domain
and his Exchange mailbox called 'joesmith'. Now if the security
administrators want to change Joe's password, they can do so for all of
Joe's accounts from the central EU account and it will propagate to all of
Joe's accounts. Similarly if Joe changes his password on the unix box, this
can propagate to all of Joe's other accounts (there are ESS options to turn
this feature on or off). If Joe leaves the company, instead of having no
idea which machines Joe has accounts on (or what they are named), we just
simply delete his EU record and Control SA will delete all his accounts on
all systems (as long as they have been linked to his EU record).

SA Agents part 2: SA Agents are sometimes installed on the machine that
needs to be managed, ie. Unix SA Agents; others don't need to be installed on
the machine to be managed, ie. Windows Domain Agent and Exchange Agent - they
just need a valid domain administrator account to work with.

ESS keeps a picture of what accounts are where by communicating with the SA
Agents. The SA Agent can inform the central ESS that the description for
user 'joe' on some unix box has changed and pass that info along. In this
way the Agents are non-obtrusive in that they don't change the way
authentication works on the system in question, they just intercept changes
and propagate that info to the central ESS, or propagate changes from the ESS
to the local system (ie. password change).

The real power comes from using things like job roles to automate creating
accounts on all systems that a "HR" employee will need in one easy step.

All communication between ESS and SA Agents can be encrypted, the strength
of which I'm unsure. ESS is actually made up of more than just a database.
It has gateways and routers that receive SA Agent updates and pass them on to
the database.

Caveat: It's not all that easy to implement, but depends on the systems and
process that it will integrate with. It can take a while to get your head
around the way BMC have done things. Often I find myself coding scripts to
help with automation and feel as if these should have come standard.

From a pen-test point of view, I haven't done any testing. There were some
buffer overflow fixes recently for some BMC products I believe. I have a
feeling that some of the ways that BMC have chosen to do things might be
"questionable".

Regards,

Myxt

> -----Original Message-----
> From: desrosiers1@attbi.com [SMTP:desrosiers1@attbi.com]
> Sent: Thursday,16 May 2002 11:13
> To: pen-test@securityfocus.com
> Cc: desrosiers1@attbi.com
> Subject: BMC Control-SA product
>
> Hello to all...
>
> I have a question that I hope will not be vague enough to
> just solicit links. I am currently involved in a test
> that involves the deployment of a product made by BMC
> called Control-SA as the front-end authentication
> mechanism. I understand how the user profiles and a
> user's privileges are tasked in a central repository, but
> was more interested in how it performs the updates! Does
> anyone have experience or know of its caveats or
> weaknesses?
>
> Many thanks
> Johnny Blade
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see:
> https://alerts.securityfocus.com/
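
Added example, not part of the original messages and not BMC code: a toy model of the Enterprise User linkage described in the reply above, showing which accounts survive deletion of an EU record because they were never linked to it. The system names, data structures and function names are hypothetical, and the inventory is constructed sample data.

```python
# Added illustration: a toy model of EU-to-account links, not Control-SA code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str  # managed platform (hypothetical names below)
    name: str    # account name on that platform


# Constructed links, using the account names from the example in the reply.
EU_LINKS = {
    "jsmith": {
        Account("unix-box1", "joe"),
        Account("windows-domain", "jsmith"),
        Account("exchange", "joesmith"),
    },
}

# Constructed inventory, standing in for what agents report per platform.
DISCOVERED = {
    Account("unix-box1", "joe"),
    Account("unix-box2", "joe"),         # exists, but never linked to an EU
    Account("windows-domain", "jsmith"),
    Account("exchange", "joesmith"),
    Account("exchange", "svc-backup"),   # exists, but never linked to an EU
}


def accounts_removed_with(eu, links):
    """Accounts that deleting this EU record would remove (linked ones only)."""
    return set(links.get(eu, set()))


def unlinked_accounts(discovered, links):
    """Accounts present on a platform but linked to no EU at all."""
    linked = set().union(*links.values())
    return sorted(discovered - linked, key=lambda a: (a.system, a.name))


def survivors_after_delete(eu, discovered, links):
    """Accounts still present on the platforms after the EU is deleted."""
    return discovered - accounts_removed_with(eu, links)


if __name__ == "__main__":
    for acct in unlinked_accounts(DISCOVERED, EU_LINKS):
        print(f"unlinked: {acct.system}/{acct.name}")
    left = survivors_after_delete("jsmith", DISCOVERED, EU_LINKS)
    print(f"{len(left)} account(s) remain after deleting EU 'jsmith'")
```

Running a comparison like this before relying on central deprovisioning shows which accounts need to be linked or removed by hand.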

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT