September 14, 1999 11:04 AM

SAM/PS, P-Synch 3.5

Windows IT Pro
InstantDoc ID #7214
Password synchronization made easy

In today's mixed network environment, users have too many passwords to remember, and each environment has different rules for password quality and aging. Understandably, users forget their passwords and frequently get locked out by each system's intruder-detection policy. Single sign-on (SSO) looks like an elegant solution, but it might be too complex and expensive to implement in your environment. When SSO isn't practical, consider consistent sign-on (CSO), whose core function is password synchronization.

SSO technology requires a user to log on once to an SSO application, which then actively signs the user on to all systems and applications. In contrast, CSO ensures that each user's password is the same on every system. The user still logs on to each system but doesn't have to remember different passwords. And when a user must change passwords, the CSO application replicates the change to each of the user's accounts. Many good CSO products are available, including Schumann Security Software's Security Administration Manager/Password Synchronization (SAM/PS) and Mercury Information Technology's P-Synch 3.5. (For information about how I tested SAM/PS and P-Synch 3.5, see the sidebar "Criteria for Evaluating Products.")

SAM/PS
SAM/PS supports Windows NT, Windows 9x, Novell NetWare 3.x and 4.x, and IBM's OS/390 and OS/400. The software also supports the following UNIX versions: IBM's AIX, Sun Microsystems' Solaris, and HP's HP-UX. And the product supports mainframe security-management systems such as IBM's Resource Access Control Facility (RACF), CA-ACF2, and CA-Top Secret.

SAM/PS can replicate password resets, changes, account deletions, suspensions, and resumptions in multiple directions. The product uses several components to accomplish these tasks. You install SAM/PS as an IBM Virtual Telecommunications Access Method (VTAM) application on the mainframe; it sends account changes to, and receives them from, client and server systems. The product integrates with RACF (and other security systems) by plugging routines into RACF user exits. You must install the SAM/PS service on an NT server that acts as the central junction for replication to and from the mainframe, UNIX systems, and NetWare. On each UNIX system that SAM/PS manages, you install a SAM/PS daemon. NetWare doesn't require any software on the servers or client workstations: NT's SAM/PS service replicates account changes to NetWare through Novell's intraNetWare Client, which you must install on the SAM/PS NT server.

When a mainframe administrator resets a password from RACF, RACF calls SAM/PS's user-exit routine associated with password resets. The user-exit routine sends the account change to the mainframe's SAM/PS program, which records the account change in a log for fault-tolerant recovery purposes and forwards the account change to the SAM/PS service running on an NT server. NT's SAM/PS service makes the same change to related accounts on NT domain controllers. Then, NT's SAM/PS service replicates the change to Novell Directory Services (NDS) trees and NetWare 3.12 servers through the intraNetWare Client for NT. Finally, SAM/PS contacts the SAM/PS daemon on UNIX systems with the change. The program follows the same process for deleted, suspended (i.e., disabled in NT), and resumed accounts.

While installing SAM/PS on NT, you specify the systems that must exchange information about account changes. Screen 1 shows the dialog box for setting up replication with an OS/390 mainframe. Notice that you can control both replication directions for each type of account change. You can also control the sending of account changes from other mainframes and UNIX systems to your system. UNIX and NetWare systems have similar options, with restrictions: from UNIX, users can initiate only password changes, not account suspensions or resumptions, and you can't initiate any changes from NetWare. Because SAM/PS connects through the intraNetWare Client instead of a custom NetWare Loadable Module (NLM), you must also give it an administrative NetWare username and password. That stored credential can modify every NetWare account SAM/PS replicates to, so protect the NT server that holds it as carefully as the NetWare servers themselves.

One of SAM/PS's most important features is that users can continue to change their NT domain-account passwords through the usual dialog box on their NT or Win9x workstations. SAM/PS detects a password change made through the native Windows dialog box and replicates it to all of that user's other accounts. SAM/PS also enforces the RACF password policy defined on the mainframe by installing a notification package on the domain controllers. A notification package is a user-supplied (in this case vendor-supplied) DLL that NT's Local Security Authority (LSA) calls whenever a user changes a password: the DLL evaluates the proposed password against the configured rules before NT commits the change, and NT calls it again after the change is committed, which gives SAM/PS the chance to forward the new password to the other systems for synchronization. SAM/PS also lets you initiate password changes from UNIX by replacing the standard password-change utilities with custom versions that send the change to the SAM/PS service on NT.
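The notification-package mechanism described above, as an added example that is not SAM/PS's code or anything Schumann ships: a minimal password-filter skeleton in C with the three entry points NT's LSA looks for. The rule set it enforces (6 to 8 ASCII letters and digits, at least one of each, the account name not contained) is an assumption standing in for whatever RACF policy a site defines, and the `check`, `notify` and `changes_seen` wrappers plus the non-Windows type stand-ins exist only so the logic can be exercised outside lsass.

```c
/* Added example (not SAM/PS or Schumann code): skeleton of an NT/LSA password
 * notification package with an illustrative RACF-style rule set.  The three
 * entry points and the UNICODE_STRING layout are the real Windows ones (a real
 * build exports them through a .def file); the rules and the check()/notify()/
 * changes_seen() wrappers are assumptions for this demo. */
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
/* Stand-ins so the rule logic compiles and can be tested off Windows. */
typedef unsigned char BOOLEAN;
typedef unsigned long ULONG;
typedef long NTSTATUS;
typedef wchar_t WCHAR, *PWSTR;
typedef struct _UNICODE_STRING {
    unsigned short Length;        /* in bytes, not characters */
    unsigned short MaximumLength; /* in bytes */
    PWSTR Buffer;                 /* not necessarily NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define TRUE  1
#define FALSE 0
#define NTAPI
#endif

static unsigned long g_changes_seen = 0;  /* committed changes we were told about */
static size_t ustr_chars(const UNICODE_STRING *s) { return s ? s->Length / sizeof(WCHAR) : 0; }
static WCHAR ascii_lower(WCHAR c) { return (c >= L'A' && c <= L'Z') ? (WCHAR)(c + 32) : c; }

/* Case-insensitive "needle occurs in hay" over counted (not NUL-terminated) strings. */
static int ustr_contains_ci(const UNICODE_STRING *hay, const UNICODE_STRING *needle)
{
    size_t hn = ustr_chars(hay), nn = ustr_chars(needle);
    if (nn == 0 || nn > hn) return 0;
    for (size_t i = 0; i + nn <= hn; i++) {
        size_t j = 0;
        while (j < nn && ascii_lower(hay->Buffer[i + j]) == ascii_lower(needle->Buffer[j])) j++;
        if (j == nn) return 1;
    }
    return 0;
}

/* Illustrative RACF-style rules (assumed here, not the product's policy): 6-8 ASCII
 * letters/digits, at least one of each, account name not contained (case-insensitive). */
static int password_meets_policy(const UNICODE_STRING *account, const UNICODE_STRING *password)
{
    size_t n = ustr_chars(password);
    int has_alpha = 0, has_digit = 0;
    if (n < 6 || n > 8) return 0;
    for (size_t i = 0; i < n; i++) {
        WCHAR c = password->Buffer[i];
        if ((c >= L'A' && c <= L'Z') || (c >= L'a' && c <= L'z')) has_alpha = 1;
        else if (c >= L'0' && c <= L'9') has_digit = 1;
        else return 0;                                /* any other character is rejected */
    }
    return has_alpha && has_digit && !ustr_contains_ci(password, account);
}

/* The three entry points lsass resolves by name.  InitializeChangeNotify runs once at load.
 * PasswordFilter runs before the change is committed; FALSE rejects it (SetOperation:
 * TRUE = administrative reset, FALSE = user change).  PasswordChangeNotify runs after commit
 * with the cleartext password, where a sync product forwards it: keep it fast, never log it. */
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;               /* same rules for resets and changes here */
    return password_meets_policy(AccountName, Password) ? TRUE : FALSE;
}

NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                    PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;  /* a real package hands these to its agent */
    g_changes_seen++;
    return STATUS_SUCCESS;
}

/* Demo helpers: build a counted string over a wide literal and drive the entry points. */
static UNICODE_STRING ustr(const WCHAR *s)
{
    unsigned short len = (unsigned short)(wcslen(s) * sizeof(WCHAR));
    UNICODE_STRING u = { len, len, (PWSTR)s };
    return u;
}
int check(const WCHAR *account, const WCHAR *password)              /* 1 = accepted */
{
    UNICODE_STRING a = ustr(account), p = ustr(password), f = ustr(L"");
    return PasswordFilter(&a, &f, &p, FALSE) == TRUE;
}
int notify(const WCHAR *user, unsigned long rid, const WCHAR *newpw) /* 1 = STATUS_SUCCESS */
{
    UNICODE_STRING u = ustr(user), p = ustr(newpw);
    return PasswordChangeNotify(&u, rid, &p) == STATUS_SUCCESS;
}
unsigned long changes_seen(void) { return g_changes_seen; }
```

On a domain controller the compiled DLL goes in %SystemRoot%\System32 and its base name is added to the REG_MULTI_SZ value Notification Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; LSA loads it at the next boot. Two things to keep in mind with any product that relies on this hook: the package runs inside lsass and receives every new password in cleartext, so the list of registered packages on each domain controller is worth auditing against the DLLs you deliberately installed, and the LSA calls PasswordChangeNotify synchronously, so whatever forwarding happens there delays the caller's change request, which is consistent with the slower NT-initiated changes this review observes.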

As a security consultant, I appreciate the sophistication and level of control RACF offers, and the fact that SAM/PS extends some of that control to other environments. SAM/PS also gives users a seamless transition for changing passwords. Users can continue using the usual utility to change their passwords in the environment they are most comfortable with, and they need to make a change only once.

SAM/PS doesn't handle user mapping (i.e., connecting different user IDs to the same person) directly on NT; instead, the program relies on functionality in the mainframe component or mapping functionality in Microsoft's SNA Server. So you might need to implement SNA Server if you're an OS/390 shop and your accounts don't follow the same naming convention. And you might have other applications and systems that SAM/PS doesn't support. Because Schumann Security Software supplies excellent sample code, you can write DLLs that let you plug in custom replication agents for other systems.

I like how SAM/PS performs, although password changes from NT are slow because the program validates each change through two extra systems. However, the product's advantages offset this minor wait. I also found SAM/PS's audit logging and automatic recovery from system failures to be robust and well integrated with NT's event log. The software's documentation is thorough and easy to understand, and separate user guides exist for each OS. Technical support was responsive. The company licenses SAM/PS at $10 to $30 per user, and I found the product worthwhile, especially for sites already using RACF.

SAM/PS
Contact: Schumann Security Software * 301-483-8807
Web: http://www.schumannsoftware.com
Price: $10 to $30 per user, plus maintenance on volume
System Requirements: Windows NT, Windows 9x, Novell NetWare, OS/390, OS/400, or UNIX; for NT 3.51 or later, 24MB of RAM and 5MB of hard disk space; for UNIX, 32MB of RAM and 1MB of hard disk space


Comments
  • Mark Arruda (Oct 07, 1999)

    In an environment, with both Novell and NT servers, is it not possible to change passwords on both systems transparently by using the Novell client? I have tried this on several of my user's workstations, and found that it works on both the domain user account and the Novell user account (at least when using NDS, I don't know about bindery servers). Is there any reason not to use this method? It involves no retraining of the users, and seems to be the most cost-effective method. It does not address mainframe passwords, but in my environment, getting the users signed on to their workstations and getting their drives mapped. I have not rolled this out, because some co-workers have said there may be incompatibility issues. Do you know of any? We are also currently evaluating P-Synch, and appreciated the article.

    Thanks,
    Mark Arruda
    Technical Analyst

