From: Chris McDonald STEWS-IM-CM-S (1/28/93) To: orvis%llnl.gov@wsmr-simtel20.ar, Mail*Link¨ SMTP Product Test 26 ******************************************************************************* PT-26 Revised July 1991 ******************************************************************************* 1. Product Description: PC-WATCHMAN Access Control Software (ACS) is an access control product for MS-DOS and PC-DOS compatible systems. 2. Product Acquisition: PC-WATCHMAN ACS is available from Harcom Security Systems Corp., 130 William Street, New York, NY 10038. Harcom's telephone number is 212-766-1802. A single copy is $59.00. Site licenses are available. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. 4. Product Test: a. I received a copy of ACS, version 2.2, from Harcom for evaluation purposes in late November 1990. In May 1991 Harcom provided me an evaluation copy of version 2.4+. b. I tested the product on a Unisys PC, Model 3137, MS-DOS 3.10, 512KB and on a Zenith PC, Model 248, MS-DOS 3.30, 640KB. ACS is advertised to work with MS-DOS and PC-DOS versions 2.11 and higher. It requires 4K of resident memory and works with Microsoft Windows. c. ACS is the fifth software access control package which I have tested over the last two years. It provides single user password authentication, boot protection, automatic timeout upon keyboard activity, and an audit record of invalid access attempts. d. The emphasis of ACS is to provide a low cost solution to access control. It strives for ease of installation and succeeds. e. Installation of ACS is completely menu-driven. The "Install" portion of the user's manual is two pages and accurately reproduces what you see on the screen. Installation results in the modification of the config.sys file, in the modification of the master boot sector of every hard drive, and in the modification of the partition tables for each logical volume on each drive. f. Discussions with the vendor's representative revealed that some users had reported difficulties with installing ACS on Zenith systems at version 2.2. This proved to be true for my Zenith test system. Although installation "appeared" to be successful, rebooting the system to activate ACS failed with version 2.2. However, version 2.4+ corrected whatever the problem was. g. The identification and authentication of a user relies on an individual password and optionally on biographical data supplied by the user. During the installation a user chooses a password which can be as large as 16 characters or numbers. Passwords are case sensitive. The user must also supply answers to three "challenge" questions which activate whenever the user fails to input the proper password within a specified number of chances. There are three standard "BIODATA" challenges: (1) Mother's Maiden Name (2) Father's Middle Name (3) Place of Birth h. In the event a user fails to supply the correct password, ACS prompts the user for answers to all three BIODATA challenges. The user must supply the correct answers, or else a "security violation" alarm flashes to the screen along with an obnoxious pulsating tone. If the user properly supplies the information, the "authentication is confirmed" and access permitted. However, the user must at this point change his or her password. i. The BIODATA feature really impressed me. It saves a user who has forgotten a password, and who does not want to completely remove ACS for access to the system. For an attacker there are some interesting problems. Although the user's manual identifies the three standard BIODATA challenges, a user has the option to add an additional two challenges of his or her own creation. There is also the option to enter "false" data into the three known challenges to frustrate an attacker who has perhaps researched the legitimate user's history. Finally, the requirement to change a password upon the invocation of the BIODATA authentication might alert a legitimate user to a "penetration" when he or she attempted to logon and was denied access. j. One might attempt to bypass the password protection scheme by using a system disk to boot from the system's floppy drive. I tested boot protection and found that it worked to deny me access to the hard drive. Attempts to view the hard drive with Norton Utilities were similarly unsuccessful. ACS by default installs boot protection. This might frighten many users who worry about what happens if the system cannot boot from the C: drive. ACS does provide a "safeguard" which by accident I had to utilize. When the Zenith test system failed to boot after ACS installation, I used the REWRITE program on the installation disk to successfully remove boot protection. While one test of the safeguard may not be statistically significant, one should never quarrel with success. k. I intentionally "failed" the password and BIODATA challenges on several occasions. Each time the system did display a security violation alarm and did sound the PC speaker until the system was turned off. ACS records these unsuccessful logon attempts and notifies the user of such attacks when he or she next successfully logs on. The notification takes the form of this message: "Warning: Attempts have been made to access your PC since you last signed on: [ACS inserts number of attempts] attempts were made; the latest attempt was at [ACS inserts data and time]". The user has the option to save this information or to reset the record. l. I tested all of the password and BIODATA options. All options are menu-driven and extremely easy to change. By default ACS installs these values: (1) Incorrect Password Counter = 3 attempts before BIODATA challenge (2) Automatic Password Expiration = 90 days (3) Automatic Timeout on Keyboard Inactivity = 15 minutes (4) BIODATA Challenges = 3 responses minimum (5) Password Length = 5 positions minimum The user can set a password value up to 16 characters and/or numbers. The program is case sensitive so a user should ensure he or she remember which characters were entered in lower case and which were entered in uppercase. The BIODATA options allow for adding an additional two challenges as well as for changing the response for the three defaults (i.e., mother's maiden name, father's middle name, and place of birth). Finally, the user may change the settings on keyboard inactivity, on password expiration and on incorrect password entries before biodata challenges. m. I tested some of the advanced options which include the ability to have a "hotkey" timeout for locking the system during periods of temporary absence; to configure the manner in which the security system interfaces with the operating system; and to specify the colors of the password window if the user has a color monitor. These options were similarly menu-driven and presented no difficulties. n. The removal of the program requires the authorized user to sign on and to issue a single "REMOVE" command from the ACS subdirectory. I experienced no problem with the command. 5. Product Advantages: a. ACS offers common sense protection features for personal computers. b. The product appears to function as documented. The installation is simple. Version 2.4+ has an Access Control Software manual which is readable and helpful. There is also an Administrator's Addendum which would be valuable in trouble-shooting problems. c. The vendor provides telephonic support at no additional charge. My conversations with the vendor's representative were productive. I had the impression that I was dealing with an individual who was knowledgeable of the philosophy behind specific control features of the program. f. Site licenses are available. While I was not in a position to negotiate a formal price quotation, I was told that $15.00 per copy for an order of 100 copies was in the ballpark. For larger orders the unit cost would probably decline. 6. Product Disadvantages: a. ACS is essentially a single user control program. While two users 3 could "share" a password and BIODATA information, this seems neither desirable nor feasible. b. There may be user resistance to any type of control on personal computers. It may be difficult, in the absence of written policy which mandates the installation of an access control package, to find an audience for ACS. 7. Comments: The use of ACS must be a function of a realist assessment of one's particular operating environment. It would be a mistake to impose the mandatory implementation of an access control package without such an assessment and without the user community's commitment to the installation. It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (i.e., DES hardware versus software implementation). It turns out that Harcom Security Systems does market a hardware/software access control product under its PC-WATCHMAN "family". This product offers significantly more security protection, assuming your risk management assessment identifies a higher threat level. ACS, as presently configured, will probably never be submitted to the National Computer Security Center for evaluation under its subsystem criteria because it does not provide the four functional requirements associated with the subsystem interpretation. I do not personally see this as a significant problem. Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a recent Department of Energy training workshop. While the product defeated was one other than ACS, the description of the attack methodology appears independent of a specific vendor. The good news is that the methodology requires a sophisticated skill level. FOR FURTHER REFERENCE: PRODUCT TEST NUMBER PRODUCT PT-2 SECUREPC PT-14 PC-VAULT PT-15 PROTEC PT-16 PC/DACS PT-40 ALLSAFE PT-45 VIRUS PREVENTION PLUS PT-50 MENUWORKS PT-54 TRUSTED ACCESS [The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.] 4 ------------------ RFC822 Header Follows ------------------ Received: by internetqm.llnl.gov with SMTP;28 Jan 1993 19:02:27 U Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #12441) id <01GU29RKZ2QOERWTB6@icdc.llnl.gov>; Thu, 28 Jan 1993 19:02 PST Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #12441) id <01GU29R6GWIOERWYZL@icdc.llnl.gov>; Thu, 28 Jan 1993 19:01 PST Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA13776; Thu, 28 Jan 93 19:02:13 PST Received: from WSMR-SIMTEL20.ARMY.MIL by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA13769; Thu, 28 Jan 93 19:01:57 PST Received: from wsmr-emh03.army.mil by WSMR-SIMTEL20.ARMY.MIL with TCP; Thu, 28 Jan 1993 20:01:04 -0700 (MST) Resent-date: Thu, 28 Jan 1993 19:02 PST Date: Thu, 28 Jan 93 19:57:14 MST From: Chris McDonald STEWS-IM-CM-S Subject: Product Test 26 Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV To: orvis%llnl.gov@wsmr-simtel20.army.MIL Resent-message-id: <01GU29RKZ2QOERWTB6@icdc.llnl.gov> Message-id: <9301290301.AA13769@pierce.llnl.gov> X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov X-VMS-To: IN%"orvis%llnl.gov@wsmr-simtel20.army.MIL" ======================================================================