From: Chris McDonald STEWS-IM-CM-S (1/28/93)
To: orvis%llnl.gov@wsmr-simtel20.ar
Mail*Link® SMTP
Subject: Product Test 38

******************************************************************************
PT-38                                                              July 1991
******************************************************************************

1. Product Description: Empower II is a software product that provides a variety of protection features for the Macintosh.

2. Product Acquisition: Empower II is available from Magna Customer Support, 2540 North First Street, Suite 302, San Jose, California 95131. Magna has a toll-free number, current as of the end of May 1991: 1-800-755-Magna. In May 1991 Magna ran a special introductory offer for version 4.0 of Empower I and Empower II. The introductory price was $85.00 for Empower I and $150.00 for Empower II. Empower I users could upgrade to Empower II, which offers additional features for access control and for multi-user environments. These prices compared favorably with those from various third-party software firms. Site licenses are also available.

3. Product Tester: Chris McDonald, Computer Systems Analyst, Directorate of Information Management, White Sands Missile Range, NM 88002-5030, DSN: 258-7548, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I obtained my copy directly from Magna under its introductory offer. I had previously received a HyperCard demonstration disk on both Empower I and Empower II capabilities. All tests occurred on a Macintosh IIcx running System 6.0.5 with an 80MB hard drive. The test period extended from 10 May 1991 through 25 July 1991. The version tested was 4.0.1.

b. Magna shipped an Empower II User's Guide, an Empower II distribution disk with registration card/license agreement, and an Empower Tools disk. The User's Guide had a quick start section which accurately described installation and removal of the program.
The Empower Tools disk contained two applications: (1) an emergency program to remove volume lock controls; and (2) version 2.4 of DISINFECTANT (reference PT-9).

c. One installs Empower by inserting the distribution disk into any floppy drive, dragging the Empower icon to the system folder on the hard drive, and restarting the Macintosh. When the system restarts, an Empower dialog box prompts the first user to enter a name and password. This user automatically receives security administrator status. At this point the security administrator can configure a variety of security options through the Empower control panel.

d. The "Administrator" button in the control panel displays four main dialog boxes:

   (1) Protect = Protect or Release an Empower Volume
   (2) Users = Define User Names, Passwords and Groups
   (3) Preferences = Set Empower Volume Preferences
   (4) Access Log = Set Access Logging Preferences

The administrator has the responsibility to set the types and levels of protection available through the individual dialog boxes. I tested all of these boxes and constructed user accounts with differing configurations. A brief summary of those tests follows.

e. By default Empower installs without "volume lock" engaged. This means that one can start up the Macintosh from a floppy and bypass most of Empower's protection mechanisms. The default is clearly appropriate to allow an administrator the time to become familiar with the program and to avoid locking oneself out of a system. The administrator has several options in engaging volume lock. First, one can lock the volume. With this option one can still start up the Macintosh with a floppy, but cannot access the volume protected under Empower without entering a valid administrator's name and password. The user receives the following message: "Empower is required to access volume HardDrive". Two buttons appear: "Administrator" and "OK".
If the user chooses "Administrator", he or she must enter the correct administrator's name and password to access the protected volume. Second, one can lock the volume and "disable startup from the floppy drive". With this option any user who attempts to start up the Macintosh with a floppy receives this message: "Empower has disabled startup from floppy drives". Again two buttons appear: "Administrator" and "OK". Third, one can "disable floppy drives after startup". A user who attempts to download information after normal system startup, or who attempts to upload information after startup, receives this message: "The floppy drives have been disabled by Empower. See your security administrator."

f. All Preference options functioned as described in the documentation. The User's Guide did not show all the warning messages which occur if one chooses options 2 and 3. In reading the documentation one would assume that there would be no way to override option 2, when in fact the administrator still has this privilege. The distinction between options 1 and 2 is subtle. If one disables startup from a floppy through option 2, then one can control which "system folder" runs. I used ResEdit, Fedit, MacSnoop and Mac Tools Deluxe in attempts to access information on a protected volume when either option 1 or option 2 had been selected. I was unable to access information on the volume. But I must qualify this result by stating that I am in no way an expert user of these various programs.

g. Registering new users is well described in the documentation. The administrator can specify a name, password and project id (optional) for each user. There is even a provision for establishing "guest" users under controlled conditions and for assigning users to groups for further identification and auditing purposes. Only an administrator can create new users, assign original passwords, and grant "security administrator" status to another user.
Both authorized users and security administrators may change passwords. The administrator can assign all access privileges and limit access to Desk Accessories when establishing a new account.

h. The fact that users may change their passwords does not present a problem if the administrator configures the Password Preference options properly. There are a myriad of options to strengthen password generation and selection. These include:

   (1) The ability to require mixed-case characters
   (2) The ability to require the use of special characters
   (3) The ability to specify a minimum password length
   (4) The ability to force a new password after a specified period of time or event

i. All Registration and Password options functioned as described in the documentation. If an administrator establishes password options, these options apply to all registered users, including the administrator. The "force new password" feature has some very nice options in that one can force a change at day intervals, at week intervals, at month intervals, or at intervals based upon the frequency of password use. The change password application is "smart" enough to force a user to enter a different password when expiration occurs. However, I did discover that a user can change his or her password prior to expiration and reuse the same password. The User's Guide does not discuss this point.

j. The administrator, through the Access Log dialog box in the security administrator's menu, sets all access logging preferences.
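Before turning to the access log, the password preferences of items h and i above are worth seeing as code. What follows is an added example written for this edition of the test report; it is not Magna's code and makes no claim about how Empower II implements these options internally. It models the four listed preferences (mixed case, special characters, minimum length, forced change after an interval) and adds two checks the test found wanting: a password history so that an early change cannot reuse the current password (the loophole noted in item i), and a limit on incorrect logon attempts with a temporary lock (the enhancement suggested under Product Disadvantages, item f). The policy values, account fields, and the reference time T0 are assumptions chosen for the demonstration.

```python
"""Password controls modelled on the Empower II preference list (items h, i),
plus history-based reuse rejection and a failed-logon lock (item 6.f).
Constructed example; not Magna's code and not a description of Empower II."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")
DAY = timedelta(days=1)
MINUTE = timedelta(minutes=1)
T0 = datetime(1991, 7, 16, 9, 0)   # assumed "now" for the demonstration


@dataclass
class Policy:                          # values are assumptions, not Empower defaults
    min_length: int = 8
    require_mixed_case: bool = True
    require_special: bool = True
    max_age: timedelta = 30 * DAY      # "force new password" interval
    history_depth: int = 5             # recent passwords that may not be reused
    max_failures: int = 3              # bad logons before a temporary lock
    lock_duration: timedelta = 15 * MINUTE


def check_complexity(policy, pw):
    """Return the rules the candidate password violates (empty list = OK)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("needs mixed case")
    if policy.require_special and not any(c in SPECIAL for c in pw):
        problems.append("needs a special character")
    return problems


def _digest(pw, salt):
    # Salted, slow hash: history can be compared without keeping plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests, newest last
    changed_at: datetime = datetime.min
    failures: int = 0
    locked_until: datetime = datetime.min

    def current(self):
        return self.history[-1] if self.history else b""


def set_password(policy, acct, new_pw, now):
    """Apply a change; returns violations, empty if applied. Unlike the
    behaviour observed in item i, a recent password is refused even when
    the user changes it before expiry."""
    problems = check_complexity(policy, new_pw)
    candidate = _digest(new_pw, acct.salt)
    recent = acct.history[-policy.history_depth:]
    if any(hmac.compare_digest(candidate, old) for old in recent):
        problems.append("password was used recently")
    if problems:
        return problems
    acct.history.append(candidate)
    acct.changed_at = now
    return []


def logon(policy, acct, pw, now):
    """"ok", "expired" (right password, change forced), "locked" or "invalid"."""
    if now < acct.locked_until:
        return "locked"                  # refuse even a correct password
    if not hmac.compare_digest(_digest(pw, acct.salt), acct.current()):
        acct.failures += 1
        if acct.failures >= policy.max_failures:
            acct.locked_until = now + policy.lock_duration
            acct.failures = 0
        return "invalid"
    acct.failures = 0
    if now - acct.changed_at >= policy.max_age:
        return "expired"
    return "ok"


def scenario():
    """Walk one account through each case; returns the outcomes in order."""
    policy, acct = Policy(), Account("cmcdonald")
    return [
        set_password(policy, acct, "empower1", T0),         # fails complexity
        set_password(policy, acct, "Empower!", T0),         # accepted
        set_password(policy, acct, "Empower!", T0 + DAY),   # early reuse refused
        logon(policy, acct, "Empower!", T0 + 2 * DAY),      # ok
        logon(policy, acct, "Empower!", T0 + 31 * DAY),     # expired
        logon(policy, acct, "wrong", T0), logon(policy, acct, "wrong", T0),
        logon(policy, acct, "wrong", T0),                   # third failure locks
        logon(policy, acct, "Empower!", T0 + 5 * MINUTE),   # locked
        logon(policy, acct, "Empower!", T0 + 20 * MINUTE),  # ok again
    ]
```

Running scenario() shows the two additions doing their work: the third set_password call is refused with "password was used recently" although the password has not expired, and the correct password is rejected as "locked" for the lock duration after three failures. The history comparison uses constant-time digest comparison and never stores plaintext, which is what one would want if the history were kept in a preferences file a user could read with Fedit.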
One has the option to activate these events:

   (1) User Activity = Startup, Shut Down, Register
   (2) Security Administrator Activity = Protect/Release, Set Preferences, Access Logging, Create User, Remove User, Create Group, Remove Group, Revoke Member
   (3) Folders and Files = Open Data File, Open Resource File, Create File, Delete File, Rename File
   (4) Access Privileges = Set Privileges for a Folder
   (5) Security Violations = Invalid Name, Invalid Password, Access Denied
   (6) Macintosh Events = Mouse Activity, Disk Insert, Network, Device Driver, Etc.

k. All access log options functioned as described in the documentation with two exceptions.

   (1) When I had engaged volume protection with the option to disable startup from the floppy drive, I intentionally entered the incorrect name and password of the administrator after startup from the floppy drive. Since only the administrator can allegedly override such protection, I wanted to verify that other registered users without administrator status could not execute this capability. When I reviewed the audit logs of these tests, I found no record of these "security violations". Although a non-administrator name and password was never accepted as valid, there was no record of the attempts.

   (2) The record of security administrator activity was occasionally misleading. For example, when I set the preference to disable startup from a floppy and to disable the floppy after startup, the audit trail record gave a complete printout of all features ever selected under that particular dialog box, not just the two preferences selected. I received the following audit log: "Preferences, Disable startup from floppy, Disable floppy after startup, Disable auto encryption, Screen lock-out enabled, Auto logon is enabled, Command Key enable, No drawing during screen lock-out, Any user allowed to register after lock-out, Screen lock-out key enabled".
In summary, the record did not reflect what was actually done at a particular time and date, but rather gave a summary of all preferences set by the administrator up to that point in time. There were several instances in which this occurred. I repeated all the experiments a minimum of three times.

l. There were two additional preferences tested: screen lock-out and encryption. I tested all options, which functioned as documented. The encryption option supports both the Data Encryption Standard (DES) and a proprietary algorithm. The documentation does not describe the particular DES mode of operation utilized. I did telephone Magna technical support on 16 July 1991 to ask several questions, including the DES mode. The technical representative did not know the answer to the DES question, but said he would have someone call me. I was impressed with the speed of the DES implementation, but am not qualified to comment on how well it actually implements Federal Information Processing Standard 46-1. I tested a number of options available with the DES component. All appeared to function as documented. I did view all encrypted files/folders with Fedit and Mac Tools Deluxe and could not see any encryption key or any clear text information.

m. A major distinction between Empower I and Empower II is the latter's ability to customize folder access privileges for individual registered users. One has the ability to set privileges for folders and files, and to assign these access privileges to owners, groups, or everyone. I created three different users and several test folders with different access privileges for these users. In all cases Empower II controls functioned as documented. I also used ResEdit, Fedit, MacSnoop and Mac Tools Deluxe in attempts to circumvent those controls. I was never successful, but must repeat that I am not an expert user.
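The logging behaviour described in item k(2) above, where each "Preferences" record lists the whole preference state rather than the change made, is recoverable after the fact: if consecutive records for the same administrator are diffed, the options that were switched on or off at each timestamp fall out. The following is an added example written for this edition of the test report, not part of the original product test and not Magna's code. The sample log is constructed; the middle record is the one quoted in item k(2), and the records around it are invented to show a change in each direction. The "date time user event, item, item, ..." line layout is an assumption, since the report only shows the event portion of a record.

```python
"""Recover per-change deltas from audit records that log a full preference
snapshot each time (the Empower II behaviour noted in item k(2)).
Constructed example; not Magna's code.  The "date time user event, items..."
record layout is an assumption for the demonstration."""

from datetime import datetime

# Constructed sample log, not a real Empower II audit trail.  The 09:40
# record is the one quoted in the review; the others bracket it so that
# both an enabled and a disabled option appear in the output.
SAMPLE_LOG = """\
07/16/91 09:02 cmcdonald Preferences, Disable auto encryption, Screen lock-out enabled, Auto logon is enabled, Command Key enable, No drawing during screen lock-out, Any user allowed to register after lock-out, Screen lock-out key enabled
07/16/91 09:40 cmcdonald Preferences, Disable startup from floppy, Disable floppy after startup, Disable auto encryption, Screen lock-out enabled, Auto logon is enabled, Command Key enable, No drawing during screen lock-out, Any user allowed to register after lock-out, Screen lock-out key enabled
07/16/91 10:15 cmcdonald Create User, guest
07/16/91 10:22 cmcdonald Preferences, Disable startup from floppy, Disable auto encryption, Screen lock-out enabled, Auto logon is enabled, Command Key enable, No drawing during screen lock-out, Any user allowed to register after lock-out, Screen lock-out key enabled
"""


def parse_record(line):
    """Split one audit line into (timestamp, user, event, items)."""
    date, time, user, rest = line.split(maxsplit=3)
    event, *items = [part.strip() for part in rest.split(",")]
    return datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M"), user, event, items


def preference_deltas(log_text):
    """Return one dict per Preferences record after the first for each user,
    listing the options enabled and disabled relative to that user's
    previous snapshot.  Non-Preferences events are passed over."""
    last_state = {}
    deltas = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, event, items = parse_record(line)
        if event != "Preferences":
            continue
        state = set(items)
        if user in last_state:
            previous = last_state[user]
            deltas.append({
                "at": when.strftime("%m/%d/%y %H:%M"),
                "user": user,
                "enabled": sorted(state - previous),
                "disabled": sorted(previous - state),
            })
        last_state[user] = state
    return deltas


if __name__ == "__main__":
    for delta in preference_deltas(SAMPLE_LOG):
        print(delta["at"], delta["user"],
              "enabled:", delta["enabled"], "disabled:", delta["disabled"])
```

The first snapshot for each administrator has nothing to diff against, so it produces no delta; a reviewer who wants the baseline must read that record in full. The approach only works if every Preferences record is a complete snapshot, which is exactly what the test observed, and it breaks down if the log is truncated or if two administrators share a name.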
n. There is an important advisory in the User's Guide on page 7-2 which states: "Some utility applications and desk accessories are very powerful. It is recommended you test any utility which allows you to create, delete, rename or duplicate files".

o. A final observation during the tests was that all Macintosh viral detection programs in my possession could not scan those Empower files critical to its operation once Empower was installed on a protected volume (i.e., the Empower Pref and Empower Startup files). This is obviously a good feature, since one would not want a critical file opened, deleted, renamed or moved until one had removed volume protection. The detection programs included Disinfectant (2.5.1), SAM (3.0), Virex (3.2) and VirusDetective (5.0FC4).

5. Product Advantages:

a. Empower II provides a wide selection of controls which an administrator can configure for a particular work environment.

b. Installation, configuration and deinstallation of the program are simple. There is an emergency unlock utility available in the event one cannot access a protected volume or in the event deinstallation fails.

c. Although the technical representative did not know the answer to the DES implementation mode question, he was knowledgeable on every other point which concerned me. He did indicate that Magna was aware of the access logging issue involving administrator activity. I also thought it was nice public relations for a Magna marketing representative to have called me about 2 weeks after I received the product to inquire if I had any problems or questions.

d. Empower II supports the use of an external piece of hardware for user authentication in addition to user name and password. The hardware is the SafeWord MultiSync card provided by Enigma Logic. I was unable to test this configuration, but note that Enigma Logic has a good reputation for security subsystems.
In fact, a version of its SafeWord card running under the Xenix operating system appears on the National Computer Security Center's Evaluated Products List in the Sub-system category.

6. Product Disadvantages:

a. Empower II is not an inexpensive product. While site licenses are available, an organization should determine its security requirements before making a final acquisition decision. If multiple users do not have to access a single Macintosh, it may be more economical to consider Empower I or some other comparable software and/or hardware product.

b. Government users will require a waiver under FIPS 46-1 to protect unclassified sensitive information using the product's software DES implementation.

c. If a user forgets an encryption password, the security administrator cannot recover it according to the documentation. Therefore, significant problems could develop if users are not well trained.

d. In a large organization security administration should become a major concern. The User's Guide suggests that there be at least a primary and an alternate administrator with equal privileges. There is also the matter of reviewing access logs and taking action in response to the information collected. This may be a "hidden" or "forgotten" cost in the acquisition phase.

e. Setting folder and file access preferences is not an easy task. The User's Guide does provide some exercises to assist administrators and users, but it is no substitute for actual experience. It would probably be appropriate to develop a formal Empower training program rather than leave administrators and users to trial and error.

f. While I may have missed it, I found no dialog box or anything in the documentation which allows the product to limit the number of incorrect logon attempts. Some type of limit in conjunction with temporarily "locking" the system might be a nice enhancement.

g. Version 4.0.1 is not System 7 compatible.
The marketing representative informed me that registered users of Empower II would receive a free upgrade. [NOTE: This unfortunately was not the case.]

7. Comments: Users may consult these sources for additional comments on Empower II:

   (1) "MacWEEK", 22 Jan 91
   (2) "MACWORLD", January 1990, pages 142-149
   (3) "MACWORLD", June 1991, pages 121-129
   (4) "Apple Business", June 1990

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]