******************************************************************************
PT-50                                                              January 1992
******************************************************************************

1. Product Description: Menu Works (MW) Total Security is an integrated menuing and access control product for IBM-compatible personal computers.

2. Product Acquisition: Menu Works Total Security is available from PC Dynamics, Inc., 31332 Via Colinas, Suite 102, Westlake Village, CA 91362. The Corporate Sales Manager is Mr. Gary Kinnsch, who may be contacted at telephone number 800-888-1741 or 818-889-1741. The cost for a single copy is $149.95. Discounts are available under site licensing agreements. It is also possible to obtain an evaluation copy.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of the program in November 1991. The version shipped was 2.00. The shipment contained a detailed System Administrator's Guide, version 2.

b. I tested the product on a Unisys PC, Model 3137, MS-DOS 3.10, 512 Kb, with a 33 Mb hard drive. The documentation identifies the following minimum requirements: an IBM PC, XT, AT, PS/2 or true compatible equipped with at least one hard drive; 512 Kb; PC-DOS or MS-DOS version 3.1 or higher. The test period extended from 26 December 1991 through 15 January 1992.

c. MW is the sixth IBM-compatible access control package which I have tested over the last three years. It provides a comprehensive approach to access control.
Features include, but are not limited to, unique user password identification and authentication, floppy boot protection, keyboard lockout during boot, temporary keyboard lockout for an unattended system, automatic user logoff after a specified period of inactivity, an audit record of relevant events, checksumming of user-specified files to detect unexpected changes, password-protected access to DOS commands, directory access privilege controls for systems with more than one user, Data Encryption Standard (DES) software implementations, and overwriting of unused or deleted disk sectors.

d. Installation of MW is completely menu-driven using two 5 1/4" disks or one 3 1/2" disk. One inserts the MW disk into drive A:, selects the drive, and types "install" to initiate the installation. From this point the user only has to follow the prompts on the displayed screens to proceed. The MW Administrator's Guide has a table of actions and responses to assist in the process. I observed two items when I performed the installation:

(1) There were some additional decisions to make, based upon screen prompts, which were not identified in the Administrator's Guide table. While this was not a serious problem, anything unexpected during a test can cause concern.

(2) One of the undocumented decisions was a choice for the installation program to search through the hard drive of the test system, identify significant utility programs, and then display those utilities in the Main Menu which MW displays upon the completion of installation and the subsequent rebooting of the system. The program correctly determined that Norton Utilities, version 6.0.0, was on the hard drive, and it created a Menu item for the utility. Unfortunately the submenu which opened when I selected that Main Menu item could only accommodate 12 items, so significant portions of the utility were unavailable.
In order to reach those Norton utilities not displayed, it became necessary to exit from MW to the DOS shell, or to manually rebuild the Main Menu. This similarly did not present a serious problem, but was unexpected from my reading of the Administrator's Guide.

e. MW provides the capability to establish a hierarchy of users with varying degrees of permissions. These could include: a system administrator, an accounts maintenance manager, and a user with privileges dependent upon the actions of the accounts maintenance manager. The system administrator has the ability to establish broad security settings on the system, to include boot protection, keyboard lock, DES implementations, etc. The accounts maintenance manager has the ability to establish user accounts and project IDs, to activate and to review audit trail records, to define individual user access control rights and privileges, to initiate integrity checking for up to 99 specified files, and to configure a large assortment of other menu options. One could appoint two different individuals to serve in these roles in those instances where a separation of responsibilities or some type of two-person integrity scheme might be in order. In most environments, however, it seems simpler to have one person as the system administrator/accounts maintenance manager.

f. The identification and authentication of the system administrator, the accounts maintenance manager, and any other user relies on a user ID and a password. The maintenance manager assigns initial passwords, but can allow users to change their passwords themselves at any time. The only restriction is that MW mandates that any password must be a minimum of 5 characters. The program will support up to 16 characters, with password suppression (no on-screen echo) as the default.

g. I created a system administrator, an accounts maintenance manager, and several other user accounts with unique passwords. The authentication scheme appeared to function properly.
Attempts to retrieve clear-text passwords from the hard drive with Norton Utilities and another disk recovery utility were unsuccessful. I observed four items which may be of significance in certain environments:

(1) If a user changes a password, he or she may simply reuse the identical password. There is no mechanism to force a real change.

(2) There appears to be no mechanism for password aging. Since the audit trail record does capture all password change activity, the accounts maintenance manager might use that data as proof of a change, and rely on administrative notices to inform users when they must choose a new password. There is still the matter of verifying that an actual change has occurred.

(3) The default is for the MW main menu to appear with the logon names of authorized users displayed. One has the option to type in one's name, or to simply highlight one's name in the list of authorized users. An attacker thus obtains one-half of the identification/authentication mechanism merely by booting the system.

(4) The default is for MW to give an alarm message upon the third consecutive incorrect logon. A user in this situation is told: "Too many Logon Attempts, Please Start Over". If a user then presses any key, the process begins again. The default mechanism does not disable or delay additional attempts.

h. The initial installation does not result in boot protection or in keyboard locking. While the system administrator must consciously activate these features for any semblance of meaningful access control to the system, this approach is extremely intelligent given the diversity of users and the myriad computer configurations which exist in any organization. It would be embarrassing to lock oneself out of one's own system.

i. One might attempt to bypass the password protection scheme by using a system disk to boot from the system's floppy drive. I tested boot protection and found that it worked to deny me access to the hard drive.
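The following is an added illustration, not code from MW or PC Dynamics, of how a logon routine can close the four password gaps noted in paragraph g: it refuses a "change" to the identical or a recently used password, enforces a password age, takes unknown names and wrong passwords down the same path so that the logon prompt need not disclose valid user names, and after three consecutive failures locks the account for a period and writes a tagged audit record instead of simply restarting the prompt. The hashing scheme, the limits, and the log record layout are this example's assumptions; MW's own password storage is not described in this report.

```python
"""Hardened logon and password-change policy (added example, not MW code).

Gap (1): reuse of the identical password is refused, and so are the last
HISTORY_DEPTH passwords.  Gap (2): a password older than MAX_AGE_DAYS forces
a change at the next logon.  Gap (3): unknown user names and wrong passwords
produce the same result, so nothing about valid names is disclosed.
Gap (4): MAX_FAILURES consecutive failures lock the account for LOCK_SECONDS
and every outcome is written to the log with a VIOLATION tag where relevant.
All limits and the PBKDF2 storage scheme are assumptions of this example.
"""
import hashlib
import os

MIN_LEN = 8            # MW accepts 5; this example demands 8 (assumption)
MAX_LEN = 16           # matches the MW limit
MAX_AGE_DAYS = 90      # aging interval enforced here (assumption)
HISTORY_DEPTH = 5      # previous passwords that may not be reused
MAX_FAILURES = 3       # same threshold as the MW default alarm
LOCK_SECONDS = 300     # after MAX_FAILURES, refuse further attempts this long
PBKDF2_ROUNDS = 20_000  # raise for production use


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a copied account file yields no clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.history = []        # list of (salt, hash); history[-1] is current
        self.changed_at = now
        self.failures = 0
        self.locked_until = 0.0
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now

    def _matches_any(self, password):
        return any(_hash(password, s) == h for s, h in self.history)

    def _matches_current(self, password):
        salt, digest = self.history[-1]
        return _hash(password, salt) == digest

    def expired(self, now):
        return now - self.changed_at > MAX_AGE_DAYS * 86400

    def change_password(self, old, new, now):
        """Return None on success, or the reason the change was refused."""
        if not self._matches_current(old):
            return "old password incorrect"
        if not MIN_LEN <= len(new) <= MAX_LEN:
            return f"length must be {MIN_LEN}-{MAX_LEN} characters"
        if self._matches_any(new):
            return "password was used recently; choose a different one"
        self._store(new, now)
        return None


def logon(accounts, name, password, now, log):
    """Return "OK", "EXPIRED", "LOCKED" or "DENIED" and append one tagged
    record (time, user, activity, note) to the tracking log."""
    acct = accounts.get(name)
    if acct is None:  # same outcome as a wrong password: no user-name leak
        log.append((now, name, "LOGON", "VIOLATION: bad user or password"))
        return "DENIED"
    if now < acct.locked_until:
        log.append((now, name, "LOGON", "VIOLATION: account locked"))
        return "LOCKED"
    if not acct._matches_current(password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_SECONDS
            acct.failures = 0
            log.append((now, name, "LOGON", "VIOLATION: lockout after repeated failures"))
        else:
            log.append((now, name, "LOGON", "VIOLATION: bad user or password"))
        return "DENIED"
    acct.failures = 0
    if acct.expired(now):
        log.append((now, name, "LOGON", "password expired; change required"))
        return "EXPIRED"
    log.append((now, name, "LOGON", "success"))
    return "OK"
```

The lockout is deliberately a timed one rather than a permanent disable, so that a colleague cannot lock every listed user out of a shared machine by typing three bad passwords for each name; the tagged records are what make such an attempt visible to the accounts maintenance manager afterwards.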
With boot protection enabled, attempts to view the hard drive with Norton Utilities and with Professional Master Key were unsuccessful. I did discover that booting with a system disk allowed me to change the date and time on the system, which had an impact on the audit records. This may be a function of the Unisys BIOS on my test system.

j. Unlike other access control programs that I have tested, MW modifies the autoexec.bat file, not config.sys. Therefore, without keyboard locking engaged, one might escape from the autoexec.bat boot sequence. I activated the feature, which appeared to function as documented. The standard assortment of control and escape sequences were unsuccessful in aborting the autoexec.bat file.

k. MW has an option to perform a file integrity check at system boot. The accounts manager enters the names of "critical files to be validated". Validation includes a data checksum calculation each time MW starts. If there is a change in the file date, time, size, or checksum, an integrity warning message should appear before the main MW menu. I changed and deleted several validated files. In every case an alarm occurred. My tests did not attempt to intentionally defeat the checksum procedure since that is beyond my limited capabilities. While the documentation states that the integrity component can only protect 99 files, that would not appear to present a difficulty for most users. If anything, one would really have to identify "critical" files. I observed two items on the integrity option:

(1) If there is an integrity warning, and if one has enabled password protection for the accounts maintenance manager, one receives a prompt for the accounts maintenance password. A non-privileged user cannot log on. This can ensure that someone actually checks out the warning before processing occurs.

(2) The documentation and the accounts maintenance menu refer to this component as "virus detection management".
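As an added illustration of the validation described in paragraph k (not code from MW or PC Dynamics), the script below baselines each listed file's size, modification time and checksum and re-validates them, as MW does at boot. MW's checksum algorithm is not described in the documentation, so a 16-bit byte sum stands in for it here as an assumption, alongside a SHA-256 digest, to make the caveat concrete: a change that merely reorders bytes leaves size and byte sum intact, and if the tamperer also restores the timestamp, only the cryptographic digest still reports the change. The sample file and its contents are constructed for the example.

```python
"""Boot-time validation of "critical files" (added example, not MW code).

Baselines each listed file's size, modification time and a checksum, then
re-validates them as MW does at start-up.  MW's checksum algorithm is not
documented; a 16-bit byte sum stands in for it here (assumption) next to a
SHA-256 digest so the difference between the two can be demonstrated.
"""
import hashlib
import json
import os
import tempfile

MAX_VALIDATED = 99  # the ceiling the MW documentation states


def byte_sum(data: bytes) -> int:
    """Order-insensitive 16-bit checksum: any permutation of the bytes collides."""
    return sum(data) & 0xFFFF


def fingerprint(path):
    """Collect the four attributes an integrity warning is based on."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sum16": byte_sum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_baseline(paths, baseline_path):
    """Record fingerprints for up to MAX_VALIDATED files in a JSON baseline."""
    if len(paths) > MAX_VALIDATED:
        raise ValueError(f"at most {MAX_VALIDATED} files may be validated")
    base = {p: fingerprint(p) for p in paths}
    with open(baseline_path, "w") as f:
        json.dump(base, f)
    return base


def validate(baseline_path):
    """Return {path: [attributes that differ]}; an empty dict means no warning."""
    with open(baseline_path) as f:
        base = json.load(f)
    warnings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            warnings[path] = ["missing"]
            continue
        new = fingerprint(path)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            warnings[path] = changed
    return warnings


def demo():
    """Tamper with a validated file so that only the SHA-256 attribute reports it."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "COMMAND.COM")   # constructed sample file
    with open(target, "wb") as f:
        f.write(b"ORIGINAL PROGRAM BYTES")
    baseline = os.path.join(workdir, "baseline.json")
    build_baseline([target], baseline)
    st = os.stat(target)
    # Evasion: swap two bytes (same length, same byte sum), then put the
    # original timestamp back.  Size, mtime and the byte sum all still match.
    with open(target, "rb") as f:
        data = bytearray(f.read())
    data[0], data[1] = data[1], data[0]
    with open(target, "wb") as f:
        f.write(data)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
    return validate(baseline)
```

Whatever the digest, the baseline file is itself a critical file: if it sits on the same unprotected disk, an attacker who can alter a program can re-baseline it, so the baseline belongs under the same password-protected, boot-protected control as the menu system, or on removable media kept by the accounts maintenance manager. Date, time, size and a simple checksum detect accidents; only a cryptographic digest detects an adversary, and neither tells you whether the change was a virus.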
MW does not check for known computer viruses, and cannot specifically detect malicious code. It can identify changes to files which may or may not be virus-related, and which may or may not be malicious or undesirable.

l. MW provides default tracking log maintenance facilities available to the accounts maintenance manager. The default is for the log to record the date, time, user logon name, project ID, and specific activity. The accounts manager can generate cumulative reports on system activity under any of these variables, can export the records for additional processing, and can purge (clear) the log. I tested all of these functions, which performed as described in the documentation. Two items were of interest:

(1) If a user attempts to access a file or to perform an operation for which he or she has no authorization, MW refuses to perform that operation but does not tag that attempt as a "violation" in the tracking log. For example, if a non-privileged user, Mary, attempts to guess the system administrator's password and is unsuccessful, the log shows the date/time that user Mary performed the activity "Menu Works Security Manag". There is no specific notation that this operation is illegal or a violation of access control permissions. Similarly, if a user attempts to access a file or a directory for which the accounts manager has not authorized read or write privileges, the log does not highlight its entry as outside the norm, or indicate that MW has actually denied access.

(2) As mentioned earlier, if one boots from a floppy disk, MW does protect against accessing the hard drive when the system administrator has enabled boot protection. My experience, however, was that I could set a fictitious date and time during the boot sequence from the floppy. If I then did a soft reboot of the system, MW would record the fictitious date and time in the tracking log.
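The two log weaknesses just described can be partly compensated for after export. The script below is an added example, not code from MW or PC Dynamics: it reads a constructed tracking-log export carrying the five recorded fields, cross-references each activity against a permission list of the kind the accounts manager can print out, tags unauthorized activity as a violation, counts repeated "Menu Works Security Manag" entries by a non-privileged user as possible password guessing, and flags any record whose timestamp precedes the previous one as a clock regression of the sort a floppy boot produced in testing. The export layout, the field separator, the sample records and the permission format are this example's assumptions.

```python
"""Post-processing of an exported MW tracking log (added example, not MW code).

The log records date, time, logon name, project ID and activity but carries
no violation tag, and the clock behind its timestamps could be set back from
a floppy boot.  Both signals are derived here from an exported copy.
The comma-separated layout and the permission list are assumptions.
"""
from datetime import datetime

# Constructed sample export: date, time, logon name, project ID, activity.
SAMPLE_LOG = """\
01-14-1992,08:02:11,ADMIN,SYS,Menu Works Security Manag
01-14-1992,08:15:40,MARY,ACCT,Lotus 1-2-3
01-14-1992,08:16:02,MARY,ACCT,Menu Works Security Manag
01-14-1992,08:16:09,MARY,ACCT,Menu Works Security Manag
01-14-1992,08:16:15,MARY,ACCT,Menu Works Security Manag
01-14-1992,08:20:00,MARY,ACCT,Directory C:\\PAYROLL
12-31-1991,23:59:00,MARY,ACCT,Lotus 1-2-3
01-14-1992,09:00:00,ADMIN,SYS,Directory C:\\PAYROLL
"""

# Constructed permission printout: the activities each user may perform.
PERMISSIONS = {
    "ADMIN": {"Menu Works Security Manag", "Directory C:\\PAYROLL", "Lotus 1-2-3"},
    "MARY": {"Lotus 1-2-3", "Directory C:\\ACCT"},
}
GUESS_THRESHOLD = 3   # security-manager entries by a non-admin that merit a flag


def parse(text):
    """Turn the export into a list of dicts with a real datetime per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, project, activity = line.split(",", 4)
        stamp = datetime.strptime(f"{date} {clock}", "%m-%d-%Y %H:%M:%S")
        records.append({"stamp": stamp, "user": user,
                        "project": project, "activity": activity})
    return records


def analyse(records, permissions):
    """Return a list of (record index, tag) findings for the reviewer."""
    findings = []
    prev = None
    attempts = {}
    for i, rec in enumerate(records):
        # A timestamp earlier than its predecessor means the clock moved back
        # (or records were reordered); either way the log needs a closer look.
        if prev is not None and rec["stamp"] < prev:
            findings.append((i, "CLOCK REGRESSION"))
        prev = rec["stamp"]
        # MW denied the operation silently; the permission printout tells us
        # which entries were actually refusals.
        allowed = permissions.get(rec["user"], set())
        if rec["activity"] not in allowed:
            findings.append((i, "VIOLATION"))
            if rec["activity"] == "Menu Works Security Manag":
                n = attempts.get(rec["user"], 0) + 1
                attempts[rec["user"]] = n
                if n == GUESS_THRESHOLD:
                    findings.append((i, "POSSIBLE PASSWORD GUESSING"))
    return findings


def report(text=SAMPLE_LOG, permissions=PERMISSIONS):
    """Human-readable lines for the accounts maintenance manager."""
    records = parse(text)
    return [f"{records[i]['stamp']:%m-%d-%Y %H:%M:%S} {records[i]['user']:6} "
            f"{records[i]['activity']}  <-- {tag}"
            for i, tag in analyse(records, permissions)]
```

The regression check only catches a clock set backwards relative to the previous entry; a clock set forward, or set back before the first record of a freshly purged log, leaves no trace in the log itself. For that case the only cross-check available is an external one, such as the manager noting the true date and time at each purge.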
I selected a variety of available options in the accounts maintenance menu to prevent this date and time manipulation, but was unsuccessful. I could not find anything in the Administrator's Guide which helped. A telephone call to PC Dynamics representatives on 14 January 1992 determined that no other user had previously reported such an occurrence. The representatives suggested that perhaps this was a specific function of the Unisys BIOS on the test machine. I did some additional tests on a WYSE system, model 1100, with MS-DOS 3.30, which appeared to support this position. A PC Dynamics representative called later that same day to suggest that conceivably a similar event might occur with certain higher versions of DOS. I made no attempt to explore this possibility. I confirmed only that for the test system the integrity of the audit log as to date and time was a problem.

m. I tested three other security-related components which all functioned as advertised: DES encryption; directory access permissions; and overwriting of unused or released disk sectors. In the interest of space, only brief observations follow:

(1) One can activate the DES encryption/decryption feature from the MW Disk Manager Menu, or from the security administrator's menu. The former is the preferable alternative because a user has the option to specify particular files and directories for encryption, and can utilize different password keys for the operation. The security administrator's menu performs a total encryption/decryption of the selected disk.

(2) The documentation does not describe the particular mode of operation for the two available DES implementations. The default is for the original file to be overwritten with zeros and deleted after an encryption operation. MW does add a so-called "safety stub" to the beginning of the encrypted file so that a user who attempts to run an encrypted file will receive an error message rather than crashing the system.
Decrypted files have their original file dates, times and attributes restored. Password keys may be from 1 to 16 characters.

(3) I encrypted a dozen files using various menu options and defaults. The normal DES implementation appeared to function. While I am not qualified to evaluate the effectiveness or the strength of the encryption algorithm and the MW implementation, I was unable to read any plaintext information or password keys in any encrypted file. Attempts to retrieve such information or to restore the unencrypted original files were unsuccessful with Norton Utilities. Since the encrypted file retains the same name as the original, and since the second line of the encrypted file contains the file name, a user would want to rename a file before encryption in those cases where the file name itself has some type of sensitivity.

(4) The accounts maintenance manager has the option to establish directory access permissions for individual users, to include limitations on the use of DOS commands. I established two different non-privileged user accounts with various restrictions. In the limited tests conducted, MW correctly enforced those controls. The audit tracking log, as discussed in an earlier paragraph, does not flag attempts to exceed one's access permissions as a security violation or relevant event. The accounts manager can print out the actual permissions of each user to facilitate the review of the log.

(5) The overwriting of unused and released disk space performed as documented. The default is for a single overwrite.

n. I observed that MW blocked several anti-viral programs from performing detection operations on the hard drive partition table. Those programs included McAfee's Viruscan and Vshield, Microcom's VirX, and Skulason's F-PROT. In the case of F-PROT the program aborted because of the inability to scan the partition table. It would be advantageous to first scan a system with your anti-viral program of choice and then install MW.
It would then be appropriate to determine if any conflicts occur, and to inform your users.

5. Product Advantages:

a. MW provides a spectrum of software security controls which one can adjust for specific operating environments.

b. The product performs as advertised, with sufficient documentation to assist one in installation and maintenance.

c. MW has a full range of disk management tools and utilities which this test report has not even addressed.

6. Product Disadvantages:

a. In a typical organization MW would, in my opinion, require the necessary support staff to assist in the installation and maintenance. Management would have to approve an overall program implementation plan which would identify system administrators and accounts maintenance managers. The plan would have to address the components and access control features to be enabled. Certain managers may have a reluctance to make such a commitment.

b. The tracking log mechanism causes me some concern. One would want to ensure the integrity of dates and times. It would be extremely helpful if there were "violation" or "relevant event" tags attached to those activities which are illegal or not authorized for a particular user. The accounts maintenance manager would then have an easier time in analyzing the information.

c. Any use of software encryption techniques by government agencies must observe the policies and procedures of FIPS 46-1 and FIPS 140-1. It is indeterminate whether the MW implementation can meet these standards.

d. Although a PC Dynamics representative indicated that the product had been entered into the National Computer Security Center's evaluation process for subsystem criteria testing, those results are not yet available. Certain government agencies direct their users to acquire only evaluated systems and subsystems.

7. Comments: The use of MW or any other access control product must arise from a realistic assessment of one's particular operating environment.
It would be a mistake to impose the mandatory implementation of an access control package without such an assessment and without the user community's commitment to the installation. It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (e.g., a hardware rather than a software DES implementation). It turns out that MW can be configured with a hardware DES implementation. Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a Department of Energy training workshop. While the product defeated was one other than MW, the description of the attack methodology appears independent of a specific vendor.

[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]