*******************************************************************************
PT-54                                                                July 1992
*******************************************************************************

1. Product Description: Trusted Access is a commercial software program to provide access control for IBM PC or MS-DOS compatible systems.

2. Product Acquisition: The product is available from Lassen Software, Inc. The Lassen Sales Manager is Mr. Gary Blackman, 1-800-338-2126. The firm's address is 5923 Clark Road, Suite F, P.O. Box 2319, Paradise, CA 95967-2319. The price of a single copy as of January 1992 is $119.95. Site licenses and product packages are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I received an evaluation copy of Trusted Access, version 2.0, in June 1992. The program arrived on two 3 1/2" disks with a 78 page Installation Guide.

b. I tested the product on a Zenith 248 PC, MS-DOS 3.30, and on an Everex 386 PC, MS-DOS 5.0. The minimum system requirement, according to the documentation, is PC or MS-DOS, version 3.0 or greater, with 512K of free memory. The test period extended from July 3 to July 13, 1992.

c. Trusted Access provides these capabilities:

(1) User identification and authentication.
(2) Boot or hard disk protection.
(3) Password screen blanker.
(4) Levels of user access rights.
(5) Audit trail record of logons, both successful and unsuccessful.

d. The installation of the program requires that a user insert the Trusted Access program disk into the system's floppy drive and type INSTALL. One then receives a series of prompts either to accept an installation option, or to modify an option where appropriate, or to cancel or suspend installation.
When all actions have been completed on the program disk, the user receives a notification to insert the second disk, labelled HDLOCK. This second disk provides boot protection. The user receives a notification of successful installation after all operations have executed.

e. My experience was that installation was quick and painless. The program does modify the config.sys file to provide boot protection through a device driver. The device driver suppresses standard interrupts which one might use during the boot of a system, such as Ctrl-Break or Ctrl-C. The program also modifies the autoexec.bat file to ensure Trusted Access executes. The documentation adequately describes both modifications. Since I took the time to read the documentation prior to installation, and since I have tested other access control programs, these modifications came as no surprise. It is conceivable, however, that a novice user or one unfamiliar with access control programs might appreciate some additional screen samples in the Installation Guide. While the documentation instructs a user to "respond to each of the prompts" during the installation, there are no pictures to reinforce what "prompts" to expect.

f. One might attempt to bypass the boot protection scheme by using a system disk to boot from the floppy drive and then attempt to change drives. I tested boot protection and found that it worked to deny me access to the hard drive. Attempts to view the hard drive from the floppy drive with Norton Utilities and with Professional Master Key were similarly unsuccessful. With both programs, attempts to change to drive C resulted in the system hanging. There was one "historical" item which appeared when I booted the system with a system disk, MS-DOS version 2.11. When I ran the tests with versions 3.0 or greater, I received the following message when I attempted to change to drive C: "Invalid drive specification". This is the message which appears in the Installation Guide.
Tests with version 2.11 did not result in this message. I could issue an instruction to move to drive C, and the cursor would then show the C:\> prompt. However, any attempt to issue an MS-DOS command, or to execute any command, would result in the message: "Divide Overflow".

g. Upon successful installation Trusted Access has one user ID and password entry established automatically. The Installation Guide identifies the user as "SuperUser" and the password as "password". There is an "Important" note to recommend that a user change these parameters. Since these default credentials are printed in the Installation Guide, they should be treated as publicly known and changed before the system is placed in service. The SuperUser has "level 3" permissions. Trusted Access allows for three permission categories.

(1) Level 3. A user has full access to all program features. This includes the ability to view/print the user list and activity log; to add, edit or delete users; to establish password generation, aging and reuse policy; to set maximum logon attempts; and to view, print, sort, delete, and size the activity log.

(2) Level 2. A user has the ability to view/print the user list and activity log; to add, edit or delete users; and to view, print or sort the activity log. A Level 2 user can only "see" Level 2 and Level 1 user information; cannot establish or promote anyone to a Level 3 user; and cannot delete or size the activity log.

(3) Level 1. A user can only change her or his password and, if permitted by a Level 3 user, change the time for automatic screen blanking and the hot-key to intentionally blank the screen.

h. I established, as a Level 3 user, accounts for Level 2 and Level 1 users. I then tested to determine if Trusted Access permission levels performed as documented. The tests confirmed that the program restricted permissions at the Level designation. Even if Level 2 and Level 1 users have access to disk utilities such as Norton Utilities, it would require an experienced user to edit the password.dbf or userpass.dbf files for the purpose of gaining additional privileges.
All passwords and activity log entries are encrypted, so plain text scavenging is not an option. If a user at any Level deletes these or other files, the program provides feedback at the next logon session that something is wrong.

i. The SuperUser or any Level 3 user has a host of options for password generation and management. These include:

(1) Password composition (i.e., length and use of alphabetic and numeric characters)
(2) Case sensitivity for passwords
(3) Control on password reuse
(4) Automatic password aging
(5) Limits on incorrect logon attempts

I tested all of these features, which functioned as documented. If one exceeds the authorized limit of incorrect logon attempts, the system forces a reboot. The activity log records all successful and unsuccessful logons in the format: User ID, Date and Time of each attempt, and an indication of success.

j. Trusted Access provides for an automatic screen blanking and locking feature. A Level 3 user can establish the timeframe for activation, but may also allow lower level users to change the time so long as it conforms to the minimum/maximum period established by the Level 3 user. Any user may engage the blanking and locking control manually by invoking a hot-key combination. The screen blanker prompts a user for a password to unlock the system. The blanker was also tested in a Windows environment and performed satisfactorily. The vendor stresses the capability of the product to allow users to move back and forth between Windows and DOS with the screen blanker.

k. The activity log displays the following:

(1) User ID as entered
(2) Date and time of each attempt
(3) Indication by a "" or "" as to the success of the logon attempt
(4) Indication by a "" of a system lock upon a user failing the logon limit

Tests determined that, although this information was collected, it was possible to "spoof" the date and time. This had the practical effect of impugning the integrity of the information collected.
Discussions with the vendor's representative confirmed that this was feasible, but that perhaps there were mitigating factors to address the matter if one analyzed the complete activity log in some detail. As was documented in the Installation Guide, the activity log does not record correct or incorrect logons from the screen blanker.

l. Removal of the program from the test systems was easy and conformed with the documentation.

5. Product Advantages:

a. Trusted Access offers common sense access protection features for personal computers at a reasonable cost. The installation and configuration of the program is easy and painless.

b. The product appears to function as documented for its intended purpose.

6. Product Disadvantages:

a. Trusted Access provides access control only, not restrictions on users once they have gained access. This is not a criticism of the product, but rather a statement for those involved in the specification process who determine that they require further controls on the actions of individual users.

b. There may be user resistance to any type of control on personal computers. It may be difficult, in the absence of written policy which mandates the installation of an access control package, to find an audience for the product. Trusted Access joins a list of products which present a minimum of inconvenience for reluctant users.

c. The ability to "spoof" the date and time in the activity log is a vulnerability, which may or may not be that critical for every site or user. It would clearly be desirable to have an accounting of logons from the screen blanker. While this might require the memory resident program to utilize additional resources, it would be worth the penalty in my opinion.

7. Comments: The use of Trusted Access must be a function of a realistic assessment of one's particular operating environment.
It would be a mistake to impose the mandatory implementation of an access control package without such an assessment and without the user community's commitment to the installation. It should be noted as well that there are other approaches to access control on a personal computer which employ hardware and/or a combination of hardware and software techniques. Various authors have commented on the increased protection in those products which have a hardware foundation (e.g., DES in hardware versus a software implementation). Trusted Access, as presently configured, will probably never be submitted to the National Computer Security Center for evaluation under its subsystem criteria because it does not provide the four functional requirements associated with the subsystem interpretation. This does not in my opinion present a significant problem for most environments where access control is the central issue. It should also be noted that many users confuse evaluation of products under the subsystem interpretation with certification under the Orange Book. The subsystem evaluation process is distinct from the rating schema established under the Orange Book.

Readers may also consult a product review of Trusted Access written by Jonathan Finch which appeared in the April 1992 edition of CHIPS Magazine, a Navy publication. Copies of CHIPS are available on many Internet hosts, to include simtel20 (192.88.110.20).

Finally, no software access control package is 100% secure. I have witnessed the defeat of software-controlled boot protection at a Department of Energy training workshop. While the product defeated was one other than Trusted Access, the description of the attack methodology appears independent of a specific vendor. The good news is that the methodology appears to require a sophisticated skill level.
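The date-and-time weakness noted in paragraphs 4.k and 6.c is easier to reason about against a concrete log. What follows is an added example written for this page; it is not code from the evaluation nor from Lassen Software, and nothing in it describes how Trusted Access stores its log. It models a logon log carrying the three fields the report lists (user ID, date and time, result) plus two additions, a sequence number and a chained HMAC, and a verifier that flags records which were altered or removed and timestamps that run backwards. The "|" separator, the OK/FAIL/LOCK result words (the product uses indicator symbols), the key, the lockout limit of three and the sample attempts are all constructed for the example. The backwards-clock check is aimed at what a spoofed entry presumably looks like: the product stamps each record from the system clock, and on MS-DOS any user can reset that clock with the DATE and TIME commands, so a valid-looking record can carry any date the user chooses.

```python
"""Tamper-evident logon log: an added illustration, not Trusted Access code.

Record layout (constructed for this example):
    seq|user|YYYY-MM-DD HH:MM:SS|result|hmac
User ID, date/time and result mirror the fields the report lists; the
sequence number and the chained HMAC are the additions that make a spoofed
or edited entry detectable. User IDs are assumed not to contain "|".
"""
import hashlib
import hmac
from datetime import datetime, timedelta

STAMP_FMT = "%Y-%m-%d %H:%M:%S"
GENESIS = "0" * 64
# Constructed demo key. The scheme only works if the logged-in user cannot
# read the key, so it cannot live on the same unprotected DOS volume.
LOG_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(prev_tag, seq, user, stamp_s, result):
    """HMAC over this record plus the previous record's tag (the chain link)."""
    msg = f"{prev_tag}|{seq}|{user}|{stamp_s}|{result}".encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append_record(log, user, stamp, result):
    """Append one chained record to the in-memory log and return the line."""
    seq = len(log) + 1
    prev_tag = log[-1].rsplit("|", 1)[1] if log else GENESIS
    stamp_s = stamp.strftime(STAMP_FMT)
    tag = _tag(prev_tag, seq, user, stamp_s, result)
    line = f"{seq}|{user}|{stamp_s}|{result}|{tag}"
    log.append(line)
    return line


def simulate_logons(attempts, max_failures=3):
    """Write OK/FAIL records for (user, stamp, succeeded) attempts and a LOCK
    record once max_failures consecutive failures are reached, mirroring the
    report's description of the product forcing a reboot at the limit."""
    log, failures = [], 0
    for user, stamp, succeeded in attempts:
        append_record(log, user, stamp, "OK" if succeeded else "FAIL")
        failures = 0 if succeeded else failures + 1
        if failures >= max_failures:
            append_record(log, user, stamp, "LOCK")
            failures = 0
    return log


def verify_log(log):
    """Return a list of (seq, problem) findings.
    'sequence': a record is missing or out of order;
    'chain'   : the HMAC does not recompute, so this record or the one before
                it was altered or removed;
    'clock'   : the stamp is earlier than its predecessor, which is what a
                reset DATE/TIME looks like in an otherwise valid log."""
    findings = []
    prev_tag, prev_seq, prev_stamp = GENESIS, 0, None
    for line in log:
        seq_s, user, stamp_s, result, tag = line.split("|")
        seq = int(seq_s)
        if seq != prev_seq + 1:
            findings.append((seq, "sequence"))
        if not hmac.compare_digest(tag, _tag(prev_tag, seq, user, stamp_s, result)):
            findings.append((seq, "chain"))
        stamp = datetime.strptime(stamp_s, STAMP_FMT)
        if prev_stamp is not None and stamp < prev_stamp:
            findings.append((seq, "clock"))
        prev_tag, prev_seq, prev_stamp = tag, seq, stamp
    return findings


def demo_log():
    """Constructed attempts: one good logon, then three failures by GUEST,
    the last made after the system clock was set back two days."""
    t0 = datetime(1992, 7, 10, 9, 0, 0)
    attempts = [
        ("SUPERUSER", t0, True),
        ("GUEST", t0 + timedelta(minutes=5), False),
        ("GUEST", t0 + timedelta(minutes=6), False),
        ("GUEST", t0 - timedelta(days=2), False),   # clock spoofed before this try
    ]
    return simulate_logons(attempts)


if __name__ == "__main__":
    log = demo_log()
    print("\n".join(log))
    print("findings:", verify_log(log))
    # Editing record 2 in place (FAIL -> OK) breaks the chain at that record.
    forged = [ln.replace("|FAIL|", "|OK|") if ln.startswith("2|") else ln for ln in log]
    print("after forgery:", verify_log(forged))
```

Two points follow from running it. A record written with a spoofed clock is cryptographically valid, because the program itself wrote it; only the ordering check catches it, and only when the spoofed date is earlier than the record before it. A user who sets the clock forward, or back to a value still later than the previous entry, defeats this check, which is why a sequence number (or a monotonic counter kept outside the user's reach) is the stronger signal and the timestamp is secondary evidence. The chained HMAC addresses a different weakness, direct editing or deletion of entries with a disk utility of the kind mentioned in 4.h, and it is only as good as the secrecy of the key on a machine the user has physical control of.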
[The opinions expressed in this evaluation are those of the author, and should not be taken as representing official Department of Army positions or a commercial endorsement.]