Finally! A Light at the End of the Tunnel

User-Oriented

ProtectIT controls users and resources on a per-machine basis, but by itself doesn't provide consolidated user management via a common directory; DirectIT handles this function. DirectIT 1.1 uses a Microsoft Explorer-style interface to create a single user object for which many target accounts can be easily created. It includes System Group and User Role support. DirectIT is not able to list all users assigned to a given role nor all users with access to a given system resource, a shortcoming that also hinders PLATINUM's offering.

DirectIT's user-management functions performed properly during our tests, but we wish the product supported more directories and platforms. Support for NDS and LDAP is urgently needed here, and CA has acknowledged that NDS support is a priority. DirectIT consolidates management of users, groups and roles within name spaces for NT, Unix and Microsoft Exchange. It also provides shared file-store management controls, such as for NT Shares.

Reports are executed via the TNG Report Explorer, which details configurations and activity for users, stations, events and other system resources. Regular report cycles can be maintained through TNG's scheduling facilities.

When we saw the feature lists for ProtectIT and DirectIT we expected to see a hefty price tag, but they're not at all expensive. There are extra expenses--for instance, licenses for SQL Server are required when using ProtectIT under Windows NT--but they are minor. We remain skeptical, however, that users will realize the power of the Unicenter TNG Framework without spending a lot in consulting fees.

PLATINUM technology ProVision AutoSecure Enterprise Security Administration 1.2, AutoSecure Access Control for Unix

AutoSecure Enterprise Security Administration (ESA) lets a network administrator use PLATINUM's AutoSecure Single Sign-On (SSO) tool to manage accounts across multiple platforms. Components run on each target platform, termed External Security Systems. While the SSO application is not necessary for every user in the organization, the administrator must have it. AutoSecure ESA requires a Unix-based master SSO installation running at at least one site, though local servers may also run on Microsoft Windows NT. Client and administration tools run on Windows NT or Windows 95/98.

SSO can build on an external directory, accessing it via LDAPv2, to provide single-point administration. Fortunately, it's not necessary for directory entries to conform to ESA's own schema; ESA simply adds its own classes and objects to the directory. For those without a directory, the ICL i500 X.500 directory is shipped with AutoSecure SSO under a license that restricts its use to the PLATINUM application alone.

PLATINUM defines user roles as equivalent to job functions. ESA doesn't support the same advanced user group controls defined in Tivoli's products, and has little integration with the AutoSecure Access Control products that control systems at the file and directory levels.

Like Tivoli, PLATINUM uses MEMCO's SeOS product, branded as AutoSecure Access Control for Unix (ACX), to enhance Unix security. PLATINUM extends ACX with ACXPert, an administrative console running under Windows 95/NT. ACX intercepts operating system events, such as file opens, terminal access and setuid execution, and redirects the requests to the ACX database for authorization.

After logging into our Windows-based SSO client, we saw that the Start menu was dynamically modified to reveal the ESA administration tools. This allowed us to build ESA domains that grouped NT systems, Unix hosts and NDS trees. Next, we successfully applied users into those domains, creating accounts on target systems. However, we could not control account attributes as tightly as we could using the Tivoli and CA products. In addition, Windows NT Events and Unix log-file messages cannot be filtered and forwarded to the PLATINUM Event Management System, a feat accomplished by the other systems we tested.

Despite these integration holes, PLATINUM excels in providing host security for Unix, a quality that makes life easier for limited-function administrators--those who, for example, might be able to reset passwords without controlling the entire system.

Although AutoSecure Access Control for Unix is mature, the NT version was not ready in time for us to test it. Nonetheless, AutoSecure Access Control for Windows NT (ACWNT) is worth a hard look, as it is intended to extend NT's native security to FAT, HPFS and CDFS file systems, as well as offer multimachine security controls and a unique approach to eliminating interdomain trust relationships. Another feature pioneered by PLATINUM will be ACWNT's replacement of NT's password filter file (PASSFILT.DLL) to let administrators create more advanced password construction rules without fundamentally altering Windows NT.

AutoSecure pricing is competitive, particularly for midsize organizations; SSO licenses for ESA administrators don't cost extra (excluding host costs, which may be a factor for some prospective customers). For medium-to-large installations, PLATINUM pricing typically is less expensive than Tivoli, but will cost more than CA's products. The SSO master server must reside on a Solaris or HP-UX host, so the total cost of entry for small sites can be somewhat higher. The next generation of ESA is not expected to require SSO, and at that time all components will be available to run under NT, as well as Unix.

Send your comments on this article to David Willis at dwillis@nwc.com.