Symark Software, www.symark.com
Price: Starts at $250 per server/application/firewall/router, and $125 per desktop
Administrative passwords are the "keys to the kingdom," but securely and efficiently managing them can be challenging. Organizations are known to keep paper copies of administrative passwords in a safe or in encrypted MS Excel spreadsheets—cumbersome and unreliable practices. Symark Software's PowerKeeper 1.4 addresses this problem with a secure, automated device for managing administrative passwords.
However, we encountered serious problems with the first two appliances we received: We were unable to do basic configuration and administration, despite support help, and had to return both appliances to Symark. The third appliance worked as expected.
PowerKeeper's security is solid. The hardened appliance runs Windows 2003 Web Server, and the hard drive is encrypted with 256-bit AES. The built-in CyberGuard firewall card is configured to only allow inbound HTTPS and SSH traffic. For management of Windows systems, PowerKeeper sends password hashes over RPC; SSH is used for other platforms. Users can be authenticated to PowerKeeper via password, RSA SecurID or Secure Computing's SafeWord.
PowerKeeper can create, store, manage and distribute administrative passwords for a wide variety of devices and OSes, including AS400, Cisco Systems' Pix, Cisco routers, Linux, MS SQL Server, Oracle, Windows and Solaris. PowerKeeper can synchronize passwords via Active Directory but not LDAP or NIS.
User and policy management is highly configurable. Security managers can define user/group roles (e.g., requestor, approver, information security administrator, auditor) and specific tasks based on those roles (e.g., request password, create password, release password) for individual systems or groups of systems. Users can be added via the Web-based console or comma-separated text files for bulk imports of users and systems.
Security managers can set up granular rules (e.g., length, case, required characters, reset intervals) for password creation and apply different rules to different systems. For additional security, multiple users can be required to approve the release of a specific password. One of PowerKeeper's best features is its ability to automatically change passwords on managed systems if they are out of sync with the passwords on the appliance.
PowerKeeper's logging capabilities are very good, recording a wide variety of user actions (systems added, passwords released or updated, etc.) and appliance functions (e.g., operating system, firewall and database events). Security managers can use the logs to create customizable reports, which can be viewed via a Web browser or exported as Microsoft Excel files. However, we were unable to export the firewall events report to Excel—a bug Symark acknowledges.
It's critical to regularly back up PowerKeeper, so we were concerned to find that, when we tried to download backups via its Web administration page, we received an error page—another bug Symark acknowledges. However, backups can be scheduled and sent via FTP or SFTP to another server.
PowerKeeper offers a secure design, the ability to work with a variety of systems and strong logging capabilities. However, the issues encountered with the first two PowerKeepers and the functional issues such as the firewall log export prevent us from fully recommending it.
Steven Weil wrote this review for the August 2005 issue of Information Security magazine, where this article first appeared.