Lj

Removing the input for authentication field is a great step forward for user 
friendliness. We replace the BMC login page to provide a polished entry to Mid 
Tier with options for LDAP, Windows credentials, and AR System login (because 
it removes the AREA LDAP hassle). 

But removing a field doesn't stop one using Fiddler or other tools to post the 
authentication field value. 

Obtaining it can be achieved from viewing a Windows User Tool DLL in a hex 
editor, or more easily, enumerating it (a classic pen-test fail). 

Saying that, WUT is slowly being killed off by BMC. We keep tweaking our 
solution to ensure it carries on working as AR System evolves. 

But there is a secondary debate to sensitivity of data: some organisations are 
happy to have almost no security because the data is just help desk tickets 
etc. Saying that, CMDB data is more valuable - access to network data is 
valuable for attacking other services. 



John

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
