Session Manager Control Offerings and Potential Exposures
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
As the number of applications and system software products used by an installation increases, there is a need to switch among these products without constantly logging on and off each one. The solution is a session manager, which also provides other benefits that can increase the productivity of the user.
The focus of this article is to provide a background on session managers and how they are used in the marketplace, to describe their control capabilities as a network security product, and to describe the potential exposures that arise from their use. In addition, a control survey is provided in order to identify the functions, potential exposures and controls within the session manager, regardless of the operating system platform used. The concept of using session managers is discussed from the perspective of a VTAM session manager operating under MVS. However, the control features and potential weaknesses discussed in this article can be applied to all operating environments.
The Evolution of the Session Manager
Session managers have been developed over the last 20 years. In the 1970s, when companies moved to on-line development tools, programmers required access to editors (e.g., TSO, Roscoe) and to other on-line products. Terminals were directly connected to specific applications, so programmers required access to a number of terminals to perform their work. To increase productivity in the workplace by eliminating the need to log on and off applications and to use different terminals to access the wide range of products in use, many companies installed a wiring system and switch boxes that allowed one terminal to be connected to more than one controller port.
By the early 1980s, session switchers entered the marketplace, enabling users to switch between applications without being required to log off. However, at this stage, users were still required to log on to each application they used within their session.
Functionality Provided by Session Managers
Session managers evolved from session switchers into products providing many capabilities that go beyond the ability to switch between multiple active sessions.
Session managers provide a single point of entry into multiple applications, reducing the need to log on to each application individually. The ability to automatically log on to multiple applications is based on a logon script provided by the session manager. The session manager is started as a VTAM application that takes control once VTAM senses that a terminal has been turned on. The session manager replaces the VTAM logon APPL (i.e., indicating the specific application to access) and the USSTAB entry (i.e., selecting the application to access from a VTAM-provided list) and prompts the user for their ID and password. The ID and password are stored in memory and provided to each application that the user selects to access. The session manager is able to automatically log the terminal on to the application since it knows the logon sequence for all VTAM applications.
The main advantage of a session manager is its use in enhancing the productivity of a user. For instance, when a user is running a long batch job, they can switch to another session to perform other work. Session managers also provide a help desk support function by allowing specified users to display all of the screens that were processed by a user, and a support user can even take over a user's session to investigate a problem. Broadcast messages can be sent to specific groups of active sessions or to users when they initially log on to the system.
The other functions that may be found in session managers are listed in the Session Manager Product Function Survey.
Control Capabilities of Session Managers
Session managers are not intended to replace security systems but can be used to provide additional security at the network level.
Many of the system software products used to control job scheduling, tape management and system performance provide an external security interface through which their logon process is passed to the external security system for validation. However, many system software products do not provide such an interface, or the security interface is not used by many installations. Most system software products have inadequate security in their own logon process (e.g., passwords stored in the clear, inadequate password construction controls, an unsecured process for establishing IDs/passwords, and no terminal timeout after a period of inactivity), which could enable an unauthorized user to gain access to the product.
Without a session manager, a user who has access to a terminal can connect to any application that is defined to VTAM. When utilizing a session manager, users can be restricted from connecting to an application to perform a logon, which is critical when the application (i.e., product) is not interfaced to the external security system.
Session managers provide other controls that duplicate controls provided by the external security system, including terminal timeout after a period of inactivity and user-initiated terminal locks.
Potential Exposures of Session Managers
The functions of a session manager give it complete control of a user's terminal and active sessions. This capability also increases potential exposure if it is not properly controlled.
Session managers perform an initial logon when a user turns on their terminal in order to ensure that the user is only granted access to the appropriate VTAM applications. Since the session manager must provide a user's ID and password to each application that the user wishes to connect to, the password must be maintained by the session manager. Many session managers store the ID and password in memory, and in many cases it is not encrypted. Therefore, users' passwords can be disclosed by taking storage dumps of memory. In addition, many session managers do not erase the password from memory after the user terminates their session.
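As an added illustration of the exposure just described and of question 5 of the control survey below (this is example code, not the article's or any product's code; structure and field sizes are assumptions), the following models a session manager's in-memory credential cache that clears the password at logoff using a wipe the compiler cannot optimize away:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the article's or any product's code: a model of the
 * session manager credential cache described above. Names and sizes are assumed. */
#define MAX_ID 8
#define MAX_PW 32
struct session_cache {
    char userid[MAX_ID + 1];
    char password[MAX_PW];   /* held only while the session is active */
    int active;
};
/* Zero memory in a way the compiler cannot elide: a plain memset() on a
 * buffer that is never read again is routinely optimized away. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
/* Returns 1 when no byte of the password slot survives (the survey's question 5). */
int password_is_cleared(const struct session_cache *c)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof c->password; i++) acc |= (unsigned char)c->password[i];
    return acc == 0;
}
/* Front-end logon: cache the ID/password for replay to each APPLID. */
int session_logon(struct session_cache *c, const char *id, const char *pw)
{
    if (strlen(id) > MAX_ID || strlen(pw) >= MAX_PW) return -1;
    secure_wipe(c, sizeof *c);
    strcpy(c->userid, id);
    strcpy(c->password, pw);
    c->active = 1;
    return 0;
}
/* Replay to an application: only possible while the credential is cached. */
int session_connect(const struct session_cache *c, const char *applid)
{
    return (c->active && applid && !password_is_cleared(c)) ? 0 : -1;
}
/* Logoff: the exposure described above is a manager that skips this wipe. */
void session_logoff(struct session_cache *c)
{
    secure_wipe(c->password, sizeof c->password);
    c->active = 0;
}
```

A storage dump taken after session_logoff() would show only zeros in the password slot; the ID and password themselves are never written to a log or screen.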
Many session managers provide the ability for specified individuals to acquire another user’s session which would enable changes to be made under the authority of the user logged on. This exposure can be mitigated if the session manager requires the user’s permission prior to another user taking over their session.
In order to verify the controls and potential exposures of the session manager, refer to the control survey for Session Managers.
Session Manager Product Function Survey
- copy data from one session to another?
- keystroke save?
- send broadcast messages to active users?
- send broadcast messages to users as they log on to the system?
- print screen function?
- replay terminal screens processed?
- take over another user's active session?
- single key session switching?
- terminal freezing after installation-specified logon attempts?
- terminal timeout after a period of inactivity?
- user-initiated terminal lock?
- alias names provided for APPLIDs?
- identify which application a user is logged into?
- restrict the applications that a user can access?
- restrict the applications that specific terminals can access?
Control Survey for Session Managers
Access control to the system
1) Does the session manager provide front-end security validation when a terminal is turned on?
2) Does the session manager provide an option to have a network signon which is independent from the ID/password that is passed to the VTAM application to perform the signon on the user's behalf?
a) Is the file in which these IDs/passwords are stored encrypted?
b) Are adequate password controls available which include:
- minimum number of characters required
- required password change frequency
- restrict use of previous passwords
- restrict use of common names for passwords
- restrict use of repetitive characters
3) When an ID/password is passed to the external security system or a VTAM application for validation, how is the ID/password passed to the external security system? Is it through an exit that must be coded by the installation or a direct security interface?
4) Does the session manager encrypt the password that it uses to sign on the user to each VTAM application?
5) Does the session manager clear the memory location which stores the password when a user terminates their session?
Access Controls to APPLIDs
1) Does the session manager provide the ability to automatically logon authenticated users to specific APPLIDs?
2) Are the APPLIDs that users are allowed to access administered by the external security system, or are they controlled through the session manager?
3) If APPLIDs are controlled by the session manager, are changes made to a table or through administrator panels?
4) Does the session manager restrict the user from breaking out of the session manager controlled process to log on to any APPLID?
Terminal Access Controls
1) Does the session manager provide the ability to restrict the terminals that can access specific APPLIDs?
2) Are the terminals that are allowed to access specific APPLIDs administered via the external security system, or are they controlled through the session manager?
3) Does the session manager provide a terminal timeout or a terminal lock after a period of inactivity?
4) If a terminal is not defined to the session manager, is there a control to prevent the terminal from accessing VTAM APPLIDs?
5) Does the session manager allow for users to have concurrent sessions on multiple terminals?
6) Does the session manager allow specified users to acquire another user's session, which would enable changes to be made under the authority of the user logged on?
If yes, is there an installation setting which would require the user's permission prior to another user taking over their session?
7) Does the session manager allow a user to display another user’s screen?
Audit Trail Controls
1) Does the session manager provide an audit trail of logons, logoffs, access to specific applications, and changes to access entitlements established within the session manager (i.e., if not controlled by the external security system)?
If yes, is the audit trail contained within a session manager created file or in SMF? If SMF is used, is a specific SMF record used or is it installation defined?
Note: Based on the answers to the control survey, a compliance test should be performed to ensure that only the appropriate individuals have access to the specific functions and that the access files/tables are secured from unauthorized updates. In addition, some session manager functions may need to be enabled by the installation, which should be verified.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.