AppManager 2.0 from NetIQ displays passwords in clear text!

AppManager is a product which enables an enterprise to monitor the performance and availability of Windows NT server services such as Exchange, SQL, etc. It does this via an agent on the target machine which reports back to a console. The agents monitor for things like low disk space, misbehaving services, and so on. Like most products that follow a manager/agent architecture, the agents must use an account with Administrator privileges in order to do their job.

The problem is that when the authentication occurs, the userid and password are passed in clear text, meaning that anyone with a sniffer can read them as they go across the wire.

The other problem is that when someone with access to the AppManager console goes to look at a job, all he or she must do is right-click on the job, select Properties, select the View tab, and voila! The userid and password that the job is using are right there for all to see. With version 3.0 they have replaced the password with asterisks, but the company conceded that if someone were to copy the asterisks and paste them into a text file then the password would be displayed instead of the asterisks! More security through obscurity.

The only fix so far is for an AppManager administrator to go into the Properties and manually backspace over the password to remove it. Once this is done it will not appear again on any of the consoles. However, if an "agent installation" job is run, the password WILL be displayed in Properties, but only for the duration of the install, which is usually between ten and fifteen minutes. There is currently no way to prevent this.

According to the company this is a "known issue." After some more discussion I found that they have known about this for two years, yet apparently have not done anything to rectify it. They said that encrypting the authentication sequence traffic is difficult to do, which is one of the reasons why they haven't fixed it yet.
If their programmers can't figure out in two years how to encrypt traffic then I think another product should be chosen.

-- Anonymous