I guess I don't know why someone *wouldn't* be using AREA for the bulk of their users in Remedy to begin with. It's a waste of money for an organization to have dedicated Remedy people (which we all know aren't cheap) sitting around resetting passwords and dealing with credentials. It also closes major security holes by allowing you to have a unified security policy including password strength, bad password attempts, etc. From my perspective, having dedicated passwords in Remedy is not a best practice and not something that should get beyond the proof-of-concept phase of a Remedy implementation. I'm sure someone has a good reason why they would need to not create an account in AD for each Remedy user, but I haven't heard it yet, and I could probably come up with some good arguments against their reasoning. Of course, I exclude accounts used by the Remedy team or integrations and such, but those are exceptions rather than the standard.

So for me, any enhancements made to enforcing password rules in Remedy or anything like that would serve no value. I don't know if BMC has any statistics on how many of their customers use AREA to authenticate for their Remedy systems, but I'd think it's the majority.

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of John Baker
Sent: Thursday, January 30, 2014 3:16 PM
To: [email protected]
Subject: Target Attack and BMC Software ITSM?

Fred:

Sadly, setting a predictable password isn't going to stop a slow 'drip drip' process enumerating passwords.

John:

The core problem, as is the case with much of AR System, is an unwillingness to tackle design changes in the correct place. You are correct that security should happen in the server, hence it should check the disabled user radio. How much effort is that - about ten minutes with an if statement?

I firmly believe in getting the core product right. I think I'm in a minority. :)

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"

Private and confidential as detailed here: http://www.energytransfer.com/mail_disclaimer.aspx . If you cannot access the link, please e-mail sender.
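The two points raised in the thread above, that credential checks belong in the server rather than the client and that delegating passwords to a directory gives one place to enforce lockout policy, can be shown as a small authentication gate. This is an added illustration, not code from AR System, AREA or the thread's authors. The `UserRecord` store, the `external_verify` callback standing in for a directory bind, the lockout threshold and the sample users and passwords are all constructed for the example; a real deployment would replace the callback with an LDAP/Kerberos bind and keep the disabled flag and attempt counter in the server's own records.

```python
"""Server-side authentication gate in front of an external credential backend.

The gate, not the client, decides whether a login is allowed: it refuses
disabled and locked accounts before the password is ever checked, and counts
failed attempts so that a slow password-enumeration attempt trips a lockout.
The external backend only answers "does this password match?", which is the
division of labour the thread argues for.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class UserRecord:
    """Server-side account state. The directory holds the password; we do not."""
    login: str
    disabled: bool = False      # the "disabled user" flag the thread refers to
    failed_attempts: int = 0
    locked: bool = False


class AuthGateway:
    # Hypothetical policy value chosen for the example, not a product default.
    MAX_FAILED = 3

    def __init__(self, users: Dict[str, UserRecord],
                 external_verify: Callable[[str, str], bool]) -> None:
        self.users = users
        self.external_verify = external_verify
        self.audit: List[Tuple[str, str, str]] = []   # (decision, login, reason)

    def _deny(self, login: str, reason: str) -> bool:
        self.audit.append(("deny", login, reason))
        return False

    def authenticate(self, login: str, password: str) -> bool:
        user = self.users.get(login)
        if user is None:
            # Unknown logins get the same generic denial as bad passwords.
            return self._deny(login, "unknown-user")
        # Account-state checks run in the server, before any credential check,
        # so a disabled user with a *correct* directory password is still refused.
        if user.disabled:
            return self._deny(login, "account-disabled")
        if user.locked:
            return self._deny(login, "account-locked")
        if not self.external_verify(login, password):
            user.failed_attempts += 1
            if user.failed_attempts >= self.MAX_FAILED:
                user.locked = True
                return self._deny(login, "locked-after-failures")
            return self._deny(login, "bad-password")
        user.failed_attempts = 0
        self.audit.append(("allow", login, "external-ok"))
        return True


def make_demo() -> AuthGateway:
    """Build a gateway over a constructed stand-in for a directory bind."""
    # Constructed sample credentials; a real backend would perform a bind
    # against the directory instead of comparing against a table.
    directory_passwords = {
        "alice": "Correct-Horse-1",
        "bob": "Battery-Staple-2",
    }

    def fake_directory_bind(login: str, password: str) -> bool:
        expected = directory_passwords.get(login, "")
        # Constant-time comparison so the stub does not leak prefix matches.
        return hmac.compare_digest(expected.encode(), password.encode())

    users = {
        "alice": UserRecord("alice"),
        "bob": UserRecord("bob", disabled=True),
    }
    return AuthGateway(users, fake_directory_bind)


if __name__ == "__main__":
    gw = make_demo()
    for login, pw in [("alice", "Correct-Horse-1"), ("bob", "Battery-Staple-2"),
                      ("alice", "x"), ("alice", "y"), ("alice", "z"),
                      ("alice", "Correct-Horse-1")]:
        print(login, gw.authenticate(login, pw))
    for entry in gw.audit:
        print(entry)
```

Run stand-alone, the script shows the two behaviours the thread cares about: `bob` is refused even though the directory would accept his password, because the disabled check is enforced server-side, and `alice` is locked after three wrong guesses so that the subsequent correct password is also refused until an administrator clears the lock.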

