1. Technical Field
The present invention relates in general to security access mechanisms and in particular to security access to electronic units including computer systems. Still more particularly, the present invention relates to a method and system for efficiently checking the level of security on electronic units including data processing systems, utilizing xe2x80x9cAsset IDxe2x80x9d technology.
2. Description of the Related Art
Security of personal computer (PC) platforms in large enterprises is an important aspect of network/PC management. One problem that occurs frequently in large businesses is that security policy for accessing PC platforms is not enforced. Today, the principal means of authorization for accessing a PC are a set of system passwords: the Power-on-Password (POP), the Privileged Access Password (PAP) or supervisor Password, and the hard drive (HD) password. Organizations may not consistently administer and enforce the use of these passwords to protect access to PC resources. This problem arises because the policy is difficult to enforce. In addition, because some people regard security policies as onerous, they are often not used or ignored.
Password protection is commonly utilized to control access to individual computer systems, computer networks, and other data processing resources. A password is a special sequence of characters that uniquely xe2x80x9cauthenticatesxe2x80x9d, i.e., confirms a user""s identity, to a computer system and that is used for security purposes to control access to information and operations of the computer. Each time a user desires to obtain access to a password-protected resource, the user must enter a password. If the password entered by the user is valid, the user is permitted to access the password-protected resource; if the entered password is invalid, access is denied.
It is known that the security of protected data processing resources can be enhanced by increasing password complexity, which may entail, for example, enforcing a minimum password length, requiring the user to enter multiple passwords (e.g., a pass phrase), or requiring case-sensitive passwords or passwords containing both letters and numbers. Security is even further enhanced by limiting the duration of password validity. Thus, in very secure systems, passwords may be valid for only a single day or even a single access.
However, when users are allowed to select their own passwords, they tend to choose passwords that are easily remembered; unfortunately, these passwords may also be easily guessed or decrypted. One common threat to a password-based authentication system is an impostor capable of guessing the password of an authorized user. With the use of an automated system configured to generate character sequences at a high rate, the impostor can quickly xe2x80x9cguessxe2x80x9d large numbers of common names and words, typically by replaying every word in a dictionary. This guessing method is called a xe2x80x9cdictionary attackxe2x80x9d.
In a stand-alone computer, the operating system has the responsibility for authenticating users. That is, upon presentation of a valid user""s password during a login procedure, the operating system verifies the identity of the user by checking the presented password against a list of valid passwords. This type of authentication procedure may prevent a dictionary attack because, after a certain number, of wrong guesses, the operating system disables the account being attacked.
Presently, access via physical xe2x80x9ckeys,xe2x80x9d such as smart cards, and biometrics devices, such as fingerprint and other physical tokens, are beginning to be used in conjunction with or in place of passwords for accessing PCs. With distributed computing, as the data stored on PCs becomes more valuable, a means to quickly detect whether a particular PC has the correct system support (i.e. use of passwords and associated access control devices) is needed for the organization""s security policy. This need also applies equally to a portable PC, such as a laptop, leaving the building or a collection of desktops requiring a higher level security policy as in a finance department.
Another important aspect of ensuring security of PCs and other electronic units (hereinafter also referred to assets) is the ability of the owner to distribute/deploy them within their organization with a minimum amount of effort and to continue to track each one throughout its life. The system manager has to keep up with specific information about the equipment and its user, preferably without applying power to it. Asset Identification (ID), developed by International Business Machines Corporation (IBM), is utilized in management of personal computers, computer peripherals, and other electronic assets. Means exist to electronically interrogate a PC across a network via the Desktop Management Interface to determine the state of its access controls. This idea using Radio Frequency Identification (RFID) does not require the system to be attached to a network, nor powered on.
One of the problems encountered with existing security checks is the necessity to turn the asset on and actually enter the password in order to gain knowledge of the level of security which exists on the asset. Presently, system managers and users are only able to determine the adequacy of the security access by being aware of the access mechanism/password and then manually or otherwise comparing it for sufficiency. This method often leaves a traceable record of the password which may eventually lead to a breach in security access on the asset. A corporation, for example, may want to be able to ensure that none of its systems have weak passwords, without being willing to have a means of obtaining the password themselves.
In light of the foregoing, the present invention recognizes that it would be desirable to have a method and system for efficiently checking the level of security protection available on a data processing system and/or other electronic asset. It would be further desirable if such a method and system was completed without actually having to power-on the asset and entering the security password, thus reducing the risk of a security breach during implementation.
It is therefore one objective of the present invention to provide better security on accessible secured electronic systems.
It is another objective of the present invention to provide a method and system for efficiently checking the level of security on an electronic unit such as a data processing system utilizing Asset ID technology.
The foregoing objectives are achieved as is now described. A system for checking the level of system security on a PC platform is disclosed. The system comprises of a Radio Frequency Identification (RFID) Unit operated by a system manager. The RFID unit scans a PC platform and extracts relevant security information from its Basic Input/Output System (BIOS). The extracted information is analyzed by a data processing system connected to the RFID unit to determine if the security available in the PC platform is adequate. A threshold adequacy level is established by the system manager. When the security on the PC is inadequate, a signal is generated to alert the network manager and/or the user of the PC to upgrade the PC""s security. In one embodiment, the invention utilizes Asset ID technology to determine the security information while the asset is turned off and thereby reduce the possibility of a breach of security during implementation.
All objectives, features, and advantages of the present invention will become apparent in the following detailed written description.