AppManager 2.0 from NetIQ displays passwords in clear text!

AppManager is a product which enables an enterprise to monitor the performance and 
availability of Windows NT server services such as Exchange, SQL, etc.  It does this 
via an agent on the target machine which reports back to a console.  The agents monitor 
for things like low disk space, misbehaving services, and so on.  Like most products that 
follow a manager/agent architecture, the agents must use an account with Administrator 
privileges in order to do their job.  The problem is that when the authentication occurs, 
the userid and password are passed in clear text, meaning that anyone with a sniffer can 
read it as it goes across the wire.

The other problem is that when someone with access to the AppManager console goes to look
at a job, all he or she must do is right-click on the job, select Properties, select the 
View tab, and voila! The userid and password that the job is using are right there for all 
to see.  With version 3.0 they have replaced the password with asterisks, but the company 
conceded that if someone were to copy the asterisks and paste them into a text file then the 
password would be displayed instead of the asterisks!  More security through obscurity.
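The following is an added illustration, not NetIQ AppManager code, of why replacing a password with asterisks only at render time does not protect it. It contrasts a control that still owns the real password (so a copy of the "asterisks" yields the secret, as described above) with a design in which the console holds only an opaque credential reference and the component that actually needs the password resolves it from a store. All class and function names are invented for the example.

```python
# Added illustration, not NetIQ AppManager code.  Two ways a console can show
# a job's credentials: masking the real secret at render time (defeated by
# copy/paste) versus never giving the console the secret at all.

from dataclasses import dataclass


@dataclass
class RenderTimeMaskedField:
    """Flawed pattern: the control owns the real password and only the
    on-screen rendering swaps it for asterisks.  Anything that reads the
    control's text (clipboard copy, UI automation, a screen reader) gets
    the real value."""
    username: str
    password: str

    def render(self) -> str:
        return f"{self.username} / {'*' * len(self.password)}"

    def copy_selection(self) -> str:
        # "Select the asterisks and copy" copies the control's text, not the rendering.
        return self.password


class CredentialVault:
    """Hypothetical server-side store.  The console never receives the password;
    it only holds an opaque reference that the vault resolves for the agent."""

    def __init__(self) -> None:
        self._secrets: dict[str, tuple[str, str]] = {}

    def store(self, username: str, password: str) -> str:
        ref = f"cred-{len(self._secrets) + 1}"
        self._secrets[ref] = (username, password)
        return ref

    def resolve(self, ref: str) -> tuple[str, str]:
        # Only the component that actually needs the credential calls this.
        return self._secrets[ref]


@dataclass
class ReferenceOnlyField:
    """Hardened pattern: the UI holds the username and a credential reference.
    There is no password to mask, so there is nothing for copy/paste to reveal."""
    username: str
    credential_ref: str

    def render(self) -> str:
        return f"{self.username} / (stored credential {self.credential_ref})"

    def copy_selection(self) -> str:
        return self.credential_ref


def secret_reachable_from(widget: object, secret: str) -> bool:
    """Audit helper: True if the secret is recoverable from the widget, either
    from its stored state or from its copy action (masking alone is not protection)."""
    stored = any(value == secret for value in vars(widget).values())
    copied = widget.copy_selection() == secret
    return stored or copied


def demo() -> dict[str, bool]:
    # Constructed sample credential; not a real account.
    username, password = "DOMAIN\\svc-appmgr", "Example-Pa55word"
    masked = RenderTimeMaskedField(username, password)

    vault = CredentialVault()
    ref = vault.store(username, password)
    hardened = ReferenceOnlyField(username, ref)

    return {
        "masked_renders_asterisks": masked.render() == f"{username} / " + "*" * len(password),
        "masked_leaks_on_copy": secret_reachable_from(masked, password),
        "hardened_leaks_on_copy": secret_reachable_from(hardened, password),
        "agent_can_still_resolve": vault.resolve(ref) == (username, password),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it and the masked field reports a leak on copy while the reference-only field does not, even though the agent can still obtain the credential it needs. The design point is that the console should not be a place where the password exists at all, which is also why the manual "backspace over the password" workaround described below works: it removes the stored value rather than hiding it.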

The only fix so far is for an AppManager administrator to go into the Properties and 
manually backspace over the password to remove it.  Once this is done it will not appear 
again on any of the consoles.  However, if an "agent installation" job is run, the password
WILL be displayed in Properties, but only for the duration of the install, which is usually
between ten and fifteen minutes.  There is currently no way to prevent this.

According to the company this is a "known issue."  After some more discussion I found that
they have known about this for two years, yet apparently have not done anything to rectify 
it.  They said that encrypting the authentication sequence traffic is difficult to do 
which is one of the reasons why they haven't fixed it yet.  If their programmers can't 
figure out in two years how to encrypt traffic then I think another product should be
chosen.

-- Anonymous