Check enterprise applications for static passwords
Passwords work, users accept them, and IT has to deal with them. We all know that authenticating users and controlling access to application data is the logical starting point for a corporate security program. A persistent problem that may well be the bigger risk to the business, however, is the set of credentials hard-coded into custom applications.
Most corporate authentication effort goes into identifying interactive users, especially those connecting remotely. Password management, including password change policies and mandatory password strength testing, helps keep that process reasonably secure. Unattended enterprise applications, however, are another story.
Applications usually have login credentials bolted right into the code. I have even seen related applications within a group sharing account credentials. Many people know these passwords (anyone with read access to the source or the configuration files, for a start), and the risk of data loss if a password becomes known to an outsider has to be huge. A password change policy becomes impractical, because every copy of the password in code and configuration has to be found and updated at the same time, and the key management problem is just one of a number of issues that turn a wholesale PKI deployment into a beast of a project.
Examine your applications and size the problem for your business. If you have static passwords all over the place, it is time to rethink your strategy. Microsoft's Kerberos and least privilege features in Vista/Longhorn may meet your requirements. If not, or if you need to act now, then look at Cloakware or CyberArk for application password management. I'd also suggest looking into BeyondTrust (Windows) and Symark (Unix) for catching unauthorized privilege escalations.