April 2002
SecurityExpressions
by Geoff Marshall
FOR
SecurityExpressions reporting functions remove the possibility of human error from the checking and deployment of security patches and configuration policies.
AGAINST
This solution complements rather than replaces penetration testing, vulnerability scanners, etc.
VERDICT
SecurityExpressions is an easy-to-use and effective tool for automating the management, deployment, and enforcement of security patches and policies across UNIX and Windows NT/2000 workstations and servers.

SecurityExpressions is designed to automate the deployment, assessment and maintenance of security policies on Windows NT/2000 and UNIX machines. It is ideal as part of a 'lock-down' policy. It works across a network and can check all PCs at the same time. On the Windows machines to be managed it doesn't require an agent to be installed. However, UNIX machines do require an agent and must be managed from a Windows workstation.

Installing SecurityExpressions on a Windows NT/2000 workstation is quick and easy. System requirements are a modest 32Mb RAM and 20Mb disk space. There is on-line help that enables you to get to grips with the product in a matter of minutes rather than hours. The printed documentation is brief, being limited to a 'getting started' tutorial, but nothing more is needed. You can then scan local and remote machines for security vulnerabilities. Of course, for security reasons, a username and password are required before a remote machine can be addressed in cases where a domain user with domain administrator rights is not recognized.

The scanner depends on a security information file (SIF), which contains details of the rules describing how a system should be patched and configured to eliminate security risks. You can create SIFs yourself, but SecurityExpressions comes with a selection that are useful to get you started. The supplied SIFs include Microsoft's recommended security patches, the U.S. National Security Agency (NSA) guidelines, the System Administration Networking and Security (SANS) Institute recommendations, and the U.S. Navy advisory rules.
[Ed Note: Despite the apparent U.S. emphasis of the product, Pedestal Software claims to have many customers outside the U.S., including, for example, Deutsche Bank.]

SIFs are simply text files, so they are easy to create, and it is also easy to modify the supplied SIFs to suit your particular requirements. Using an Explorer style interface, it is simple to pick the SIFs, rules and machines to scan. Each scan results in a display of all vulnerabilities that have been tested, together with 'OK' or 'NOT OK' icons; these indicate the status of each vulnerability. You can then click on each line of the report and use a pull-down menu to select various options, which include editing the rule and fixing the problem. If you opt to fix the problem, the fix is automatically downloaded and applied.

To save time, you can choose to 'fix all' vulnerabilities with one click. All changes are logged so that the history of changes over time can be examined and changes can be reversed, if necessary. However, while the change history is enabled by default, it is not enabled for MS fixes, which are Hotfixes, because a Hotfix usually cannot be reversed safely. Reporting is also excellent, with the ability to create graphical reports detailing compliance across many machines, prioritizing compliance failures by level of risk, showing the hosts with the most problems, and so on.

You can build your own queries into SIFs so that, for example, you could search for certain usernames with certain privileges, which is the signature of some viruses, worms and trojans. Other SIFs may be downloaded from Pedestal Software's web site to carry out tasks such as discovering unauthorized modems on the network and determining whether they are set to auto-answer, or turning off the SNMP service, which may be used by certain hacks. You can set policies depending on the operating system, to cope with the fact that you may require different security configurations on workstations than on servers, or for different versions of the same operating system. You can also group machines for particular security policies so that, for example, machines in the personnel department may require the enforcement of different security policies than those in the accounting department.

The expression builder provides an intuitive interface for building the expressions representing the questions you want to answer. You can specify search criteria expressions to locate objects that may need security modification. For example, you may want to 'locate all files and directories that user Alice has effective rights of read and write on' or to 'find all users who have a bad password count greater than zero.' The Expressions Organizer allows you to store frequently used expressions and lists in a tree that is easy to browse. You can bring up the Organizer in filtered or unfiltered mode. In filtered mode, the Organizer displays only lists and expressions suitable for the expression that you are manipulating, so that only user expressions are shown in a user search. In unfiltered mode, all items are shown.

Once SecurityExpressions is installed to manage your security issues, it can be used for many other tasks. For example, you can write scripts to carry out software inventories and check that all machines are using the same version of a given application. If that application is, for example, anti-virus software, it also has security implications, and the script can even check that the latest virus identity file is being used on every machine.

SecurityExpressions provides the tools to manage and enforce security policies across UNIX and Windows NT/2000 workstations and servers. It helps determine whether systems are compliant with policies. It automates the deployment and verification of security patches and configuration changes. However, it complements rather than replaces penetration testing, vulnerability scanners, etc. It checks whether vulnerabilities exist based on an examination of the system configuration rather than by actually trying to scan or penetrate a system.

Its power lies in its ability to check many systems quickly and to deploy thousands of security patches and configuration changes to thousands of machines with the minimum of human effort. Its reporting functions can be used to remove the possibility of human error from the checking and the deployment of security patches and configuration policies - thus also providing an auditing tool that enables the network manager to be absolutely certain that their security policy is being fully implemented.
 

Contact Information:
   
SecurityExpressions
Version: 2.1

North America
Pedestal Software, Inc.
Price: from $995 (10-host license)
Contact: (781) 762-8961
info@pedestalsoftware.com
www.pedestalsoftware.com

UK/Europe
Grey Matter
Price: £682 (10-host licence)
Contact: +44 (0)8 703 665566
maildesk@greymatter.com

www.greymatter.com
  

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © West Coast Publishing. All rights reserved.