Security Manager enforces the rules
- By Mandy Andress
- Feb 18, 2001
Maintaining system configurations and enforcing security policies are two
of the most critical issues faced by administrators and security managers. Security Manager from NetIQ Corp. helps you enforce security policies by
monitoring configurations and alerting you when something has been modified
and differs from the defined policy.
Microsoft Corp.'s Security Configuration Manager (SCM), a snap-in tool
for Microsoft Management Console, does part of the job, enabling you to
define configuration settings and apply them in a single stroke to multiple
computers. You can also periodically run SCM to check for any changes in
configuration settings on local computers. NetIQ's Security Manager extends
the SCM snap-in by providing centralized management and a knowledge base
of best practices.
Although SCM requires administrators to manually check each machine,
the NetIQ Security Manager console enables administrators to monitor all
computers from a centralized location. Agents run in the background, invisible
to users, with real-time monitoring of the settings and configuration on
each system.
Also important, the agents can be installed remotely from the Security
Manager console so administrators don't have to go chasing around the department
making sure each machine is covered. By default, Security Manager is set
to probe your network daily at 2:05 a.m. looking for any new systems. If
a new system is found, it is listed as a pending agent until an administrator
approves the installation.
The Security Manager console communicates with the agents using a proprietary
protocol over encrypted TCP. The encryption level is the same level as the
operating system, either 40 bit or 128 bit.
Security Manager also offers a Web console, which means that if you
have Internet access to your network, you can access its tools from anywhere.
The only potential snag in this system is that some agent installations
require physically rebooting the system, which is not an easy process if you are
in the office and the system is sitting in a facility somewhere else.
As noted, NetIQ also delivers a knowledge base of security best practices
and pre-defined rules called Active Knowledge Modules to help you properly
configure your systems. This component allows you to secure your systems
effectively even if you are not a security expert.
Finally, NetIQ provides stronger reporting capabilities than you'll
find in SCM. Out of the box, Security Manager provides 60 reports detailing
events and views helpful for security and policy management. Security Manager
also allows you to create custom reports and views.
The installation process for Security Manager is fairly straightforward.
If you set up the program for 10 or fewer systems, you can employ a Microsoft
Access database for data collection. For larger environments, you need to
install Microsoft's SQL Server. Security Manager provides support for multiple
installations of SQL Server, allowing you to build a redundant solution
with failover capability. If one database server goes down, your data will
not be lost. It will be sent to one of the other database servers in less
than 60 seconds.
Before starting the installation process, I had to create two Windows
NT domain accounts for Security Manager to use. It would be helpful to administrators
if the installation program created these accounts automatically. Next, Security Manager runs a program that checks to make sure your system conforms
to the installation requirements.
Once Security Manager was up and running, I installed a couple of agents
on servers and tested the alerts. Currently, Security Manager only provides
agents for Windows NT and Windows 2000, although NetIQ says agents for Solaris
and Linux are expected in the third quarter. In the meantime, you can use Security Manager as a collection point for Unix system logs.
Security Manager can monitor and enforce thousands of policies, and
each is detailed in the application. Looking at all those options is a bit
overwhelming, and most administrators will find that the most time-consuming
aspect of this product will be configuring it for their environment. Once
this process is complete, though, ongoing management of Security Manager
should be a breeze.
Security Manager enables you to monitor activities such as attempts
to log on from different machines using the same user ID, attempts to log
on interactively with a services account, repeated failed log-on attempts
from a single computer or across multiple computers with the same user ID,
and additions to special groups, such as domain administrators.
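The four monitoring checks described above, written out as detection logic over a constructed set of audit records. This is an added example, not NetIQ's code or its rule format; the record layout, the service-account and privileged-group lists, and the failure threshold are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample audit records: (host, user, event, detail).
# event is one of "logon_ok", "logon_fail", "interactive_logon", "group_add".
EVENTS = [
    ("WS01", "jsmith", "logon_ok", ""),
    ("WS07", "jsmith", "logon_ok", ""),                # same ID, second machine
    ("SRV02", "svc_backup", "interactive_logon", ""),  # service account at console
    ("WS03", "mlee", "logon_fail", ""),
    ("WS03", "mlee", "logon_fail", ""),
    ("WS03", "mlee", "logon_fail", ""),                # three failures on one host
    ("WS04", "admin", "logon_fail", ""),
    ("WS05", "admin", "logon_fail", ""),
    ("WS06", "admin", "logon_fail", ""),               # three failures spread across hosts
    ("DC01", "tnguyen", "group_add", "Domain Admins"),
]
SERVICE_ACCOUNTS = {"svc_backup"}      # assumed list of service accounts
SPECIAL_GROUPS = {"Domain Admins"}     # assumed list of privileged groups

def shared_id_across_hosts(events):
    """User IDs that logged on successfully from more than one machine."""
    hosts = defaultdict(set)
    for host, user, ev, _ in events:
        if ev == "logon_ok":
            hosts[user].add(host)
    return sorted(u for u, h in hosts.items() if len(h) > 1)

def interactive_service_logons(events):
    """Service accounts used for an interactive (console) logon."""
    return sorted({(h, u) for h, u, ev, _ in events
                   if ev == "interactive_logon" and u in SERVICE_ACCOUNTS})

def repeated_failures(events, threshold=3):
    """Failed logons reaching the threshold on a single host, or for one
    user ID regardless of host (catches attempts spread across machines)."""
    by_host, by_user = Counter(), Counter()
    for host, user, ev, _ in events:
        if ev == "logon_fail":
            by_host[(host, user)] += 1
            by_user[user] += 1
    return {"single_host": sorted(k for k, n in by_host.items() if n >= threshold),
            "any_host": sorted(u for u, n in by_user.items() if n >= threshold)}

def special_group_additions(events):
    """Accounts added to a privileged group such as Domain Admins."""
    return [(u, d) for _, u, ev, d in events
            if ev == "group_add" and d in SPECIAL_GROUPS]

if __name__ == "__main__":
    for fn in (shared_id_across_hosts, interactive_service_logons,
               repeated_failures, special_group_additions):
        print(fn.__name__, fn(EVENTS))
```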
Security Manager can respond automatically to some events. Responses
include start, stop and restart services; detecting and killing rogue services
or processes; configuring the Internet Information Server to deny a specific
IP address; disabling, enabling or unlocking a user account; and forcing
a user log-off. You can also write custom scripts to execute when a specific
event is triggered.
What's more, Security Manager also allows you to monitor anti-virus
products from Symantec Corp., Network Associates Inc.'s McAfee line and
TrendMicro Inc. With this ability, you can easily see when a user disables
anti-virus software.
Bear in mind, however, that although NetIQ markets Security Manager
as an intrusion-prevention and vulnerability-assessment solution, it is
not a complete solution, and you should not rely solely on it for that purpose.
Although Security Manager can help protect you against some vulnerabilities,
in most cases you are alerted after the breach has occurred and it can be
difficult to determine how much damage has been done. Additionally, NetIQ
only updates the vulnerability database once a quarter, which means you
may not be protected against the most recent hacking techniques.
That said, Security Manager is a great product for centralized management
and policy enforcement in Windows-centric environments. Once initial setup
and configuration are complete, Security Manager will greatly decrease
administrative enforcement efforts and help ensure that all users comply
with the agency security policy.
Andress is president and chief executive officer of ArcSec Technologies
Inc., a security consulting and product review firm. She can be reached
at [email protected]sec.com.