Security Manager enforces the rules

• By Mandy Andress
• Feb 18, 2001

Maintaining system configurations and enforcing security policies are two of the most critical issues faced by administrators and security managers. Security Manager from NetIQ Corp. helps you enforce security policies by monitoring configurations and alerting you when something has been modified and differs from the defined policy.

Microsoft Corp.'s Security Configuration Manager (SCM), a snap-in tool for Microsoft Management Console, does part of the job, enabling you to define configuration settings and apply them in a single stroke to multiple computers. You can also periodically run SCM to check for any changes in configuration settings on local computers. NetIQ's Security Manager extends the SCM snap-in by providing centralized management and a knowledge base of best practices.

Although SCM requires administrators to manually check each machine, the NetIQ Security Manager console enables administrators to monitor all computers from a centralized location. Agents run in the background, invisible to users, with real-time monitoring of the settings and configuration on each system.

Also important, the agents can be installed remotely from the Security Manager console so administrators don't have to go chasing around the department making sure each machine is covered. By default, Security Manager is set to probe your network daily at 2:05 a.m. looking for any new systems. If a new system is found, it is listed as a pending agent until an administrator approves the installation.

The Security Manager console communicates with the agents using a proprietary protocol over encrypted TCP. The encryption level is the same level as the operating system, either 40 bit or 128 bit.

Security Manager also offers a Web console, which means that if you have Internet access to your network, you can access its tools from anywhere.

The only potential snag in this system is that some agent installations require physically rebooting the system — not an easy process if you are in the office and the system is sitting in a facility somewhere else.

As noted, NetIQ also delivers a knowledge base of security best practices and pre-defined rules — called Active Knowledge Modules — to help you properly configure your systems. This component allows you to secure your systems effectively even if you are not a security expert.

Finally, NetIQ provides stronger reporting capabilities than you'll find in SCM. Out of the box, Security Manager provides 60 reports detailing events and views helpful for security and policy management. Security Manager also allows you to create custom reports and views.

The installation process for Security Manager is fairly straightforward. If you set up the program for 10 or fewer systems, you can employ a Microsoft Access database for data collection. For larger environments, you need to install Microsoft's SQL Server. Security Manager provides support for multiple installations of SQL Server, allowing you to build a redundant solution with failover capability. If one database server goes down, your data will not be lost. It will be sent to one of the other database servers in less than 60 seconds.

Before starting the installation process, I had to create two Windows NT domain accounts for Security Manager to use. It would be helpful to administrators if the installation program created these accounts automatically. Next, security Manager runs a program that checks to make sure your system conforms to the installation requirements.

Once Security Manager was up and running, I installed a couple of agents on servers and tested the alerts. Currently, Security Manager only provides agents for Windows NT and Windows 2000, although NetIQ says agents for Solaris and Linux are expected in the third quarter. In the meantime, you can use, security Manager as a collection point for Unix System Logs.

Security Manager can monitor and enforce thousands of policies, and each is detailed in the application. Looking at all those options is a bit overwhelming, and most administrators will find that the most time- consuming aspect of this product will be configuring it for their environment. Once this process is complete, though, ongoing management of Security Manager should be a breeze.

Security Manager enables you to monitor activities such as attempts to log on from different machines using the same user ID, attempts to log on interactively with a services account, repeated failed log-on attempts from a single computer or across multiple computers with the same user ID, and additions to special groups, such as domain administrators.

Security Manager can respond automatically to some events. Responses include start, stop and restart services; detecting and killing rogue services or processes; configuring the Internet Information Server to deny a specific IP address; disabling, enabling or unlocking a user account; and forcing a user log-off. You can also write custom scripts to execute when a specific event is triggered.

What's more, Security Manager also allows you to monitor anti-virus products from Symantec Corp., Network Associates Inc.'s McAfee line and TrendMicro Inc. With this ability, you can easily see when a user disables anti-virus software.

Bear in mind, however, that although NetIQ markets Security Manager as an intrusion-prevention and vulnerability-assessment solution, it is not a complete solution, and you should not rely solely on it for that purpose. Although Security Manager can help protect you against some vulnerabilities, in most cases you are alerted after the breach has occurred and it can be difficult to determine how much damage has been done. Additionally, NetIQ only updates the vulnerability database once a quarter, which means you may not be protected against the most recent hacking techniques.

That said, Security Manager is a great product for centralized management and policy enforcement in Windows-centric environments. Once initial setup and configuration are complete, Security Manager will greatly decrease administrative enforcement efforts and help ensure that all users comply with the agency security policy.

Andress is president and chief executive officer of ArcSec Technologies Inc., a security consulting and product review firm. She can be reached at mandy@arcsec.com.