Security tool closes loopholes

Many experienced PC users believe that it's difficult to break into Microsoft Corp.'s Windows NT and 2000. But hackers' publications are filled with tricks devised to crack into these systems.

Fortunately, the loopholes hackers take advantage of can be closed. The problem is that agency information technology workers could face long hours checking for the multitude of loopholes and taking steps to close them. That's where SecurityExpressions from Pedestal Software LLC can help.

SecurityExpressions automates the entire process for you, and it can check all of your PCs simultaneously.

Installing the utility on my Windows 2000 workstation took less than two minutes, and the average user can learn to exercise the major functions in half an hour. No manual came with my copy of SecurityExpressions, but the online help was so thorough that I never missed the printed material.

SecurityExpressions' five Security Information Files (SIFs) contain lists of potential security loopholes along with information on each loophole and the method for fixing the problem. Together, the data for each loophole is called a "rule."

One rule is based on a Microsoft security white paper, and another comes from the System Administration, Networking, and Security (SANS) Institute. Three are from the Navy: one covering domain controllers, one servers and one workstations. You can create your own SIF using your own rules, but for reporting purposes, I stick with established industry standards. To start with, I chose the Microsoft file.

SecurityExpressions' main window has two major sections. The left pane primarily shows a tree structure of hosts to be scanned, and the right pane shows the results. After I highlighted my own workstation in the left pane and clicked the Scan radio button, results were displayed in the right pane within 15 seconds.

The results showed a list of the rules checked, and most were marked with an easily understood "OK" or "Not OK." I was glad to see a large number of loopholes that were found were closed on my PC, but there were still 51 problems to resolve.

Solving the problems involved delicate registry changes, but SecurityExpressions enables you to fix most problems automatically. Right-clicking on each rule gives you the options to edit the rule, add a new rule or fix the problem. Clicking the selection to fix the problem brings up detailed information about the problem, including how to fix it manually, and offers to fix it for you automatically.

I was disappointed when SecurityExpressions reported that I did not have NT Service Pack 5 installed. I was using Windows 2000, which does not yet have a Service Pack 5. When I applied the automatic fix, I was glad to see that my registry was not changed incorrectly. Some other items indicated that the utility does not distinguish between Windows 2000 and Windows NT, but I never found any error that would be a serious problem to the user.

Although all the features of SecurityExpressions can be mastered in an afternoon, I'd recommend that it only be used by staff familiar with Windows NT/2000 and who have more than a passing knowledge of the registry.

The left pane listed all the Windows NT/2000 PCs in my local network neighborhood, sorted by domain and workgroups. This made it easy to select PCs for remote scanning. My license allowed only 10 hosts to be scanned at a time, but my impression was that remote scanning is extremely rapid. The vendor advertises that the utility is multithreaded, which — while using a batch mode — enables it to scan as many as 200 hosts quickly and simultaneously. SecurityExpressions uses the operating systems' native client/server protocols, so you don't have to install any client software on the remote machines.

SecurityExpressions is only a few months old, but it already includes some advanced features. One of the most important of these is a powerful compliance querying language that enables you to report on compliance with specific policies implemented in users and groups, files, and directories. Built-in reports include graphics showing progress in security compliance over time.

Using SecurityExpressions complements using a vulnerability scanner, but it doesn't replace it. For example, it will not tell you whether all necessary security patches have been applied. But it will check security policy compliance, as well as many permissions, user rights, group memberships and other potential security problems not reported by vulnerability scanners.

I would like to have seen a document describing the need for a multi-tiered approach to security, with explanations of the importance of secure backups, physical security of the hard drives and cost-free techniques, such as using BIOS boot-up passwords.

Overall, SecurityExpressions is powerful and user-friendly, has a flexible license and is reasonably priced. It is a must-have utility for organizations with large networks and for all offices requiring tight data security.

Greer is a senior network analyst at a large Texas state agency. He can be reached at Earl.Greer@dhs.state.tx.us.