What's a bigger security problem than any hacker, rogue insider, vulnerability or virus? System misconfigurations caused by admin error. Encompassing everything from open shares to leaky services to missing hotfixes, misconfigurations leave the virtual door open to critical systems.
The latest version of Configuresoft's Enterprise Configuration Manager (ECM) counters admin error by providing enterprises with a solution that centralizes the monitoring, analyzing and correcting of configuration errors that cause security problems.
Our testing of version 4.5 beta code shows ECM is an effective tool for automating configuration management. The updated software can baseline Windows configurations, enforce policy compliance, and show how configurations change over time. The latest version boasts some new tricks, like encrypting agent communications, improved performance and better Active Directory (AD) support.
But there are a few catches. ECM only supports Windows servers and workstations. Its initial deployment can bog down networks with agent traffic. And its reports are generated by Crystal Reports, which currently conflicts with Windows Server 2003 (a fix is in the works).
Reining In Data
ECM uses agents to pull configuration information--registry data, events, settings--from monitored devices.
The centralized repository, the Collector, allows for tracking, modifying and restoring server configurations. The Collector runs as a service on an NT/2000 box.
Agents can be installed locally from the CD or pushed over a Distributed Component Object Model (DCOM)/NetBIOS over TCP/IP (NBT) connection. DCOM enables ECM agents to communicate reliably and securely with the Collector over a network.
Once the agents are deployed, the admin only needs to tell the Collector which machines are being monitored and how often it should collect data for analysis.
While the previous version of ECM could only report baseline configuration changes, version 4.5 can restore machines to a trusted state. ECM's agent will report unauthorized changes to the Collector the next time the agent is scheduled to run. Admins can manually approve or schedule an automatic registry rollback to the correct settings. They can also test "what-if" scenarios without pushing the actual changes. Comprehensive auditing allows easy tracking of change histories in the ECM logs.
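The baseline-compare, "what-if" preview and rollback cycle described above, written out as an added illustration (this is not Configuresoft's code; the registry is stood in for by a dictionary keyed on registry paths, and the sample values are constructed for the example):

```python
"""Drift detection, what-if preview and rollback over a registry-like store.

Added illustration, not ECM code. The store is a plain dict whose keys are
registry value paths; the sample baseline and collected data are constructed.
"""
import copy
from datetime import datetime, timezone

# Constructed sample data: a trusted baseline captured when the server was
# known-good, and what the agent collected on its next scheduled run.
LANMAN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer"
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous"
TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
RUN_ENTRY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vendor_tool"

BASELINE = {LANMAN: 0, LSA: 1, TS: 1}
COLLECTED = {LANMAN: 1, LSA: 1, RUN_ENTRY: r"C:\Temp\vendor_tool.exe"}  # TS value deleted


def detect_drift(baseline, collected):
    """Return {key: (status, expected, actual)} for every deviation from baseline."""
    drift = {}
    for key, expected in baseline.items():
        if key not in collected:
            drift[key] = ("missing", expected, None)
        elif collected[key] != expected:
            drift[key] = ("changed", expected, collected[key])
    for key, actual in collected.items():
        if key not in baseline:
            drift[key] = ("added", None, actual)
    return drift


def plan_rollback(drift):
    """Turn deviations into the write/delete actions that restore the baseline."""
    plan = []
    for key, (status, expected, _actual) in sorted(drift.items()):
        if status == "added":
            plan.append(("delete", key, None))
        else:
            plan.append(("set", key, expected))
    return plan


def apply_plan(store, plan, what_if=True, audit=None, now=None):
    """Apply a rollback plan.

    With what_if=True the resulting state is returned without touching `store`
    (the preview an admin reviews before approving). With what_if=False the
    store is modified in place and each action is appended to `audit`, which
    is the change history later reports draw on.
    """
    target = copy.deepcopy(store) if what_if else store
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    for action, key, value in plan:
        before = target.get(key)
        if action == "set":
            target[key] = value
        else:
            target.pop(key, None)
        if not what_if and audit is not None:
            audit.append({"time": stamp, "action": action, "key": key,
                          "before": before, "after": value})
    return target


if __name__ == "__main__":
    drift = detect_drift(BASELINE, COLLECTED)
    for key, (status, expected, actual) in sorted(drift.items()):
        print(f"{status:8} {key}: expected={expected!r} actual={actual!r}")
    plan = plan_rollback(drift)
    print("what-if result matches baseline:", apply_plan(COLLECTED, plan) == BASELINE)
    live, history = copy.deepcopy(COLLECTED), []
    apply_plan(live, plan, what_if=False, audit=history)
    print("after rollback matches baseline:", live == BASELINE, "| audit entries:", len(history))
```

The preview path deep-copies the store, so an approved plan can be inspected before it is scheduled; the live path writes the audit record alongside the change so the history and the state never disagree.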
Enterprise Configuration Manager 4.5's new browser-based dashboard provides better status-at-a-glance views, allowing admins to check machines individually or by group for configuration compliance.
ECM provides an automated Compliance Enforcement wizard, which makes short work of comparing monitored servers to a "known good" reference machine. The wizard is a must-have for managing large infrastructures, such as server farms that require standard configurations across multiple boxes.
Configuresoft enhanced ECM's ability to check multiple types of machines through master templates. The templates use "if-then" rules for implementing common configuration settings across multiple machines assigned to specific groups. For instance, if MS SQL Server is found on a machine, ECM should do "X" and not "Y," and then leave the "Z" settings in place.
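An added example of how a master template of "if-then" rules can be evaluated against a machine group, in the spirit of the SQL Server case above. This is illustrative code written for this article, not ECM's template engine; the machine inventories, service names used as setting keys and the rules themselves are constructed for the example:

```python
"""If-then master template evaluated against a machine group.

Added illustration, not ECM code. Each rule is a condition over a machine's
inventory plus the settings it enforces when the condition holds. Settings
no matching rule mentions are left exactly as found (the "Z" settings).
"""
from collections import namedtuple

Rule = namedtuple("Rule", "name condition settings")


def has_sql_server(inventory):
    """Condition: any installed product (per the MSI database) is SQL Server."""
    return any(s.startswith("Microsoft SQL Server") for s in inventory["software"])


# Constructed template: rules are evaluated in order, first rule to mention a
# setting wins, so the most specific rule should come first.
TEMPLATE = [
    # If SQL Server is found: keep SQL Agent running ("X"), do not leave IIS
    # running on the database box ("not Y").
    Rule("sql-host", has_sql_server, {"SQLSERVERAGENT": "auto", "IISADMIN": "disabled"}),
    # Applies to every machine in the group.
    Rule("group-baseline", lambda inv: True, {"TlntSvr": "disabled", "Messenger": "disabled"}),
]

# Constructed inventories: installed software plus current service start modes.
MACHINES = {
    "sql01": {"software": {"Microsoft SQL Server 2000"},
              "settings": {"SQLSERVERAGENT": "auto", "IISADMIN": "auto",
                           "TlntSvr": "disabled", "Messenger": "disabled",
                           "RemoteRegistry": "auto"}},          # "Z": untouched
    "web01": {"software": {"IIS 5.0"},
              "settings": {"IISADMIN": "auto", "TlntSvr": "auto", "Messenger": "auto"}},
}


def desired_settings(inventory, template):
    """Merge the settings of every matching rule; earlier rules take precedence."""
    desired = {}
    for rule in template:
        if rule.condition(inventory):
            for key, value in rule.settings.items():
                desired.setdefault(key, (value, rule.name))
    return desired


def check_machine(inventory, template):
    """Return [(setting, expected, actual, rule)] for each non-compliant setting."""
    findings = []
    for key, (expected, rule) in desired_settings(inventory, template).items():
        actual = inventory["settings"].get(key)
        if actual != expected:
            findings.append((key, expected, actual, rule))
    return findings


def check_group(machines, template):
    """Compliance findings for every machine in the group, keyed by hostname."""
    return {name: check_machine(inv, template) for name, inv in machines.items()}


if __name__ == "__main__":
    for host, findings in check_group(MACHINES, TEMPLATE).items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for key, expected, actual, rule in findings:
            print(f"  {key}: expected {expected}, found {actual} (rule {rule})")
```

Because the engine only emits findings for settings a matching rule names, a setting like RemoteRegistry on sql01 is neither flagged nor changed, which is the "leave Z in place" behaviour the template promises.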
The new browser-based interface improves the look and provides better status-at-a-glance views. The updated dashboard allows users to easily create SQL queries for quickly isolating a machine group.
Another enhancement is ECM's ability to test machines against various security guidelines and force policy compliance, in particular the included Microsoft and SANS configuration guidelines. ECM also allows admins to adopt other guidelines through manually created templates.
ECM tracks what software is loaded on Windows servers or workstations via the database maintained by the integrated Microsoft Installer Utility. This makes it easier to identify unauthorized application installations.
ECM makes it possible to check for missing patches and hotfixes. With the addition of the Security Update Manager (SUM) module, ECM can push hotfixes, validate them and roll them back if something goes wrong.
Auditing of NTFS access control permissions is a new feature in version 4.5. This should be used cautiously, since indiscriminate use can dramatically increase the amount of data storage required. Enterprises should only audit specific machines, and even then just watch for critical WINNT and System32 directory changes.
For enterprises that use AD, ECM supports LDAP for improved handling of AD discovery. Information queries have improved response times over previous versions of ECM.
Global and Local Reporting
Historical reporting can filter for specific details, such as changed share permissions or a disabled account. The Collector provides a single screen for filtering enterprise-wide changes.
ECM ships with more than 250 prepackaged reports that automatically filter queries. ECM goes beyond the policy enforcement tools that come with Win2K. It draws in the whole registry and Windows event log, keeping a running history of all changes. For example, it's easy to view all accounts that haven't been logged on in a certain number of days.
Crystal Reports is ECM's reporting engine. While a functional application, Crystal Reports conflicts with Windows Server 2003 and IIS 6.0. Currently, Win2003 isn't suitable for hosting the Collector. Configuresoft says Win2003 prohibits the use of unprintable characters in the query string mechanism used between Crystal Reports and IIS. This conflict breaks some of the Crystal Reports code. Configuresoft and Crystal Reports are working on this issue, but a fix isn't expected until after ECM 4.5's official release this month.
ECM offers effective configuration monitoring and management, but take note of potential bandwidth and security issues.
On average, agents collect 40,000 configuration elements from monitored systems, which requires about 25 MB of disk space per machine. During installation, ECM will likely degrade network performance while it collects huge volumes of data. Fortunately, only information deltas are exchanged after the initial installation, which significantly reduces traffic.
ECM's agents communicate via native DCOM technology, which puts data in a binary format and sends it in the clear. To secure communications, Configuresoft added HTTP wrappers, which transparently encrypt agent traffic with AES. An HTTP listener handshake confirms the agent's identity and allows communication through a firewall. Unauthorized IPs receive no response and are black-holed for a minute. This adds security, but requires opening a firewall port above 1,024 to use the HTTP listener.
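The listener's gatekeeping behaviour described above (respond only to known agents, stay silent toward anyone else for a minute) as an added example. This is not Configuresoft's listener code and assumes nothing about ECM beyond what the review states; the authorized address list and the timestamps are constructed, and time is passed in explicitly so the sixty-second window can be exercised deterministically:

```python
"""Gatekeeper for an agent handshake listener.

Added illustration, not ECM code. Pre-registered agent addresses get a
handshake response; any other source gets no reply and is ignored for the
next BLACKHOLE_SECONDS. Every decision is recorded so the listener doubles as
a detection feed for unexpected connection attempts.
"""
from collections import Counter

BLACKHOLE_SECONDS = 60


class ListenerGate:
    def __init__(self, authorized_ips, blackhole_seconds=BLACKHOLE_SECONDS):
        self.authorized = set(authorized_ips)
        self.blackhole_seconds = blackhole_seconds
        self.blackholed_until = {}   # ip -> time (seconds) the silence ends
        self.events = []             # (time, ip, outcome) for the audit trail

    def handle(self, src_ip, now):
        """Return True if a handshake response should be sent, False to stay silent.

        `now` is a monotonic timestamp in seconds supplied by the caller.
        Repeated attempts inside an open black-hole window are dropped without
        extending the window; a fresh window starts on the first attempt after it.
        """
        until = self.blackholed_until.get(src_ip)
        if until is not None and now < until:
            self.events.append((now, src_ip, "dropped-blackholed"))
            return False
        if src_ip in self.authorized:
            self.events.append((now, src_ip, "handshake"))
            return True
        self.blackholed_until[src_ip] = now + self.blackhole_seconds
        self.events.append((now, src_ip, "blackholed"))
        return False

    def unauthorized_summary(self):
        """Count of silent drops per source address, for alerting on persistent probing."""
        return Counter(ip for _t, ip, outcome in self.events if outcome != "handshake")


if __name__ == "__main__":
    # Constructed scenario: one registered agent and one unknown source.
    gate = ListenerGate(authorized_ips={"10.0.0.5"})
    for t, ip in [(0, "10.0.0.5"), (0, "10.0.0.99"), (30, "10.0.0.99"),
                  (61, "10.0.0.99"), (61, "10.0.0.5")]:
        print(f"t={t:3}s {ip:10} -> {'respond' if gate.handle(ip, t) else 'silent'}")
    print("drops per source:", dict(gate.unauthorized_summary()))
```

Keeping the window fixed rather than sliding means a misconfigured but legitimate host is not locked out indefinitely by its own retries, while the per-source counts still make sustained probing visible to whoever watches the listener's log.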
Each agent requires an authority account with administrator privileges for inspecting the registry, enforcing security policies, running processes, etc. This opens the possibility of an attacker cracking an agent and gaining administrative access to monitored machines. ECM agents also use native Windows authentication, which has known security weaknesses, but the latest enhancements mitigate much of that risk.
Improvements Bring Maturity
Configuresoft has made a number of improvements to ECM over previous versions, such as encrypted agent communication and the ability to collect information through a firewall. We would still like to see more focus on the security features, such as expanded security compliance templates. And while you can run agents more frequently on critical boxes, proactive agents would be a plus.
ECM is a powerful management and remediation tool, but its applicability is limited by its Windows-centric focus. Nevertheless, ECM 4.5 is a good tool because of the leverage it gives administrators to do more configuration tasks, faster and with accuracy.
Enterprise Configuration Manager 4.5
Price: $995/server; $30/agent. Security Update Manager (SUM) is an additional $25/server and $5/agent.
Enterprise Configuration Manager tracks, modifies and restores configuration settings to Windows servers and workstations.
Hardware: Minimum of 512 MB of RAM on the Collector server; 2 GB of disk space is recommended.
Software: The Collector service and the MS SQL database (not included) require Windows NT/Windows 2000.
- Centrally maintain important Windows registry data.
- Centrally monitor and apply Windows patches and hotfixes.
- Make enterprise-wide changes to Windows machines from a single console.
- Enforce machine compliance with configuration policies.
- New options for secure communication through firewalls.
- Compliance Enforcement wizards and security compliance templates keep machines properly configured.
- Improved role-based policy checking using "if-then" logic.
- Improved Active Directory support via LDAP.
- Conflicts with Win2003 and IIS 6.0 (a fix is in the works).
- Windows-centric: supports only Windows servers and workstations.
ECM 4.5 is a mature tool for managing and controlling the configurations of Windows servers and workstations. By centralizing Windows registry data, MSI information and NTFS file permissions, ECM provides tremendous control over the configurations of individual and grouped machines. An updated browser-based interface makes finding anomalies easier, and enforcement wizards help keep Windows machines in compliance with security policies.
Scott Sidel, CISSP, is a technical editor for Information Security and senior security engineer at Computer Sciences Corp.
This was first published in July 2003