This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?."
St. Bernard Software
Price: $1,680 for a one-year, 50-device license
St. Bernard's SecurityEXPERT automates deployment and enforcement of strong security configurations, based on industry best practices.
St. Bernard Software's security configuration management tool, SecurityEXPERT, is a logical complement to its flagship automated patching tool, UpdateEXPERT. This solid first release enables organizations to implement secure configurations across Windows and Unix devices based on policy and/or best practice templates.
SecurityEXPERT is an agent-based OS-hardening tool that automates configurations; for example, it can restrict Windows services and rights to users and files via registry settings. Enterprises can enforce custom policies or draw on templates built on best practices from Microsoft, SANS, NIST, CERT and NSA.
Installing SecurityEXPERT's server--which includes the management console, IIS, Microsoft Data Engine, and setting and scanning Snap-ins--and applying Windows patches was a long process, though St. Bernard says even a large enterprise would require only one master and perhaps three or four additional servers. (SecurityEXPERT includes UpdateEXPERT, which is required and has to be installed separately. UpdateEXPERT is available as a stand-alone product.)
Setting up policies was simple. We placed our two workstations in a group with separate policies for each, using default SANS and Microsoft templates, though we could have easily customized them by selecting and enabling or disabling each policy procedure.
SecurityEXPERT can have multiple security policies active at once, combining the strength of each. If there's a conflict between policies, SecurityEXPERT allows you to view all the changes to be made by the policies line by line, and shows which ones are in conflict. You can then decide what action to take simply by clicking on the policy. This saves a security manager from having to sort through hundreds of potential conflicts.
SecurityEXPERT can be set to issue alerts if policies have been changed on a server or workstation, and can automatically push out policies on defined schedules. We had no issues when we ran it overnight.
We tested SecurityEXPERT's effectiveness by reassigning the user account rights on our XP workstation. We selected the SANS template and ran reports to see how far the workstations deviated from the policy template. We pushed the correct policy template to each workstation; after the remediation, we ran new reports, which showed the stations in compliance.
Although thorough and easy to read, the reports were somewhat lacking in customization and flexibility. For example, you can't run a report based on specific policy settings or time. Reports can be exported to a word processor or spreadsheet for further review and analysis.
Impressive for a first release, SecurityEXPERT is on a par with similar tools, such as NetIQ's Vulnerability Manager or Symantec's Client Security. It may be a particularly attractive option for existing UpdateEXPERT users, or for shops looking for patch and configuration management in one package.
This was first published in March 2005