This article can also be found in the Premium Editorial Download "Information Security magazine: Buying spree: 2003 product survey results."
The reality of today's enterprise environment is that systems change as soon as they're deployed. That's especially true in Microsoft shops, where a system's policies, configurations or installed applications may be changed by domain servers or by Systems Management Server (SMS) pushes. So a system that seemed locked down in a lab may be vulnerable once it's on a production network.
Discovering these vulnerabilities--often deep within the operating system or core services--can be a daunting task. Most security professionals who have dealt with this problem on Microsoft systems have crossed paths with the Microsoft Baseline Security Analyzer (MBSA). This host-based freeware helps track down missing patches and poor security configurations.
What most people don't know is that Shavlik Technologies created MBSA for Microsoft, and offers an enhanced commercial version--Enterprise Inspector. Its client/server architecture makes it scalable for large networks. It also has more automated functions and produces more detailed reports than MBSA.
Starting Quick and Easy
Enterprise Inspector is more complicated to install than MBSA. It runs on top of SQL Server 2000 (not included), which must be installed first. A few other small components--such as MDAC, JET and the MSXML parser--are also required.
Enterprise Inspector's installation is straightforward, but not foolproof. Users must read the documentation and follow the installation notes. The account used for scanning must also have local administrator rights on each machine it scans in order to obtain system configuration and patch information.
By following the installation notes, users can be up and running in as little as five minutes. Not bad.
All About Scanning
Enterprise Inspector is all about scanning Microsoft systems. The application will scan either by domain or IP range. Admins can elect to perform all or selected scans, including checks for vulnerabilities, missing patches and weak passwords.
Prior to each scan, Enterprise Inspector connects to an XML database at Microsoft and downloads up-to-the-minute patch information. When not connected to the Internet, Enterprise Inspector will reference a cached copy of the database.
Scan status is displayed by a simple progress bar and error count. Scans can take a while, depending on the size of the scan set. Despite being multithreaded, Enterprise Inspector scans in a mostly sequential fashion. Domains containing hundreds of systems should probably be scanned overnight.
That said, scanning a system doesn't bring performance to a total halt. While scanning elevates disk activity and CPU usage, some users may not notice any unusual activity. Enterprise Inspector's ability to perform selective scans is also useful; for example, opting out of password checks will make a scan much faster. However, this will also skew the results.
Beyond simply scanning for missing patches, Enterprise Inspector does several other checks, such as verifying the configuration of Internet Explorer, Windows Media Player and Office XP. Servers running IIS, SQL or Exchange can be checked for configuration and hotfix problems.
In our tests, systems that appeared to be up to date through Windows Update were shown to still have missing patches and dubious configurations. Enterprise Inspector's ability to gather information about a system's installed applications and services gives it an edge over the standard update mechanism. Detailed configuration checking allows it to provide insight on how to further harden the system--something that simply isn't possible with many other scanners.
Enterprise Inspector's reporting capability is hands down its biggest selling point. All scan results and analyses are stored in a SQL database, making it possible to run predefined reports or create customized summaries.
Enterprise Inspector's reports include a "score" based on a 100-point scale that reflects a system's overall health. The higher the score, the better that system's security posture. A score below 50 is considered a significant risk. Many reports also include trend information, showing a system's security status over time--improving, neutral or decreasing.
Enterprise Inspector's stand-alone reporting tool provides 10 predefined, but highly customizable reports. They are:
Executive summary: As with any good executive summary, this begins with a colorful graph that depicts the associated risk level for each major category. Another simple chart provides the numerical breakdown of the risk levels for each category, and a system's overall grade.
Administrators by machine: Shows the administrators who have performed scans on each system.
Machines by administrator: Shows all systems scanned by a particular admin. This and the "Administrators by machine" report are useful for tracking workflow and productivity.
Scan list: Displays a list of all scans that have been conducted. The report can be limited to displaying specific IP ranges, scan types, admins, date ranges, domains or worst offenders--systems with the lowest score.
Scan detail: Displays the details of each scan performed, providing an inventory of what needs to be addressed on each system.
Machines with only partial scans: Displays systems that had some portion of the scan disabled. Partially scanned machines may have artificially high scores due to the missing results. This report identifies such systems for further analysis.
Trend summary: This shows the machines scanned in each domain and the average grade of all systems for a given period. This report is handy for quick long-term trend analysis.
Trend detail: This shows each machine, and lists each of the scans performed, including date, overall score and trend. This report is useful for a more fine-tuned trend analysis.
Patches by machine: Shows each machine and the patches that are required to bring it up to date.
Machines by patch: Shows new and uninstalled patches and the machines that are missing them.
All of these reports can be fine-tuned to show all available data, just the most recent scans for each system or a specific date range. Reports also frequently include a "view details" link that leads to additional information about a security problem. The stackable filters provide additional granularity, reporting by fields such as patch ID, host name, scan date, grade, trend and more. The filters are created with a drop list system, which avoids the need to learn yet another filter syntax.
Depending on the report being generated, a variety of sorting options are available.
Enterprise Inspector also includes a command-line interface, which can be used to perform scans or review scan reports. It ships with sample reports, detailed instructions and even an explanation of how a system's "grade" is calculated.
Included in the reporting tool are database statistics, which indicate the number of scans, admins, machines and dates of the oldest/newest scans on file. Through the same menu, stored scans can be deleted, based on the same array of selection criteria available to most reports.
Enterprise Inspector has two drawbacks. First and most obvious, it's only useful in Microsoft shops. Second, large scan sets take a while to complete. Some enterprises can mitigate the slow speed by using multiple installations of the solution. Unfortunately, Enterprise Inspector doesn't have mechanisms for consolidating scanning and reporting data from clustered or distributed installations.
Still, Enterprise Inspector is reasonably priced and would be a valuable tool for medium-sized patch rollout and vulnerability assessment programs. With access to an up-to-the-minute Microsoft patch database, and a clean, flexible reporting component, Enterprise Inspector is great for keeping tabs on an organization's overall security posture.
This was first published in May 2003