This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
The recommended baseline scans for almost 270 separate checks, including checking account settings (password policy, lockout) and service settings. We scanned an XP machine using Shavlik's recommended baseline configuration, as well as SOX/ISO and NIST/FISMA guideline standards.
Starting the scan for the local machine was as simple as choosing a few drop-down menus. The checks took about a minute, and NetChk presented a summary report; it was obvious our default Windows XP install did not fare well against the recommended baseline checks. The report displays the type of information available, machine name, checks and results (when you dig into it), and a scan summary.
Clicking on Compliance Summary in the information frame allows you to see results for each check--whether your machine passed or failed. It's also possible to view account information, with privileges and password age displayed. And clicking on your machine name brings up a more detailed version of the compliance summary--our test machine was not in compliance with many of the account settings, password length, lockout threshold, and the administrator account had not been renamed.
Based on results, you can allow NetChk to change the settings on your system for many of the checks. We had NetChk remediate our settings and rescan. Upon rescanning, the machine passed almost all of the checks. Most of those that still failed require manual correction. Not a huge issue, but we'd like to see complete automated remediation in future releases.
Shavlik NetChk is not limited to scanning the local host, of course. You can scan remote hosts without an agent, grouping them by domain, organizational units, or by IP addresses/range. After setting up a group and giving them credentials, select policies and scan them much like the local host.
Policies aren't limited to Shavlik's baselines. Using NetChk's wizard, you can create custom compliance checks that scan registry entries, service rights, user rights assignments, etc.
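To show what the account-policy checks described above (password length, lockout threshold, the renamed Administrator account) and a custom registry or service check actually test for, here is an added PowerShell example. It is not Shavlik's code and does not use NetChk; it exports the local security policy with secedit, reads the built-in Administrator account by its RID (500), and compares a few settings to thresholds. The threshold values, the registry value (LimitBlankPasswordUse) and the service (RemoteRegistry) are illustrative assumptions chosen for this example, not Shavlik's recommended baseline. Run it from an elevated prompt on a Windows host.

```powershell
# Added example (not Shavlik's/NetChk's code): a small pass/fail baseline check
# in the spirit of a compliance scan. Thresholds below are assumptions.
$Baseline = @{
    MinimumPasswordLength = 8    # assumed threshold
    LockoutBadCount       = 5    # assumed threshold (0 means lockout disabled)
}

# Export the local security policy to a temporary INF and parse [System Access].
function Get-SystemAccessPolicy {
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $inf | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $policy[$Matches[1]] = $Matches[2].Trim().Trim('"')
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function New-Result([string]$Check, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Check = $Check; Actual = $Actual; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }) }
}

function Test-AccountPolicy {
    $p = Get-SystemAccessPolicy
    $minLen  = [int]$p['MinimumPasswordLength']
    $lockout = [int]$p['LockoutBadCount']
    New-Result 'Minimum password length' $minLen ($minLen -ge $Baseline.MinimumPasswordLength)
    # Lockout must be enabled (non-zero) and no looser than the assumed threshold.
    New-Result 'Account lockout threshold' $lockout ($lockout -gt 0 -and $lockout -le $Baseline.LockoutBadCount)
}

function Test-AdministratorRenamed {
    # The built-in Administrator account keeps RID 500 whatever it is called,
    # so look it up by SID rather than by name.
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    New-Result 'Built-in Administrator renamed' $admin.Name ($admin.Name -ne 'Administrator')
}

# Custom registry check, the kind a policy wizard lets you define.
function Test-RegistryValue([string]$Path, [string]$Name, $Expected) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    New-Result "$Path\$Name = $Expected" $actual ($actual -eq $Expected)
}

# Custom service check: the service's start mode must match the expected value.
function Test-ServiceStartMode([string]$ServiceName, [string]$Expected) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    New-Result "Service $ServiceName start mode = $Expected" $svc.StartMode ($svc.StartMode -eq $Expected)
}

# Run every check and print a compliance summary similar to a scanner's pass/fail list.
$results = @(
    Test-AccountPolicy
    Test-AdministratorRenamed
    Test-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LimitBlankPasswordUse' 1
    Test-ServiceStartMode 'RemoteRegistry' 'Disabled'
)
$results | Format-Table -AutoSize
$failed = ($results | Where-Object Result -eq 'FAIL').Count
Write-Host ("{0} of {1} checks failed" -f $failed, $results.Count)
```

The script only reports; it does not remediate. A scanner's remediation step corresponds to writing the corrected values back (for example with secedit /configure or Set-ItemProperty), which is deliberately left out here so the check can be run safely on a production host for a read-only comparison.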
Shavlik NetChk Compliance can generate 14 different reports covering machine, settings and policy results. Reports can be exported to HTML, PDF, TIF, CSV, text and Excel format. Reports are brief--basically a summary with a pass-fail list of selected compliance checks. The policy dashboard provides an easy-to-read graphical display, which we found effective in conveying the overall compliance status of the network.
Reasonably priced, NetChk could make a good fit for any organization looking to ease regulation compliance.
Testing methodology: We tested NetChk Compliance in our lab environment with a variety of Windows versions, including Windows XP, 2003 and 2000.
This was first published in November 2008