Price: $1/endpoint/month, $1,500 administration set-up fee
The FullArmor PolicyPortal enables small- and mid-sized Microsoft shops to manage their Windows security policies and local configurations without expensive infrastructure or complex software installations. The novel approach offers a new slant on managed security service -- or, more accurately, hosted software sold as a service.
FullArmor provides an Internet interface to easily configure, monitor and enforce near real-time Active Directory-based policy compliance through client agents.
The installed agents can enforce multiple policies; for instance, you could create one policy for all publicly facing DMZ systems, another for all remote dial-in laptops, one for guests and one for workstations. Each of these policies is enforced on its own merits and can be reported on individually or as part of a bird's-eye enterprise view.
The Web-based GUI makes it easy for non-techies to download and become compliant in literally a matter of minutes. The agents have small footprints and are installed with familiar wizards. All clear-text user communication is protected with strong SSL encryption, while all binary traffic is digitally signed with a VeriSign certificate.
The endpoint policies work as advertised, allowing an administrator to create rules that enforce and lock down Windows systems. The policies can include password and audit policy information, specific registry configurations, the ability to install particular software, and user access control; you can even configure an endpoint's network devices to include printers and network drives -- a good way to prevent the introduction of rogue devices on the network. New or modified policies can be immediately pushed to online devices or stored in a queue for those that are offline.
The agents can also control computer services, automatically starting, stopping or prohibiting them from running, even if the system is not logged into the network or connected to the Internet. This type of control is usually enforced via logon scripts when you are in a corporate environment.
You can manage local Microsoft Windows group policy objects for Windows 2000, 2003 and XP operating systems. The next version of PolicyPortal will support Windows Mobile.
PolicyPortal's enterprise reporting capabilities are clean and comprehensive when viewed through the Web GUI. Executive-level graphs are easy to create, as are technical reports that drill down into the exact compliance issues. However, PolicyPortal does not support exporting reports, including to XML, CSV or PDF formats. Printable reports are limited to printing the viewed Web page. FullArmor is planning to include enhanced reporting in the next release.
PolicyPortal also has the ability to manage kiosk-style or ATM Windows-based platforms, making it ideal for large or highly segmented retail organizations. Delegated administrator accounts can also be created to help manage distributed organizations.
While PolicyPortal may not be ready to step up to the plate for a Fortune 500 customer base, it offers an ideal setup for those small- and medium-sized organizations that are intimidated by complex AD implementations and don't have large wallets. FullArmor is a company to keep an eye on over the next year.
This article originally appeared in the June 2006 edition of Information Security magazine.