Enterprise Configuration Manager v4.7
Configuresoft
Price: Starts at $995 per managed server and $30 per managed workstation
In October 2004, we reviewed Configuresoft's Enterprise Configuration Manager (ECM) v4.5 and were impressed with the ability to aggregate Windows system configuration information, remediate deficiencies and provide detailed reports across the enterprise.
This very good product has gotten better. In v4.7, Configuresoft has added the ability to scan and report on *nix systems, building on its excellent support for Windows hosts. Our tests showed that the new agents functioned properly and provided valuable reporting. However, the Unix/Linux and Windows management systems are in separate menu trees, giving them the feel of two separate systems. We'd like to see an integrated configuration management solution.
Our sole complaint last year was v4.5's lack of high-level configuration reports. Configuresoft listened to this criticism and revamped its reporting capabilities. Security managers can now start at the highest levels of configuration and narrow searches to minute detail. For example, we were able to create a high-level report that listed all of the changes made on our systems over an extended period of time. We then drilled down through a series of reports to a level that provided us with the specific changes made to our systems, identified by the administrator who performed the change.
ECM v4.7 uses a two-tiered architecture of agents running on monitored systems that report configuration data back to centralized configuration management servers. (This is the configuration used in our test. For larger enterprises, it's possible to use an external database server to build a three-tiered architecture.)
Configuresoft has kept up with the complex configuration and reporting requirements imposed by regulatory requirements, extending its base library of compliance templates to include GLBA, FISMA, SOX and HIPAA. It's significant to note that compliance reports may be generated from cross-platform data by specifying different compliance templates for each software platform in the enterprise. For example, if you wanted a GLBA report, you'd specify which configuration templates to use for Windows, Unix and Linux, and the report would amalgamate the result.
While these are valuable tools for compliance reporting, a word of caution: Regulations are subject to interpretation, and it would be a mistake to rely upon these (or any other) templates without the advice of legal counsel and qualified technical judgment.
In addition to its powerful ability to report on configuration and changes within the enterprise, ECM 4.7 also offers strong capabilities for modifying the monitored environment. In addition to highly granular options for configuration changes, ECM can manage software packages deployed in the enterprise and execute custom configuration scripts. For example, you may wish to execute a custom script on all Unix systems in your enterprise to alter their NTP settings.
Configuresoft continues to improve ECM in response to changing environments and user feedback. And, we continue to recommend this product as a great time-saver for administrators in medium to large enterprises.
About the Author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of About.com Guide to Databases.
This review originally appeared in the December 2005 edition of Information Security magazine.
