Scott Sidel and Andrew Briney
Published: 01 Feb 2002
It's hard enough to track security configuration changes on one box, much less a local server farm of identical boxes. Managing configuration changes and uploading hotfixes in a distributed environment -- well, it's enough to drive you to distraction.
Despair not: You can choose from several free and commercial tools to help with this important task. Configuration and patch management tools range from simple Windows scripts to modified policy management and vulnerability scanning tools to fully featured centralized management suites.
"These products take what the vulnerability assessment vendors have already done and spin it to the preventive configuration side," says Pete Lindstrom, director of security strategies at analyst firm Hurwitz Group. "They're pushing vulnerability management into a more active role."
Microsoft, the source of dozens of OS and application patches each year, recently released two tools for patch management. The first is HFNetChk, a free command-line tool that uses an XML database to check for patches for Windows NT/2000, IIS 4.0/5.0, SQL Server 7.0/2000 and IE 5.01 and later. The other is called Personal Security Advisor, a Web application that tests systems for missing security patches, weak passwords, IE and Outlook Express security settings, and Office macro protection settings.
HFNetChk was developed for Microsoft by Shavlik Technologies, which sells an enhanced GUI version of the tool called Network Security HotFix Checker Pro.
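The comparison HFNetChk performs, as an added example (this is not Microsoft's or Shavlik's code, and the XML schema, bulletin IDs and Q numbers below are constructed placeholders, not the real mssecure.xml format): parse a database of required patches, then check it against the hotfix subkeys a host reports, honouring two cases a naive lookup gets wrong, fixes rolled into a service pack the host already has and hotfixes superseded by a later one. The installed hotfix list is supplied as a constructed list rather than read from the registry so the script runs anywhere.

```python
"""Patch-compliance check modelled on what HFNetChk does: parse an XML database
of required patches, then compare it with the hotfixes a host reports."""
import xml.etree.ElementTree as ET

# Constructed sample database. Bulletin IDs and Q numbers are hypothetical
# placeholders and the element names are our own; this is not the schema of
# Microsoft's real mssecure.xml.
PATCH_DB_XML = """<?xml version="1.0"?>
<patchdb>
  <product name="Windows 2000">
    <bulletin id="MS-SAMPLE-001" qnumber="Q900001" includedinsp="2"/>
    <bulletin id="MS-SAMPLE-002" qnumber="Q900002" includedinsp="3"/>
    <bulletin id="MS-SAMPLE-003" qnumber="Q900003" supersededby="Q900004"/>
    <bulletin id="MS-SAMPLE-004" qnumber="Q900004"/>
  </product>
  <product name="IIS 5.0">
    <bulletin id="MS-SAMPLE-005" qnumber="Q900005"/>
  </product>
</patchdb>
"""


def load_patch_db(xml_text):
    """Parse the database into {product name: [bulletin record, ...]}."""
    db = {}
    for product in ET.fromstring(xml_text).findall("product"):
        records = []
        for b in product.findall("bulletin"):
            sp = b.get("includedinsp")
            records.append({
                "id": b.get("id"),
                "qnumber": b.get("qnumber"),
                "includedinsp": int(sp) if sp else None,
                "supersededby": b.get("supersededby"),
            })
        db[product.get("name")] = records
    return db


def hotfix_number(name):
    """Hotfix subkeys under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\HotFix
    are named like 'Q900001' (later 'KB900001'); compare on the number only."""
    return name.strip().upper().lstrip("QKB")


def missing_patches(db, product, host_sp, installed_subkeys):
    """Return the bulletin IDs the host still needs, in database order.

    host_sp: service pack level of the product on the host (0 = none).
    installed_subkeys: hotfix subkey names enumerated from the registry
    (here a constructed list so the example runs offline). A product the
    database does not know yields an empty list rather than an error.
    """
    installed = {hotfix_number(k) for k in installed_subkeys}
    missing = []
    for b in db.get(product, []):
        sp = b["includedinsp"]
        if sp is not None and host_sp >= sp:
            continue  # fix already rolled into a service pack the host has
        if hotfix_number(b["qnumber"]) in installed:
            continue  # hotfix present
        if b["supersededby"] and hotfix_number(b["supersededby"]) in installed:
            continue  # a later hotfix that replaces this one is present
        missing.append(b["id"])
    return missing


if __name__ == "__main__":
    db = load_patch_db(PATCH_DB_XML)
    # Constructed host inventory: Windows 2000 SP2 with one hotfix applied.
    for bulletin in missing_patches(db, "Windows 2000", 2, ["Q900004"]):
        print("MISSING", bulletin)
```

Supersedence and service-pack roll-ups are the cases that produce false "missing patch" alarms in home-grown scripts, which is exactly why a maintained XML database is worth more than a hand-kept list of Q numbers.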
Patchlink's Update tool periodically scans and inventories a network to find out what kind of hardware and software resides on it. Its subscription service provides admins with e-mail notifications about the latest patches, fixes and drivers required for specific systems. Fixes can be rolled out using a Web-based distribution system.
BindView last fall released Security Advisor, an add-on to its bv-Control vulnerability assessment product that checks if Windows NT/2000 workstations or servers are running the latest Microsoft security patches. In addition, Security Advisor will identify exactly why a computer isn't compliant, allowing administrators to take appropriate corrective action.
SecurityProfiling's SysUpdate is designed specifically for workstation management. The application automatically searches for, downloads and installs relevant security patches, hotfixes and OS upgrades. Updates are automatically sent to subscribers along with an e-mail describing exactly what was done.
Ecora offers several configuration management solutions, including configuration auditors for cross-platform workstations and servers (Windows NT/2000, Exchange, Novell NetWare, Oracle) and configuration reporters for Cisco, Domino, NetWare, Oracle, Solaris, Windows NT/2000, Exchange and Microsoft workstations.
Closing Open Windows
One of the emerging leaders in the nascent security configuration/ patch management market is Configuresoft. The Woodland Park, Colo.-based startup has released two Windows-only administration tools: Enterprise Configuration Manager (ECM), a utility for centrally managing registry data and settings; and Security Update Manager (SUM), an ECM add-on module that automates the distribution and management of Windows security patches.
Currently in version 3.6, ECM is used to track, modify or restore configuration settings to Windows servers and workstations so that they can be managed centrally and consistently. Think of ECM as taking all the registry data and settings for each machine in your enterprise and sucking them into a single repository -- in this case an MS SQL database -- for centralized administration.
Configuresoft brings order to chaos by utilizing a Collector and agents (see Figure 1). The Collector is an NT service running on a central NT/2000 box. Agents are pushed out using Distributed Component Object Model (DCOM). After installing the Collector and pointing it to the SQL Server box it should use, you simply tell the Collector how often to check machines, along with which information you want collected.
ECM goes beyond the policy enforcement tools that come with Windows 2000. It draws in the whole registry and the Windows event log, keeps a running history and looks for any changes. ECM ships with 250 prepackaged reports that serve as filters and queries. You can show, for example, all accounts that haven't been logged on in X number of days.
Additional report modules are downloadable from Configuresoft, or you can create your own. Because ECM keeps a running history, reports can also look back for specific events, such as a changed share permission or a disabled account. The Collector provides a single screen for finding any changes that occur across the enterprise.
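The collection model described above, as an added example (not Configuresoft's code): take a full snapshot of a host's configuration elements on the first run, store only timestamped deltas afterwards (the reason the article gives below for ECM's traffic dropping off after the initial run), rebuild the current state by replaying those deltas, and express reports as filters over the history. The registry and SAM paths and their values are constructed sample data; the LanmanServer\Shares key is a real location for share definitions, but the value format is simplified, and the SAM\Users paths are invented for the example.

```python
"""Registry-style configuration history with delta collection and change
reports, in the spirit of what ECM does: take a full baseline once, store
only deltas afterwards, and answer questions by filtering the history."""
from datetime import datetime, timedelta

# Constructed sample data for one host. The LanmanServer\Shares key is a real
# location for share definitions, but the values here are simplified, and the
# SAM\Users\... paths are invented for the example.
FINANCE_SHARE = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Finance"
RUN1 = {
    FINANCE_SHARE: "Everyone:Read",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect": 1,
    r"SAM\Users\alice\Disabled": False,
    r"SAM\Users\alice\LastLogon": "2002-01-28",
    r"SAM\Users\svc_backup\Disabled": False,
    r"SAM\Users\svc_backup\LastLogon": "2001-10-01",
}
RUN2 = dict(RUN1)
RUN2[FINANCE_SHARE] = "Everyone:Full"          # share permission widened
RUN2[r"SAM\Users\svc_backup\Disabled"] = True   # account disabled
RUN2[r"SAM\Users\bob\Disabled"] = False         # new account appeared


def diff_snapshots(old, new):
    """Map each changed path to (old value, new value); None marks absence."""
    return {p: (old.get(p), new.get(p))
            for p in old.keys() | new.keys() if old.get(p) != new.get(p)}


class ConfigHistory:
    """Baseline per host plus an append-only list of timestamped deltas."""

    def __init__(self):
        self.baseline = {}
        self.deltas = {}

    def record(self, host, run_time, snapshot):
        """Store a collection run; returns the delta against the last known state."""
        if host not in self.baseline:
            self.baseline[host] = dict(snapshot)   # first run: full copy
            self.deltas[host] = []
            return {}
        delta = diff_snapshots(self.current(host), snapshot)
        if delta:
            self.deltas[host].append((run_time, delta))
        return delta

    def current(self, host):
        """Rebuild the latest state by replaying deltas over the baseline."""
        state = dict(self.baseline[host])
        for _, delta in self.deltas[host]:
            for path, (_, new) in delta.items():
                if new is None:
                    state.pop(path, None)
                else:
                    state[path] = new
        return state

    def changes(self, host, predicate):
        """Filter the history: (time, path, old, new) rows the predicate accepts."""
        return [(t, p, o, n) for t, d in self.deltas[host]
                for p, (o, n) in d.items() if predicate(p, o, n)]


# Report filters, the kind of query a prepackaged report would run.
def share_permission_changes(hist, host):
    """Existing shares whose permission string changed (not created/deleted)."""
    return hist.changes(host, lambda p, o, n: "\\Shares\\" in p
                        and o is not None and n is not None)


def newly_disabled_accounts(hist, host):
    return hist.changes(host, lambda p, o, n: p.endswith("\\Disabled") and n is True)


def stale_accounts(state, as_of, days):
    """Account names whose LastLogon is more than `days` old as of `as_of` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=days)
    return sorted(p.split("\\")[2] for p, v in state.items()
                  if p.endswith("\\LastLogon")
                  and datetime.strptime(v, "%Y-%m-%d") < cutoff)


if __name__ == "__main__":
    hist = ConfigHistory()
    hist.record("srv01", "2002-01-29", RUN1)
    delta = hist.record("srv01", "2002-01-30", RUN2)
    print(len(delta), "elements changed on srv01")
    for row in share_permission_changes(hist, "srv01"):
        print("share ACL changed:", row)
    print("stale:", stale_accounts(hist.current("srv01"), "2002-02-01", 90))
```

The delta store is what makes "who changed the Finance share, and when" answerable after the fact; a tool that keeps only the latest snapshot can tell you the current permission but not the history behind it.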
SUM is an ECM agent that monitors Microsoft patch releases and alerts you when new bulletins are issued. The module can check servers for update status and, with a simple mouse click, deploy the required patches. SUM also includes a mechanism that ensures patches are installed correctly.
While the ECM communications infrastructure is an effective way to monitor and update configuration changes and patches, agents may present a set of traffic management and security issues. For one, agent communication creates additional network traffic on the WAN or LAN. With an average of 40,000 configuration elements collected per machine -- that's about 25 MB per machine -- an initial ECM run may temporarily bog down the network. Fortunately, after the initial run, only information deltas are exchanged, which significantly reduces traffic.
The security of agent communications may also be a concern. ECM agents communicate using native DCOM, and a binary wire format is not encryption: unless the RPC authentication level is raised to packet privacy, the registry data is readable by anyone who can sniff the link. In a LAN environment, this should not be a problem. Over a wide-area link, however, some admins may be leery of sending plaintext registry information.
Worse, it should be noted that agents run as a role, not as a service. So, for each machine, the agent needs to have administrator privileges, and the credentials that carry those privileges become a high-value target. And worse yet, the ECM agents use native NT (NTLM) authentication, whose challenge-response weaknesses are widely known. (In a Windows 2000 domain, however, Kerberos can take over domain authentication from NTLM, which is considerably stronger.)
Finally, Configuresoft ECM targets Windows environments only. Many enterprises have moved to IIS, Exchange and SQL Server for all but the most mission-critical server functions, but a nontrivial number of important *nix servers remain, and ECM overlooks them.
Despite these concerns, ECM can significantly aid Windows administrators in supporting account policies, security policies, share permissions and trusts, and even keep up with hotfixes, all of which is a good thing.
Pricing for ECM is $775 per server and $25 per workstation. SUM is an additional $25 per server and $5 per workstation.