WORKSHOPS

The Hard & Soft Of Server Auditing

by Jay Milne

For many LAN administrators and network managers, the very thought of an audit brings about severe stomach pains and a cold sweat. With the sudden popularity of the Internet and the "I gotta be on the Net" attitude, the importance of auditing your server becomes even more critical. No longer is the network contained within the borders of the company; now these same networks are being accessed globally. Auditing is a critical piece of the puzzle that can expose the weaknesses in your configuration and make your server more secure.

When most people think of auditing they think of the IRS, paying more money and feeling miserable. Auditin g in a IT environment is multi-faceted. In many organizations, separate groups--usually in the security group, under corporate--visit annually and perform a systems audit. They look at everything from the physical security of a system, to security auditing, to auditing the processes of a particular application, such as an accounting system, to make sure every dollar is going where it is supposed to.

This article will cover server auditing and take a look at how Microsoft NT Server and Novell NetWare each support auditing--and where each falls short. We'll also examine the areas where third parties have been able to capitalize on these shortcomings. The subject of auditing is a large one. We will focus on some of the issues by no means do we pr etend to provide an exhaustive coverage of auditing.

Resource Auditing When talking to someone who has managed a mainframe environment, the topic of resource auditing is old hat. In the LAN arena, resource auditing is relatively new and im mature.

For starters, one resource that could easily require the most tracking is hard disk usage. By applying a limit to the amount of disk space used, a LAN administrator can reduce the tendency for users to place a copy of their entire hard disks on the server as a quick way to backup their workstation. On some systems, this tactic can cause a server to become unstable. A large data space can take away from a system's available space, precluding that system from being able to perform such things as print queuing and writing error logs. NetWare administrators have had the ability to limit disk usage by user, but unfortunately, Microsoft's NT still lacks this basic feature.

Several disk space managing applications are on the market for NT, such as Northern Technologies' Quota Server and New Technology Partners' Quota Manager. Both allow the LAN Administrator to set disk space restrictions by NT share or directory, but neither currently allow disk restrictions by user--a major shortcomi ng in both products. There are ways around this by assigning restrictions per directory or share, which correspond to the user's home directory, but this does not take into account shared user directories. In addition, the Quota Server is quite expensive--around $2,000 per server. At that cost, you could afford to purchase another 8 GB of disk space!

Another important asset many administrators would love to audit and track is print usage. Neither NT nor NetWare have the ability to communicate with a network printer to retrieve basic information such as the amount of printed pages--regardless of PDL, be it PostScript, PCL or ASCII text. There are solutions, however.

One such solution is to purchase a printer that keeps track of this information i nternally. Printers such as those from DataProducts store usage on the printer, which can be downloaded to a workstation for processing. A nice feature, but the majority of printers on the market do not support this type of functionality. Other m ethods exist to audit this information, but they process the printing data stream prior to its arrival at the printer, slowing down the printing process.

Software metering and licensing is an effective method of sharing a limited number of applications' licenses across a large number of users. Most software metering tools allow you to track who used which applications, but some go further and track how long users are connected. Horizon Technologies' LANauditor provides the ability to set costs for each application by connection time. When a user launches an application, LANauditor will bill a one-time connection fee as well as charge an hourly rate. Neither NetWare nor NT provide this type of functionality. Keep an eye out for the use of NetWare 4.1's NDS to provide additional information for application software metering, such as what department the user belongs to, their internal charge codes and so on.

Understanding and documenting which users have access to what resources on the serv er is a fundamental part of auditing your server. Many times a server is passed from one LAN administrator to another and documentation, if any, is usually incomplete and out of date. Neither NetWare nor NT provide good utilities for auditing the server, but they do provide the underlying architectures that allow third-party products to fit the bill. For NetWare 4.1 and NDS, products such as AuditWare from Preferred Systems allow sophisticated report generation on which objects have access to other NDS objects such as printers, profiles and so on.

Server Hardware Auditing Today's server hardware is very complex, often consisting of a single or multiple CPU server, a disk array or two, several CD-ROM players and some type of backup device such as a tape or even an optical jukebox. Server hardware auditing is not only keeping track of the actual hardware being used but also the various BIOS and firmware versions used by the hardware. Most often, the server BIOS and firmware are only updated when the server is being installed or if there has been a problem.

The most basic solution is to document the server at installation time and update it whenever a patch is applied. There is some relief though: server hardware vendors like Compaq are addressing the need with their own applications.

Compaq's Insight Manager (CIM) now supports a feature called Version Control that will query every Compaq server on the network (the list of servers is configurable) and compare the results with a table that contains the versions and dates of all Compaq BIOS and firmware. This table can be downloaded from Compaq's Web server each month.

If a Tree Falls The concept of auditing your server can be taken one step further--periodically checking the status of a server to make sure it's running and to make sure it's running efficiently. Often, servers are locked in a wiring closet or in an unattended room. When a drive fails, often the server console will display a visual warnin g, but with no one around, it does no good.

Network management applications, such as Novell's Managewise, can monitor the server and the operating system, but unfortunately, ManageWise tends to be better at managing the operating system than the server hardware itself. Additionally, a number of software applications are available that monitor NetWare or NT error logs, but they do not have an intimate knowledge of the underlying hardware.

Currently, the best route is to use whatever server management utility ships with your server. Vendors such as Compaq have invested a great deal of effort into making effective tools. CIM uses software agents that run on the server--currently Compaq supports NetWare, NT, OS/2, SCO Unix and other operating systems. With it, a server administrator can view statistics such as EISA bus utilization, internal temperature, hard and soft disk errors, SCSI bus errors and the server's critical error log.

While much of the information that can be obta ined from CIM is very detailed and would not be used often, it can prove invaluable when troubleshooting an unstable or poorly performing server. The only caveat is that CIM and other like solutions are vendor hardware specific. If you have a variety of servers employed, then you could have to deal with multiple applications. To assist in that dilemma, Compaq and other vendors such as HP support SNMP and provide MIBs that can be compiled with popular network management applications such as HP OpenView and IBM's NetView.

It's Not All Hard Besides analyzing what firmware and BIOS your server is runnig, a LAN administrator needs to know what is being run on the server and how it's configured. In a NetWare environment, that means looking at the STARTUP.NCF and AUTOEXEC.NCF files, checking the server error log and verifying various server SET commands.

Without the use of third-party tools, an administrator would need to visit each server individually and begin the process of copying and checking the various logs and settings for each. What a hassle! Products such as BindView Development's NCS allow multiserver reporting with an easy-to-use graphical interface--no more DOS-based C Worthy interface with which to deal. Also, products such as BindView's NCS report on the various NLMs that are loaded along with their version, which is very important when troubleshooting a problem with NLM applications.

Jay Milne can be reached on the Internet at jmilne@nwc.com.

May 1, 1996