
Framework Too Much Work?
Large security management suites aren't for everyone. For a fraction of the cost of implementing a management framework, cross-platform security assessment tools can give you a snapshot of how corporate policy compares to actual installations. Unlike the framework tools we tested, these alternatives don't enforce policies in real time; rather, they verify compliance after the fact.
Many other products focus on a specific platform's security, whether native to the operating system, in the public domain or on the open market. Some, like Bindview Development Corp.'s NOSAdmin and Security Dynamics' Kane Security Analyst, may be available for a couple of platforms (both of these handle Windows NT and Novell NetWare, for example). But few can baseline your organization's policy across multiple platforms, consolidate reporting and fix violations.
The assessment tools in AXENT Technologies' Enterprise Security Manager 4.4 (ESM) and PLATINUM technology's AutoSecure Policy Compliance Manager (PCM) have similar architectures: both place agents on the target platforms and report results to a client console. Both can schedule regular policy runs, help establish a baseline defining the target compliance model and report exceptions.
AXENT's ESM gets our Editor's Choice award for its wide platform support, its detailed audit control from within the user interface, graphical reports, and depth of checks and corrections on all platforms. PLATINUM's AutoSecure PCM offers good control from the command line and a handful of system checks not found in the AXENT product, but generally lacks the depth and breadth of ESM.
AXENT Enterprise Security Manager 4.4
AXENT's ESM has a three-tier architecture, in which agent executables are placed on the network hosts that will be audited. The agents run checks and correction scripts directly on the target platforms, under the control of a manager that schedules job requests and gathers results. Agents and managers may reside on separate systems, and multiple managers may control an agent. The client component contains the user interface for the administrator, which may reside separately from agents or managers.
In our tests across multiple Unix and NT hosts, ESM quickly uncovered a variety of security holes in the standard installations. For example, it detected idle accounts, overprivileged users and many file-attribute problems. It found users violating our password policy (minimum of eight characters, to be changed every 90 days). It even corrected Windows NT file-attribute problems directly from the ESM client. It also provided extensive detail on currently installed services, flagging those services using the System Account for execution.
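As an added example (not code from the review or from either product), this is the kind of after-the-fact compliance check the agents described above perform, written in Python against constructed shadow-style password records, a constructed last-login table and a constructed file listing. The 90-day rotation rule is the policy from the review; the 180-day idle threshold, the sample values and the function names are assumptions made for this example. The eight-character minimum cannot be verified from stored hashes, so only the rotation interval is checked.

```python
"""Constructed policy-compliance check: compare host state with a baseline
policy and report exceptions, in the style of an assessment-tool agent run.
Sample data, thresholds other than the 90-day rotation and all names are
assumptions for this example."""

import stat
from dataclasses import dataclass

# Baseline policy: passwords rotate every 90 days (from the review);
# accounts unused for 180 days are reported as idle (assumed threshold).
POLICY = {"max_password_age_days": 90, "idle_days": 180}

# Constructed /etc/shadow-style records: name:hash:lastchg:min:max:warn:inact:expire:
# (lastchg is days since the epoch, as in the real file).
SHADOW_LINES = [
    "root:$6$abc:10500:0:90:7:::",
    "alice:$6$def:10400:0:90:7:::",   # password last changed 160 days ago
    "bob:$6$ghi:10550:0:99999:7:::",  # max age effectively unlimited
    "svc_backup:*:10000:0:90:7:::",   # locked account: no password to rotate
]

# Constructed last-login table (days since epoch), e.g. derived from lastlog.
LAST_LOGIN_DAYS = {"root": 10560, "alice": 10300, "bob": 10555}

TODAY_DAYS = 10560  # constructed "now", in days since the epoch

# Constructed file listing: (path, mode bits, owner).
FILES = [
    ("/etc/passwd", 0o644, "root"),
    ("/etc/shadow", 0o644, "root"),    # readable by others
    ("/tmp/shared.sh", 0o777, "alice"),  # world-writable
]


@dataclass(frozen=True)
class Finding:
    """One policy exception: which check fired, on what, and why."""
    check: str
    subject: str
    detail: str


def parse_shadow(lines):
    """Parse shadow-format lines into {name: {hash, lastchg, max}}."""
    records = {}
    for line in lines:
        fields = line.split(":")
        name, pw_hash, lastchg, max_age = fields[0], fields[1], fields[2], fields[4]
        records[name] = {
            "hash": pw_hash,
            "lastchg": int(lastchg),
            "max": int(max_age) if max_age else None,
        }
    return records


def check_password_policy(records, today, max_age_days):
    """Flag accounts whose rotation interval or password age exceeds policy."""
    findings = []
    for name, rec in records.items():
        if rec["hash"] == "*" or rec["hash"].startswith("!"):
            continue  # locked: nothing to rotate
        if rec["max"] is None or rec["max"] > max_age_days:
            findings.append(Finding("password-max-age", name,
                                    f"max age {rec['max']} > {max_age_days}"))
        age = today - rec["lastchg"]
        if age > max_age_days:
            findings.append(Finding("password-expired", name,
                                    f"last changed {age} days ago"))
    return findings


def check_idle_accounts(records, last_login, today, idle_days):
    """Flag accounts never used or unused for longer than idle_days."""
    findings = []
    for name in records:
        last = last_login.get(name)
        if last is None:
            findings.append(Finding("idle-account", name, "never logged in"))
        elif today - last > idle_days:
            findings.append(Finding("idle-account", name,
                                    f"last login {today - last} days ago"))
    return findings


def check_file_attributes(files):
    """Flag world-writable files and a shadow file readable by others."""
    findings = []
    for path, mode, _owner in files:
        if mode & stat.S_IWOTH:
            findings.append(Finding("world-writable", path, f"mode {mode:04o}"))
        if path == "/etc/shadow" and mode & stat.S_IROTH:
            findings.append(Finding("shadow-readable", path, f"mode {mode:04o}"))
    return findings


def run_policy(shadow_lines=SHADOW_LINES, last_login=LAST_LOGIN_DAYS,
               files=FILES, today=TODAY_DAYS, policy=POLICY):
    """Run every check against the baseline and return the exception list."""
    records = parse_shadow(shadow_lines)
    findings = []
    findings += check_password_policy(records, today, policy["max_password_age_days"])
    findings += check_idle_accounts(records, last_login, today, policy["idle_days"])
    findings += check_file_attributes(files)
    return findings


if __name__ == "__main__":
    for f in run_policy():
        print(f"{f.check:18} {f.subject:16} {f.detail}")
```

Run as a script it prints one line per exception; in a real deployment the same checks would read the live shadow file, lastlog and a filesystem walk on the audited host and ship the findings to a manager, which is the part of the agent/manager design this example leaves out.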
Agent software may be installed and upgraded automatically on the target system, as long as the agent and manager are on the same platform. Access to ESM is controlled by passwords, with two classes of administrator: those who can define policies and those who may only schedule and execute policy verification runs. A Super Manager option is planned for an upcoming release that will provide hierarchical control over all managers--for example, to summarize policy runs for a central security officer. This menu option could not execute in this version, however.
By default, ESM comes with five defined policy levels, ranging from those that nearly every system needs to those that require the strictest security. Refining these definitions and creating entirely new security policies is a straightforward process within the client interface. To share definitions among separate managers, we established partner connections and copied policies between two peers with no trouble. A command-line interface on NT, Unix and Digital Equipment Corp.'s OpenVMS provides command scripting as well as batch file execution.
Individual systems are grouped into domains; all systems in a domain share the same security policy, but domains may be defined any way you desire--by organization, system or geography, for example. PLATINUM's PCM offers a similar grouping option.
The ability to correct problems with AXENT's ESM is strongest when auditing Unix hosts, with Windows NT correction limited mainly to file-system controls. Still, AXENT outdoes PLATINUM in this regard, as the latter offers no corrective action in NT. ESM's wide range of reports lets you drill down through successive levels to reveal greater detail behind a run summary, another feature not found in PCM.
PLATINUM technology AutoSecure Policy Compliance Manager
PLATINUM AutoSecure PCM was previously offered as SecureMax (originally from OpenVision, then from Veritas, and now fully owned by PLATINUM). It is architecturally similar to AXENT's ESM, but it doesn't offer the same graphical reporting options. It provides excellent support for Unix, but is limited in other platforms, and does not support NetWare at all. Correction scripts run only with Unix and OpenVMS. It does, however, check Oracle and Sybase database security; AXENT currently offers only Unix-hosted Oracle support.
PCM offers graphical control as well as a more full-featured command line interface. We uncovered minor instability in the GUI under Windows NT 4.0 SP3 that consistently produced Dr. Watson errors when we attempted to view the details of an audit definition. According to PLATINUM, these flaws were limited to early releases of version 7.0 and have been fixed.
Unlike the AXENT product, PCM can run user-defined system checks if these are defined on the target Unix system. Although these cannot be defined from the console, once defined they may be run from the GUI. This might be useful for executing Unix COPS or crack utilities, for example. Baseline security modeling is available for Unix and OpenVMS, but not for Windows NT in this release.
For strong protection of communications between PCM modules, PLATINUM offers Kerberos V5-based AutoSecure Authenticate as part of its optional "crypto-enhanced" mode. This option, which is sold separately, authenticates users and encrypts transmissions between modules. In its standard (default) mode, PCM uses a proprietary algorithm to scramble communications between modules. This is in contrast to AXENT's standard use of DES encryption with Diffie-Hellman key exchange.