Defining, monitoring and enforcing Windows system configuration has become the collective oil that helps keep installation, maintenance and support processes running smoothly. Not to mention what it does to ease your Sarbanes-Oxley compliance headache.
With its intuitive interface, great flexibility and automatic compliance functionality, Configuresoft's Enterprise Configuration Manager (ECM) Version 4.5.2 is one of the best Windows-centric programs we've tested. It earns our Clear Choice designation.
How we did it
While its roots are in traditional desktop configuration, ECM now hones in on policy management and compliance by collecting and correlating information from servers and workstations and taking action when they are out of compliance with the defined policy.
ECM uses an agent-based collection mechanism. The agents are pushed out to the Windows machines via a process the management console facilitates.
The three-tier ECM server architecture consists of the collector, a database and console. The collector manages gathering and analyzing data the systems collect.
The console is a four-module, Web-based management program that provides access to all of ECM's features. The console module provides access to the raw data the managed systems collect. The compliance module shows the rules and reports supported for setting policy. The reports module provides templates to view system information, driven by a Crystal Reports engine. The administration module provides all the ECM configuration settings, such as agent installation and user management.
The ECM engine installation had minimal issues.
Installing the agent software out to the managed systems is a simple process that takes only a few mouse clicks. Once the agents are installed and data collected, ECM is ready for use. By default, ECM uses Distributed Component Object Model for agent communications. HTTP communication is a second option. We would like to see Configuresoft upgrade these communications to support more secure protocols such as Secure-HTTP (HTTPS).
Using the console module, administrators can directly change configuration settings for individuals or groups. A few of the settings ECM manages include Windows users and groups, Windows NT File System audit settings, NTFS directory permissions, installed Microsoft hot fixes and registry key permissions.
One of the best features of ECM is its auto compliance functionality. Administrators can set a baseline configuration that all systems must follow. If a system comes online out of compliance or if someone makes a manual change while it's online, ECM enforces the required settings, which leaves a full audit trail. ECM is detailed in its ability to look at registry key permissions, file permissions, password settings and patch levels, and then take corrective action if the administrator has set it to do that.
While ECM offers an automatic compliance feature that makes configuration changes, if you want to tie in patch deployment, you need to use Configuresoft's Security Update Manager add-on.
We set required policy settings on our Windows 2000 Server, including password policy and NTFS directory permissions. We changed the settings on the server to be out of compliance and ECM changed the settings back to the compliance configuration immediately after its next scheduled check. We also received an e-mail alert we set up to receive if a system was out of compliance. We also could have configured ECM to send an SNMP trap or write to the event log.
ECM's components, including policy templates and individual rule settings, are flexible and customizable. Out-of-the box, ECM includes pre-defined best practices for operating systems and key infrastructure applications such as SQL Server, Exchange and IIS. It also includes a compliance template for the SANS Securing Windows Guide. Every rule and template can be modified. We applied the SANS template to our default Windows installations to configure the systems
ECM's polish lies in its Web console. The layout, color scheme, icons and workflow work together to make the user experience an excellent one. With the level of detail available in ECM, you might think that the console could get overloaded quickly, but the user interface designers have done an excellent job preventing the user from feeling overwhelmed by information. We'd like Configuresoft to bump up the security a notch by having the Web console use HTTPS communications by default between it and the administrator's machine.
ECM's reporting is flexible, customizable and detailed. Reports can be generated that show which systems are not in compliance with a single setting, a pre-defined template or custom policy. Reports can be generated on what actions have been taken to enforce policy settings.
For managing Windows systems configuration and automating policy enforcement, we haven't found a better product. The ease-of-use and flexibility of ECM provides the means to deploy a secure, self-sustaining Windows infrastructure.
Learn more about this topic
Andress is president of ArcSec Technologies, a security company focusing on product reviews and analysis. She can be reached at firstname.lastname@example.org.
Andress is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.