
Policing your network
These four security auditing tools can help deter shady operators.

By Kristin Marks
Network World, 12/16/96

To prevent burglaries, you put a good lock on your door. To feel even safer, you find a well-policed neighborhood.

Protecting your network starts much the same way, with a healthy dose of policing. The door locks - both actual locks, which keep your servers physically secure, and logical locks such as password protection - are just the tip of the security iceberg. The more complex your environment, the greater the potential for security weaknesses. Finding them requires auditing packages, which act as network police, helping you assess your weaknesses and maintain security standards.

We looked at four products that provide security auditing for NetWare or Windows NT operating systems. All provide some security auditing functions, but in very different ways.

LT Auditor+ from Blue Lance, Inc. and AuditTrack from e.g. Software, Inc. are essentially event viewers for the NetWare environment. They keep track of events, let you filter them to show the most serious ones, and generate reports from the event log. Kane Security Analyst (KSA) from Intrusion Detection, Inc. compares events and security-related parameters to a set of best practices and creates a report card of how your network is doing. BindView Development Corp.'s BindView Enterprise Management System (EMS) provides the most comprehensive set of security reports and analysis of the four products, and it does so with the best management interface, managing NetWare 3.X, 4.X and Windows NT servers from a single console. BindView EMS does much more than security auditing, but for this review we focused only on operating system auditing.

AuditTrack and LT Auditor+ provide only after-the-fact intruder tracking. Any analysis is left to you: they supply the data you need to reconstruct what happened so blame can be assigned, which is a bit like closing the barn door after the animals have fled. BindView and KSA analyze your network and make recommendations, which gives you a better chance of keeping the horses in their stalls.

AuditTrack

AuditTrack is the simplest product of the bunch to install and run. The console component lets you filter, report and graph any event tracked by the AuditTrack NetWare Loadable Module (NLM), which runs on NetWare 3.X or 4.X.

When you first load the NLM, you must configure it, including setting the Master auditor password. This is supposed to keep unauthorized people from unloading the NLM even if they gain access to the server console. It is only a partial defense: anyone with console access can still down the server and bring it back up without running AUTOEXEC.NCF, where the tracking NLM is loaded, so the audit trail ultimately depends on the physical security of the console. The management console is also password protected.

Running the product is easy. Both AuditTrack and LT Auditor+ report on server events such as file open, file run, file delete, user creation and trustee modification. They provide an interface for filtering and sorting events. Both let you define audit sets - groups of events you want to watch. For example, you can report on just the user ''Kristin,'' or just on file attribute changes.

More difficult is deciphering the vast amount of data in the reports. Remember how DOS searches for a program in the current directory first, then works through the search path until it finds the file? Every time a user runs a program, AuditTrack reports ''invalid path or file name'' for each directory searched and then reports the run of the executable file once it is found. This produces an average of three extraneous error messages (current directory, local root, possibly the local Windows directory and the network search path) for every ''file run'' message.

There is a positive side to this. You can determine if your applications are being accessed in the most efficient manner and adjust your user menus and search paths accordingly. If you receive eight or nine ''file not found'' errors before every program execution, you should redesign the way your users are launching the applications.
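The search-path noise described above is a filtering problem an auditor will hit with any event viewer of this kind. The following is an added example, not AuditTrack's code or its export format (the page does not document one): it drops an ''invalid path or file name'' event only when the same user runs a file of the same name within a short window afterwards, and counts how many directories were searched before each launch, which is the figure the paragraph above suggests tuning menus and search paths against. A failed open that is never followed by a run, such as someone probing for a file that does not exist, is kept, because that is exactly the event an auditor wants to see. The event tuples, user names, paths and the five-second window are constructed assumptions for this example.

```python
"""Collapse DOS search-path noise in NetWare-style file audit events.

Added example, not code from AuditTrack or Blue Lance. The record
layout (timestamp in seconds, user, event text, path) and the sample
events are constructed for illustration.
"""
import ntpath
from collections import Counter

WINDOW_SECONDS = 5  # assumption: a DOS path search finishes well inside 5 s

# Constructed sample log. KRISTIN launches WP.EXE twice; the first launch
# walks three directories before the file is found. GUEST probes for two
# files that are never run at all, which a real auditor must still see.
SAMPLE_EVENTS = [
    (100, "KRISTIN", "invalid path or file name", "F:\\USERS\\KRISTIN\\WP.EXE"),
    (100, "KRISTIN", "invalid path or file name", "F:\\WP.EXE"),
    (100, "KRISTIN", "invalid path or file name", "C:\\WINDOWS\\WP.EXE"),
    (101, "KRISTIN", "file run", "F:\\APPS\\WP\\WP.EXE"),
    (200, "GUEST", "invalid path or file name", "F:\\SYSTEM\\NET$OBJ.SYS"),
    (201, "GUEST", "invalid path or file name", "F:\\SYSTEM\\NET$PROP.SYS"),
    (300, "KRISTIN", "file run", "F:\\APPS\\WP\\WP.EXE"),
]


def _key(user, path):
    """Case-insensitive (user, file name) key; ntpath handles DOS backslashes."""
    return user.upper(), ntpath.basename(path).upper()


def collapse_search_path_noise(events, window=WINDOW_SECONDS):
    """Return (kept_events, searched_dirs).

    kept_events: the log with search-path noise removed, original order.
    searched_dirs: Counter of (user, file) -> directories tried before the
    file was found, i.e. how inefficient each launch was.
    """
    # Index every successful run so each failed open can look ahead.
    runs = {}
    for ts, user, event, path in events:
        if event == "file run":
            runs.setdefault(_key(user, path), []).append(ts)

    kept, searched_dirs = [], Counter()
    for ts, user, event, path in events:
        if event == "invalid path or file name":
            later = runs.get(_key(user, path), [])
            # Noise only if the same user runs the same file shortly after.
            if any(ts <= run_ts <= ts + window for run_ts in later):
                searched_dirs[_key(user, path)] += 1
                continue
        kept.append((ts, user, event, path))
    return kept, searched_dirs


if __name__ == "__main__":
    kept, depth = collapse_search_path_noise(SAMPLE_EVENTS)
    for rec in kept:
        print(rec)
    for (user, exe), n in depth.items():
        print(f"{user} searched {n} directories before running {exe}")
```

Note the window is keyed on user and file name, not on the full path: the failed opens name the directories that were tried, while the run names the one that worked. A launch that takes eight or nine directories shows up in the counter, and GUEST's two probes survive in the kept list.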

Both AuditTrack and LT Auditor+ keep track of every time you access or change screens inside of NetWare management utilities such as NWAdmin. For example, we used NWAdmin to verify that users could change their own passwords and AuditTrack reported the access, even though nothing changed. The plus side to this is that if someone is just sniffing around in advance of actually hacking, you'll notice, but we wish there were an option to report only changes.

Any tracked event can be turned into a report or a graph with a click of a button. AuditTrack lets you set up groups of tracked events as audit sets. An audit set can have one tracked event, such as file open, or several, such as all tracked directory services events.

AuditTrack can be configured to send broadcast alerts to a list of users, but more sophisticated alerts are unavailable without additional products.

This product is not an enterprise solution because management is on a server-by-server basis.

LT Auditor+

Like AuditTrack, LT Auditor+ is a simple NetWare 3.X and 4.X event viewer. It has NLM and console components, and requires that Btrieve.NLM be running on the server, which it loads automatically. The interface is almost as intuitive as AuditTrack's.

LT Auditor+, while licensed on a per-server basis, is not limited to reporting on a single-server basis. From a single administrator console, you can consolidate data from several servers and build a single report covering them all. LT Auditor+ also includes options for exporting data to other programs such as Microsoft Excel for analysis.

Security at the console is controlled by switches. Loading LTAUDIT.NLM with the /U switch means you can't unload it without downing the server. Another switch makes the LT Auditor+ NLM server console screen invisible, but we're not sure how valuable that is. The product uses two NLMs - the second one is the LTMERGE.NLM, for merging data from multiple servers, and there's no switch to hide it - so an intruder with console access would still be tipped off that auditing was loaded. Likewise, any serious intruder would use MONITOR.NLM to check loaded processes, and LTAUDIT would be sitting there in memory. But that's okay - visible security auditing should be a deterrent.

An additional security issue in some environments is the lack of password protection on the management console, meaning the server should be physically secure.

There are two modes for analyzing LT Auditor+ data - connected to the LAN and portable, which means you download data and can analyze it offline.

LT Auditor+ uses the Crystal Reports engine, so report formats are pretty, but they are difficult to read on-screen, where they first appear. You can view reports at three increasing levels of magnification. Even at the highest magnification on a VGA 640x480 pixel display, the font was too small to read, forcing us to print the report to paper - an awkward and time-consuming process when you're trying to catch a culprit in action. If you use cc:Mail, Crystal Reports can automatically send any report via E-mail.

Despite the ability to analyze reports offline, we liked this product less than AuditTrack. It swallowed approximately 5M bytes of server RAM, compared to AuditTrack's approximately 2M bytes. There is no browse button for adding users, or searching directories when filtering the default report; you have to type the value into a text box, requiring you to remember long context or directory paths.

We also experienced some errors running the application, including increasing memory usage and the NLMs abending our NetWare 4.1 server. Unfortunately, the manual has no index, so it was difficult to look things up during troubleshooting.

KSA

KSA comes in two flavors - KSA for NetWare and KSA for Windows NT. They are separate products and neither can handle servers of the other type, so you can't get a whole network assessment if you have a mix of NetWare and NT. They do, however, provide analysis - lots of it. Using KSA is like having an Intrusion Detection security analyst take a snapshot of your network and give you a report card.

We tested the KSA for Windows NT. The vendor is working on a revision of the NetWare product, due out by the time you read this, that includes support for 32-bit desktops, but the software wasn't ready for us to test.

The KSA for NT installation went smoothly, except that the auditor must have the advanced NT right ''act as part of operating system,'' which you have to set up yourself. If you don't, the product runs but could give you incomplete or erroneous data, as it did in our lab.

Intrusion Detection recommends running the NT version on a 150-MHz or faster Pentium or symmetric multiprocessing workstation. We can see why - on our 486/66 with 32M bytes of RAM, it was quite slow. The management console is not password protected, but it is easy to use.

The product performs network security assessments based on a set of best practices determined by Kane's consultants' experience with clients. While the default set is based on the manufacturer's experience, you can develop your own set of secure values and save them as personal best practices. The documentation is a three-ring binder mostly concerned with explaining all the parameters included in best practices.

The first step in using KSA is to run an assessment. Assessments are NT domain-oriented rather than server-oriented. The results of an initial assessment include a Top 10 List of value judgements and a quick overview of how secure your network is. For example, the default practices treat logon station restrictions as a good thing; without them in effect, you receive a lower security score on the Top 10 List. If you don't feel this is an appropriate restriction for your user community, you'll want to remove it from your personal best practices.

The Top 10 List is followed by the Report Card, which scores what percentage of network objects fail in specific categories. These two are the only screen reports available. They can be scheduled for every day or every X amount of days, and can be E-mailed or printed. There is no alerting mechanism.

KSA is the only product we tested that includes baselining functions, which let you assess your network's ongoing security weaknesses against a previous snapshot, although BindView told us baselining functions were in development.

KSA gives you one full management report, written in the hard-to-read passive voice, complete with cover page, table of contents and executive summary. The Report Card is one of the report components. The full report on a small network prints about 30 pages. Unlike the other three products, the only other reporting capability is printing specific sections of the one management report. AuditTrack, LTAuditor+ and BindView EMS all let you create your own reports for any set of information and save them for repeated use.

We also have to question the accuracy of the KSA audit. The compliance summary for our NT domain said we passed the ''password strength, password exists'' and ''password strength, password not easily guessed'' categories even though our users had no passwords. This erroneous data was partially attributed to the fact that the user ID we logged on with did not have the required rights. We would prefer that the product return an error message stating that password tests could not be accomplished due to insufficient rights, or better yet, that complete rights be established during the installation.
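The failure described above, a check reporting a pass when it could not read the data it needed, is the one thing a best-practice scorer must never do. The following is an added example, not KSA's code (Intrusion Detection's checks and scoring rules are not published on the page): a report card that scores the percentage of domain objects failing each check, keeps ''not assessed'' as a separate outcome from ''pass'', and lets you drop a default practice, such as logon station restrictions, from a personal set. The user records, attribute names and the three checks are constructed assumptions for this example.

```python
"""Best-practice report card that refuses to pass what it could not read.

Added example, not code from KSA or Intrusion Detection. User records
and attribute names are constructed; a reader without the right to see
password data returns None for those fields instead of a value.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_ASSESSED = "not assessed"  # data unreadable, e.g. auditor lacked rights


# Constructed sample domain as seen with full rights.
USERS_FULL_RIGHTS = [
    {"name": "KRISTIN", "has_password": True,  "password_in_dictionary": False, "logon_stations": ["WS1"]},
    {"name": "GUEST",   "has_password": False, "password_in_dictionary": None,  "logon_stations": []},
    {"name": "TEMP",    "has_password": True,  "password_in_dictionary": True,  "logon_stations": []},
]
# The same domain as seen by an auditor without the right to read password data.
USERS_NO_RIGHTS = [dict(u, has_password=None, password_in_dictionary=None) for u in USERS_FULL_RIGHTS]


def check_password_exists(user):
    v = user["has_password"]
    if v is None:
        return Result.NOT_ASSESSED
    return Result.PASS if v else Result.FAIL


def check_password_not_guessable(user):
    if user["has_password"] is False:
        return Result.FAIL  # no password at all is trivially guessable
    v = user["password_in_dictionary"]
    if v is None:
        return Result.NOT_ASSESSED
    return Result.FAIL if v else Result.PASS


def check_logon_station_restriction(user):
    return Result.PASS if user["logon_stations"] else Result.FAIL


# Default set; names echo the categories the review mentions.
DEFAULT_BEST_PRACTICES = {
    "password strength, password exists": check_password_exists,
    "password strength, password not easily guessed": check_password_not_guessable,
    "logon station restrictions": check_logon_station_restriction,
}


def personal_best_practices(exclude=()):
    """A copy of the default set with the named practices removed."""
    return {k: v for k, v in DEFAULT_BEST_PRACTICES.items() if k not in set(exclude)}


def report_card(users, practices=DEFAULT_BEST_PRACTICES):
    """Per practice: percent of assessed objects failing, and how many
    objects could not be assessed. percent_failing is None, never 0,
    when no object could be assessed."""
    card = {}
    for name, check in practices.items():
        results = [check(u) for u in users]
        assessed = [r for r in results if r is not Result.NOT_ASSESSED]
        failing = sum(r is Result.FAIL for r in assessed)
        pct = round(100 * failing / len(assessed)) if assessed else None
        card[name] = {"percent_failing": pct, "not_assessed": len(results) - len(assessed)}
    return card


if __name__ == "__main__":
    for label, users in (("full rights", USERS_FULL_RIGHTS), ("no rights", USERS_NO_RIGHTS)):
        print(label)
        for name, row in report_card(users).items():
            print(f"  {name}: {row}")
```

Run with the rights-starved view, the two password categories come back with percent_failing None and three objects not assessed, instead of the clean pass the review saw; the logon station check, which needs no special right, still scores. Removing a practice from the personal set simply removes its row from the card.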

While a wide array of analysis is done, it is difficult to get much detail. For example, the Security Events report can tell you which user account created the new admin-equivalent user on your NT server, but not which node that account was logged on from at the time - a key piece of information, and an incongruous omission given that node ID restrictions are counted as a security issue on the Report Card.

KSA provides less auditing history than the other three products and more comparison against a set of values. As such, it's most appropriate for managers who want to make a case for developing better security practices.

BindView EMS Enterprise Console

Of the products we tested, BindView EMS Enterprise Console with NOSadmin for Windows NT Server plug-in provided the most complete set of historical tracking and analysis. BindView lets you assess your Windows NT and NetWare 3.X and 4.X servers from the same console. It's an administrator's dream come true.

We tested the shipping NetWare and beta Windows NT Server components. We installed the management console on our Windows 95 system. The interface follows a folder metaphor. You can create your own folder, store any of the several predefined reports, or create your own reports. You can make your folders available on other users' desktops. Because each administrator has to log on to the workstation console with a password, you can delegate subsets of information to junior administrators on the same system, or you can purchase additional console licenses if you want them to have their own consoles.

You determine what parameters you want to look at by defining a query and limiting it to a scope. Scopes can be limited to a particular resource such as a network operating system, a domain or part of a directory tree. This truly reflects the way enterprise management works.

The default on-screen report format is grid style, which is utilitarian but not pretty. Double-clicking on a record brings up well-organized, detailed information on the current record. For example, clicking on any record in the User Privileges Analysis grid brings up an icon-driven set of detail sheets for things such as user properties, workstation logon parameters, group membership and detailed privileges lists.

Printing any grid generates reports with full control over formatting and data placement. You can quickly produce a comprehensive set of reports on security parameters that include values, judgments and history. The default formatting generates presentation-level reports. But if you want an executive summary or Report Card such as that provided by KSA, you have to write it yourself. Reports can also be displayed as a graph. The predefined reports for NetWare and NT are relevant to each operating system and provide a wide array of analysis on, for example, inappropriate naming standards, invisible objects for Novell Directory Services, domain security, or users that last logged in a month or more in the past. You can create your own query, filter and scope, save it, and schedule it to run automatically.

We didn't run into any erroneous data or program errors on the shipping product, unlike the other three products. The only items we could even slightly complain about were the lack of a baselining feature and that the underlying database structure on the console workstation is Btrieve - we would prefer something more open, so that the database gurus at larger sites could manipulate the data for custom integration with, say, purchasing department data.

To sum up

Overall, we were disappointed in all the products in the security auditing field. A mature security auditing product would support multiple servers and NOSes from a single management console, provide flexible reporting, store historical data in an open database, and be the most secure application on the network itself. Service processes, such as NLMs, should be difficult to unload and consoles should require authentication before allowing access.

BindView is the only product even close to what today's networks need. AuditTrack seems stuck in 1991, when all LANs were NetWare and there were seldom more than two servers. Its only modern feature is that it can track directory services events. LT Auditor+ behaves poorly on the server, spewing out a variety of memory-related errors and occasionally abending. Despite that, it's one step closer to today's networks than AuditTrack because it can merge data from multiple servers for viewing with a single console. We would look at KSA only to see what topics should be included in a security report for management.

Choosing the most appropriate tool for your network depends on your requirements. If all you need is NetWare event tracking, AuditTrack or LT Auditor+ fit the bill. If multiple server analysis is important to you, choose LT Auditor+; if you care more about running smoothly without crashing, pick AuditTrack.

If you need accurate results and cross-platform support, there's no choice but BindView. Its ease of use, range of analysis and detailed reporting with distributed management functionality make this product a clear winner.




Marks is a senior analyst for Networks Are Our Lives, Inc., a network consulting firm in Fairfield County, Conn. She can be reached at kmarks@naol.com.