SecurityExpressions:
Centralized Policy Security Management for
Windows NT and Windows 2000

Gary C. Kessler
November 2001


An edited version of this paper appeared with the title "SecurityExpressions" in the Test Center column of the February 2002 issue of Information Security Magazine (www.infosecuritymag.com). Copyright © 2002. All rights reserved.


Assessment of a site's security implementation generally involves at least two phases — determining whether the security implementation is consistent with the organization's security policies and determining whether those security policies will actually protect you from the bad guys. But written policies are hard to come by; in cases ranging from small businesses up to Internet service providers, I have found organizations with no security-related user policies or server implementation guidelines.

There are many sources of guidelines for securing Windows and Unix servers and workstations, some commercial and some freely available. These policy documents comprise the set of best industry practices but, even so, have to be tailored for a given organization and/or a given system. But once you develop the set of policies for your organization, how do you ensure that all systems on your network are in compliance? When you change the policy rules, how do you effect those changes throughout your network? As new vulnerabilities become known, how do you test to see if you have a potential compromise? And how do you accomplish this task in environments where the number of computers is growing at a rate much faster than the number of system administrators?

SecurityExpressions (http://www.securityexpressions.com), from Pedestal Software (http://www.pedestalsoftware.com), is a tool for the security administrator that provides centralized policy management for Windows NT/2000 and Unix systems. SecurityExpressions allows a system or security administrator to define a set of organizational policies based on industry best practices and local requirements, and ensure consistent implementation of those policies across the enterprise network.

The SecurityExpressions software runs on a Windows NT or 2000 system. I installed it on a Windows 2000 system without incident and was using the software within minutes with little documentation. The software has a 5-minute tutorial describing major features and very good on-line help.

Policies are implemented as a set of rules in Security Information File (SIF) files. SecurityExpressions is distributed with a set of SIF files, including:

The Internet Explorer SIF contains rules specific to the configuration of the IE browser, while the Microsoft Fixes SIF has a set of rules to determine the status of hotfix installation. The remaining four SIFs are rulesets based upon Windows NT and Windows 2000 security documents from Microsoft, the National Security Agency, the SANS Institute, and the U.S. Navy. A SIF with sample Unix security rules is also provided. Additional SIFs, such as one for Word 2000 and Excel 2000 macros, and updated SIFs are available from the Pedestal Software Web site.

The most basic function of SecurityExpressions is to scan one or more systems to determine their compliance with a set of policies. The software uses native Windows communications protocols so that no client software is required when scanning other Windows systems, although special agent software is required on Unix/Linux systems if you want to scan those systems, as well.


FIGURE 1. A system scan using the SANS Windows NT rule set.

Figure 1 shows the results of scanning a host (ALTAMONT). The listing in the right pane of the window indicates this host's compliance with each rule in the selected ruleset (in this case, the SANS guidelines). The descriptive text (e.g., "3.01.01 Prevent the name of the last user...") is purposely designed to be consistent with the rule as stated in the source policy document.

The scan shown here is a very basic one, applying a standard ruleset to a single host system. In fact, scans can be applied in a very flexible way. First, rules can be defined on a per-operating system basis so that, for example, some rules apply only to a Windows NT Server and others to a Windows NT Workstation. Second, individual systems can be placed in Machine-Lists and rules applied to groups of machines so that, for example, rules for systems in the Production group are different than those in the R&D group. And although the scan of a single system is shown here, SecurityExpressions can operate in a batch mode to scan systems in one or more machine lists with a single command; up to 200 scanning threads can be open simultaneously.


FIGURE 2. A portion of a text report summarizing a host.

Detailed reports can also be obtained in a variety of formats. A text report of this same scan is shown in Figure 2. Looking again at SANS Rule 3.1.1, we see the compliance status, security threat priority, and the current and desired setting of the relevant system parameter.


FIGURE 3. A portion of an HTML report.

Figure 3 shows similar information as Figure 2, but in an HTML format accessible via a plug-in for Internet Explorer. In addition to the ease with which an HTML document can be quickly shared on an intranet, the colors quickly draw the eye to problem areas. Reports can also be exported in Excel tab-delimited, Word .DOC, or PDF formats. Reports can contain comparative information with previous scans so that information can be analyzed and historic trends observed. These reports also contain summary information showing which hosts have the most out-of-compliance rules and which rules are most frequently violated.

While reporting is useful, it does not provide remediation. With the display shown in Figure 1, the security administrator can click on any line on the right pane to obtain more information about that rule; the admin can also change an errant rule interactively to bring it into compliance. Alternatively, SecurityExpressions can be set to automatically change non-compliant parameters to the values specified in the ruleset. History logs are maintained of all actions so that any changes can be reversed, if necessary, as well as to allow comparative reporting over time.


FIGURE 4. SIFs and sample rule.

Figure 4 shows the set of standard SIFs that ship with SecurityExpressions, as well as a sample rule. The dialogue box shown in the figure displays all available SIFs. Highlighting a SIF displays all of the individual rules; in this case, we are displaying Rule 3.1.1 of the SANS guide, shown below:

;3.1.1
[Rule:DontDisplayLastUsername]
Modifiers=MissingNotOK
Value=1
Type=REG_SZ
Check=Value
Config=RegYesNo
Name=DontDisplayLastUsername
Key=hklm\software\microsoft\windows nt\currentversion\winlogon
Description=3.01.01. Prevent the name of the last user from being displayed on the login screen .


SIF files are simple text files with rules expressed in a SecurityExpressions-specific format. Each rule has a mnemonic name, denoted by the "Rule:" tag. The modifier indicates actions that the software can take based upon this rule; MissingNotOK, for example, means that the software should flag the status of this rule as noncompliant if the required parameters are missing at the scanned system. The modifier can also be set to not allow a noncompliant value to be fixed dynamically (NoFixesAllowed).

Rule 3.1.1, in particular, pertains to the Registry key controlling whether the name of the last successfully logged on user is displayed in the Windows logon dialogue box. The SANS guidelines recommend that this information be suppressed by setting the appropriate key value to "1". This rule will be labeled NOTOK if the key value is not "1" or if the key itself is missing.
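To make the rule semantics concrete, here is a small Python evaluator written for this review (it is not Pedestal's code, whose internals are not public): it parses the SIF rule printed above, reports OK/NOTOK against a registry snapshot using the MissingNotOK behaviour described, and declines to auto-fix a rule carrying NoFixesAllowed while logging each fix so it can be reversed. The in-memory registry, the history-log layout, the "MISSING" status and the comma/space modifier separator are assumptions.

```python
import re
# Constructed SIF text: rule 3.1.1 exactly as printed above (one rule of the SANS SIF).
SAMPLE_SIF = r"""
;3.1.1
[Rule:DontDisplayLastUsername]
Modifiers=MissingNotOK
Value=1
Type=REG_SZ
Check=Value
Config=RegYesNo
Name=DontDisplayLastUsername
Key=hklm\software\microsoft\windows nt\currentversion\winlogon
Description=3.01.01. Prevent the name of the last user from being displayed on the login screen .
"""

def parse_sif(text):
    """Parse '[Rule:Name]' sections into {name: {field: value}}; ';' lines are comments."""
    rules, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[Rule:(.+)\]$", line)
        if m:
            cur = rules.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip()
    return rules

def _reg_id(rule):  # registry key/value names are case-insensitive
    return (rule["Key"].lower(), rule["Name"].lower())

def _mods(rule):  # modifier separator (comma/space) is an assumption
    return set(re.split(r"[,\s]+", rule.get("Modifiers", "")))

def check_rule(rule, registry):
    """'OK'/'NOTOK' as the text describes; a missing value is NOTOK under MissingNotOK."""
    actual = registry.get(_reg_id(rule))
    if actual is None:
        return "NOTOK" if "MissingNotOK" in _mods(rule) else "MISSING"
    return "OK" if str(actual) == rule["Value"] else "NOTOK"

def fix_rule(rule, registry, history):
    """Auto-remediate unless NoFixesAllowed; log (id, old, new) so the change can be reversed."""
    if "NoFixesAllowed" in _mods(rule) or check_rule(rule, registry) == "OK":
        return False
    rid = _reg_id(rule)
    history.append((rid, registry.get(rid), rule["Value"]))
    registry[rid] = rule["Value"]
    return True
```

On a real host the registry snapshot would come from the scanned machine; here a dict keyed by (key, value name) stands in for it.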

Rules can be applied on a Machine-List and/or user/group basis. According to Pedestal Software, rule sets can be further extended and customized using JavaScript, Perl, or VBScript code.


FIGURE 5. Managing rule sets.

Security and system administrators, of course, want to be able to specify which rules they wish to use and when. Figure 5 shows another way in which a rule set can be examined, changed, or even disabled without having to manually edit the SIF file. This capability is quite useful if you want to apply the rule differently to different machine lists; you might want to use a given rule for some systems (e.g., disable last login display), alter the rule for other systems (e.g., enable last logon display), and ignore it completely for another set of systems (e.g., don't care).

The bottom line is that there is a great deal of flexibility afforded to the security manager in defining rules. Rules can be added to an existing SIF file by editing the file manually, or organization-specific rulesets can be created by building SIF files from scratch using existing and/or custom rules.


FIGURE 6. SecurityExpressions query.

Another powerful feature of SecurityExpressions is the ability to build queries about users, groups, and/or files, as shown in Figure 6. In this example, I built a query to search for the Guest user having been added to the Administrator group, a signature of infection by Nimda. Queries about user membership in groups, user or group privileges, and user/group access permissions to files, for example, can also be performed and updates applied, as necessary.

SecurityExpressions is a powerful and useful tool. It is timely, as well. In the wake of Code Red, Code Red II, Nimda, and a plethora of viruses/worms just looking for a Microsoft vulnerability to exploit, tools that help lock down Microsoft servers and desktops are welcome. From a security perspective, users who rely on Microsoft operating systems and applications should be a little nervous as we see the Gartner Group suggesting that users avoid Microsoft software where possible because of the difficulty securing them, Microsoft stating that they are opposed to full disclosure of security vulnerabilities, and MCSEs under-trained in security. This tool is a breath of fresh air.

But even so, it could be even more useful by extending the rulesets. SIFs for Windows XP, IIS, Outlook, Outlook Express, SQL Server, Exchange, and other common Microsoft software would be great additions to the SIF library. In addition, the software has a plug-in for IE but for no other browser, which I find regrettable; I use a non-IE browser partially for better security. And I did find it a tad disconcerting that the program reported my Windows Me system to be an OS/2 machine.

The people who control the budget also have to realize that no one security tool will do everything. SecurityExpressions complements but does not replace vulnerability scanners, port scanners, and software that tells you what programs are using what TCP/UDP ports; as such, this may be an important part of the Windows NT/2000 systems administrator's security toolkit but it can't be the only tool. SecurityExpressions will only tell you if your systems are in compliance with your policies, it cannot tell you if you are vulnerable to the latest exploit.

SecurityExpressions provides a lot of valuable information to a systems administrator and offers a lot of control over the systems in the network. It is easy to install, simple to use out of the box, straightforward to modify, and very cost effective. It is certainly worth a look at the 30-day trial version.



SNAPSHOT REVIEW

SecurityExpressions 2.0
(www.securityexpressions.com)
Between $40-130/server and $10-65/workstation managed
(plus 15% annual charge for updates after first year)

Pedestal Software
(www.pedestalsoftware.com)

PROS
SecurityExpressions is a powerful tool for the Windows NT/2000 system administrator to be able to define secure implementation policies, test compliance over an enterprise network, and update systems, as necessary. Rulesets can be based upon best industry practices and/or local requirements. Powerful reporting capabilities allow admins to track trends and analyze network-wide compliance. A powerful query language can be used to check user, group, and file attributes.

CONS
Could use more rulesets to cover the gamut of Microsoft software. Also, the HTML reporting capability could use a non-IE plug-in.

VERDICT
SecurityExpressions is powerful, very useful, easy to install and use, and cost effective. This is a must-see for any Windows systems admin and should become an important tool in the security toolkit.


ABOUT THE AUTHOR: Gary C. Kessler is an Assistant Professor and program director of the Computer Networking major at Champlain College in Burlington, Vermont, and an independent consultant and writer. His e-mail address is kumquat@sover.net.