Intrusion software now detects NT security holes (5/6/96)
by David Strom
There is no worse nightmare for an enterprise manager than the thought that one of his servers is
running with unsuspected security loopholes. And given the rate of growth of NT servers on
corporate networks, the NT version of Kane Security Analyst (KSA) is one way for these
managers to get some needed sleep.
KSA has long been available for the NetWare world, and the NT version is a good effort (although
there is no interoperability between the two versions). I examined a pre-release version that had
some small bugs in the report manager, but otherwise was useful.
Indeed, I was chagrined to see that my first audit was a complete failure: actually, not the audit but
my "report card." My NT server received a lousy 55% grade when its security practices were
compared to an industry standard. Why did I get such a grade? I had neglected to make use of
password expirations, account lockouts and user auditing, for example: three common practices that
go a long way towards improving security. Without auditing turned on, for example, there is no
way to know if unauthorized users are getting access to your server. My server was an accident
waiting to happen.
The software has a simple graphical interface that will lead you through performing a security
analysis: first, you set your security practice guidelines -- or you can just use the default settings that
come with the product (which I found to be close to what I'd desire on my network). Next you run
the audit on your domain controller and/or workstations -- which is an automatic data gathering
process that examines your registry and accounts, along with other data. Finally, you prepare a
series of reports that can be printed to paper or viewed on screen.
KSA's reports are clear and something you can give to your manager to motivate action. They tell
you what trusted domains are set up and which domains can't be administered but should be. Within
minutes you can determine the top ten risks of your machine and zero in on security problems. Like
the NetWare version, it shows you how many of your users have administrator equivalency rights,
what resources users with Guest accounts have access to, what services are currently running on
your server, and login violations. All of this is grist for the security mill, and should bear careful
study.
I learned a great deal about NT security, given my initial failing grade. For example, NT can
automatically log a user onto a network, storing the password in its registry in clear text, and
Windows for Workgroups machines have logins that can be replayed by network analyzers. KSA
shows you the practices that you'll need if you want to obtain C2 security (a government standard)
and whether your machine follows these. Indeed, you can change its pre-set "best practices"
configuration if you so desire.
There are a few improvements I'd like to see with the product: first, it just lists whether the machine
is running Remote Access Server or FTP services. Ideally, it should identify how these services are
set up and what their weaknesses are. Getting a report exported from one machine and imported
into another is a bit cumbersome. And KSA just takes a snapshot of your security: you'll have to
rerun the analysis frequently, as there is no real-time monitoring of changes. It would be nice to have
a report that just shows the changes implemented since the last report. (You can make comparisons
for different security practices standards, but that's not the same thing.) Finally, while I understand
the need for copy-protected software, I don't agree with its use here.
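
As an added example (not KSA's code and not part of the original review), the following Python checks two of the practices named above, password expiration and account lockout, against a baseline, then reports only what changed between two snapshots, which is the report the review asks for. The `net accounts`-style sample output and the baseline thresholds are constructed assumptions.

```python
import re

# Constructed sample: `net accounts`-style output from a server with no policy set.
SNAPSHOT_BEFORE = """\
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
"""
# Constructed sample: the same server after the policy was tightened.
SNAPSHOT_AFTER = """\
Maximum password age (days):                          42
Minimum password length:                              8
Lockout threshold:                                    5
Lockout duration (minutes):                           30
"""

# Assumed baseline thresholds for illustration; not KSA's standard.
# None means the setting is unlimited, disabled, or missing, and always fails.
BASELINE = {
    "Maximum password age (days)": lambda v: v is not None and v <= 90,
    "Minimum password length": lambda v: v is not None and v >= 8,
    "Lockout threshold": lambda v: v is not None and 1 <= v <= 10,
}

def parse_accounts(text):
    """Map each 'label: value' line to an int, or None for non-numeric values."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*)$", line)
        if m:
            raw = m.group(2).strip()
            settings[m.group(1).strip()] = int(raw) if raw.isdigit() else None
    return settings

def audit(settings):
    """Return the baseline checks this snapshot fails."""
    return sorted(k for k, ok in BASELINE.items() if not ok(settings.get(k)))

def changes(before, after):
    """Return only the settings whose value differs between two snapshots."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}

if __name__ == "__main__":
    old, new = parse_accounts(SNAPSHOT_BEFORE), parse_accounts(SNAPSHOT_AFTER)
    print("failing before:", audit(old))
    print("failing after: ", audit(new))
    print("changed:", changes(old, new))
```
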
© Infoworld Publishing Co.