Altiris SecurityExpressions 3.4
- By Carlos A. Soto
- Jul 27, 2006
Easy to set up, quick, agentless operationCons:
Expensive, doesn't update automaticallyPrice:
$225,000 for 5,000 clients and 250 serversPerformance:
AEase of use:
|GCN Lab Reviewer's Choice|
One problem with many vulnerability management programs is that they overcomplicate their software interface and the steps required to find or fix problems. But Altiris SecurityExpressions breaks down vulnerability management to its simplest parts, with a straightforward interface that makes creating a policy either from a template or from scratch simple and fast.
It took us three minutes to install SecurityExpressions on our network, and in ten minutes we had our network audited to comply with best practices from the National Security Agency. SecurityExpressions is agent-less software, which means it doesn't require client programs to run locally on every device on the network (you could run it with agents, however, if you prefer). We found this ensured maximum automation and didn't compromise bandwidth on our test network. But best of all, the software was easy to use.
Altiris simplifies things by disassembling the program into separate windows. The first window is a portal or wizard-type window that lets the user choose from a list of common templates and executables. For our tests, we chose the NSA standards.
On our test network, we had several Windows 2000 and XP machines we wanted to secure. When we ran the audit, we found an average of 365 issues per machine that kept them from complying with the NSA policy.
With a mouse click, SecurityExpressions 3.4 would have made all the necessary changes automatically, but we felt some of NSA's policies were too stringent for the network in our scenario. We were able to drill down on every issue and fine-tune the fixes. For example, Altiris flagged a problem with password length, explaining via the software, 'Blank passwords and shorter-length passwords are easily guessed by password cracking tools. To lessen the chances of a password being cracked, passwords should be longer in length. Allowable values for this option are 0 (no password required) or between 1 and 14 characters.'
The software provided considerably more detail, such as the fact that Windows 2000 and XP support passwords up to 127 characters long. It also gave good suggestions and warnings about fixes. For example, it reminded us that privileged users, such as administrators, usually have passwords longer than 12 characters, and that an optional method of strengthening administrative passwords is to use characters that are not in the default character sets.
Although we agreed with the password length issue, the NSA policy on changing passwords was too stringent for us. Therefore we simply right-clicked that policy and removed it. We then saved the template under a unique name.
Templates are composed of many granular policies. The SecurityExpressions start-up page gives the user the option of selecting a policy from a file, importing a group policy, viewing the online policy file library or selecting a query. For our tests, we concentrated on selecting a policy from a file Altiris offers including a slew of industry-standard security policies from organization such as Microsoft, NIST, NSA and the Navy. You can customize or extend any of the polices, or if you prefer, you can create new policies to support your unique requirements.
When selecting a policy, Altiris lets the user filter further by categories such as operating systems, security patches, industry-known vulnerabilities, unauthorized software, unauthorized hardware, antivirus and worm status, and more. The user can also choose to view policies from a platform perspective, which covers everything from AIX 4 and Mandrake to Windows XP and Solaris 9. We had little trouble customizing policies and applying them to our network.
Altiris SecurityExpressions is expensive compared to the other suites we tested. (Enterprise-class vulnerability management suites that we didn't test require similar investments.) But SecurityExpressions is worth its weight in gold. For 5,000 clients and 250 servers, Altiris' solution goes for $225,000. For 50,000 clients and 2,500 servers, that price tag increases to $1,585,000. The bigger your network, the more SecurityExpressions will pay dividends and increase your return on investment.
Altiris Inc., Lindon, Utah, (801) 226-8500, www.altiris.com