  SecurityExpressions - Frequently Asked Questions
Q.   Why should I use SecurityExpressions instead of vulnerability scanners?
A.   Vulnerability scanners scan systems against a known list of vulnerability signatures. SecurityExpressions audits systems against a system security policy, such as a home grown policy or one published by Microsoft, SANS, NSA, NIST and other industry organizations. Vulnerability scanners serve a different purpose than an audit and compliance solution. Vulnerability scanners find certain specific security problems in your configuration, whereas an audit and compliance solution audits your systems against a complete detailed system security policy. Some items not covered in a typical vulnerability scanner that could be in a system security policy file include:
  • Operating system configuration settings such as users and groups, user rights, user account policies, registry settings and key permissions
  • Application configuration settings
  • Unauthorized hardware/software
  • Advanced settings such as queries, user account activity, login accounts and system utilization
Furthermore, SecurityExpressions allows systems to be brought into compliance with the system security policy through changing system settings, applying patches and other system configuration changes. Bringing a system into compliance is key to passing an audit.

According to analysts, good vulnerability management practices include both a vulnerability scanner and a comprehensive audit and compliance solution.
Q.   How often are Security Policy Files updated?
A.   The MS Fixes file (for Microsoft Hot Fixes/Patches) is usually updated within 3 days of Microsoft's announcement of a new Security Bulletin. Other SPFs are updated as changes are required by customers.
Q.   What if I want to change a Security Policy File?
A.   SecurityExpressions ships with many Security Policy Files, such as application inventory, MS hot fixes, Solaris patches, the Microsoft Security White Paper, SANS step-by-step guidelines, NSA, NIST and others. All of these policy files can be customized: rules can be edited, deleted or added. Most companies begin with a best-practices policy file and then delete, add or edit rules to meet their own requirements. Because rules are written as expressions, the settings that SecurityExpressions can audit and fix are not limited to those in the shipped files.
Q.   Does SecurityExpressions support auditing via an agent as well as agentless auditing? Can the two be mixed and matched to meet the needs of my environment?
A.   SecurityExpressions offers both an agentless and an agent-based solution, and both are available for all supported platforms. Agent-based and agentless audits can be mixed and matched across your systems to fit your network and system configuration.
Q.   How does SecurityExpressions work with agents, and does it require administrative credentials in order to audit a system this way?
A.   When auditing through an agent, the person running the audit does not have to supply administrative credentials for each target system. Instead, SecurityExpressions authenticates and authorizes users against your corporate directory: NT Domain Groups or Active Directory for Windows, and local or network-based UNIX directory systems such as NIS, NIS+ or LDAP. Directory groups map users to one of three permission levels: limited audit (no scripts or executables), audit only, and audit and remediate. The same groups also designate which systems each user may audit.
Q.   How does SecurityExpressions work without agents and how are remote site systems handled?
A.   SecurityExpressions uses Windows Networking and RPC to perform remote functions on Windows systems, such as comparing and changing security settings. Most Windows hosts already have these protocols enabled, and Windows Networking provides the authentication needed to reach security functions, so no additional authentication software is required. Note that the account used for an agentless audit must itself hold the rights to read and change those settings remotely (in practice, local administrator rights on the target), so treat it as a privileged account and protect it accordingly. For UNIX systems, SSH is used. If systems are in a secured zone or on the far side of a firewall that blocks Windows Networking or SSH, SecurityExpressions includes a distributed proxy and a distributed agent. A distributed proxy resides on a single system at a remote site and can audit and remediate all systems at that site agentlessly.
Q.   Can I control the amount of bandwidth used by SecurityExpressions? What about at remote sites via the Distributed Proxy?
A.   Yes. SecurityExpressions can throttle the bandwidth used by the host on which it runs, so it will not exceed the budget you set aside for it. Bandwidth may also be limited at remote sites via the Distributed Proxy, which lets you control usage on your LAN as well as on your WAN.
Q.   What if a system is not logged onto the network when an audit occurs?
A.   If an audit occurs and a system is turned off or not logged onto the network at the time of the audit, SecurityExpressions will periodically scan for those systems on a schedule. When those systems next log onto the network, they will be audited and included in the audit results.
Q.   How does SecurityExpressions remotely run programs, such as Hotfixes?
A.   When remotely executing programs, SecurityExpressions supports a variety of mechanisms, such as copying the executable to the remote system and scheduling it to run with the Task Scheduler, or, on Windows 2000 machines, running the program via Windows Management Instrumentation (WMI). If desired, SecurityExpressions also includes its own agent, which can be enabled in the program options. The agent provides more control than the Task Scheduler or WMI remote execution options, such as terminating the program after a specified timeout period, capturing stdout, stderr or both output streams, and other control features. The agent is optional; if it is used and not already installed, it is installed automatically at the time of use. Because remote file copy followed by scheduled-task or WMI execution is also the pattern used for lateral movement, tell your monitoring team which service account performs these actions and from which hosts, so that legitimate remediation runs can be distinguished from an attacker using the same mechanisms.
Q.   How is my audit compliance measured?
A.   Benchmarking reduces audit compliance status to a single number: a percentage of compliance that all levels of IT management can work from. For example, if compliance is at 82% and the benchmark is set at 80%, then 82% is a passing score. Each rule can be weighted Low, Medium or High, and the weights are used to compute a composite weighted percentage, so a failed High rule costs more than a failed Low rule. The result is a single weighted score that is easy to communicate to every management level.
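The following is an added example, not SecurityExpressions code, of how a weighted compliance score compares with a plain pass ratio against a benchmark. The weights (High=3, Medium=2, Low=1) and the sample rule results are assumptions chosen for illustration; the product's own weighting scheme is not documented on this page.

```python
"""Weighted compliance benchmark (added example, not SecurityExpressions code)."""
from dataclasses import dataclass

# Assumed weights for the three severity levels the FAQ mentions.
WEIGHTS = {"high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass(frozen=True)
class RuleResult:
    name: str
    severity: str   # "high" | "medium" | "low"
    passed: bool


def unweighted_compliance(results):
    """Plain pass ratio as a percentage: every rule counts the same."""
    if not results:
        raise ValueError("no rule results to score")
    return 100.0 * sum(1 for r in results if r.passed) / len(results)


def weighted_compliance(results):
    """Share of total severity weight held by passing rules, as a percentage."""
    if not results:
        raise ValueError("no rule results to score")
    total = sum(WEIGHTS[r.severity] for r in results)
    passed = sum(WEIGHTS[r.severity] for r in results if r.passed)
    return 100.0 * passed / total


def meets_benchmark(score, benchmark):
    """A score at or above the benchmark passes (the FAQ's 82% vs 80% case)."""
    return score >= benchmark


# Constructed sample: 10 rules, 8 passing. The two failures are both High,
# so the plain ratio just meets an 80% benchmark while the weighted score does not.
SAMPLE_RESULTS = [
    RuleResult("Guest account disabled", "high", False),
    RuleResult("LM hash storage disabled", "high", False),
    RuleResult("Minimum password length >= 14", "high", True),
    RuleResult("Account lockout threshold set", "medium", True),
    RuleResult("Audit logon events enabled", "medium", True),
    RuleResult("Remote registry service disabled", "medium", True),
    RuleResult("Screen saver timeout set", "low", True),
    RuleResult("Legal notice banner set", "low", True),
    RuleResult("Last username not displayed", "low", True),
    RuleResult("Event log size >= 16 MB", "low", True),
]
BENCHMARK = 80.0


def score_report(results=SAMPLE_RESULTS, benchmark=BENCHMARK):
    """Both scores and their pass/fail verdicts against the benchmark."""
    plain = unweighted_compliance(results)
    weighted = weighted_compliance(results)
    return {
        "unweighted": plain,
        "unweighted_passes": meets_benchmark(plain, benchmark),
        "weighted": weighted,
        "weighted_passes": meets_benchmark(weighted, benchmark),
    }


if __name__ == "__main__":
    for key, value in score_report().items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

With these inputs the plain ratio is exactly 80.0% (passes) and the weighted score is 13/19, about 68.4% (fails), which is the point of weighting: the same two missing controls look very different depending on whether severity is taken into account.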
Q.   How do I manage audit tasks?
A.   SecurityExpressions task scheduler is an efficient and automatic function that allows for the scheduling of numerous audit/comply tasks. The scheduler window allows for changing schedules, adding tasks, deleting tasks, changing tasks, etc. IT staff can be alerted when an audit task is complete or when a report is ready. Each scheduled task can have one or more notification actions upon completion. The types of supported notifications include: email, SNMP, UNIX syslog, Windows event log and custom scripts/programs to integrate with other systems such as ticketing systems.

In addition to simple notification, this automates the process of checking for report completion and sharing reports with others. Reports can be attached to the notification email being sent to the administrator, to management or both in HTML, PDF, .doc, .xls and other popular formats. Alternatively, a notification email could include a link to view a report that has been posted on a web site via a script.

Q.   How do I keep my policy files secure?
A.   Policy Files are encrypted with the Advanced Encryption Standard (AES). Encryption protects the confidentiality of the credentials and rules stored in a policy file against unauthorized viewing. Encryption by itself does not detect tampering, however: an attacker who can modify an encrypted file can still alter its contents unless the file is also protected by an integrity check, so restrict write access to the location where policy files are stored and to the accounts that edit them.
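The following is an added example, not SecurityExpressions code, of why encryption alone does not protect a policy file against tampering. The FAQ names AES but not a mode; to stay within the Python standard library, the cipher below is a keystream built from HMAC-SHA256 in counter mode rather than AES-CTR, but the malleability it shows is exactly the same for AES-CTR (and CBC is malleable too, with a different error pattern). The rule line, keys and nonce are constructed for the example.

```python
"""Unauthenticated vs. authenticated encryption of a policy rule (added example)."""
import hashlib
import hmac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity check."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("policy file failed integrity check")
    return decrypt(enc_key, nonce, ct)


def flip_known_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit: knowing the plaintext at `offset`, XOR in old^new."""
    assert len(old) == len(new)
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


# Constructed rule line and fixed keys; a real deployment uses random keys and nonces.
RULE = b"MinimumPasswordLength=14\n"
OFFSET = RULE.index(b"14")
ENC_KEY = hashlib.sha256(b"example-enc-key").digest()
MAC_KEY = hashlib.sha256(b"example-mac-key").digest()
NONCE = b"\x00" * 16


def tamper_unauthenticated() -> bytes:
    """Encryption-only file: the edit decrypts cleanly to a weakened rule."""
    ct = encrypt(ENC_KEY, NONCE, RULE)
    evil = flip_known_bytes(ct, OFFSET, b"14", b"01")
    return decrypt(ENC_KEY, NONCE, evil)


def tamper_authenticated() -> bool:
    """Encrypt-then-MAC file: returns True only if the edit went undetected."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, RULE)
    evil = flip_known_bytes(blob, OFFSET, b"14", b"01")
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, evil)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("unauthenticated decrypts to:", tamper_unauthenticated())
    print("authenticated accepted tampered file:", tamper_authenticated())
```

The attacker never learns the key: knowing (or guessing) that the file contains `MinimumPasswordLength=14` is enough to turn it into `MinimumPasswordLength=01` when the only protection is encryption. The sealed variant rejects the same edit because the HMAC no longer matches.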
Q.   Can SecurityExpressions help me with ad-hoc security searches or queries?
A.   The query wizard is an easy-to-use front end to the SecurityExpressions query engine, and lets queries of all types be run quickly. Queries can return lists of files, file permissions, registry keys, users and groups, and other information from systems that meet the chosen criteria. Where expression-based rules are the right tool for a system security policy, queries are the right tool when you need lists of specific objects across a wide range of systems.

In addition to the creation of custom queries, there are many built-in queries including:

  • Files or registry keys that are owned by a particular owner
  • Files or registry keys created or modified during the last n days or hours
  • All files or registry keys to which a particular user has access
  • Files or registry keys with unknown or deleted users in the access control list
  • Find a specific value in the registry
  • Users with blank, clear text or expired passwords
  • Users that haven’t changed their password in a number of days or are inactive
  • Users that haven’t logged in over some period of time or never logged in
  • Users who are directly or indirectly members of the Administrators group
  • Users with local logon rights to a server
  • Users with dial-in privileges
  • Groups with a specific, administrative, guest or disabled member
  • Groups with identical memberships
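Two of the built-in queries above, "users who are directly or indirectly members of the Administrators group" and "groups with identical memberships", are worth seeing in code because the first needs transitive group expansion that survives nested and circular memberships. The following is an added example, not SecurityExpressions code; the directory snapshot, account names and the `G:` prefix convention for groups are all constructed for the example.

```python
"""Nested group membership and duplicate-group queries (added example)."""
from collections import deque

# Constructed directory snapshot: group -> direct members (users or groups).
# Names prefixed "G:" are groups; everything else is a user account.
GROUPS = {
    "G:Administrators": {"alice", "G:ServerOps"},
    "G:ServerOps": {"bob", "G:Contractors", "G:ServerOps"},      # self-reference
    "G:Contractors": {"carol", "G:Administrators"},              # cycle back to Administrators
    "G:Helpdesk": {"dave", "erin"},
    "G:Helpdesk-Legacy": {"erin", "dave"},                       # same members, different name
    "G:Guests": set(),
}


def is_group(name: str) -> bool:
    return name.startswith("G:")


def effective_members(groups: dict, group: str) -> set:
    """Users who are direct or transitive members of `group`.

    Breadth-first expansion with a visited set, so self-references and cycles
    terminate. Unknown groups are treated as empty rather than raising.
    """
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, ()):
            if is_group(member):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def membership_path(groups: dict, group: str, user: str):
    """Shortest chain of groups explaining why `user` is in `group`, or None.

    Returned as a list from the top-level group down to the group that holds
    the user directly, e.g. ['G:Administrators', 'G:ServerOps', 'G:Contractors'].
    """
    parent = {group: None}
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, ()):
            if member == user:
                path = [current]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return list(reversed(path))
            if is_group(member) and member not in parent:
                parent[member] = current
                queue.append(member)
    return None


def groups_with_identical_membership(groups: dict):
    """Groups whose direct membership lists are identical (ignoring empty groups)."""
    by_members = {}
    for name, members in groups.items():
        if members:
            by_members.setdefault(frozenset(members), []).append(name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


if __name__ == "__main__":
    admins = effective_members(GROUPS, "G:Administrators")
    for user in sorted(admins):
        print(user, "<-", " > ".join(membership_path(GROUPS, "G:Administrators", user)))
    print("duplicate groups:", groups_with_identical_membership(GROUPS))
```

Running it lists alice, bob and carol as effective administrators, with carol reached only through `G:ServerOps` and then `G:Contractors`, and flags `G:Helpdesk` and `G:Helpdesk-Legacy` as having identical memberships. The path output is what an auditor usually needs next: not just who is an administrator, but which nested group grant to remove.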
