Areas that you can consider auditing include access control (NTFS,
permissions, etc.), data integrity, data security, physical access, and
unprotected default accounts. Two products that perform such auditing are
Intrusion Detection's KSA and Somarsoft's DumpAcl.

KSA produces a thorough set of reports based on a set of industry best
practices. These reports help assess your network's security in six areas:
password strength, access control, user account restrictions, system monitoring,
data integrity, and data confidentiality. (Screen A shows KSA.) The product
doesn't change your system settings but makes recommendations. This approach is
by design: Better that you know about the problems and fix them than have
software changing critical parameters without your involvement.

The software includes password cracking and evaluation of user privilege
levels and can show the permissions assigned on NTFS volumes. You can customize
the program to fit your company's policies, and it can keep a history of your
audits. In addition to the NT version, a version is available for Novell
networks, so administrators working in a mixed environment can secure the entire
network.

DumpAcl audits the permissions on the resources in your network, including the
local and shared permissions on files, printers, and the Registry. The program's
reporting by exception reduces the volume of the report when most files have
consistent permissions. Screen B shows a report by exception from DumpAcl. You
can view the reports by user rather than by directory, as you see in Screen C,
and display the account policies, as in Screen D.
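
The idea of reporting by exception, and of viewing the result by user, can be shown in a short added example. This is not DumpAcl's code or output format: the sample listing, the account names, and the rule "list a path only when its permissions differ from its parent's" are assumptions made for the illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

ADMIN = ("Administrators", "Full")
# Constructed sample listing: path -> set of (account, rights) pairs.
SAMPLE_ACLS = {
    r"D:\Data": {ADMIN, ("Users", "Read")},
    r"D:\Data\Public": {ADMIN, ("Users", "Read")},
    r"D:\Data\Public\readme.txt": {ADMIN, ("Users", "Read")},
    r"D:\Data\Payroll": {ADMIN, ("Payroll", "Change")},
    r"D:\Data\Payroll\1997.xls": {ADMIN, ("Payroll", "Change")},
    r"D:\Data\Payroll\notes.txt": {ADMIN, ("Payroll", "Change"), ("Everyone", "Full")},
}


def report_by_exception(acls):
    """Return (path, acl) only where the ACL differs from the parent's.

    Assumed rule for this example: a path whose permissions match its nearest
    listed ancestor is consistent and omitted; the top of the tree is always
    listed so the reader has a baseline.
    """
    listing = {PureWindowsPath(p): frozenset(a) for p, a in acls.items()}
    report = []
    for path in sorted(listing):
        # path.parents runs from the nearest ancestor up to the drive root.
        inherited = next((listing[a] for a in path.parents if a in listing), None)
        if listing[path] != inherited:
            report.append((str(path), listing[path]))
    return report


def by_account(report):
    """Pivot the exception report to read per account instead of per path."""
    view = defaultdict(list)
    for path, acl in report:
        for account, rights in sorted(acl):
            view[account].append((path, rights))
    return dict(view)


if __name__ == "__main__":
    exceptions = report_by_exception(SAMPLE_ACLS)
    print(f"{len(exceptions)} of {len(SAMPLE_ACLS)} paths listed")
    for account, grants in sorted(by_account(exceptions).items()):
        for path, rights in grants:
            print(f"{account:15} {rights:7} {path}")
```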

Somarsoft produces a related utility, DumpEvt for NT. It dumps the Event
Log in a format suitable for importing into a database.

DumpReg is another Somarsoft program for NT and Windows 95. It dumps
Registry values into an easy-to-use listbox. DumpReg shows the time of a
Registry entry's last modification and can sort by time, which makes finding
recently modified Registry entries easy.