While most users don't think of Hewlett-Packard (HP) when it comes to security-related software, the company has a large selection of security and server management software to choose from. Praesidium WebEnforcer for Windows NT 1.1 is HP's entry into the burgeoning server security scanning software market. The software provides protection for NT 4.0 servers running Microsoft IIS and BackOffice products. Unfortunately, the product doesn't support Windows 2000. HP touts WebEnforcer as a product for anyone, from the entry-level network administrator to the experienced IT professional with little time to spend working through security issues.

Features and Benefits
Like many security scanners on the market, WebEnforcer includes a substantial database of known security issues and server vulnerabilities that it can scan, correct, or suggest remedies for. Out of the box, the software can fix more than 100 registry and Distributed COM (DCOM) permission issues and provides more than 200 standard Microsoft Internet Explorer (IE), BackOffice, IIS, and NT local and external system security lockdowns.

Although most of the fixes apply to NT, IIS, and BackOffice, you can add more using HP's SecurityUpdate, a subscription-based service that includes the latest security findings and product support at an additional cost. The service requires a 1-year agreement and includes 24x7 technical support. SecurityUpdate acts much like an antivirus update. The service notifies you when an update is available so that you can connect to HP's Web site, download the update, and apply the update to your WebEnforcer install. After you apply the latest update, you can either rescan your system right away or wait until the next scheduled scan. You can schedule security scans for any particular day or time, or set the software to scan every minute if you are really concerned about changes to the system.

Once WebEnforcer detects a problem, you can configure the software to email or page the system administrator, automatically return the errant settings to the predefined security profile, or both. The autocorrecting feature works seamlessly in the background and is an option for almost every security issue included.

You can configure WebEnforcer to either automatically return your server settings to their original state or just scan and report any known errors and tell you how to fix them. HP includes three predefined security profiles to get you started quickly. You can test these profiles or your own profiles before activating them to ensure that they detect, and possibly fix, the items you'd expect.

WebEnforcer provides a couple of reporting options. You can either view reported details within the software or print them out, depending on your reporting needs. Although you can't tailor the reports to suit your particular needs, the reports are well detailed and should suit most people.

HP has gone to great lengths to make the product easy to use and learn and has included a decent array of online documentation. When you purchase the product, you receive a printed and bound manual, which I did not have for this product review. With one mouse click, you can get to anything from setting up individual security alerts to getting pros and cons of any particular fix you might want to apply. WebEnforcer uses the Microsoft Management Console (MMC), which provides a clean interface with everything you need accessible with a few mouse clicks, as Figure 1 shows.

WebEnforcer also scans your systems and lets you know which Microsoft hotfixes you should install. The software doesn’t provide links or information about these hotfixes, but it does provide the ID so you can download the appropriate hotfix. Unfortunately, with so many hotfixes available, you can spend a lot of time locating and applying the appropriate ones. Also, WebEnforcer will notify you only of the hotfixes it knows about. So, if you need WebEnforcer to keep tabs on the newest appropriate hotfixes, you will have to subscribe to HP’s SecurityUpdate service to let WebEnforcer know what the newest hotfix IDs are.

WebEnforcer includes several handy wizards to guide you through the process of performing common tasks. These wizards go a long way in speeding up monotonous jobs such as setting up custom security profiles and scheduling system scans.

Installation and Use
The WebEnforcer minimum configuration requires a system with a Pentium 200 processor, 64MB of RAM (HP recommends 128MB), and 10MB of hard disk space. You must also be running Service Pack 4 (SP4), IE 4, MMC 1.1, and Microsoft Data Access 2.1. All of these software components are readily available and posed no problems when I downloaded and installed them on my server.

For this test, I used a 550MHz Celeron with 96MB of RAM, SP6a, and IE 5.5. I didn't have any problems with performance or stability using this configuration. With 96MB of RAM, WebEnforcer took about 30 seconds to produce a report, but by adding more memory, the reports would finish in approximately half the time.

WebEnforcer installed quickly on my server without any problems. After WebEnforcer installed, the software ran a wizard to ask me which security profile I wanted to use. The wizard briefly described the properties of each security profile. I selected a security profile that provides a good level of all-around protection, without interfering with the general operation of the server. The profile included various registry fixes, IE lockdowns, and basic system security settings. The wizard let me name the security profile and then proceeded to scan the server and show me the vulnerabilities that the selected profile would correct, as Figure 2 shows.

The scan I performed identified more than 100 problems, ranging from simple password lockdowns to complex registry hacks. Using the software, I was able to click each security issue and read descriptions in plain English that explained what WebEnforcer would fix, why the program needed to correct the problem, and what the end benefit would be, as Figure 1 shows. These detailed descriptions were a welcome inclusion because WebEnforcer found a few problems that surprised me, and I was able to decide whether I needed to address these issues. The initial security profile scan lets you view which vulnerabilities are present; you can then have WebEnforcer fix all the problems or apply the fixes manually yourself.

After I completed the initial scan wizard, the software opened a standard MMC window. This approach might be problematic for some new users because the standard Help is just MMC Help and users can click around in areas that have no direct effect on WebEnforcer. One advantage to using the MMC, however, is that you can right-click the active security profile to view a short list of options that let you analyze the profile immediately (or specify when you want to analyze the profile) and configure alerts. You can also access the reports menu to see the time of the scan, what prompted the scan (e.g., console initiated or scheduled scan), and whether the scan succeeded or failed. You can also turn autocorrect on or off on an item-by-item basis. By default, most people will want to leave autocorrect turned on.

When I activated the compatible security profile, the system scanned it again to inform me of the items that it would fix. This scan took less than 30 seconds, and once I had given the OK to apply everything, the system applied the fixes in just a few seconds. Some fixes on the medium and high security profiles require a reboot so the changes can take effect. After I rebooted my system, I adjusted a few of the settings and analyzed the system again. WebEnforcer detected these new errors and automatically restored them to the profile's settings. I then switched from the compatible security profile to the default medium security profile and applied it. Again, I changed several of the settings, and WebEnforcer's security profile restored the settings without hesitation.

After I performed some outside attacks against my server, I realized that the system was prone to a Remote Data Service (RDS) exploit that can let malicious users infiltrate and deface a hosted Web site. You can address this problem with a few Microsoft patches and hotfixes (I had not applied these measures on my server at the time of my scan). You can also enable the included high security profile, although by default it disables too many services to be of any use. However, the server did repel a few Denial of Service (DoS) attacks via NetBus and prevented any unauthorized accounts or shares from being created, which helped prove WebEnforcer's mettle.

The Bottom Line
WebEnforcer is a good product for the money. The product performs security scans very fast, fixes problems even faster, and is very easy to use. The reporting function is good and provides enough information on problems and fixes. The level of detail and plain English descriptions on the various fixes are great features. To have to pay an extra fee for the security updates and product support is a bit iffy for me, but most companies that purchase this product will likely not flinch at any extra cost to keep the scanner current. Overall, I recommend WebEnforcer for anyone with one or more IIS or BackOffice servers to look after.

Praesidium WebEnforcer for Windows NT 1.1
Contact: Hewlett-Packard, 800-752-0900
Web: http://www.hp.com/security/products/webenforcer/
Price: $2995 for each license; $899 per year for HP's SecurityUpdate subscription service.

Decision Summary
Pros: Easy to install and quick to configure; included wizards made it easy to set up profiles; integrated online Help was solid; security issue descriptions included pros and cons in plain English; security profile scans and fixes were very fast.
Cons: Requires subscription-based update service to keep current (at an extra cost); monitors and fixes only the local server; no alternate OS support; vulnerable to a few known exploits that you can resolve by ensuring that you apply the appropriate hotfixes; standard MMC interface might be problematic for new users.