Intrusion detection and audit trail security software

Blue Lance, a long-time security software developer, has released Version 7.0 of LT Auditor + intrusion detection software for Windows 2000, Windows NT, and NetWare. LT Auditor + reports on system events, using Event Log data to help identify possible security intrusions. LT Auditor + is not a vulnerability scanner or security auditing tool; it complements an already secured system by adding a layer of monitoring to it.

Features and Benefits
LT Auditor + features cross-platform integration between NT and NetWare, allowing centralized administration of auditing and reports. By eliminating multiple points of administration, the software gives systems administrators more time for other duties.

Generating reports based on the event logs of your NT systems is the backbone of LT Auditor +. Typical NT event logs are cryptic, providing only basic information. LT Auditor + collects information based on your settings and passes the data to the reporting module, which provides easy-to-understand, detailed reports.

The Alert Console adds system security by working with the data that NT and LT Auditor + collect to provide real-time alerts that notify administrators of possible system security and data integrity compromises. LT Auditor + works seamlessly in the background and provides a remote installation utility to push the software out to your NT network so that you don't have to touch every workstation and server.

Although the software works best for monitoring servers containing highly sensitive data, LT Auditor + is also a troubleshooting tool you can use to track activity by errant users or system administrators. Large institutions, government agencies, and banks can use LT Auditor + to record actions that must comply with specific industry standards or to track intruders.

Installation and Use
Blue Lance recommends that you install LT Auditor + on at least a 166MHz Pentium system with 64MB of RAM and approximately 400MB of disk space for the reporting server, and on a 166MHz system with 64MB of RAM and 80MB of disk space for the clients. LT Auditor + for NT runs on any NT 4.0 system with at least Service Pack 4 (SP4) installed. LT Auditor + also works with Win2K Pro and Win2K Server. To test LT Auditor +, I used a 450MHz AMD K6-2 system with 128MB of RAM running Win2K Server, and I had no performance issues running the software. I experienced no system slowdowns even when LT Auditor + performed a background consolidation for the reporting module, which can take a few minutes for information-packed logs. Because LT Auditor + uses a standard Windows installer interface, installation completed quickly. I had no problems loading the software onto my server. I did need to configure the NT audit features for the items I wanted monitored in User Manager and Windows File Explorer. If you haven't performed this simple task yet, read the tips and directions in the LT Auditor + manuals on how to configure these functions.

LT Auditor + consists of three components: Scheduler Console, Alert Console, and Report Generator. Using Scheduler Console, which schedules scans of your local or remote systems to gather information, is fairly easy. On opening Scheduler Console, you have four choices: Archive, Consolidation, Deletion, and Transfer. Archive scans the event logs to gather the raw information for LT Auditor +. After you complete the archive scan, you run Consolidation to format the information for the Report Generator. You run Deletion to clean up files on your server and on any remote clients you've installed. Transfer sends the consolidated information from the remote clients to the reporting server. The software's interface is simple; the four different jobs are listed at the left, and the scheduled jobs are listed at the right, as Figure 1 shows. You can schedule jobs for any time of day, and you can modify or delete the jobs at any time. However, using Scheduler Console to set up multiple jobs can be tedious because you must set up each job item every time, duplicating the work. Blue Lance should streamline this task by incorporating some of the functions into one wizard to simplify repetitive jobs. Otherwise, you'll find Scheduler Console easy to use.

Alert Console lets you determine which events will cause the software to alert the systems administrators. Alert Console uses SNMP or the NT Messaging Service. You can configure Alert Console for almost any occurrence LT Auditor + encounters when scanning either the local system or data gathered from remote systems. Setup couldn't be easier. Simply click the New Filter icon and choose which system or administrative items you'd like the software to monitor for a particular system, as Figure 2 shows. You can complete customization when you apply audit trail policies on various systems that might require more or less tracking.

Report Generator is possibly the most important component of LT Auditor +. You can install this component separately on any system, but choosing the main data collection server as the point of installation is best. In addition to using Report Generator to create reports for such categories as file activities, logging in and logging out, and NT administrative events, you can also choose from the numerous sub-items under each category. Containing a host of NetWare reporting functions, Report Generator provides easier report consolidation for administrators who have both NT and NetWare networks. However, the NetWare options are always available regardless of whether you want them, and I found this approach a bit annoying when working with NT because of the many functions, reports, and options for both OSs, as Figure 3 shows. Also, the NT report doesn't have file, user, or server activity graphs, as the NetWare report does; this feature would be useful for NT administrators preparing reports for executives who have limited time available.

Other than these minor issues, LT Auditor + provides a reporting module that can prepare reports about what's happening for any aspect of system activity that you want to monitor. LT Auditor + can even use its reporting function to provide IT departments with basic software troubleshooting abilities. Simply assign auditing to a particular program folder, and if the program you are using stops working, run a report to see whether someone might have deleted a critical software component. Once you select the items you want in your report, run Report Generator for a professional-looking document containing detailed but easy-to-read information, as Figure 4 shows. The document is displayed in its own reporting window, and you can print or save the document to view later. Even if you have a lengthy report, Report Generator completes it quickly, depending on which items you include. The longest report I generated was six pages, and it took about 10 seconds; single-page reports finished in a couple of seconds.
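To make the archive, consolidate, report and alert workflow the review describes concrete, here is an added Python example (not LT Auditor + code) that categorizes a constructed NT Security log export the way the Report Generator categories do, then applies two Alert Console style filters: a deletion in a monitored program folder and repeated failed logons. The CSV layout, user names and folder path are assumptions for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed export of an NT 4.0 / Win2K Security log (hypothetical rows).
# Columns: timestamp, event ID, account, detail. The IDs are the NT ones:
# 528 logon, 529 failed logon, 538 logoff, 560 object open, 564 object
# deleted, 612 audit policy changed, 624 user account created. The detail
# field is simplified; real 564 events carry a handle ID rather than a path.
RAW_LOG = """\
1999-11-02 08:01:12,528,jsmith,Logon Type 2
1999-11-02 08:03:40,560,jsmith,C:\\Apps\\Payroll\\payroll.exe
1999-11-02 08:05:02,529,guest,Logon Type 3
1999-11-02 08:05:09,529,guest,Logon Type 3
1999-11-02 08:05:15,529,guest,Logon Type 3
1999-11-02 09:12:33,564,admin2,C:\\Apps\\Payroll\\calc.dll
1999-11-02 09:30:00,624,admin2,New account: tempuser
1999-11-02 09:31:10,612,admin2,Audit policy changed
1999-11-02 17:00:00,538,jsmith,Logoff
"""

# Report categories named in the review, mapped to the event IDs behind them.
CATEGORIES = {
    "file activity": {560, 564},
    "logon/logoff": {528, 529, 538},
    "NT administrative": {612, 624},
}

def consolidate(raw_log):
    """Archive + Consolidation: parse raw rows and tag each with a category."""
    records = []
    for ts, eid, user, detail in csv.reader(StringIO(raw_log)):
        eid = int(eid)
        cat = next((c for c, ids in CATEGORIES.items() if eid in ids), "other")
        records.append({"time": ts, "event_id": eid, "user": user,
                        "detail": detail, "category": cat})
    return records

def build_report(records, category):
    """Report Generator: per-account event counts for one report category."""
    return dict(Counter(r["user"] for r in records if r["category"] == category))

def alerts(records, monitored_folder, failed_logon_limit=3):
    """Alert Console filters: a delete under the audited folder, and an
    account reaching the failed-logon limit (fires once, at the limit)."""
    out, failed = [], Counter()
    for r in records:
        if r["event_id"] == 564 and r["detail"].lower().startswith(monitored_folder.lower()):
            out.append(f"{r['time']} {r['user']} deleted {r['detail']}")
        if r["event_id"] == 529:
            failed[r["user"]] += 1
            if failed[r["user"]] == failed_logon_limit:
                out.append(f"{r['time']} {failed_logon_limit} failed logons for {r['user']}")
    return out
```

Running `alerts(consolidate(RAW_LOG), "C:\\Apps\\Payroll")` flags the guest account's third failed logon and the deletion of calc.dll, which is the kind of finding the review suggests checking when an audited program stops working.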

A word on the ability to remotely install LT Auditor +: I was able to test this function, but I had to do some fiddling to get it to work. I doubt now that the software was the source of this problem, but rather it was because I had my network set up as a workgroup and not a domain. Even though LT Auditor + states that it works on both, a domain would make a smoother deployment. One nice feature of the remote deployment is that it isn’t domain or workgroup specific—it can install to any system in your network in any workgroup or domain that you have the rights to access.

The Bottom Line
As I tested LT Auditor + initially, I wasn't sure what to expect. At first, the software looked like a glorified event log analyzer, but when I came to the Report Generator, I found the real value in this product. The sheer volume of information that users can glean from the reports makes LT Auditor + a valuable purchase for any system where monitoring is critical. On the downside, I did find it annoying to have all the Novell options available in the Report Generator but not available for NT; some of those missing options could be useful. Also, having to process each of the three steps manually to get the final report is time consuming; there should be a way to consolidate or automate this process.

I recommend that you combine LT Auditor + with a security-scanning utility for optimum computer detection security. When LT Auditor + isn’t generating alerts about possible computer intrusions, you can use the software for system troubleshooting and for monitoring users. For its price, LT Auditor + is a worthwhile purchase.

Blue Lance LT Auditor +, 7.0
Contact: Blue Lance, Inc., 1-800-856-2583
Web: http://www.bluelance.com
Price: Prices vary based on the number of server licenses required; prices start at $1,695 for a single server and go up to $1,695,000 for 1000 server licenses; client licenses cost $15 each; annual maintenance and support costs are extra and are required for enterprise licenses; discounts are available for volume purchases.
Decision Summary:
Pros: Simple setup; strong reporting module; supports Win2K, NT 4.0, and NetWare; remote installation eases large deployment burdens; works seamlessly in the background.
Cons: NetWare reporting functions are not optional; not all reporting functions are available for NT; too many steps required for generating reports.