A bare-bones security scanner

Every administrator wants a security scanner, and rightfully so—this tool saves you time and money and simplifies securing your system. However, not all security scanners offer the same functionality, so you must choose the right one for your network. If your network contains only Windows NT systems and doesn't include remote subnets that require remote security scanning, then perhaps Harris' STAT 2.0 security scanner is the tool for you.

Using STAT
Installing STAT is easy: I provided the software with a serial number, installation path, and Start menu folder name, and the product was ready to go. The software's user interface (UI), which Screen 1 shows, has three sections: an informational display at the top, a treeview of network objects in the left pane, and a window that displays scan results in the right pane. The UI also provides speed buttons that launch a variety of tools, such as regedt32, User Manager, and Windows Explorer.

Although the UI's treeview is useful, the view's labels are misleading. STAT labels the top level in the tree as NET and labels each Windows workgroup or domain as SUBNET. But workgroups and domains aren't subnets, so the labels are confusing. In addition, although STAT can't scan Windows 9x systems, the left pane lists your network's Win9x systems. Omitting these systems from the treeview would save administrators some confusion.

To perform a scan, I selected the machine I wanted to scan in the left pane, then clicked Host Analysis. (To scan multiple machines, select all of them in the left pane, then click Host Analysis.) STAT took about 15 minutes to perform a full scan of an NT Workstation 4.0 Service Pack 5 (SP5) system, and it spent the majority of that time completing one remote procedure call (RPC)-related test.

After STAT finished scanning, I reviewed the list of vulnerabilities that the software discovered. Clicking an item in the right pane displays a dialog box that provides the vulnerability's details, including instructions about how to fix the problem. If you have administrator permissions, you can click Auto Correct in a vulnerability's details dialog box, and STAT will adjust your system's configuration to strengthen system security. However, this action doesn't cause STAT to simultaneously correct all problems. You must view each vulnerability individually and click Auto Correct to fix each problem. On my test workstation, STAT discovered dozens of problems because I intentionally leave that machine in a default configuration for testing purposes. Manually correcting each problem that STAT discovered took a considerable amount of time even with the autocorrect feature at my disposal. Harris could easily incorporate a batch function option that simultaneously corrects all problems for multiple machines.

After testing STAT, I discovered that the product relies on Windows API calls to detect network systems. Although this setup works fine, it limits the product's functionality because API calls detect only machines that listen to NetBIOS traffic. Thus, STAT perceives LAN systems but doesn't detect systems on remote networks unless those systems make themselves known through the domain controller.

To help you get started and guide you through any problems, Harris ships STAT with a document that serves as an adequate quick-start guide. The software's online Help is sufficient and offers enough information that I didn't have any trouble using the product. My tests went smoothly, and I had no reason to call Harris' technical support.

STAT Reporting
STAT lets users run comparisons against two scans of the same machine, which helps bring into view any problems that remain on a particular system. Otherwise, STAT's reporting capabilities are mediocre. The product ships with a basic report writer that provides four report types: Executive Summary, Network Summary, Vulnerability Summary, and Detailed List. These reports offer only a basic overview of STAT's findings. To view specifics about a system that STAT scanned, you must click the system's vulnerability in the right pane of the software's UI. STAT offers a Detailed List report, but this report is basically a processing log for the software. STAT doesn't provide a way to print vulnerability descriptions or their remedies.

STAT reporting needs work, which becomes clear when you compare STAT's reporting capabilities with those of competing products such as WebTrends Security Analyzer. STAT should be able to print details regarding any detected vulnerability as well as instructions to remedy the problem. Harris needs to incorporate the data that STAT provides in its UI into a printable report.

Few Bells and Whistles
STAT is a bare-bones scanner that provides few bells and whistles. The product's vulnerability database contains more than 650 security checks. However, STAT doesn't provide an automated checking system to detect new vulnerability updates. Although you can download these updates from Harris' Web site, the lack of automated updates is a significant shortcoming—especially considering the rapid rate at which users are discovering new security problems. Another shortcoming is STAT's inability to assess Win9x systems' security. Few companies run only NT networks, so this lack of Win9x support is a considerable limitation.

Not Bad, But No Cigar
STAT is a decent product for use on pure NT networks, and at $2995 per user, STAT is fairly cost effective. However, the software needs some polish and additional features. At press time, Harris released STAT 3.0. The new version sports improved reporting, scanning by host name or IP address, and greater flexibility in scan configurations.

STAT 2.0
Contact: Harris * 888-725-7828
Web: http://www.stat-harris.com
Download site: http://www.sunbelt-software.com
Price: $2995 per user
DECISION SUMMARY:
Pros: Easy to learn and use; automatically corrects some security problems
Cons: No automated updates; reports lack depth; scans only local networks