Defining, monitoring and enforcing Windows system configuration has become the collective oil that helps keep installation, maintenance and support processes running smoothly. Not to mention what it does to ease your Sarbanes-Oxley compliance headache.

With its intuitive interface, great flexibility and automatic compliance functionality, Configuresoft's Enterprise Configuration Manager (ECM) Version 4.5.2 is one of the best Windows-centric programs we've tested (and there's now a Unix/Linux version too, offering much of the same functionality). It earns our Recommended designation.

While its roots are in traditional desktop configuration, ECM now hones in on policy management and compliance by collecting and correlating information from servers and workstations and taking action when they are out of compliance with the defined policy.

ECM uses an agent-based collection mechanism. The agents are pushed out to the Windows machines via a process the management console facilitates.

The three-tier ECM server architecture consists of the collector, a database and console. The collector manages gathering and analysing data the systems collect.

What we did
We installed ECM 4.5.2 on a Windows 2003 Server (2GHz, 2GB RAM) running IIS and SQL Server 2000, all fully patched. We installed ECM agents on five Windows systems, running default installations of Win 2000 Server, Win 2000 Professional, Windows XP Professional and Win 2003 server.

We modified audit settings, password policy and directory settings on the Win 2000 Server. We set them as a mandatory compliance policy and set e-mail alerts on systems not in compliance with our defined policy. We then changed the settings directly on the computer and confirmed ECM alerted us to the non-compliant system and changed the setting to its correct value. For the remaining systems, we enforced the SANS Security Windows template on the default installations.

We installed Office on the Win 2000 Professional system and ran the "Software Installation over Last X days" report to confirm it collected data from the system on new software installations. We also ran the change log report to confirm the changes made to the Win 2003 Server system, which included all the configuration changes required to enforce the SANS template.

The console is a four-module, Web-based management program that provides access to all of ECM's features. The console module provides access to the raw data the managed systems collect. The compliance module shows the rules and reports supported for setting policy. The reports module provides templates to view system information, driven by a Crystal Reports engine. The administration module provides all the ECM configuration settings, such as agent installation and user management.

Simple install process
The ECM engine installation had minimal issues. Installing the agent software out to the managed systems is a simple process that takes only a few mouse clicks. Once the agents are installed and data collected, ECM is ready for use. By default, ECM uses Distributed Component Object Model for agent communications. HTTP communication is a second option. We would like to see Configuresoft upgrade these communications to support more secure protocols such as Secure-HTTP (HTTPS).

Using the console module, administrators can directly change configuration settings for individuals or groups. A few of the settings ECM manages include Windows users and groups, Windows NT File System audit settings, NTFS directory permissions, installed Microsoft hot fixes and registry key permissions.

One of the best features of ECM is its auto-compliance functionality. Administrators can set a baseline configuration that all systems must follow. If a system comes online out of compliance, or if someone makes a manual change while it's online, ECM enforces the required settings and leaves a full audit trail. ECM is detailed in its ability to look at registry key permissions, file permissions, password settings and patch levels, and then take corrective action if the administrator has set it to do so.

While the automatic compliance feature makes configuration changes, if you want to tie in patch deployment, you need to use Configuresoft's Security Update Manager add-on.

We set required policy settings on our Windows 2000 Server, including password policy and NTFS directory permissions. We changed the settings on the server to be out of compliance and ECM changed the settings back to the compliance configuration immediately after its next scheduled check. We also received an e-mail alert we set up to receive if a system was out of compliance. We also could have configured ECM to send an SNMP trap or write to the event log.

Templates and polish
ECM's components, including policy templates and individual rule settings, are flexible and customisable. Out-of-the box, ECM includes pre-defined best practices for operating systems and key infrastructure applications such as SQL Server, Exchange and IIS. It also includes a compliance template for the SANS Securing Windows Guide. Every rule and template can be modified. We applied the SANS template to our default Windows installations to configure the systems

ECM's polish lies in its Web console. The layout, colour scheme, icons and workflow work together to make the user experience an excellent one. With the level of detail available in ECM, you might think that the console could get overloaded quickly, but the user interface designers have done an excellent job preventing the user from feeling overwhelmed by information. We'd like Configuresoft to bump up the security a notch by having the Web console use HTTPS communications by default between it and the administrator's machine.

ECM's reporting is flexible, customisable and detailed. Reports can be generated that show which systems are not in compliance with a single setting, a pre-defined template or custom policy. Reports can be generated on what actions have been taken to enforce policy settings.

For managing Windows systems configuration and automating policy enforcement, we haven't found a better product. The ease-of-use and flexibility of ECM provides the means to deploy a secure, self-sustaining Windows infrastructure.

OUR VERDICT

We haven't found anything better for managing the configuration of Windows systems and automating policy enforcement.