Intact Enterprise 3.0
Check out this software tool for automatic detection and correction of changes that intruders make to your system.
December 14, 2000
Change-detection software for your Windows environment
Pedestal Software's Intact Enterprise 3.0 change-detection software helps systems administrators catch unauthorized changes to their critical servers and workstations by providing real-time system integrity checking and reporting. Intact is not a typical security scanner and fixer, but is more a tool you can use to maintain system security.
Features and Benefits
Intact Enterprise is the top-level product in the Intact lineup. The software provides real-time integrity, checks for standalone systems, and monitors services (such as Active Directory—AD). In addition, Intact Enterprise includes the ability to use database software to provide remote scanning functions to your other network workstations and servers.
Although you don't need a compliant database program to use Intact Enterprise, Intact does turn a database into a powerful network management tool. Intact can scan almost every element of your systems and includes support for Windows 2000, Windows NT, and Windows 9x; Linux; and Solaris—a big plus! Intact’s scanning features include monitoring system objects and files, registry keys, network shares, and user permissions. However, because of differences in handling various security and user implementations, Intact does not support all features for every OS.
To monitor your system, Intact features its Real Time Integrity checking engine, letting you schedule scans for any time of the day or week. Intact also provides a learning mode that you can set up to monitor the usage of a particular system. This learning mode helps you learn the kind of changes that are typical for your systems, and establishes a specific plan for each system.
Installation and Use
Pedestal recommends installing Intact Enterprise on at least a Pentium-class system with 32MB of RAM and 40MB of hard disk space. For testing Intact, I used a Celeron 550MHz system with 96MB of RAM running Windows 2000 Server. However, I recommend a minimum of a PII-266 and 128MB of RAM to get the most out of Intact. You want the most RAM you can get for this program—Intact's reports are lengthy. Also, if you set up the software to scan all or some of the registry, processing can take some time.
Installation was quick, similar to installing a standard Windows-based application—a few clicks and I was ready to configure Intact. The software let me choose between autoconfiguring what the software should monitor or running the wizard to set the configuration myself. I selected the configuration wizard. The next few screens let me choose enabling the Real Time Integrity checking function and the level of notification I required (e.g., email an account, post to the screen or to the event log, any combination of these). I then chose the features I wanted Intact to monitor (e.g., users, groups, file directories, registry keys, entries). I had Intact scan everything down to the last registry key.
If during setup you select autoconfigure (which Pedestal recommends for most users), Intact sets a baseline, gathering information about the changes on your system for the number of days you specify. Intact then monitors your system to ensure that it doesn't start flagging normal activities. After the installation, I ran into problems when I tried to install simple programs needed to change registry keys—proof enough that Intact was working. For example, I was unable to install most programs properly without Intact's intervening. (You can control this intervention according to your configuration needs.) With this type of diligence, Intact provides good protection against installation of back-door programs such as Netbus and Back Orifice. Also, Intact monitors your file directory structure and any changes to the security settings, restoring them based on the original settings.
Intact does not stop the changes from happening but lets them happen. When Intact performs the next scan, it compares the current system to a system snapshot and reports to the administrator what happened and which user performed the changes. The software changes the errant setting back to the original setting—the one shown when Intact performed its snapshot. If you are concerned about changes to the system, you should schedule scans regularly to ensure secure operation.
Once Intact was operational, I was able to run system scans at the click of a button. The initial system scan took 25 minutes, and subsequent scans took an average of 10 to 12 minutes to finish. The reports were well detailed and listed every item scanned, what was changed, and what was done to revert the changed item to its original state. The scan information was complete—more than enough to satisfy most reporting needs.
The Intact Control Panel, as Figure 1 shows, is easy to read and use, featuring everything required for basic functionality. Intact splits the display into three different programs: the Control Panel, the Intact Administrator, and the Intact Viewer. You can use Intact Administrator to connect Intact to an ODBC-compliant database program; this provides the ability for Intact to connect to workstations (with the provided client) and monitor changes. However, if you don't want to use this feature, you can simply set Intact to use a local output file. Intact Viewer lets you read and print scan reports, as Figure 2 shows. It would be far more convenient if Intact provided all the functionality of the different programs into one program or maintained continuity between applications. Each one looks a bit different, and this can be inconvenient.
Intact’s accurate client scanning of local systems and its configuration abilities (included by using a database application such as Oracle or SQL Server) provide a good level of scanning ability. Being familiar with database administration or design comes in handy because some configuration is necessary to fully appreciate the benefits of this component. However, once you configure the software, scanning and setting what items you want Intact to monitor on your clients is as easy as going into Intact Administrator and right-clicking the workstation you want. The client preferences screen gives you options similar to those in your initial server setup.
The product requires that you use the manual and also spend some time on the phone with Intact to work out issues with your particular configuration. The manual covers the product fairly well, providing an index of commands helpful to administrators using the ODBC features and applying a standard scanning model. However, the documentation lacks detail in the individual setup steps.
Customers interested in Intact Enterprise should contact Pedestal to discuss their needs and work out the best plan. Pedestal provides patches and free email support, but if a user calls and requires assistance that isn’t related to a glitch with the product, the company charges a $75 fee for each support incident. After the first hour, Pedestal charges an hourly fee. Users can purchase monthly and yearly support contracts, which may be a good idea for users with many systems that require tweaking, or with an unusual product such as Linux or Solaris.
The Bottom Line
Intact’s scans were of average speed, and the reports were good, providing just enough information to be useful. Intact not only provides comprehensive scanning options to monitor your entire system, the software also covers most major OSs on the market—a real bonus. Using a central ODBC database enables remote workstation scanning; however, it requires extra time and experience to configure workstations competently. Because of this, Intact Enterprise needs to improve its ease of use, and Pedestal will do well to move toward an integrated program that includes all required components in one application. Even given Intact Enterprise's somewhat steep learning curve, systems administrators will find the product's scanning abilities thorough and up to the task of keeping a system safe from unwanted changes. Intact Enterprise does its job well; however, I wouldn't recommend the product for every environment. Whether it will do the job for you depends on your site's needs. To assess your needs for the product, contact Pedestal and tell them your requirements.
Intact Enterprise 3.0 |
Contact: Pedestal Software; 1-888-664-7174; Web: http://www.pedestalsoftware.com/intact/index.htmPrice: 3-license bundle starts at $1495 and goes up to 100 licenses for $6995; support prices vary according to your needs.Decision Summary:Pros: Solid reporting; thorough system-change detection; support for most major OSs; ability to scan and reset changes to workstation clients; helpful manual included.Cons: Initial setup and maintenance might be difficult for new users who require remote workstation monitoring; some database administration experience for optimum software performance; scans can take a while, especially on slower servers. |
About the Author
You May Also Like