Penetration Testing mailing list archives

Re: [PEN-TEST] ForixNT, the NT Audit Toolkit


From: H Carvey <keydet89 () YAHOO COM>
Date: Thu, 31 Aug 2000 22:10:44 -0000

> I should have elaborated, there seems to be no autofix or reports; the examples of what is audited seem limited in comparison to the likes of STAT and SecurityExpressions. That being said, we had a long conversation at work; I didn't realise that it was open source, a real bonus in my opinion.


ForixNT is a toolkit more so than a static product.  The purpose of ForixNT and its design is to provide the NT admin with the flexibility and extensibility needed in today's environments.

ForixNT is aimed not only at NT admins, but consulting organizations, as well.  The members of the ForixNT team all have experience as security consultants, and none has ever visited a site that did not have NT.  While there are many tools available that perform network-based scans of systems (and do a very comprehensive job) of both NT and Un*x systems (SAINT, SARA/TARA, Nessus, to name a few), none of them performs as comprehensive a job in auditing NT as ForixNT.

You're absolutely right...ForixNT has no full-blown reporting capability.  ForixNT is comprised of modules that collect specific information.  It's the modular nature that gives the toolkit its flexibility.

> That being said, I have been looking at agentless NT scanners for a while now; the main contenders seem to be SecurityExpressions and STAT. In addition, ISS Internet Scanner will allegedly scan a host if presented with an admin account.

While ForixNT's main purpose is that of an agentless scanner, it is more of a toolkit.

> STAT and SecurityExpressions will do similar; you can group machines of a particular type, i.e. you can audit workstations to one ruleset, servers to another.

You can do the same with ForixNT.  In fact, you can completely configure scans based on the type of system.  This is covered in the HTML documentation that comes with ForixNT.

> Without autofix, can you ensure compliance? You can observe compliance and recommend changes.

ForixNT is a toolkit, and is marketed as a service.  The ability to perform fixes, based on any criteria, is additional...and yet, still less expensive than most commercial scanners.

ForixNT is packaged this way for a reason.  The base ForixNT, which is used to collect information, is inexpensive, and easy to use.  For the price, the NT admin can audit any number of systems, as many times as he or she wishes...there are NO licensing limitations based on numbers of machines.  Including the update capability would have increased the size and cost of the base package, and we made the business decision not to do so at this time...it's separate.

As yet, we have not received feedback from any ForixNT user regarding this packaging structure.
 
> STAT and SecurityExpressions will do similar. Included with SecurityExpressions are the US Navy audits for workstations, servers and domain controllers, and a SANS audit.

By these, I guess you are referring to the configuration guides.  If so, we do not provide those due to legal issues of providing them in a for-pay package...we decided not to pursue licensing or consent.
> Moreover, the autofix feature will ensure an exact compliance throughout your enterprise.

With the update capability added to ForixNT, this is rather simple.  In fact, you can not only roll out updates to the Domain Account Policy and Audit Policy (for example), based on Workstation, Server, or DC...but an NT admin can configure the updates any way she pleases...so that the workstations in Finance, for example, get a slightly different policy update than those in Payroll.

And maybe I'm missing something...but how does an autofix feature ensure "exact compliance"...perhaps more importantly, what do you mean by "ensure an exact compliance"?

> STAT also gives a fuller analysis of the vulnerability and grades the significance of the vulnerability.

ForixNT is a policy-based security management tool.  One thing we disagreed with is the arbitrary designation of what constitutes a "vulnerability" and its "severity".  Most, if not all, commercial tools have no place to enter firewall locations and rulesets, addressing schemes, location and number of DNS servers, etc...all security concerns.  So rather than arbitrarily deciding what a "vulnerability" is, we made the decision to pursue policy-based security management (which is explained in a paper...that was presented at Usenix...at the ForixNT web site).

This is why we feel that ForixNT is such a powerful toolkit.  Yes, the main script that drives the ForixNT toolkit is command line, but it's a place for admins to start.  We are currently compiling feedback from ForixNT users in developing a GUI...a GUI can be very limiting if designed incorrectly.  Our entire goal from the beginning has been to NOT pigeon-hole NT admins into just one way of doing things.

H. Carvey
Lead Developer, ForixNT
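The thread above contrasts auditing "workstations to one ruleset, servers to another" (with per-department refinements such as Finance vs. Payroll) and "observing compliance and recommending changes" rather than autofixing. The following is an added illustration of that policy-based evaluation model, not ForixNT's own code: the settings, rulesets and host inventory are constructed for the example and are not a published baseline.

```python
import operator

# Baseline ruleset per system type: setting -> (comparison, required value).
# Values are constructed for this example, not a published baseline.
POLICY = {
    "workstation": {"MinPasswordLength": (">=", 8),  "LockoutThreshold": ("<=", 5),
                    "AuditLogonEvents": ("==", "Success,Failure")},
    "server":      {"MinPasswordLength": (">=", 10), "LockoutThreshold": ("<=", 5),
                    "AuditLogonEvents": ("==", "Success,Failure")},
    "dc":          {"MinPasswordLength": (">=", 12), "LockoutThreshold": ("<=", 3),
                    "AuditLogonEvents": ("==", "Success,Failure"),
                    "AuditPolicyChange": ("==", "Success,Failure")},
}
# Group refinements layered over the role baseline (the Finance vs. Payroll idea).
OVERRIDES = {("workstation", "finance"): {"MinPasswordLength": (">=", 10)}}
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


def policy_for(role, group=None):
    """Effective ruleset: role baseline with any (role, group) override applied."""
    return {**POLICY[role], **OVERRIDES.get((role, group), {})}


def check_host(role, settings, group=None):
    """Compare collected settings to the ruleset; return [(setting, actual, expected)].
    A setting that was not collected is reported too: 'unknown' is not 'compliant'."""
    findings = []
    for name, (op, want) in policy_for(role, group).items():
        actual = settings.get(name)
        if actual is None or not OPS[op](actual, want):
            findings.append((name, actual, f"{op} {want}"))
    return findings


def audit(inventory):
    """inventory: {host: (role, group, settings)} -> recommended changes per failing host.
    Observe-and-recommend only; nothing here modifies a host."""
    report = {}
    for host, (role, group, settings) in inventory.items():
        findings = check_host(role, settings, group)
        if findings:
            report[host] = [f"set {n} to {e} (currently {a})" for n, a, e in findings]
    return report


# Constructed sample, as if collected from three hosts by an agentless scan.
COLLECTED = {
    "FIN-WS01": ("workstation", "finance", {"MinPasswordLength": 8, "LockoutThreshold": 5, "AuditLogonEvents": "Success,Failure"}),
    "PAY-WS01": ("workstation", "payroll", {"MinPasswordLength": 8, "LockoutThreshold": 5, "AuditLogonEvents": "Success,Failure"}),
    "DC01":     ("dc", None, {"MinPasswordLength": 14, "LockoutThreshold": 3, "AuditLogonEvents": "Success"}),
}
```

Running `audit(COLLECTED)` flags FIN-WS01 only because of the Finance override, and DC01 for both a wrong audit setting and one that was never collected; PAY-WS01 is compliant with the plain workstation ruleset.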

