Handling Security the Right Way

Make security administration a breeze with this trio of Small Wonders Software tools.

Anyone who’s done any work with Windows NT or Windows 2000 will quickly realize that while setting security is easy, setting security correctly is not. Enter a trio of utilities from Small Wonders Software: Security Explorer, Secure Copy, and Enterprise Security Reporter. One of the first things that came to mind when I used the first two utilities was: Why didn’t Microsoft think to include tools like these in NT and Win2K? The Small Wonders tools are now part of my NT and Win2K network administration tool kits. Let’s take individual looks at these three utilities:

Security Explorer

Security Explorer is an Access Control List (ACL) editor. It allows you to quickly and easily grant, revoke, clone, search for, back up, restore, and export user and group permissions on the network.

Security Explorer not only allows you to explore and modify permissions on NTFS-formatted partitions, but also on shares and the Registry. And, assuming you have the correct permissions, you can perform all tasks on your network’s remote systems as well.

Security Explorer allows you to quickly and easily analyze your existing ACL permissions. (Click on image to view larger version.)

One of Security Explorer’s best features is its advanced search capability. How many times have we had to find out what permissions a particular user has on the network? With Security Explorer, this is as simple as clicking on the search button, selecting the directory, choosing the user in question, and clicking on the Begin Search button. Finally, Security Explorer extends Windows Explorer’s functionality by adding a “Security Explorer” sub-menu when a file or folder is right-clicked.

All in all, this is a great utility. One of the few complaints I have about Security Explorer is that when I’m using it, I feel like I’m in dialog box hell. It seems that at every click a new dialog pops up and asks for information. But maybe this is the only way Security Explorer can operate, considering the incredible amount of information you can set and request. If you ever need to easily control and modify your ACL permissions—and this applies to all NT/Win2K administrators—then this is the tool for you.

Secure Copy

If you’ve taken any of the NT MCSE exams, you remember having to learn what happens to ACL permissions when an object is moved within the same partition, moved to a different partition, copied within the same partition, or copied to a different partition. You may even remember that the only times ACL permissions are retained are when you move the objects within the same partition. Honestly, how many times did you want the permissions reset to the destination folder’s permissions? Many administrators spend hours configuring their systems with the right ACL permissions—only to be put in a situation where the work needs to be repeated when the files and folders are moved. Secure Copy, though, solves this problem.

Copying folders while maintaining permissions is a snap with Secure Copy.

When using Secure Copy to copy folders, you have the option to copy all files to the destination folder or only the files that have changed between the source and destination folders. A great feature of Secure Copy is that it can be used to back up sensitive folders to another location. Existing shares can be migrated from the destination server to a remote one. If you use the method Microsoft recommends for securing files and folders (users into global groups, global groups into local groups, and local groups are assigned the permissions), then you’ll like Secure Copy’s option for migrating local groups and users to the destination computer.

Because I come out of the DOS world, I like the fact that Secure Copy has a command-line version. This feature proves handy if files need to be copied using logon script batch files while maintaining the security settings.

Secure Copy (along with Security Explorer) will make your network administrative tasks that much easier. These should be given out with your “Welcome Kit” when you become an MCSE—every administrator should have them.

Enterprise Security Reporter

Enterprise Security Reporter differs from Security Explorer and Secure Copy. It’s a security reporting program geared toward larger enterprises as opposed to smaller installations, though it worked fine on my 10-server network, and it can gather all the necessary information to produce needed reports.

Enterprise Security Reporter allows you to perform three main tasks: analyze, query, and report on your network’s security configuration. Built around Seagate’s Crystal Reports tool, Enterprise Security Reporter collects network data by using one of two discovery agents; all data is available in real time. The centralized data-discovery agent is used for smaller installations, while the distributed data-discovery agent is used on the larger ones.

Enterprise Security Reporter offers complete network security reporting capabilities.

Because Enterprise Security Reporter stores its data in a SQL database (SQL Server is not required, however), you can query the database with your own custom requests. If you’ve ever been asked to create reports detailing your network and network security, you know this isn’t a manual task on even the smallest networks. I like this application because it delivers, as promised, reports requiring little tinkering.

About the Author

Barry Shilmover, MCSE+I, MCT, owns Shilmover Consulting Services, a Microsoft Solution Provider specializing in Windows NT/2000 and Exchange 5.5/2000 solutions. He has co-authored books that include Windows 2000 System Administrator’s Black Book and Exchange 5.5 Exam Cram, both from Coriolis Press.

Featured