Keeping Systems in Check

By eweek  |  Posted 2006-05-01

Keeping Systems in Check

Configuresofts Enterprise Configuration Manager 4.8 is a well-conceived, very usable configuration management tool that tracks myriad data points from hundreds or even thousands of servers, workstations, desktops and laptop systems. With its roots in the Windows world, however, ECM 4.8 is most appropriate for use in Microsoft shops.

Click here to read the full review of Configuresofts Enterprise Configuration Manager 4.8.


Configuresofts Enterprise Configuration Manager 4.8 is a well-conceived, very usable configuration management tool that tracks myriad data points from hundreds or even thousands of servers, workstations, desktops and laptop systems. With its roots in the Windows world, however, ECM 4.8 is most appropriate for use in Microsoft shops.

Since the last time we looked at ECM, in 2003, the product has gained crucial support for Unix and Linux operating systems. Version 4.8 also offers report templates that will make it easier to track infrastructure compliance with several key regulations, including Graham-Leach-Bliley, Sarbanes-Oxley and HIPAA (Health Insurance Portability and Accountability Act).

The product also offers reports for industry best-practice and audit guidelines, including FISMA (Federal Information Security Management Act).

Configuresoft aims to ease compliance. Click here to read more.

Given the broad reporting capabilities and clear insight ECM provides to both IT and business managers via these reports, eWEEK Labs has awarded the product an Analysts Choice designation.

Operations Tool

ECM 4.8 is definitely a network operations tool. It excels at tracking server, workstation and laptop configurations, along with basic information about network infrastructure. ECM 4.8 does not track application performance, nor does it provide real-time change reports. This means that reports are only as good as the most recent data collection.

During tests at eWEEK Labs, we were able to create sophisticated reports that showed exactly what changes were happening in our devices—down to the least significant registry modification. We ran the reports daily, but its possible to run reports as frequently as every hour. (Reports for critical infrastructure can be run as frequently as every 15 minutes.)

ECM 4.8 is an agent-based system, so we could configure our reports to show only the delta between collections. This significantly reduces the load on monitored systems CPUs as well as on network bandwidth. Pinpoint delta changes are one advantage of using an agent-based collection system rather than probing with agentless processes.

Some competitors, including Symantecs Veritas Configuration Manager (formerly Relicores Clarity, which Symantec acquired in February), track real-time application and server changes.

And Managed Objects Business Service Configuration Manager uses agentless service discovery, along with existing data repositories and other discovery tools, to create a configuration management database. Business Service Configuration Manager also accepts real-time data from other IT management tools.

The accuracy of information provided by the Configuresoft ECM agent, as well as the products focus on managed server and workstation configurations, will be worth the price of running daily reports to ensure the most up-to-date collection of change data.

However, we think it would be a worthwhile investment for Configuresoft to endow the ECM agent with the ability to sense configuration changes and push that data to the collection server. This would do a lot to boost ECMs stature as a security-monitoring tool.

Click here to download a podcast about the security aspects of configuration management database tools.

Given ECMs deep roots in Windows management, Version 4.8 would work best for IT managers who have to keep tabs on a variety of mostly Windows systems but also must watch over Unix, Red Hats Red Hat Linux and Sun Microsystems Solaris systems. ECM 4.8 monitors any of those operating systems running on either desktops or laptops.

ECM 4.8s deepest and most advanced reporting, though, is for Windows systems. In fact, every area of ECM 4.8s operation—from agent deployment to data collection to the number and sophistication of monitored configuration parameters—is geared to Windows data center operations.

For example, the ECM Collector, the hub of ECM 4.8, runs only on Windows Server software. ECM also requires Microsofts SQL Server.

To get the most out of the package, database managers will also need to install Microsofts SRS (SQL Server Reporting Services).

It was no big deal to add SRS to our SQL Server 2000 installation, and the SRS module supports the new compliance reports that are available for ECM 4.8.

Next Page: Data drill-down.


Data Drill-Down

With any CMDB (change management database) system, the amount of data collected is prodigious, and ECM 4.8 is certainly no shirker in this regard.

During our weeklong tests with a relatively small number of systems, we were easily able to collect megabytes of data. ECM 4.8 sizing guides indicate that IT managers should provide for at least 1TB of storage for daily collections on 100 systems with data stored for one year.

This is where the ability to gather specific data through the reports becomes a real benefit.

Content-addressed storage can ease compliance burdens, but the technology is too closed off. Click here to read more.

During tests, we added the new compliance reports. The reports cover nearly all major regulatory bodies that business managers need to satisfy during an audit, and they will make it much easier for IT managers to provide the kind of data that makes business-line managers sleep easier.

All told, the compliance packs, which are available at no additional cost to Configuresoft customers with active support contracts, are good basic templates that will ensure that systems are correctly configured. We looked at all the available compliance packs.

After getting our entire data collections fine-tuned—for example, by removing several configuration measures, such as the last time a user account password was changed—we started looking at the compliance reports.

The basic process was the same for each of the tool kits. First, we opened what are called Rule Groups, which define the base-line parameters that should be evaluated and the machines against which the rule sets should be run.

We then used predefined templates to generate reports that showed how our systems measured up to the regulatory requirements.

For example, we found that our RHEL (Red Hat Enterprise Linux) ES 3.0 server was configured quite closely to Defense Information Systems Agency controls for security hardening. (The most recent version of RHEL ES, 4.0, will be supported in a future version of ECM, according to Configuresoft officials.)

In contrast, our Windows Server 2003 system had 487 parameters (70 percent of the 692 conditions evaluated) that needed to be tweaked to bring the system up to snuff with DISA regulations.

We were able to run the compliance tool kit reports against the SQL Sever database for all our systems and generate useful reports. All the compliance tool kits are supplied for Windows and the Unix and Linux operating systems that ECM 4.8 can monitor.

Here, too, we could see how ECM 4.8 will be of most use to Windows shops. For example, the software provides a variety of security posture reports for all the operating systems it supports, but it does the best job of monitoring Windows systems with a report that specifically tracks the stringent requirements of the MSS (Microsoft Security Standards) Baseline and Hardening guidelines.

Next page: Evaluation Shortlist: Related Products.

Page 4

BMC Softwares Atrium Configuration Management Database Focused on IT Infrastructure Library guidelines and covers the entire IT infrastructure (

Managed Objects Business Service Configuration Manager Uses agentless service discovery, which can significantly reduce the load on the managed system between polling periods (

Symantecs Veritas Configuration Manager Formerly Clarity from Relicore, Veritas Configuration Manager focuses on keeping abreast of changes in real time (

Technical Director Cameron Sturdevant can be reached at

Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.

Rocket Fuel