NetIQ SCM 5.7
Strengths: Solid feature set, risk-based scoring mechanisms to help prioritise remediation efforts
Weaknesses: May get pricey
Verdict: A good risk-based approach for managing known weaknesses in configurations, patches and other host-level vulnerabilities. Our Best Buy
The Secure Configuration Manager (SCM) combines client-server and web-based elements to help organisations manage workstation and server configurations. Its main component is a central administrative console that controls policy dissemination through software agents deployed to hosts running Windows, Unix, Linux and iSeries operating systems. Configuration management is also offered for Oracle, MS SQL, Sybase and other application systems.
The SCM server components are typically installed on Windows 2000 or 2003 and use an MS SQL 2005 database. Agents for individual hosts managed through SCM can be deployed by the console. Hosts can also be part of the reporting and monitoring process without an agent installed; they simply won't have policies pushed to them.
Compared with solutions that strictly push configuration files to network devices, SCM carries a bit more overhead from managing agents installed on Windows, Unix and other operating systems. Overall, however, the performance was good. SCM works by comparing known vulnerabilities and threats with the configuration of the managed assets in the environment. Baselines are checked against a series of regulatory requirements, best practice templates or your own policies. We liked SCM's solid number of features and that it is risk-based out of the box.
NetIQ's offering goes beyond a simple gap analysis of your assets and whether they comply with predetermined policies. The value is enhanced by the ability to weigh the importance of the asset within your environment. Reports are then generated with risk scores based on that criticality in order to aid remediation efforts and prioritisation of tasks when your assets appear non-compliant.
The documentation is adequate, but we would have liked to see a few more screenshots.
Pricing for SCM starts at £559 per server that reports through SCM and includes basic support. Overall we find that this is pretty good value for organisations that really struggle with compliance and configuration management across multiple platforms.