SekChek Logo
ABOUT SSL CERTIFICATES  
 
 
            
  Frequently Asked Questions    
     
   

Go to answer Who uses SekChek?
Go to answer How can SekChek help with our compliance efforts, such as SOX and HIPAA?
Go to answer Can I pre-authorise Token Requests?
Go to answer What platforms does SekChek run on?
Go to answer What impact will SekChek have on my system?
Go to answer Where do SekChek’s Industry Averages come from?
Go to answer I heard SekChek can measure security against various standards. Tell me more!
Go to answer Can SekChek compare security over time and system?
Go to answer Can SekChek produce an audit trail of changes since the previous scan?
Go to answer Can we exchange encrypted email (S/MIME, SSL or TLS) with SekChek?
Go to answer How secure are the encrypted SekChek files & reports?
Go to answer Tell me about your subscription service!
Go to answer What payment options are available?
Go to answer Does SekChek support charities?
Go to answer What are your plans for SekChek?
Go to answer What is the difference between the Client software, Extract software & Processing Engine?
Go to answer What are the differences between the SekChek Classic tool and the SekChek Local tool?
Go to answer What are the copyright restrictions on the software?
Go to answer Can SekChek analyse Registry keys and NTFS permissions?
Go to answer What are the minimum hardware and software requirements to run a SekChek Local Scan?
Go to answer What is the largest system analysed by SekChek?
Go to answer Does SekChek provide other security tools and utilities?

  
       
  Common Problems  
   

Go to answer Why can't the Encrypt function 'see' my Extract files?
Go to answer Error: 'SekChek's digital certificate is expired or damaged' when you enable PKI features
Go to answer Error: 'Setup fatal error: Unable to generate installation log file' when installing the SekChek software
Go to answer Error: 'The Page Cannot be Displayed' when I open SekChek's Help file (sekchek.chm)
Go to answer Error: 'NTVDM encountered a hard error.' when executing the Windows Extract software

  
       
   
 		  
   

Go to top Who uses SekChek?

The names of specific clients are confidential. However, users of SekChek include major organizations in banking & insurance, airlines, mining, manufacturing, retailing, shipping, transportation, government, building & construction, import/export, food & beverages, farming, security consultants, IS professionals, internal auditors & general management.

SekChek has been used across all industry types in more than 110 countries around the world.

Go to top How can SekChek help with our compliance efforts, such as SOX and HIPAA?

Many clients use SekChek on a regular basis as part of their statutory compliance and internal audit reviews. SekChek is well placed to help out in these areas because:

  • It provides an independent point-in-time snapshot of security controls;
  • The graphical analyses provide a quick indication of whether security controls have strengthened or weakened since the previous time SekChek was run on a platform;
  • SekChek's consistent reporting from one analysis to the next avoids the risk of inconsistent interpretations between analyses over time;
  • Similar reporting formats across platforms analysed (Windows, UNIX, AS400 and NetWare) ensure a consistent standard in the interpretation of security controls.

Go to top Can I pre-authorise Token Requests?

Yes. Please forward the following information to SekChek:

  • Name of person submitting the Token Request;
  • E-mail address of person submitting the Token Request;
  • SekChek Local platform (SAM (workstation/server) or AD);
  • Number of scans in this Token Request (applicable to SAM only);
  • Charge/DIS/SA/WBS Code if applicable.

Please note that one pre-authorisation is valid for one scan, although up to 15 servers (or 1 Active Directory) can be scanned at a time.

Once we receive this information, we will configure the pre-approval to expire after one week. Should the consultant require a longer time-frame to execute the scan(s), this should be indicated within the request. Alternatively, a new request for pre-approval should be made with us.

Go to top What platforms does SekChek run on?

SekChek will run on all current versions of OS/400 (iSeries), Windows NT/200X/Vista/Windows 7 and UNIX operating systems that are Bourne Shell compatible, such as AIX, HP-UX, Linux, SCO and Solaris systems. It will also run on versions 4, 5 & 6 of Novell/NetWare systems.

Go to top What impact will SekChek have on my system?

From the very outset the SekChek Extract software was designed to be non-intrusive, make ZERO changes to the host/target system, and leave no trace behind after the extract process has completed. With thousands of SekChek's behind us, we are not aware of any reports of SekChek impacting on a host system in any way.

Go to top Where do SekChek’s Industry Averages come from?

Perhaps the most important point is that SekChek’s Industry Averages are not merely based on some static, theoretical average for computer security. Industry Averages used in summary reports are dynamic, real-life averages that are automatically updated after every file we process, using summary data extracted from each file.

SekChek compares security controls on your system against a unique database containing more than 60,000 records and 30 million individual security metrics.

Go to top I heard SekChek can measure security against various standards. Tell me more!

SekChek typically measures security against internationally recognized security standards because that's what most people want.

However, some clients prefer us to substitute their own (internal) security standards and to report against those. This helps them monitor how well their security policy is implemented and complied with and also alerts management to deviations from policy in specific departments or on certain computers.

We have a database of real/actual industry averages for security. This is quite unique. We can currently compare (graph) security over different points in time, over several machines, and calculate security norms and averages by industry type and geographical location. This can produce some interesting results!

Contact us for further details.

Go to top Can SekChek compare security over time and system?

Yes, SekChek provides graphical comparisons of basic security settings and user accounts defined on a Server or Domain at two different points in time. This helps you to quickly determine:

  • Whether security has improved, worsened, or remained about the same since the previous review;
  • The effectiveness of your measures to strengthen controls;
  • Whether risk is increasing or decreasing

Go to top Can SekChek produce an audit trail of changes since the previous scan?

Yes, the SekChek Local tool can generate a list of changes (before and after images) made to security objects since the previous scan of the system or Active Directory domain.

The report can be used to confirm that only valid and authorised changes are being made to security accounts by comparing the list of modifications against the relevant change documents approved by management. You can also use it to detect malicious or damaging changes that may have been made to your system’s security accounts or to confirm that large numbers of security changes made by an automated script were successfully applied.

Go to top Can we exchange encrypted email (S/MIME, SSL or TLS) with SekChek?

Yes, our Mail servers are configured to send and receive email using TLS (Transport Layer Security / SSL). If the TLS protocol is enabled on your Mail server all email traffic between SekChek’s domain and your organisation’s domain will be automatically encrypted.

SekChek also supports S/MIME, which ensures full end-to-end encryption of email. You can download SekChek’s certificate from our web-site.

Let us know if you need more information regarding options for encrypting email.

Go to top How secure are the encrypted SekChek files & reports?

Very!

SekChek employs various industry-standard encryption algorithms and techniques to ensure the security of your data. These include Public Key encryption techniques based on the RSA algorithm, and symmetric encryption techniques using algorithms such as AES and 3DES.

Go to top Tell me about your subscription service!

The most convenient & cost effective way to use SekChek is through a subscription. The pricing structure is very simple - the more SekChek's you subscribe to, the less they cost per copy. Contact us for more details.

Prices are consistent across the entire SekChek range (AS/400, NetWare, Windows & UNIX), so you only need purchase one subscription. You are free to choose and mix different SekChek services in the same subscription.

Once your subscription is confirmed you just send us your security files for processing any time you are ready. From time to time we will send you a statement indicating your usage of SekChek and we will issue a reminder just before your subscription is consumed. Subscriptions have no time limits attached to them.

Go to top What payment options are available?

Direct (Bank-to-Bank) transfer
This is the preferred option. In general, it is the quickest and safest payment method.

Cheque payment
If you prefer to make payment by cheque we recommend that you send your cheque via a courier company, rather than the regular postal system. We have special arrangements in place with UPS, Fedex and DHL, which help to speed up the process.

Credit Card payments
We can also accept payment via a secure Credit Card payment system managed by Kagi.

Contact us for more information on any of these payment methods.

Go to top Does SekChek support charities?

Yes, other than direct donations to specific charities, we offer significant discounts on our published prices to registered charities and other worthy causes. Please contact us for details.

Go to top What are your plans for SekChek?

Our guiding principles are ease-of-use and interpretation; non-intrusiveness on the host machine; low cost; and speed of delivery.

Some of the more specific areas we are focusing on include improved graphical summaries, trend analyses (spanning time, machines, departments etc.), and 'industry average' bench-marks by industry type and geographical location.

The direction the SekChek service takes is largely determined by your requirements and needs. Tell us what you want.

Go to top What is the difference between the Client software, Extract software & Processing Engine?

The Client software contains usage instructions, encryption/decryption software, sample reports and the ability to create additional copies of the Client & Extract software. It typically resides on your PC.

You use the Extract software to extract security data from an AS/400, NetWare, UNIX, Windows NT/200X host/target machine. It will only run on those systems.

The Processing Engine is used by the SekChek team to process your extracted security data, to calculate industry averages & comparisons, and to generate/encrypt your SekChek report.

Go to top What are the differences between the SekChek Classic tool and the SekChek Local tool?

SekChek Local allows you to scan and analyse multiple Servers at a time. The software runs on your workstation and scans target Hosts across the network. Because Scan data is processed locally on your PC, there is no requirement to send data off-site for processing.

SekChek Classic provides you with a comprehensive report in MS-Word and Access / Excel formats, including non-technical summary reports, an Overall Rating of security against real-life industry averages, implications and general recommendations

See Benefits, SekChek Local vs SekChek Classic for a more detailed comparison of SekChek's 'Classic' & 'Local' tools.

Go to top What are the copyright restrictions on the software?

Quite simply, NONE! Although we retain the title and ownership of the SekChek software, you are free to use and to distribute the software in its current form to anyone you wish.

However, you are not allowed to attempt to modify, translate, reverse engineer, disassemble, or to create derivative works based on the software without the prior written consent of SekChek.

Go to top Can SekChek analyse Registry keys and NTFS permissions?

Yes.

SekChek can report on values for System Registry keys and analyse DACLs (Discretionary Access Control Lists) and SACLs (System Access Control Lists) for files and directories.

You do this by defining the list of the Registry keys, and the names of the files and directories you want to analyse in file sekchek.inp. See SekChek for Windows' Extract instructions for details in the SekChek Help File.

Go to top What are the minimum hardware and software requirements to run a SekChek Local Scan?

SekChek Local requires Windows 2000 Professional (or later) with IE 5.5 (or later). The recommended minimum amount of RAM to Scan a large Active Directory domain is 1.5 GB.

SekChek's reporting features require MS-Office 2003 (with MS-Access) or later. If you use MS-Office 2000 please write to inbox@sekchek.com and request a special version of the Report Database.

Go to top What is the largest system analysed by SekChek?

The largest domain analysed by SekChek contained 200,000 user accounts and the security reports and benchmark summary were produced within a few hours of completion of the Scan.

You may be interested to know that to date, SekChek has analysed 60 million user accounts and 20 million security groups on systems belonging to many of the world's largest and best known organisations.

Some other interesting statistics are:

  • 35 million network attached Servers and workstations
  • 6 million Windows services
  • 150,000 locally attached disk drives
  • 150 million DACLs
  • 1 million hot-fixes

In short, there is no limit to the size of system that SekChek can analyse.

Go to top Does SekChek provide other security tools and utilities?

Yes, SekChek offers several free security-related tools, such as:

  • SekCrypt (TM), an industry strength file encryption / decryption utility. SekCrypt is fast and uses robust, state-of-the art encryption algorithms, such as AES and RSA
  • A tool that queries 'hidden' Active Directory properties on security accounts. Examples are the date/time that an account was last used to logon to a system and an account's unique SID or GUID. The tool will query all domain controllers to obtain accurate values for properties that are not replicated across DCs by the Windows OS
  • A utility that resolves SIDs to their friendly names and finds orphaned SIDs defined on files and directories in NTFS
  • A file hashing function that is useful for confirming whether the contents of a file have been changed
  • A 'Ping' utility for testing connectivity to other systems and domains on your network

These utilities are embedded in the SekChek Classic and Local software.

  
   

Go to top Why can’t the Encrypt function ‘see’ my Extract files?

The most likely reason is that your Extract file is incorrectly named. For example:

  • SekChek for AS/400: The files must have ‘.txt’ extensions, such as PROFBAS.TXT, SYSVALS.TXT.
  • SekChek for UNIX: The file must be named sekunf.z or sekunf.tar. In certain cases you may have a collection of ‘.txt’ files, such as hostname.txt etc.
  • SekChek for Windows: The file must be named SEK2KF.ZIP or SEKNTF.ZIP. The Encrypt function will also recognize files with extended names, such as ‘SEK2KF MyDescription.zip’. However, it will not recognize file ‘MyDescription SEK2KF.ZIP’.
  • SekChek for Netware: The file must be named SEKNEF.ZIP. The Encrypt function will also recognize files with extended names, such as ‘SEKNEF MyDescription.ZIP’.
    See Encrypting your extracted security data for more information

See Encrypting your extracted security data in the SekChek Help File for more information.

Go to top Error: 'SekChek's digital certificate is expired or damaged' when you enable PKI features

It is possible that the certificate has expired.

However, the most likely reason is that your system's policies prevent third-party Root CAs from being trusted. This is particularly common on systems that are running MS-Vista.

Try to install SekChek's Root certificate manually, via the Certificate Import Wizard. (double-click on file SekRoot.cer, which is located in SekChek's installation directory)

If your system prevents third-party Root CAs from being trusted, Windows-XP may display one of the following messages:

  • "An error occurred during the addition of a certificate to the Trusted Root Certification Authorities store."
  • "The import failed because the store was read-only, the store was full, or the store did not open correctly."

With MS-Vista your system may not display any error message, but the certificate may be installed in your system's Intermediate CA store, instead of the Trusted Root CA store. This may occur even though you explicitly requested the certificate to be installed in the Trusted Root CA store.

The solution is to amend policy to ensure your system trusts SekChek's Root CA (only) or all third-party Root CAs.

Go to top Error: 'Setup fatal error: Unable to generate installation log file' when installing the SekChek software

This error typically occurs if the account being used to install the SekChek Client software does not have Write permissions on Folder 'C:\Windows\'. The Setup routine uses this Folder to store its bootstrap / temporary installation files.

You can check this by viewing the security permissions on your system's C:\Windows\ directory (right-click on the Folder | Properties | Security Tab).

The solution is to install the SekChek software with an account that has sufficient permissions for the Folder.

Go to top Error: 'The Page Cannot be Displayed' when I open SekChek's Help file (sekchek.chm)

The error is due to security settings on your PC that prevent executable files (e.g. EXE, CHM files etc) located in other domains from being executed. This occurs for example, when you try to open SekChek.chm directly from SekChek's web site. This is normal / good practice for security.

The solution is to download the Help file (SekChek.chm) to a local drive on your PC and open the file from there.

Go to top Error: 'NTVDM encountered a hard error.' when executing the Windows Extract software

When you attempt to execute the SekChek for Windows Extract software (SEKWIEXT.EXE) a warning message box is displayed with the title 'ntvdm.exe - System Error' and text 'NTVDM encountered a hard error.', reply Close or Ignore.

The error occurs because file SEKWIEXT.EXE is corrupt. This is often caused by anti-virus software.

The solution is to obtain a fresh copy of SEKWIEXT.EXE or to create it via the SekChek Client software, which is located on our web site. The size of file SEKWIEXT.EXE is about 1.4 MB.