Frequently Asked Questions

+ Who uses SekChek?

The names of specific clients are confidential. However, users of SekChek include major organizations in banking & insurance, airlines, mining, manufacturing, retailing, shipping, transportation, government, building & construction, import/export, food & beverages, farming, security consultants, IS professionals, internal auditors & general management.

SekChek has been used across all industry types in more than 110 countries around the world.


+ How can SekChek help with our compliance efforts, such as SOX and HIPAA?

Many clients use SekChek on a regular basis as part of their statutory compliance and internal audit reviews. SekChek is well placed to help out in these areas because:

  • It provides an independent point-in-time snapshot of security controls;
  • The graphical analyses provide a quick indication of whether security controls have strengthened or weakened since the previous time SekChek was run on a platform;
  • SekChek's consistent reporting from one analysis to the next avoids the risk of inconsistent interpretations between analyses over time;
  • Similar reporting formats across platforms analysed (Windows, UNIX, AS400 and NetWare) ensure a consistent standard in the interpretation of security controls.

+ Can I pre-authorise Token Requests?

Yes. Please forward the following information to SekChek:

  • Name of person submitting the Token Request;
  • E-mail address of person submitting the Token Request;
  • SekChek Local platform (SAM (workstation/server) or AD);
  • Number of scans in this Token Request (applicable to SAM only);
  • Charge/DIS/SA/WBS Code if applicable.

Please note that one pre-authorisation is valid for one scan, although up to 15 servers (or 1 Active Directory) can be scanned at a time.

Once we receive this information, we will configure the pre-approval to expire after one week. Should the consultant require a longer time-frame to execute the scan(s), this should be indicated within the request. Alternatively, a new request for pre-approval should be made with us.


+ What platforms does SekChek support?

SekChek supports the most common Operating Systems and software, including:

  • All versions of OS/400 (iSeries)

  • Windows NT / 200X / Vista / Windows 7

  • Domains running Microsoft Active Directory

  • MS-Exchange

  • All UNIX operating systems that support the Bourne Shell, such as AIX, BSD, HP-UX, Linux, OSF, SCO and Solaris

  • Versions 4, 5 & 6 of Novell / NetWare


+ Where can I obtain a sample SekChek report?

You can view or download sample reports for all SekChek products from our web site.


+ What does SekChek cost?

The cost of using SekChek depends on the tool type (Classic or Local), the audit scope (an entire domain or a member Server) and the number of SekChek units purchased.

For example, the cost of analysing a member Server with the SekChek Local tool starts at around US$80, while the cost of analysing an entire domain starts at around $240.

Please write to us for details of pricing and SekChek’s discounting policy.


+ What impact will SekChek have on my system?

From the very outset the SekChek Extract software was designed to be non-intrusive, make ZERO changes to the host/target system, and leave no trace behind after the extract process has completed.

With tens of thousands of SekCheks behind us, we are not aware of any cases where SekChek has negatively impacted a host system.


+ Where do SekChek’s Industry Averages come from?

Perhaps the most important point is that SekChek’s Industry Averages are not merely based on some static, theoretical average for computer security. Industry Averages used in summary reports are dynamic, real-life averages that are automatically updated after every file we process, using anonymous summary data extracted from each scan file.

SekChek compares security controls on your system against a unique database containing more than 60,000 records and 30 million individual security metrics.


+ I heard SekChek can measure security against various standards. Tell me more!

SekChek typically compares security against internationally recognized security standards because that's what most people want. This includes benchmarks against industry-specific averages as well as leading security practices employed by the top 10-15% of organisations.

However, some clients prefer us to substitute their own (internal) security standards and to report against those. This helps them monitor how well their security policy is implemented and complied with and also alerts management to deviations from policy in specific departments or on certain computers.

We have a database of real/actual industry averages for security. This is quite unique. We can currently compare (graph) security over different points in time, over several machines, and calculate security norms and averages by industry type and geographical location. This can produce some interesting results!

Contact us for further details.


+ Can SekChek compare security over time and system?

Yes, SekChek provides graphical comparisons of basic security settings and user accounts defined on a Server or Domain at two different points in time. This helps you to quickly determine:

  • Whether security has improved, worsened, or remained about the same since the previous review;
  • The effectiveness of your measures to strengthen controls;
  • Whether risk is increasing or decreasing.

+ Can SekChek produce an audit trail of changes since the previous scan?

Yes, the SekChek Local tool can generate a list of changes (before and after images) made to security objects since the previous scan of the system or Active Directory domain.

The report can be used to confirm that only valid and authorised changes are being made to security accounts by comparing the list of modifications against the relevant change documents approved by management. You can also use it to detect malicious or damaging changes that may have been made to your system’s security accounts or to confirm that large numbers of security changes made by an automated script were successfully applied.


+ Can we exchange encrypted email (S/MIME, SSL or TLS) with SekChek?

Yes, our Mail servers are configured to send and receive email using TLS (Transport Layer Security / SSL). If the TLS protocol is enabled on your Mail server all email traffic between SekChek’s domain and your organisation’s domain will be automatically encrypted.

SekChek also supports S/MIME, which ensures full end-to-end encryption of email. You can download SekChek’s certificate from our web-site.


+ How secure are the encrypted SekChek files & reports?

Very!

SekChek employs various industry-standard encryption algorithms and techniques to ensure the security of your data. These include Public Key encryption techniques based on the RSA algorithm, and symmetric encryption techniques using algorithms such as AES and 3DES.


+ Tell me about your subscription service!

The most convenient & cost-effective way to use SekChek is through a subscription. The pricing structure is very simple: the more SekCheks you subscribe to, the less they cost per copy. Contact us for more details.

Prices are consistent across the entire SekChek range (AS/400, NetWare, Windows & UNIX), so you only need purchase one subscription. You are free to choose and mix different SekChek services in the same subscription.

Once your subscription is confirmed you just send us your security files for processing any time you are ready. From time to time we will send you a statement indicating your usage of SekChek and we will issue a reminder just before your subscription is consumed. Subscriptions have no time limits attached to them.


+ What payment options are available?

Direct (Bank-to-Bank) transfer
This is the preferred option. In general, it is the quickest and safest payment method.

Cheque payment
If you prefer to make payment by cheque we recommend that you send your cheque via a courier company, rather than the regular postal system. We have special arrangements in place with UPS, Fedex and DHL, which help to speed up the process.

Credit Card payments
We can also accept payment via a secure Credit Card payment system managed by Kagi.

Contact us for more information on any of these payment methods.


+ Does SekChek support charities?

Yes, other than direct donations to specific charities, we offer significant discounts on our published prices to registered charities and other worthy causes. Please contact us for details.


+ What are your plans for SekChek?

Our guiding principles are ease-of-use and interpretation; non-intrusiveness on the host machine; low cost; and speed of delivery.

Some of the more specific areas we are focusing on include improved graphical summaries, trend analyses (spanning time, machines, departments etc.), and 'industry average' bench-marks by industry type and geographical location.

The direction the SekChek service takes is largely determined by your requirements and needs. Tell us what you want.


+ What is the difference between the Client software, Extract software & Processing Engine?

The Client software contains usage instructions, encryption/decryption software, sample reports and the ability to create additional copies of the Client & Extract software. It typically resides on your PC.

You use the Extract software to extract security data from an AS/400, NetWare, UNIX or Windows NT/200X host/target machine. It will only run on those systems.

The Processing Engine is used by the SekChek team to process your extracted security data, to calculate industry averages & comparisons, and to generate/encrypt your SekChek report.


+ What are the differences between the SekChek Classic tool and the SekChek Local tool?

SekChek Local allows you to scan and analyse multiple Servers at a time. The software runs on your workstation and scans target Hosts across the network. Because Scan data is processed locally on your PC, there is no requirement to send data off-site for processing.

SekChek Classic provides you with a comprehensive report in MS-Word and Access / Excel formats, including non-technical summary reports, an Overall Rating of security against real-life industry averages, implications and general recommendations.

See Benefits, SekChek Local vs SekChek Classic for a more detailed comparison of SekChek's 'Classic' & 'Local' tools.


+ What are the licensing and usage restrictions on the software?

Quite simply, NONE! Although we retain the title and ownership of the SekChek software, you are free to use and to distribute the software in its current form to anyone you wish.

However, you are not allowed to attempt to modify, translate, reverse engineer, disassemble, or to create derivative works based on the software without the prior written consent of SekChek.


+ Can SekChek analyse Registry keys and NTFS permissions?

Yes.

SekChek can report on values for System Registry keys and analyse DACLs (Discretionary Access Control Lists) and SACLs (System Access Control Lists) for files and directories.

You do this by defining the list of Registry keys, and the names of the files and directories you want to analyse, in file sekchek.inp. See SekChek for Windows' Extract instructions in the SekChek Help File for details.


+ What are the minimum hardware and software requirements to run a SekChek Local Scan?

SekChek Local requires Windows 2000 Professional (or later) with IE 5.5 (or later). The recommended minimum amount of RAM to Scan a large Active Directory domain is 1.5 GB.

SekChek's reporting features require MS-Office 2003 (with MS-Access) or later. If you use MS-Office 2000 please write to us and request a special version of the Report Database.


+ What is the largest system analysed by SekChek?

The largest domain analysed by SekChek contained 200,000 user accounts and the security reports and benchmark summary were produced within a few hours of completion of the Scan.

You may be interested to know that to date, SekChek has analysed 60 million user accounts and 20 million security groups on systems belonging to many of the world's largest and best known organisations.

Our clients have also used our tools to analyse more than:

  • 35 million network attached Servers and workstations
  • 6 million Windows services
  • 150,000 locally attached disk drives
  • 150 million DACLs
  • 1 million hot-fixes

In short, there is no limit to the size of system that SekChek can analyse.


+ Does SekChek publish technical research / white paper documents?

Yes, SekChek publishes research information and in-depth answers to the most common security-related questions asked by our clients in the form of white papers. Examples include questions regarding new, or poorly understood security controls.

These technical white paper documents are freely available from our web-site.


+ Does SekChek provide other security tools and utilities?

Yes, SekChek offers several free security-related tools and utilities, such as:

  • A tool that performs a basic audit / analysis of your system's security and configuration settings and displays the results in your Internet browser.

    The scope of the analysis includes the current user and computer, local policies, Windows Security Centre status, disks, network settings, local security accounts, and your system's Regional and Language Options. View sample report.

  • SekCrypt (TM), an industry-strength file encryption / decryption utility. SekCrypt is fast and uses robust, state-of-the-art encryption algorithms, such as AES and RSA.

  • A tool that queries 'hidden' Active Directory properties on security accounts.

    Examples are the date/time that an account was last used to logon to a system and an account's unique SID (Security Identifier) or GUID (Globally Unique Identifier). The tool will query all domain controllers (DCs) to obtain accurate values for properties that are not replicated across DCs by the Windows OS.

  • A utility that resolves SIDs to their friendly names. E.g. S-1-5-21-2555888094-1722010140-3448673252-500 to MyDomain\Administrator and S-1-5-32-544 to Builtin\Administrators group.

  • A tool that finds orphaned SIDs defined on files and directories in NTFS. Orphaned SIDs typically belong to security accounts that no longer exist on your system.

  • A file hashing (sha1) function that is useful for confirming whether the contents of a file have been changed.

  • A 'Ping' utility for testing connectivity to other systems and domains on your network.

These utilities are embedded in the SekChek Classic and Local software.


+ How do I get technical support for your products?

You can obtain prompt technical support on any of our products from our experienced team of security analysts via our technical support Helpdesk.


 
       
Common Problems

+ Why can't the Encrypt function 'see' my Extract files?

The most likely reason is that your Extract file is incorrectly named. For example:

  • SekChek for AS/400: The files must have ‘.txt’ extensions, such as PROFBAS.TXT, SYSVALS.TXT.
  • SekChek for UNIX: The file must be named sekunf.z or sekunf.tar. In certain cases you may have a collection of ‘.txt’ files, such as hostname.txt etc.
  • SekChek for Windows: The file must be named SEK2KF.ZIP or SEKNTF.ZIP. The Encrypt function will also recognize files with extended names, such as ‘SEK2KF MyDescription.zip’. However, it will not recognize file ‘MyDescription SEK2KF.ZIP’.
  • SekChek for Netware: The file must be named SEKNEF.ZIP. The Encrypt function will also recognize files with extended names, such as ‘SEKNEF MyDescription.ZIP’.

See Encrypting your extracted security data in the SekChek Help File for more information.


+ Error: 'SekChek's digital certificate is expired or damaged' when you enable PKI features

It is possible that the certificate has expired.

However, the most likely reason is that your system's policies prevent third-party Root CAs from being trusted. This is particularly common on systems that are running MS-Vista.

Try to install SekChek's Root certificate manually via the Certificate Import Wizard (double-click on file SekRoot.cer, which is located in SekChek's installation directory).

If your system prevents third-party Root CAs from being trusted, Windows-XP may display one of the following messages:

  • "An error occurred during the addition of a certificate to the Trusted Root Certification Authorities store."
  • "The import failed because the store was read-only, the store was full, or the store did not open correctly."

With MS-Vista your system may not display any error message, but the certificate may be installed in your system's Intermediate CA store, instead of the Trusted Root CA store. This may occur even though you explicitly requested the certificate to be installed in the Trusted Root CA store.

The solution is to amend policy to ensure your system trusts SekChek's Root CA (only) or all third-party Root CAs.
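
A check for the failure described above, where the import silently lands in the Intermediate CA store: this added PowerShell example (not SekChek's own code) looks up the certificate from SekRoot.cer by thumbprint in the Trusted Root and Intermediate CA stores and reports whether it has expired. The script and its -CerPath parameter are assumptions made for the example.

```powershell
# Added example (not SekChek code): report which certificate stores contain the
# certificate held in a .cer file, and whether that certificate has expired.
param(
    # Full path to SekRoot.cer; the page only says it is in SekChek's installation directory.
    [Parameter(Mandatory = $true)]
    [string]$CerPath
)

# Load the certificate from the file so it can be matched by thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$expired = $cert.NotAfter -lt (Get-Date)

# Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities.
$stores = @(
    'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\CA',   'Cert:\LocalMachine\CA'
)

# Collect every store that holds a certificate with the same thumbprint.
$hits = @(foreach ($store in $stores) {
    if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
        $store
    }
})

$inRoot = @($hits | Where-Object { $_ -like '*\Root' }).Count -gt 0
$inCA   = @($hits | Where-Object { $_ -like '*\CA' }).Count -gt 0

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Not after  : $($cert.NotAfter) (expired: $expired)"
"Found in   : $(if ($hits) { $hits -join ', ' } else { 'none of the stores checked' })"

# The two causes named in this FAQ entry: an expired certificate, or an import
# that did not reach the Trusted Root CA store.
if ($expired) {
    'Result: the certificate has expired.'
} elseif ($inRoot) {
    'Result: the certificate is in a Trusted Root CA store.'
} elseif ($inCA) {
    'Result: the certificate is only in an Intermediate CA store; the import did not reach the Trusted Root CA store.'
} else {
    'Result: the certificate is not installed in any of the stores checked.'
}
```

Run it before and after the manual import to see which store the Certificate Import Wizard actually wrote to.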


+ Error: 'Setup fatal error: Unable to generate installation log file' when installing the SekChek software

This error typically occurs if the account being used to install the SekChek Client software does not have Write permissions on Folder 'C:\Windows\'. The Setup routine uses this Folder to store its bootstrap / temporary installation files.

You can check this by viewing the security permissions on your system's C:\Windows\ directory (right-click on the Folder | Properties | Security Tab).

The solution is to install the SekChek software with an account that has sufficient permissions for the Folder.


+ Error: 'The Page Cannot be Displayed' when I open SekChek's Help file (sekchek.chm)

The error is due to security settings on your PC that prevent executable files (e.g. EXE, CHM files etc.) located in other domains from being executed. This occurs, for example, when you try to open SekChek.chm directly from SekChek's web site. This is normal / good practice for security.

The solution is to download the Help file (SekChek.chm) to a local drive on your PC and open the file from there.


+ Error: 'NTVDM encountered a hard error.' when executing the Windows Extract software

When you attempt to execute the SekChek for Windows Extract software (SEKWIEXT.EXE), a warning message box is displayed with the title 'ntvdm.exe - System Error' and the text 'NTVDM encountered a hard error.', with the reply options Close or Ignore.

The error occurs because file SEKWIEXT.EXE is corrupt. This is often caused by anti-virus software.

The solution is to obtain a fresh copy of SEKWIEXT.EXE or to create it via the SekChek Client software, which is located on our web site. The size of file SEKWIEXT.EXE is about 1.4 MB.