Barracuda RMM
formerly Managed Workplace

Assessing Site Security

You can perform a security assessment for any of your managed sites. The security assessment analyzes various aspects of security, such as your password management policy, the status of your endpoint security software, and your patch management.

When you enroll a site in Site Security Assessment, it is assessed against a set of tests, also known as a Security Schema, which will generate a score that represents the security of your site. If you haven't set up a custom Security Schema, your sites are assessed against the Standard Schema.

Site Security Assessments run multiple times per day.

What a Security Score Means

The security assessment runs a series of tests on the site. Each test generates a numbered score. The security assessment shows the details of each test, as well as the numbered score for each test.

In addition, the results of each test contribute to a combined overall score, as well as a score for the following categories of tests:

  • Endpoint Security
  • Patch Security
  • User Security
  • Network Security

The highest possible score for each test, each category of test, and combined overall site score is 100. A score of 100 would represent a site where all tests passed. The lower the number, the more critical the security issue.

How the Security Score is Calculated

A security assessment compares a site against a set of tests, called a Security Schema, which can consist of over 30 tests in the following categories:

  • Endpoint Security—Assesses whether antivirus software is installed, active, and up-to-date. Also assesses whether a firewall is in use and the status of BitLocker encryption on eligible devices.
  • Patch Security—Assesses whether Microsoft and Windows patches are up-to-date.
  • User Security—Assesses password activity and password policies for local users and domains.
  • Network Security—Assesses if the User Account Control setting is on or off, as well as assessing the security of certain Wi-Fi networks that managed devices have connected to in the last seven days. Includes Open Port tests, but those tests do not change the security score.

The Standard Security Schema contains all the suggested tests at all their suggested settings. You can also create custom Security Schemas with higher or lower levels of security.

  • The Network Security category tests run against WLAN profiles that can be found on managed devices. WLAN profiles are saved to devices when users choose to automatically connect to Wi-Fi networks. WLAN profiles that have been deleted from a device will not contribute to the Network Security assessment.
  • You can see details on all the tests that make up the Site Security Assessment once you run an assessment on a site.

Endpoint Security Tests

The workstation antivirus tests check most antivirus programs installed on workstations. The workstation antivirus tests are:

  • Workstation Antivirus software detection
  • Workstation Antivirus software status check
  • Workstation Antivirus software evaluation

The Server antivirus software detection test detects the following antivirus products:

  • Avast Endpoint Protection Suite
  • Avast Antivirus (when integrated through Barracuda RMM)
  • Bitdefender Endpoint Security
  • ESET File Security for Microsoft Windows Server
  • F-Secure Server Security
  • G DATA Business Security
  • Kaspersky Total Security for Business
  • McAfee Endpoint Security Suite
  • SentinelOne
  • Sophos Server Protection
  • Symantec™ Endpoint Protection 14
  • Trend Micro Worry-Free Business Security

Firewall-related Security Tests

Site Security Assessment has tests for both Windows firewall and third party firewall, included in the Endpoint Security category. Both tests are included in the Standard Security Schema. Because devices use either a Windows firewall or a third party firewall, Site Security Assessment uses either the three Windows firewall tests or the third party firewall test, but not both, even if both are included in the Security Schema.

Because installing and enabling a third party firewall on a device disables the Windows firewall, if both the Windows firewall tests and the third party firewall test are in the schema, Site Security Assessment detects whether you are using a third party firewall or a Windows firewall, and assesses your device accordingly. The firewall tests that don’t apply aren’t assessed, and won’t apply to your final score.

When you’re creating a custom Security Schema, you can add both the Windows firewall tests and the third party firewall tests. Site Security Assessment automatically detects the correct tests to use. You will not lose points as a result of the third party test if your Windows firewall tests pass or lose points on the Windows firewall tests if your third party test passes.

The three Windows firewall tests are assessed if:

  • No third party firewall is installed or enabled.
  • A third party firewall is installed but not enabled.

The third party firewall tests are assessed if:

  • A third party firewall is both installed and enabled.

You will get full points in the Site Security Assessment if your site passes either:

  • The third party firewall test; or
  • The three Windows firewall tests.

If you have only the Windows firewall tests in your schema and your site has a third party firewall installed and enabled, the Windows firewall tests are not assessed. If you have a third party firewall test, but your site uses Windows firewall, the third party test is not assessed.

Because Site Security Assessment only assesses the firewall test that applies to your site, enabling both Windows firewall tests and the third party firewall test doesn’t lower your score, as long as your site uses a firewall.

BitLocker Tests

The BitLocker tests check if eligible drives are encrypted by BitLocker.

Test results are based on the percentage of drives on eligible devices that are encrypted by BitLocker.

If any of the BitLocker tests finds a device that has no drives encrypted, the test checks to see if the device has a Trusted Platform Module (TPM). If the device does not have TPM, then the test gives a result of Unassessed. But if the device does have TPM, the test results are based on the percentage of drives on the device that are encrypted, as usual.
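
To spot-check a single device against the logic described above, the following added example (not Barracuda RMM's own code) computes the encrypted-drive percentage and applies the TPM rule. It assumes that every volume returned by `Get-BitLockerVolume` counts as an eligible drive and that a drive counts as encrypted only when it is fully encrypted with protection on; the function name `Get-BitLockerAssessment` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: approximates the BitLocker test logic described above for the local device.
# Assumptions: every volume returned by Get-BitLockerVolume is an "eligible drive", and a
# drive counts as encrypted only when it is fully encrypted with protection switched on.

function Get-BitLockerAssessment {
    [CmdletBinding()]
    param()

    $volumes = @(Get-BitLockerVolume)
    if ($volumes.Count -eq 0) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Result = 'Unassessed'; EncryptedPercent = $null
            Detail   = 'No volumes reported by Get-BitLockerVolume'
        }
    }

    $encrypted = @($volumes | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On'
    })

    # The TPM check only decides the outcome when no drive on the device is encrypted.
    if ($encrypted.Count -eq 0 -and -not (Get-Tpm).TpmPresent) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Result = 'Unassessed'; EncryptedPercent = $null
            Detail   = 'No encrypted drives and no TPM present'
        }
    }

    # Otherwise the result is the share of drives that are encrypted.
    $percent     = [math]::Round(100 * $encrypted.Count / $volumes.Count, 1)
    $unencrypted = @($volumes | Where-Object { $_.MountPoint -notin $encrypted.MountPoint })

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Result = 'Assessed'; EncryptedPercent = $percent
        Detail   = if ($unencrypted.Count) {
            'Not encrypted: ' + ($unencrypted.MountPoint -join ', ')
        } else {
            'All drives encrypted'
        }
    }
}

Get-BitLockerAssessment | Format-List
```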

Domain-related Security Tests

Several domain-related site security assessment tests require a functioning Onsite Manager to be assessed. The requirements for these tests to be assessed are:

  • Onsite Manager with Remote Server Administration tools is installed.
  • The Group Policy Management Console is enabled on the Onsite Manager.
  • The device hosting the Onsite Manager is attached to the domain.
  • The MWService account must be a domain Admin account, and not a local account.

Open Port Data Collection Tests

Open port data collection tests assess the security of computer ports that are open to the network and vulnerable to attack.

Open ports are potential areas of vulnerability on the network. An admin should verify if the ports detected are planned and necessary for the business or if the ports are unnecessary possible points of vulnerability on the network that can be secured.

The tests are:

  • Open Port Data Collection (TCP) — determines if data on Open Ports for Windows can be collected successfully. If technical issues prevent the collection of open port assessment data, the related security tests can't execute for those devices.
  • Open Port Discovery (TCP) - Commonly Abused Ports — determines if any of the ports that attackers use most often are open on your network.
  • Open Port Discovery (TCP) - Other Ports — identifies which ports are open on the network so you can review their availability.

The results of these tests do not affect your security score but they help you protect your customers from security vulnerabilities and identify ports that may need to be protected on the network.
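
When reviewing a device the tests flag, an admin can compare its TCP listeners with the ports the site has approved. The following is an added example, not part of Barracuda RMM; the function name `Get-UnplannedListener` is hypothetical and the port numbers passed to it are constructed placeholders.

```powershell
# Added example: lists TCP listeners on the local device that are not on a planned-port list.
# The ports passed to -PlannedPorts below are constructed placeholders; replace them with
# the ports your site has approved.

function Get-UnplannedListener {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int[]]$PlannedPorts
    )

    # Loopback-only listeners are skipped because they are not reachable from the network.
    # Sort-Object -Unique collapses duplicate address/port rows.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Where-Object { $_.LocalPort -notin $PlannedPorts } |
        Sort-Object LocalPort, LocalAddress -Unique |
        ForEach-Object {
            # Resolve the owning process so the listener can be traced to a service or app.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}

Get-UnplannedListener -PlannedPorts 443, 3389 | Format-Table -AutoSize
```

Each row returned is a listener to either document as planned or close.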

If these tests discover open ports, the following icons display on the Network Security category card in the assessment results:

[Image: Open Port icons]

Enabling and disabling Open Port Data Collection for sites

Open Port Data Collection can be enabled and disabled by site in addition to the Open Port Data Collection tests being included or excluded by the security schema. If Open Port Data Collection is disabled for a site, the Open Port Data Collection tests are not evaluated, even if they are included in the Security Schema being used. By default, Open Port Data Collection is disabled for each site.

The Open Port Data Collection tests are included in the Standard Security Schema. However, the tests are not evaluated unless Open Port Data Collection is enabled for each site the Standard Security Schema is run on.

To enable and disable Open Port Data Collection for sites

  1. In Service Center, click Configuration > Site Security.
  2. In the Open Port Data Collection (TCP) area, do one of the following for each site:
    • Slide the slider to the right to enable data collection.
    • Slide the slider to the left to disable data collection.

Test Weighting Impact

The tests in the assessment have different weightings depending on the security impact of what is being tested. That means that the tests in the assessment do not all affect the score equally, but have a greater or lesser impact assigned by our proprietary algorithm.

For example, mandating that users create strong passwords is more critical to security than changing the domain policy password every 90 days. So, the test that checks that complexity is required in the local password policy is weighted more heavily than the test that checks if the domain policy password has been changed in the last 90 days. That means that if the Domain password policy - Password complexity requirement status check test fails, finding that the policy doesn't mandate complexity for user passwords, more points will be deducted from the Security Assessment score than if the Domain password policy - Maximum password age status check test finds that the domain policy password hasn't been changed in the last 90 days.

For information on the relation between test weighting and Security Schemas, see Using Security Schemas.

Other Factors

Besides the weighting of tests, another factor that helps determine how much a test changes the Security Assessment score is how many objects (devices, users, accounts, etc.) are affected. For example, if the Software updates evaluation - Feature packs test discovers that 20 devices are missing feature packs, that will lower your security score by a certain amount. If you then install the missing feature packs on ten of the twenty devices, your security score will be higher because fewer devices are affected by the missing security feature.

Open Port Data Collection Tests

The Open port data collection tests do not affect the security score.

Viewing Test Details

The Security Score Dashboards display each test that's in the Site Security Assessment, including:

  • Test description
  • Test details
  • Test impact
  • Objects (devices, users, accounts, etc.) affected, both the number of objects and in many cases, links to the affected objects
  • Test severity
  • Test value
  • What you can do to get a better score for the test

Security Score Impact

All the Security Dashboards (Site, Endpoint, Patch, User, and Network) display the individual scores for each test in the Security Schema. The dashboards also display a visual of the overall impact of the results of the score.

The left column on each Security Dashboard displays the result of the test as a percentage.

On the right of the Security Dashboard, you can see the relative impact of the test shown as a bar. The color and length of the bar show the severity of the impact. The longer the bar, the greater the relative impact. The test that has the most impact will always have the longest bar, no matter what the impact is in absolute terms.

How to Get a Better Security Score

On the Site Security Details page and the Category Details pages, you can click the arrow icon next to any of the tests to see additional info on that test.

The description for each test includes a section called Countermeasure, which may include suggestions for how to resolve the issue. Once you have addressed the issue, your score will improve the next time the security assessment runs.

As the security score of a site improves, the trend of improvement reflects in the trend graphs displayed on the Dashboard and overview pages, as well as in the trend arrows in the Score boxes for each category.

To improve scores in the Patch Security category, install missing patches on devices. You can use the Patch Details spreadsheet to identify the patches to install. After the patches are installed, your score will improve. For more information, see To Export the Results of a Patch Security Assessment in Viewing Assessment Details.