The BigFix Enterprise Console (BEC) 5.1 is a configuration and patch management system for desktops and servers running Windows, Linux, Mac OS X and a variety of proprietary Unix operating systems. A wide range of client and server systems are supported, but they each need to run a BigFix agent in order to be fully managed by the suite.
BEC requires one Windows Server and uses a Microsoft SQL database to store its data. BigFix says one server can handle 150,000 devices, and there is an automatic system of relays that can balance the load and reduce delays for devices connected by slow network links. Relays must run the Windows BigFix agent.
BEC receives a collection of messages from BigFix’s datacentre every few minutes. These messages are called fixlets, and each contains details of a vulnerability affecting a certain type of computer, such as one running Microsoft Windows Server 2000. Once a BigFix agent is installed, it contacts the server, downloads all its fixlets, determines which ones are relevant, and reports back to BEC.
Thus, the BEC console displays a list of fixlets and a tally of how many systems each is relevant to. Some fixlets are informational. For example, one checks Windows 2000, 2003 and XP systems to see whether they have antivirus tools installed. Others are more proactive – for example, the Null Session’s fixlet has options to change registry values to disable Null Sessions.
Clicking on a fixlet causes BEC to display its properties, which include details about the vulnerability, a place for comments, a list of relevant computers and an action history.
With BEC, nothing is changed on managed systems until an administrator clicks on a fixlet link. Once actioned, the fixlet could automatically be applied to all relevant computers that are running the BigFix agent, even new ones added after the fixlet was actioned. BEC provides options to action fixlets at a particular time, and to continually broadcast fixlets so their actions are always checked and applied if necessary.
BEC gathers information about most network devices from its agents, but the agents are not available for some types of network kit, including some printers, routers and firewalls. However, BEC can discover most other devices because it integrates with Nessus and Nmap – both open-source security scanning tools. We tested the Nmap integration using a fixlet called “Run Nmap with Custom Scan Options and Scheduling”.
All BEC actions are audited, which means whenever someone takes an action they must authenticate to the system. Thus, we needed to give our BEC password to deploy the scanner. We then chose an XP desktop from the fixlet list of relevant computers. BEC then downloaded the Nmap software from a BigFix site, checked its digital signature and installed it on our workstation. A few minutes later, the Nmap results were added to our BigFix console under a new tab called Unmanaged Assets. It discovered our lab firewalls and routers, and for each device reported its MAC address and IP address plus some other IP-related parameters.



