Enterprise Security Reporter Screenshots

The "Permission Options" tab of the screen allows you to fine-tune the report that will be produced, and as such is one of the more complicated screens.

The first section, "Select Object Types", allows you to limit the permissions you want to report on to one of the supported data types. If "All Object Types" is selected, then any permission record in the database will be included in the report. If "Specific Object Types" is selected, then only permissions on the selected data types will be included in the report.

The second section, "Permission Deltas", allows you to limit which of the Delta Permissions Reports types will be included in the report. If none of the boxes are checked, then all of the permission entries will be included. If you want to exclude some of the options, then select all of the options except the one you want to see. This option can help reduce the number of pages in the report.

The third section, "Select Permission", allows you to limit which access levels will be reported on. For each data type you can select whether you want to include or exclude the selected permissions. For example, to only report on groups and users that have "Full Control", select the "Include" option on the NTFS tab, and then select the "Full Control" box. To see only users or groups who have change access or greater for shares, select the "Exclude" button on the "Share" tab, then select the "Read" permission.

The fourth section, "Additional Options", contains three different options: Show Effective Permissions, Include Account Names/Descriptions, and Show Group Membership Subreport.

The "Show Effective Permissions" option instructs ESR2 to consider group memberships when figuring out whether or not an account has permissions to an object. For instance, if the "Domain Users" group has "read" access to a file, and the user "MYDOMAIN\Joe" is a member of "Domain Users", then ESR2 will report that "MYDOMAIN\Joe" has permissions to that file because of his membership in the "Domain Users" group.

The "Include Account Names/Descriptions" option instructs ESR2 to lookup the user?

The interface is designed to be very straightforward. All of the reports that are available are listed categorically in the main screen. The buttons on the side of the screen allow you to add, edit, remove, run and export reports.

Version 1 of Enterprise Security Reporter supported reports developed with Crystal Reports. However in version 2 of Enterprise Security Reporter, we have converted all of our reports to a reporting engine named "ActiveReports2", which is published by Data Dynamics, Inc. This reporting engine we believe to be superior to that used in Enterprise Security Reporter 1, as it provides more reliable exporting capabilities, plus the ability for us to offer a reports editor to our end-users.

Previewing Reports After the report finishes executing, you will see a report preview window that resembles the following:

From the report preview window you can print the report, view a table of contents, search for an item in the report and export the report.

Group membership reports form one of the core sets of reports for analyzing and understanding the security on your network. For this reason, we have separated the group membership reports into a separate screen that gives you a greater level of flexibility than was previously available.

To access the group membership reports, click the "Group Memberships" button at the bottom of the ESR2 Reporting Console. When you click that button, you will see a screen like the screen above:

The first section on the screen allows you to select the type of report you want, whether a report that shows all members of given groups or a report that shows all groups that a given account is a member of.

Additionally, you can select whether or not you want the report to show the account names and descriptions. Account names and descriptions are only available if the groups and users for the server on which the account resides has been discovered as well.

The second and third sections of the group membership screen work in conjunction to let you specify the scope of the report. The scope selection screen looks like the following: Figure 3 -- Group Memberships Scope Selection Screen As you can see in the figure above, the scope can either be the entire network, a particular Enterprise Scope, all computers in a specific domain, a specific set of computers you select or specific accounts that you select.

In version 2 of Enterprise Security Reporter, you can now select multiple computers to include in a report. Version 1 limited you to selecting the entire network, an Enterprise Scope, or a specific computer. The ability to pick and choose computers and accounts was one of the most requested features we had for improving the reporting interface.

The first four scope selection options are pretty obvious in the way they work, but the fifth option may not be quite so obvious. As soon as you click on the fifth option, "Specific Accounts", you will immediately be taken to the "Account List" tab, which until now has been disabled.

The "Account List" tab allows you to specify which accounts you wish to include in the report. If no accounts are listed, then the report will show all users and groups that have permissions in the selected scope. However, if you add a group or user, then only permissions for that group and user are included in the report.

The report layout screen lets you enter a title for the report and choose the grouping order of the items in the report.

The group options you have are as follows:

• Grouped By Computer: This will group the data by the name of the computer. This is most useful for permissions reports that show all permissions.
  
• Grouped By Account: This will group the data by the account. This is most useful for permissions reports for specific accounts.