Enterprise Security Reporter

Enterprise Security Reporter

Enterprise Security Reporter provides you an easy and efficient way to get the data and produce reports that give you the answers you need. Using the tools that come with Microsoft Windows NT, you quickly realise that it is nearly impossible to gather the necessary information to produce the reports you need.


Key Benefits

Use Flexible Permission and Group Membership Report Builders

  • Report on a user's effective permissions - including group memberships.
  • Limit the scope of reports from entire networks to a single path and everywhere in between.
  • Specify specific accounts for a granular approach.
  • Tailor several options to customize reports to exactly what you are looking for.

View Security and Network Data in Real-Time

  • Browse your entire network from a single interface.
  • Monitor share, printer, service, group and user information instantly.
  • Combines data from multiple utilities into one screen.

Gather Security Information from Remote Servers

  • Gather information without the need to install services on remote computers.
  • Discover vital information about user and group membership.
  • Remotely collect NTFS security on folders and files and Share security.

Analyze Security on Mission Critical Systems

  • Examine user and group security to ensure compliance with established models.
  • Create effective group membership reports to find out how users access data indirectly or improperly.
  • Find shares that will not conform to company policy.

Key Features

To protect the security of your network Enterprise Security Reporter offers you a database-driven solution designed to exceed all of your security configuration needs. By using Enterprise Security Reporter, you become aware of the discrepancies concealed in your network.

The end result? Security weaknesses eliminated.

Designed to answer the questions you have about the security of your network, our security evaluation software tool is both powerful and intuitive.

  • To which groups does a user belong?
  • To which folders and files does a user and/or group have access?
  • How can I view all the shares and their permissions on my entire network?

Enterprise Security Reporter - By combing through the vast amount of data on your network and storing it in an open database, you now have the ability to analyse, query and report on the security and configuration of your network.

Inspect. Assess. Audit. Report.

Create unique summarized permissions reports
Enterprise Security Reporter's exclusive Delta Permissions Reporting™ technology targets and reports permission changes on folders and files that differ from those of its parent folder, enterprise wide.

Open Database
Enterprise Security Reporter uses Microsoft's SQL Server 2000 or the scaled-down Microsoft Data Engine 2000 as its back-end database. This allows for faster and more reliable database operations. This also means you can use any tool you want to connect to and query the data. The Enterprise Security Reporter database is even fully documented so you can write your own queries and reports.

Parameterized Queries
When building your own queries, you can define custom parameters that will prompt the user for information as the query is being run. This provides a much greater level of flexibility, and doesn't tie you down to writing queries with hard-coded information.

Enterprise Scopes
What do you do when you have one hundred servers discovered, but you only want to run a query against ten of them? You define an Enterprise Scope including those ten servers, and add the scope to your query. This puts more control back in your hands!

Permissions Report Builder
The Permissions Report Builder allows you to create customized permissions reports that contain the data you need without having to write your own SQL queries. This allows even the most novice of users to get professional and exacting results.

Group Memberships Report Builder
All too often groups contain users that pose a risk to your security. It's all too easy to overlook this without the proper tools. The Group Memberships Report Builder makes it possible for you to see who is in which groups and what groups a user belongs to.

Browse Real-time Data
All of the data in the ESR database is exposed through an easy-to-use data browser. What's more is that you can also browse data in real-time using the exact same screen. Sometimes getting the answer you want is most easily obtained by browsing right to it.

User Extensible
Develop your own queries or reports and add them to the ESR user-interface.

Other Features

For the latest version of Enterprise Security Reporter, several new features have improved the process of gathering and reporting on network security. Among these are:

  • Significant enhancements in the discovery process negate the need for agents to be deployed to remote servers.
  • Enterprise Security Reporter now uses the scalable and extensible MSDE 2000 or SQL Server 2000 as a database engine, making it possible to generate custom queries of discovered data.
  • Delta Permissions Reporting provides for reports in which only changes in permissions are recorded from parent to child objects, greatly simplifying review of reports and reducing the time required to generate them.
  • Full Active Directory support, including Nested Groups, make Enterprise Security Reporter a must have for Windows 2000 and later networks.
  • Added several new reports, such as "All Groups with No Members" report, "Groups with No Permissions Under Folder" report, "Users with No Permissions Under Folder" report and 3 new discovery information reports.
  • An option for limiting the depth of folder discoveries was added. This works great for home directories where you may only be interested in two or three levels deep in audit generation.
  • Creation of an "Expanded Group Membership" report for a complete view of users and their groups.
  • Report export functionality has been improved to include several forms that were not previously available, including .pdf, .rtf, .htm and several others.
  • Support for the Distinguished Name field in Active Directory for group and user accounts.
  • Enterprise Security Reporter now includes the ability to globally exclude folders from discovery by name, such as "Temporary Internet Files."


Select items to be discovered... For every server that you want to gather data from, you can specify exactly what items you want retrieved from the server

Only discover the paths you need... You can specify which paths to include or exclude from the discovery process. This can speed up the discovery process by only getting the data you need, and skipping the paths that are unnecessary

Schedule when the discovery should occur... Each discovery job can be scheduled to run whenever you wish. You can schedule the jobs to run at night when the computers have the least load and when the network would not be bothered by higher traffic

Monitor the jobs that are running... When a job starts running, the Discovery Monitor pops up on the database server showing you the progress of a job, and allowing you to cancel a job if necessary

Browse the data that has been discovered... Whether real-time data or discovered data, Enterprise Security Reporter provides a consistent, easy-to-use interface to view the data

Run built-in queries against the discovered data, or build your own SQL query! Enterprise Security Reporter's open database allows you to write your own SQL queries in addition to using our built-in queries

Execute built-in reports against the discovered data, or build your own reports using Seagate's Crystal Reports or Microsoft Access!


Enterprise Security Reporter Data Sheet
Enterprise Security Reporter Executive Summary
Enterprise Security Reporter Walkthrough
The purpose of this document is to provide a step-by-step walkthrough of the basic features of Enterprise Security Reporter. This will step you through the discovery of two servers and one report.
Enterprise Security Reporter Evaluator's Guide


Licensing for Enterprise Security Reporter is on a per server basis.


Enterprise Security Reporter maintenance and upgrades are available in a 1 and 2 year option


Supported Platforms:
Windows NT 4.0 Workstation
Windows NT 4.0 Server
Windows NT 4.0 Server Enterprise Edition
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows XP Professional
Windows .NET Standard Server
Windows .NET Enterprise Server

Minimum Hardware:
x86 Pentium class or equivalent processor
128 MB RAM

Recommended Hardware:
Intel Pentium III/AMD Athlon or equivalent or higher
256 MB RAM
50 MB Free Hard Disk Space for installation
100 MB Free Hard Disk Space for Database.

Auxiliary Software:
Microsoft Data Engine (MSDE) 2000
Microsoft SQL Server 2000
Microsoft Data Access Components (MDAC) 2.7
(Both MSDE and MDAC are included with the product)


What is Enterprise Security Reporter and why do I need it?
Enterprise Security Reporter is a powerful tool designed to get answers to the questions you have about your network. By combing through the vast amount of data on your network and storing it in an open database, you now have the ability to analyze, query, and report on the security and configuration of your network. Enterprise Security Reporter’s one of a kind functionality - Delta Permissions Reporting™ - takes the manual labor out of viewing security. Using the tools that come with Microsoft Windows NT, you quickly realize that it is nearly impossible to gather the necessary information to produce the reports you need. Enterprise Security Reporter provides you an easy and efficient way to get the data and produce reports that give you the answers you need.

What is Delta Permissions Reporting?
Small Wonders Software developed a new technology we have termed Delta Permissions Reporting. It is an innovative way of viewing NTFS permissions on your network so that you can more easily administer the security. It compares parent and child objects and determines if security has changed from one object to the other. This allows reports that only contain places where permissions have changed to be generated, greatly reducing the time it takes to gather and report on security while creating smaller and more intelligibly reports.

In my permissions reports, I see +’s and –‘s, what do they mean?
Enterprise Security Reporter uses symbols in its report to show changes in permissions as you travel down a directory tree. If a permission is added on a folder, it is denoted with a "+". If a permission is removed from an object down the tree, the removed account is denoted with a "-". If a permission is changed on an object down the tree, the account name is denoted with a "*". This is the basis of the Delta Permissions Reporting technology, which sets Enterprise Security Reporter apart from the competition. Our reports make it very easy to see exactly where permissions start, change, and end while traversing a highly complicated directory structure. This technology can quickly turn a 400 page "All permissions" report into a 4-page "Summarized Permissions" report.

Is Enterprise Security Reporter scalable?
Yes, Enterprise Security Reporter has been designed to handle the largest of organizations. Enterprise Security Reporter requires that you use Microsoft SQL Server 2000, or MSDE 2000 as your database back-end. Both of these solutions are scalable. For very large organizations it is recommended to use the full SQL Server 2000 product. This applies to organizations that will be reporting on thousands of server.

Will Enterprise Security Reporter slow down my network?
No. Enterprise Security Reporter was designed to minimize network traffic. Previous versions of Enterprise Security Reporter had the ability to deploy agents to speed up the process, but optimizations to the discovery process have made this unnecessary.

Can I develop my own reports and queries?
Yes, a fully documented MS SQL Server 2000 database allows you to develop your own queries and reports with any tool you choose. If you have any suggestions for new reports, please email them to as we are always open to good suggestions. In the installation directory for Enterprise Security Reporter there is a file called ESR2DatabaseGuide.pdf that describes the database tables and relationships.

I see the option to Browse data in Real-time. What does that mean?
Network and security data can be viewed in real-time or pulled from the database. Real-time is just that, you can browse that data now, rather than pulling data from the database.

Is Enterprise Security Reporter Windows 2000/XP compliant?
Yes. Enterprise Security Reporter understands and supports the inheritance model supported by Windows 2000/XP.

How does Enterprise Security Reporter handle data in Active Directory?
Enterprise Security Reporter 2 was designed to be able to accurately retrieve information for users and groups in Active Directory. This includes information on Nested Groups and the fully distinguished names of groups and users.

What is the first thing that I need to do when I run Enterprise Security Reporter?
The first step in using this product is to create a database for use by Enterprise Security Reporter. Then set up a list of servers that will be used in the reports and queries. This list tells Enterprise Security Reporter from which servers to get information and what information to get. The process of getting information from a server is referred to as the "discovery" process. A quick "walkthrough" document is included with the packaged product.

How do I add servers to the discovery process?
To add a new server to the server discovery list, click the "Add Servers" button on the bottom of the screen. The next screen that appears is the "Select Server for Discovery" screen.

After I add servers to the discovery list, what do I do next?
The “Select Server for Discovery" screen shows you all the domains and servers on your network. Place a checkmark next to the servers you wish to add to the discovery list, and then click the "OK" button. If you place a checkmark next to a domain name and then all the servers in that domain will be added to the list. Likewise, clearing the checkmark next to a domain name will clear all the checkmarks next to the servers in that domain.

How do I tell Enterprise Security Reporter what I want it to discover?
This is done by Selecting Discovery Items. Once you have added the servers to be discovered, the next step is to select which items you would like to be discovered about each server.

What does each of the choices discover?

  • Groups: For a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC), this will cause both global groups for the domain and local groups on the PDC to be discovered. For a standalone server or workstation, this will cause all the local groups defined on that machine to be discovered.
  • Groups Members: This option retrieves members for groups. This is helpful when generating Group Membership sub reports or using the Group Membership Report Builder.
  • Users: For a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC), this will cause global users for the domain to be discovered. For a standalone server or workstation, this will cause all the local users defined on that machine to be discovered.
  • Extended User Information: This option gathers additional information about users such as logon dates, logon times and account status information.
  • Account Rights: This option discovers what rights are assigned to which accounts.
  • Computer Policies: This option gathers which account and password policies are set on each server.
  • Printers: This option catalogs all the printers that are defined on a computer. If the printer is shared, the share name will also be discovered and recorded.
  • Services: This option catalogs all the services and devices that are defined on a computer. Note that this includes devices, which show up under the "Devices" applet in the control panel.
  • Shares: A share is any folder on a local machine that is shared for access by others. Selecting this option will discover all shares on the machine, both file shares and administrative shares. See the "Printers" option for information on discovering print shares.
  • Registry Keys: This option catalogs all the registry information that is defined on a computer.
  • Volumes: Volumes are defined as the local logical drives on a particular machine. By discovering these items, you will be able to gain access to the folders and files defined on that machine.
  • Folders: The behavior of this option is dependent on the "Summary Mode" option and the "Paths >>>" button (both described later). In general, this option will cause the discovery process to catalog the folders that are defined on a machine. See the options mentioned earlier for a description of their effect on this option.
  • Files: Like the "Folders" option, this option is also dependent on the "Summary Mode" option and the "Paths >>>" button. In general, this option will cause the discovery process to catalog the files that are defined on a machine. See the options mentioned earlier for a description of their effect on this option. Warning: only select this option if you specifically need information about the files and their associated permissions. Discovering files dramatically slows down the discovery process and dramatically increases the amount of space required to store the data.
  • Permissions: Several of the options shown above include a "Permissions" option next to them. These options cause ENTERPRISE SECURITY REPORTER to discover all available permissions about objects as they are being discovered.

What if I only want to select certain paths, and not the entire server? Will Enterprise Security Reporter let me do this?
Yes. This can be accomplished by adding a list of paths that you want included or excluded from the discovery process. When you click the "Paths >>>" button, a screen appears that allows you to make the necessary selections.

Can I exclude certain paths from the discovery process with Enterprise Security Reporter?
Yes. To exclude a path from being discovered, first add the path to the list and then double-click the text in the "Include" column to set the text to "No". If you have added one or more paths that you don't want included in the list, highlight the paths and click the "Remove Path" button.

My servers are always changing, and new information is being added and taken away. Will Enterprise Security Reporter allow me to schedule the discovery process so that I may have the most current information available? If so, how do I do this?
Yes. In order for Enterprise Security Reporter to provide the most benefit, the data must be pulled from the servers on a regular basis. The best way to accomplish this is to schedule the discovery of the servers. Each server can be scheduled and discovered independently of the other servers. Note: The Discovery Service MUST be running in order for scheduled jobs to execute.

Does Enterprise Security Reporter overwrite the information in the database each time?
No. Enterprise Security Reporter has the ability to store discoveries in individual datasets to allow you to view previously discovered data and report on it.

What are my options for scheduling a job? Can I schedule more than one job at a time?
You have several options for scheduling a job. You can schedule it to run one time, every hour, every day, every week, or every month. By using a combination of these options, you can attain virtually any schedule you may need. Notice that this screen supports multiple schedules, each of which can be active at the same time.

NOTE: Be sure that the "Enabled" checkbox in the upper right corner is selected, or the job will not run.

If I don’t want to schedule the discovery process, and I want to run it now, what do I do?
If you opt to perform the discovery immediately, you can click the "Begin Discovery" button. The Discovery Monitor will pop up and show you the progress of the job. You can launch the discovery of more than one server at a time by selecting multiple servers from the list before clicking the "Begin Discovery" button.

What is the difference between a query and a report?
Sometimes a query is more useful than a report because the data can be manipulated more easily. A report often answers a very specific question, whereas a query gets you a set of information that may answer several questions.

What languages do you use to support your queries?
The language supported by Enterprise Security Reported is the Structured Query Language (SQL). More specifically, the "flavor" of the language is Microsoft's Transact-SQL supported by Microsoft SQL Server 2000 and later. Because the query is processed via Microsoft's ActiveX Data Objects (ADO), you may encounter certain parts of the Transact-SQL syntax that are not 100% supported. Please consult Microsoft's web site for information on ADO. Typically any query that can be executed in Microsoft's ISQL/w utility that ships with SQL Server 2000 and later can be executed through the Enterprise Security Reporter interface.

I have downloaded and am trying a copy of Enterprise Security Reporter. I have it installed but I don’t have the option to "add servers" (grayed out).
The most common cause is the failure to create the database. To do this go to your program files and Enterprise Security Reporter 2, then choose ESR2 Database Maintenance Utility(or click “Tools” (from within ESR), then choose “Database Maintenance Utility”), click the “Action” dropdown box and then choose “Create Database”, Click Go!

I received an error message "ActiveX Component cannot create object" (429) error message while attempting to create the database. How do I fix it?
First, make sure that either MSDE 2000 or Microsoft SQL Server 2000 is installed on your machine. If it is installed and working properly, then the problem is probably that one of the DLL's used by MSDE/MSSQL is not registered correctly. To solve this problem, open a command prompt window and change to the directory in which MSDE/MSSQL is installed. This directory contains a subdirectory named "BINN". Change to this directory and type in the following command:

regsvr32 sqldmo.dll

This will register the DLL on your machine so that it can be used by the Database Maintenance Utility. After performing this step, run the "Enterprise Security Reporter Database Maintenance" utility from the "Start->Enterprise Security Reporter" menu and try to create the database again.

Where do I get the database for the application?
We provide a redistributable version of MSDE 2000 with Enterprise Security Reporter free of charge. You may also choose to use Microsoft SQL Server 2000 if you have this in your environment.



All trademarks are property of their respective owners or holders. Information subject to change without notice
Copyright © 2000 - 2015 AMT Software. All rights reserved.