FW Editor: Hi, can we please start by you saying a few words about yourself? It is important for our readers to know how old you are and how long you have been developing applications.
Kevin Zehrer: I personally am forty-six years old and have been writing computer applications since I was twelve; before the first PC, back when the TRS-80 and Commodore PET were popular and Apple Computer was marketing the Apple II. I have been writing software professionally since I was twenty years old. We have 55 years of combined experience in the computer and technology industry. We established and incorporated VZ Systems in 2008.
FW Editor: How did you come up with the idea for ACLSweep? Do you plan to make constant updates or are you happy with the way it is right now?
Kevin Zehrer: While working on numerous other projects that had security components, we became very interested in the security subsystem implemented in the Windows NT-based operating systems. Specifically, the access control and privilege aspects are very flexible and powerful when properly utilized. There are a number of published guidelines on how to correctly administer systems and write applications to use these features. We found that it was common for administrators and developers to take some shortcuts to just make things work, which exposed a number of issues in security settings that ACLSweep scans for and fixes. For this release of the product, our focus was on developing the extensive algorithms used in the scans to fix issues while maintaining the effective access exactly as the user had configured it. We have a number of features planned for future releases and we are listening to customer feedback on how we can continually improve the product.
FW Editor: Can you please describe how this program really works? What is the feature you are the most proud of?
Kevin Zehrer: ACLSweep works by running various scans defined by the user. Depending on the type of scan and the options set, the scans can be used to find access differences between applications or users, replace unused or unknown security IDs, or fix common security issues found in the security settings on individual items such as files, folders, and registry keys. The application uses numerous security-related functions provided by the operating system as well as several proprietary routines developed specifically to find settings that do not adhere to best-practice guidelines. We are most proud of the number of setting issues that can be found and corrected without making any change to the effective access that was applied by the user or administrator.
FW Editor: Can you tell us how ACLSweep is able to conserve disk space and speed up access to files and applications?
Kevin Zehrer: When the Check Security Settings scans are used to fix issues, ACLSweep consolidates and reorders entries while maintaining the effective rights applied to the secured item and adhering to proper order rules. This makes the stored security settings smaller and more consistent, which helps the operating system utilize built-in functionality for consolidating storage for identical security descriptors, thereby conserving space. Every time any secured item is opened for access, these security settings are examined by the system to verify allowed access. The fixed settings stored by ACLSweep in most cases require the system to do less work for these checks, which speeds up access to opening the item. Access checks of this type are being done hundreds of times a second on typical systems, so the performance gain tends to be cumulative on the system but probably not noticeable on individual item accesses.
FW Editor: How is this program able to compare security settings between users or processes and to diagnose access issues?
Kevin Zehrer: ACLSweep utilizes a number of proprietary algorithms for all the scans. User and group access is determined by effective access using a unique process of including nested group memberships and granted privileges. Most other applications that show access information don’t use this in-depth information. Access granted to processes simply uses the security information contained in the process token. These effective accesses are compared for each item scanned and the differences are logged. Access issues are determined by searching each item for common pitfalls in security settings that either contradict published guidelines or contain recurring security holes, errors, or inefficiencies.
FW Editor: Does this application have an automatic scan? If you release an update, will the program update itself, or are we forced to check for updates once in a while?
Kevin Zehrer: ACLSweep comes with a number of predefined scans that can be run as is or they can be copied into new, user-defined scans. Any scan can be scheduled to run using the command line application provided, and the complete ‘fix’ scan can be scheduled using the easy user interface in the GUI application. There is a thorough log-only scan that identifies all the security issues on the system that users are prompted to run (if they choose) when they first use the application. The current version does not have automatic update checking; however, we do plan on having this feature in a future version.