Because it will save hours of (boring!) checkings (and oblivion) with an existing server to audit (or server you’ve just installed and you’re about to launch to production) everyone of us should have these tools at hand!
- Microsoft Web Application Configuration Analyzer v2.0
- Microsoft Baseline Security Analyzer 2.2 (for IT Professionals)
- Microsoft Baseline Configuration Analyzer 2.1
- Attack Surface Analyzer
Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers).
To easily assess the security state of Windows machines, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.
MBSA 2.2 builds on the previous MBSA 2.1.1 version that supports Windows 7 and Windows Server 2008 R2 and corrects minor issues reported by customers. As with the previous MBSA versions, MBSA 2.2 includes 64-bit installation, security update and vulnerability assessment (VA) checks and support for the latest Windows Update Agent (WUA) and Microsoft Update technologies. More information on the capabilities of MBSA is available on the MBSA Web site.
Microsoft Baseline Configuration Analyzer 2.1 (MBCA 2.1) can help you maintain optimal system configuration by analyzing configurations of your computers against a predefined set of best practices, and reporting results of the analyses. Best practices are developed by a product development team or domain experts, and are packaged in the form of a best practice model. Models are available as separately-downloadable packages that can be run and analyzed by MBCA. MBCA lets users work with best practice models in a consistent, user-friendly way.
Attack Surface Analyzer is developed by the Trustworthy Computing Security group. It is the same tool used by Microsoft’s internal product groups to catalogue changes made to operating system attack surface by the installation of new software.
Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.