Share via


Security Tools to Administer Windows Server 2012

 

Applies To: Windows Server 2012, Windows 8

This topic for the IT professional lists and describes Microsoft tools that are available for Windows Server 2012 to administer security technologies and address ongoing threats to your computers and network.

To help you find the right tool for the job, the following security tools are grouped by category and task:

Category

Task

Access

Manage access to network resources

Auditing

Manage access to network resources

Certificate Services

Manage a CA and other Active Directory Certificate Services tasks

Computer

Analyze and manage computer processes and performance

Credentials

Manage user accounts, groups, and credentials 

Cryptography

Manage certificates and encryption

Files

Take ownership or securely delete files

Security policies

Analyze and manage security policies

Security principals

Modify or create new security principals

System security

Diagnose, plan and remediate overall system security

The following list provides links to the security cmdlets included in the Windows PowerShell Core Modules, and links to cmdlets for technologies that are sometimes used to manage security in your enterprise.

Manage user accounts, groups, and credentials

Managing user identities and processes for logon and authentication involve important yet often repetitive tasks. To obtain information about and manage user accounts, groups, and credentials, use one of the following tools.

Tool

Type

Description

Whoami [LH]

Windows command-line tool

Displays user, group, and privileges information for the user who is currently logged on to the local computer. If used without parameters, whoami displays the current domain and user name.

Cmdkey [LH]

Windows command-line tool

Creates, lists, and deletes stored user names and passwords or credentials.

Net localgroup [LH]

Windows command-line tool

Adds, displays, or modifies local groups.

Net user [LH]

Windows command-line tool

Adds or modifies user accounts, or displays user account information.

Get-Credential

Windows PowerShell cmdlet

Gets a credential object based on a user name and password.

Get-Authenticode Signature

Windows PowerShell cmdlet

Gets information about the Authenticode signature in a file.

LogonSessions

Sysinternals utility

Lists active logon sessions.

PsLoggedOn

Sysinternals utility

Lists users logged on to a computer.

Modify or create new security principals

Adding, deleting, and modifying account and group information is one of the most frequent administrator tasks. To modify or create new security principals, use one of the following tools.

Tool

Type

Description

Ktpass [LH]

Windows command-line tool

Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file containing the shared secret key of the service.

Note

The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The Ktpass command-line tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Key Distribution Center (KDC) service in Windows Server 2008.

Cmdkey [LH]

Windows command-line tool

Creates, lists, and deletes stored user names and passwords or credentials.

Net localgroup [LH]

Windows command-line tool

Adds, displays, or modifies local groups.

Net user [LH]

Windows command-line tool

Adds or modifies user accounts, or displays user account information.

Dsadd [LH]

Windows command-line tool

Allows you to add specific types of objects to the directory.

Add-Computer

Windows PowerShell cmdlet

Adds computers to a workgroup or domain.

Remove-Computer

Windows PowerShell cmdlet

Removes computers from workgroups or domains.

Reset-ComputerMachinePassword

Windows PowerShell cmdlet

Resets the computer account password.

Manage certificates and encryption

Certificate and encryption can significantly strengthen the security of a network and its resources. To manage certificate requests and encrypted files or directories, use the following tools.

Tool

Type

Description

Certreq [WS2012]

Windows command-line tool

Requests certificates from a certification authority (CA), retrieves a response to a previous request from a CA, creates a new request from an .inf file, accepts and installs a response to a request, constructs a cross-certification or qualified subordination request from an existing CA certificate or request, or signs a cross-certification or qualified subordination request.

Cipher

Windows command-line tool

Displays or alters the encryption of directories and files on NTFS volumes. If used without parameters, cipher displays the encryption state of the current directory and any files it contains.

Get-PfxCertificate

Windows PowerShell cmdlet

Gets information about .pfx certificate files on the computer.

Certificate Provider 

Windows PowerShell provider

Allows you to navigate the certificate namespace and view the certificate stores and certificates. You can also copy, move, and delete certificates and certificate stores, and open the Certificates snap-in for the Microsoft Management Console (MMC).

Manage a CA and other Active Directory Certificate Services tasks

Active Directory Certificate Services (AD CS) role services allow an organization to issue and manage certificates that enable a variety of network infrastructure requirements. To manage a CA and complete a variety of other AD CS tasks, use the following tool.

Tool

Type

Description

Certutil [W2012]

Windows command-line tool

Collects and displays certification authority (CA) configuration information, configures AD CS, backs up and restores CA components, and verifies certificates, key pairs, and certification paths.

Manage access to network resources

Files, folders, and shares that are protected by using access control lists (ACLs) can be monitored and managed by using the following tools, cmdlets, and utilities. To obtain information about access permissions on resources, use one of the following tools.

Tool

Type

Description

Icacls [LH]

Windows command-line tool

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. Icacls.exe replaces the Cacls.exe tool for viewing and editing DACLs.

Dsacls [LH]

Windows command-line tool

Displays and changes permissions (access control entries) in the ACL of objects in Active Directory Domain Services (AD DS).

Get-Acl

Windows PowerShell cmdlet

Gets the security descriptor for a resource, such as a file or registry key.

ShareEnum

Sysinternals utility

Allows you to scan file shares on your network and view their security settings.

AccessChk

Sysinternals utility

Displays access permissions to files, registry keys, or Windows services for a specified user or group.

AccessEnum

Sysinternals utility

Displays access permissions to directories, files, and registry keys for all users and groups on computers in your domain.

Take ownership or securely delete files

Administrators might need to modify the ownership of files or ensure that deleted files cannot be accessed. To take ownership or securely delete files, use one of the following tools.

Tool

Type

Description

Takeown [LH]

Windows command-line tool

Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file.

SDelete

Sysinternals utility

Allows you to securely overwrite your sensitive files and remove previously deleted files by using this Department of Defense–compliant secure deletion program.

Manage security auditing and audit logs

Security auditing allows you to monitor and analyze a wide variety of computer and network activities. The following utilities can be used to configure event logging and manage event logs and event log entries.

Tool

Type

Description

Auditpol [Vista]

Windows command-line tool

Displays information about and performs functions to modify audit policy settings.

Logman [vista]

Windows command-line tool

Creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.

Clear-EventLog

Windows PowerShell cmdlet

Deletes all entries from specified event logs on a local or remote computer.

Get-Event

Windows PowerShell cmdlet

Gets the events in the event queue.

Get-EventLog

Windows PowerShell cmdlet

Gets the events in a specified event log or a list of the event logs on a computer.

New-Event

Windows PowerShell cmdlet

Creates a new event.

New-EventLog

Windows PowerShell cmdlet

Creates a new event log and a new event source on a local or remote computer.

Remove-event

Windows PowerShell cmdlet

Deletes events from the event queue.

Remove-EventLog

Windows PowerShell cmdlet

Deletes an event log or unregisters an event source.

Show-EventLog

Windows PowerShell cmdlet

Displays the event logs of the local or a remote computer in Event Viewer.

Write-EventLog

Windows PowerShell cmdlet

Writes an event to an event log.

Limit-EventLog

Windows PowerShell cmdlet

Sets the event log properties that limit the size of the event log and the age of its entries.

PsLogList

Sysinternals utility

Allows you to collect event log records.

Wevtutil [Vista]

Windows command-line tool

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

Analyze and manage security policies

Security policy is the configurable set of rules that the operating system follows when determining the permissions to grant in response to a request for access to resources. You can use the following tools to analyze and manage security policy settings for a single computer or a domain.

Tool

Type

Description

Security Configuration Wizard [w8]

Windows administrative tool

Determines the minimum functionality required for a server's role or roles and disables functionality that is not required.

Secedit [LH]

Windows command-line tool

Configures and analyzes system security by comparing an existing configuration to at least one template.

GPUpdate

Windows command-line tool

Refreshes local and domain Group Policy settings, including security settings.

Note

This command-line tool supersedes the /refreshpolicy option for the secedit command.

Gpresult [LH]

Windows command-line tool

Displays Resultant Set of Policy (RSoP) information for a local or domain user and computer.

Local Security Policy

Microsoft Management Console (MMC) snap-in

The Security Policy snap-in (secpol.msc) allows you to adjust settings for Account Policies, Local Policies, Windows Firewall with Advanced Security, Network List Manager Policies, Public Key Policies, Software Restriction Policies, Application Control Policies, IP Security Policies on Local Computer, and Advanced Audit Policy Configuration.

Security templates

Microsoft Management Console (MMC) snap-in

Security templates provide standard security settings to use as a model for your security policies. They help you troubleshoot problems with computers whose security settings are not in compliance with policy or are unknown. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis snap-in to MMC.

AppLocker Overview

Microsoft Management Console (MMC) snap-in

AppLocker helps you control which applications and files users can run. These include executable files, scripts, Windows® Installer files, DLLs, Packaged apps and Packaged app installers. You can also use AppLocker to inventory applications running on your computers.

Software Restriction Policies

Microsoft Management Console (MMC) snap-in

You can use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers. Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running.

Analyze and manage computer processes and performance

Understanding the configuration and behavior of a computer and the applications and processes running on that computer are important to diagnosing performance issues and system failures but can require detailed investigation. The following tools can assist with many of these tasks.

Tool

Type

Description

Runas [LH]

Windows command-line tool

Allows a user to run specific tools and programs with different permissions than the user's current logon provides.

Sc [Vista]

Windows command-line tool

Communicates with the Service Controller and installed services.

Shutdown [Vista]

Windows command-line tool

Enables you to shut down or restart local or remote computers one at a time.

Tasklist [LH]

Windows command-line tool

Displays a list of currently running processes on the local computer or on a remote computer.

Taskkill [LH]

Windows command-line tool

Ends one or more tasks or processes. Processes can be ended by process ID or image name.

Bootcfg [Vista]

Windows command-line tool

Configures, queries, or changes Boot.ini file settings.

Get-ExecutionPolicy

Windows PowerShell cmdlet

Gets the execution policies in the current session.

Set-ExecutionPolicy

Windows PowerShell cmdlet

Changes the user preference for the execution policy of the shell.

ShellRunAs

Sysinternals utility

Allows you to start programs as a different user via a shell context-menu entry.

PsTools

Sysinternals utility

Includes command-line tools for listing the processes running on local or remote computers, running processes remotely, restarting computers, and obtaining copies of event logs.

Autologon

Sysinternals utility

Allows you to bypass the password screen during logon.

Autoruns

Sysinternals utility

Shows what programs are configured to start automatically when a computer starts and the user logs on. Autoruns also shows the registry and file locations where applications can configure auto-start settings.

Process Explorer

Sysinternals utility

Allows you to find out what files, registry keys, and other objects processes are open, which dynamic link libraries (DLLs) they have loaded, and who owns each process.

PsExec

Sysinternals utility

Allows you to run processes with limited-user rights.

Diagnose, plan and remediate overall system security

Microsoft provides a number of free tools that can be used to diagnose overall system health, plan for improvements and migrations, and security and protect against the risk of infection from malware. The following tools can be used to accomplish these tasks.

Tool

Type

Description

The Security Development Lifecycle Developer Starter Kit

Download

The SDL Developer Starter Kit offers 14 content modules (with speaker notes, presenter guides, and sample comprehension questions) plus eight MSDN virtual labs with lab manuals—all created to help you build a customized SDL training program for your development teams.

Malicious Software Removal Tool

Download

Checks computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003Windows 8, Windows 7, Windows Vista, and Windows XP for infections by specific, prevalent malicious software and helps remove any infection found.

Microsoft Security Assessment Tool

Download

Provides information and recommendations about best practices to help enhance security within your IT infrastructure.

Enhanced Mitigation Experience Toolkit v4.0

Download

Allows you to design mitigation methods to help prevent malicious users from gaining access to your system.

Microsoft Threat Analysis & Modeling Tool

Download

Allows you to enter information including business requirements and application architecture, which is then used to produce a threat model.

RootkitRevealer

Sysinternals utility

Allows you to scan your computer for rootkit-based malware.

Sigcheck

Sysinternals utility

Allows you to collect file version information and verify that images on your computer are digitally signed.

Attack Surface Analyzer

Download

Allows you to catalogue changes made to the operating system attack surface by the installation of new software.

Microsoft Assessment and Planning Toolkit

Download

The MAP Toolkit is a powerful inventory, assessment and reporting tool that can securely assess IT environments for various platform migrations. Having an inventory of what platforms exist in your environment can enable you to more quickly deploy security updates, react to security incidents, contain any issues that may arise, and recover more quickly from those issues.

See also

The following table provides additional resources for security tools in related technologies.

Group Policy

Group Policy Overview

Active Directory Domain Services

Active Directory Domain Services Overview

Active Directory Certificate Services

Active Directory Certificate Services Overview

Security Troubleshooting

Wiki: Troubleshooting Portal

Windows Server Update Services

Windows Server Update Services Overview

Microsoft System Center

Microsoft System Center 2012