Skip to main content
Sign in
HomeSecurity BulletinsLibraryLearnDownloadsSupport
Security TechCenter > Downloads > Security Tools > Microsoft Security Assessment Tool

Microsoft Security Assessment Tool

The Microsoft Security Assessment Tool (MSAT) is a free tool designed to help organizations like yours assess weaknesses in your current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your computing environment and your business. Begin the process by taking a snapshot of your current security state, and then use MSAT to continuously monitor your infrastructure’s ability to respond to security threats.

At Microsoft, the security of our customers' networks, business servers, end-user computers, mobile devices, and data assets are a top priority. We are committed to providing security tools like MSAT to help you improve the security state of your business.

Understanding Your Risks

MSAT is designed to help you identify and address security risks in your IT environment. The tool employs a holistic approach to measuring your security posture and covers topics including people, process, and technology.

MSAT provides:

  • Easy to use, comprehensive, and continuous security awareness
  • A defense-in-depth framework with industry comparative analysis
  • Detailed, ongoing reporting comparing your baseline to your progress
  • Proven recommendations and prioritized activities to improve security
  • Structured Microsoft and industry guidance

Visit the Trustworthy Computing site to find out more about the Microsoft commitment to trustworthy computing.

Read the most current Microsoft Security Intelligence Report. For further information, visit the Malware Protection Center.

The MSAT Process

MSAT consists of over 200 questions covering infrastructure, applications, operations, and people. The questions, associated answers, and recommendations are derived from commonly accepted best practices, standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from the Microsoft Trustworthy Computing Group and other external security sources.

The assessment is designed to identify the business risk of your organization and the security measures deployed to mitigate risk. Focusing on common issues, the questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that supports your business.

Beginning with a series of questions about your company's business model, the tool builds a Business Risk Profile (BRP), measuring your company’s risk of doing business due to the industry and business model defined by BRP. A second series of questions are posed to compile a listing of the security measures your company has deployed over time. Together, these security measures form layers of defense, providing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth. This sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the areas of analysis (AoAs)—infrastructure, applications, operations, and people.

In addition to measuring the alignment of security risk and defenses, this tool also measures the security maturity of your organization. Security maturity refers to the evolution of strong security and maintainable practices. At the low end, few security defenses are employed and actions are reactive. At the high end, established and proven processes allow a company to be more proactive, and respond more efficiently and consistently when needed.

Risk management recommendations are suggested for your environment by taking into consideration existing technology deployment, current security posture, and defense-in-depth strategies. Suggestions are designed to move you along a path toward recognized best practices.

This assessment—including the questions, measures, and recommendations—is designed for midsize organizations that have between 50 and 1,500 desktops in their environment. It is meant to broadly cover areas of potential risk across your environment, rather than provide an in-depth analysis of a particular technologies or processes. As a result, the tool cannot measure the effectiveness of the security measures employed. This report should be used as a preliminary guide to help you develop a baseline to focus on specific areas that require more rigorous attention. From the guidance provided by MSAT and security activities implemented, you can run the tool as often as you would like to gain further knowledge on your progress against an established baseline MSAT report.

Assessment Tool Overview

This Microsoft Security Assessment Tool is designed to assist you with identifying and addressing security risks in your computing environment. The tool employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance as needed. These resources may assist you in learning more about the specific tools and methods that can help you change the security posture of your IT environment.

The assessment is made up of over 200 questions, broken down into four categories:

  • Infrastructure
  • Applications
  • Operations
  • People

The questions that make up the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group but also other external security sources.

The following table lists the areas that are included in the security risk assessment.

InfrastructureImportance to Security
Perimeter DefensePerimeter defense addresses security at network borders, where your internal network connects to the outside world. This constitutes your first line of defense against intruders.
AuthenticationRigorous authentication procedures for users, administrators, and remote users help prevent outsiders from gaining unauthorized access to the network through the use of local or remote attacks.
Management and MonitoringManagement, monitoring, and proper logging are critical to maintaining and analyzing IT environments. These tools are even more important after an attack has occurred and incident analysis is required.
WorkstationsThe security of individual workstations is a critical factor in the defense of any environment, especially when remote access is allowed. Workstations should have safeguards in place to resist common attacks.

 

ApplicationsImportance to Security
Deployment and UseWhen business-critical applications are deployed in production, the security and availability of those applications and hosting servers must be protected. Continued maintenance is essential to help ensure that security bugs are patched and that new vulnerabilities are not introduced into the environment.
Application DesignDesign that does not properly address security mechanisms such as authentication, authorization, and data validation can allow attackers to exploit security vulnerabilities and thereby gain access to sensitive information.

Secure application development methodologies are key to ensuring that in-house or contracted developed applications address security threat models that could leave an organization open to exploits.

Integrity and confidentiality of data is one of the greatest concerns for any business. Data loss or theft can negatively impact organization revenue as well as its reputation. It is important to understand how applications handle business critical data and how that data is protected.

 

OperationsImportance to Security
EnvironmentThe security of an organization is dependent on the operational procedures, processes and guidelines that are applied to the environment. They enhance the security of an organization by including more than just technology defenses. Accurate environment documentation and guidelines are critical to the operation team's ability to govern, support and maintain the security of the environment.
Security PolicyCorporate security policy refers to the collection of individual policies and guidelines that exist to govern the secure and appropriate use of technology and processes within the organization. This area covers policies to address all types of security, such as user, system, and data.
Backup and RecoveryData backup and recovery is essential to maintaining business continuity in the event of a disaster or hardware/software failure. Lack of appropriate backup and recovery procedures could lead to significant loss of data and productivity. Company reputation and brand could be at risk.
Patch and Update ManagementGood management of patches and updates is important in helping secure an organization's IT environment. The timely application of patches and updates is necessary to help protect against known and exploitable vulnerabilities.

 

PeopleImportance to Security
Requirements and AssessmentsSecurity requirements should be understood by all decision-makers so that both their technical and their business decisions enhance security rather than conflict with it. Regular assessments by a third party can help a company review, evaluate, and identify areas for improvement.
Policies and ProceduresClear, practical procedures for managing relationships with vendors and partners can help protect the company from exposure to risk. Procedures covering employee hiring and termination can help protect the company from unscrupulous or disgruntled employees.
Training and AwarenessEmployees should be trained and made aware of security policies and how security applies to their daily job activities so that they do not inadvertently expose the company to greater risks.

Download

Related Links

MSAT Videos

  

MSAT Demo
Learn about developing a security strategy in terms of discovery, awareness, and prioritization while using MSAT.

4 minutes 20 seconds

  

Security Interview: Jeff Jones and Thomas Dawkins (Part 1 of 2)
Meet the product manager behind MSAT to learn about its development and design.

5 minutes 51 seconds

  

Security Interview: Jeff Jones and Thomas Dawkins (Part 2 of 2)
Security experts walk through MSAT with additional guidance and insight.

15 minutes 52 seconds

Manage Your Profile | Contact Us | Newsletter
© 2011 Microsoft. All rights reserved.Terms of Use | Trademarks | Privacy Statement | Site Feedback