This documentation is archived and is not being maintained.
Utility Spotlight: The Microsoft Security Assessment Tool
Lance Whitney is an IT consultant, trainer, and technical writer. He has spent countless hours tweaking Windows workstations and servers. Originally a journalist, Lance took a blind leap into the IT world 15 years ago.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
Download the code for this article: Microsoft Security Assessment Tool 3.0 (English Only) (10547.2KB)
Tracking down network security problems can be tricky and time-consuming. One tool that can help you identify and resolve security risks is the Microsoft® Security Assessment Tool (MSAT), a free utility that presents an electronic questionnaire in which you describe your security environment. Designed for mid-sized organizations with 50 to 500 computers, the MSAT poses 172 questions organized into different categories, then provides an analysis of your situation and recommendations on how to improve it.
The MSAT begins with a set of queries about your business model, which it uses to create a Business Risk Profile (BRP) that evaluates your security risk compared to others within your industry. The questionnaire typically takes two hours to complete, and you can stop and resume at any point. Here are the categories with sample questions:
Basic Information: How many clients and servers are in your organization?
Infrastructure Security: Do your employees work remotely? Do external contractors access your network?
Applications Security: Does your company develop applications? Does it store sensitive data processed by your applications?
Operations Security: Does your corporate network connect to external networks? Does your organization receive data feeds from external parties?
People Security: Does your company outsource computer maintenance? Do you let employees download sensitive company data to their workstations?
Environment: How many employees are in your organization? Is there high turnover in your IT department?
Next, the MSAT generates an assessment that uses a measurement called a Defense-in-Depth Index (DiDI), which focuses on the security processes you have in place. Using the same categories, typical questions are: Does your organization employ firewalls at each location? Do you use custom macros in your Microsoft Office applications? Do your users have administrative rights on their workstations? Do you have a policy for deploying patches and updates to your PCs?
In response to your answers, the MSAT offers three reports. The Summary Report displays a bar graph with the results. A high score in the BRP indicates more risk, while a high score in the DiDI represents more security. As the MSAT points out, while a low BRP and a high DiDI might seem preferable, it is more important to examine the individual areas. Thus, for each area, the Complete Report indicates whether you meet best practices, need improvement, or are severely lacking (see Figure 1).
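The following Python is an added illustration of the two-index model described above; it is not code from the article and not MSAT's own scoring, which the article does not describe in detail. It computes a weighted per-area risk index (BRP-style, where "yes" adds exposure) and a weighted per-area defense index (DiDI-style, where "yes" means a control is in place), then gives each area one of the three verdicts from the Complete Report. The question weights, the verdict thresholds and the sample answers are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Four of the questionnaire's areas, used for both indexes.
AREAS = ("Infrastructure", "Applications", "Operations", "People")


@dataclass(frozen=True)
class Answer:
    area: str       # one of AREAS
    question: str
    weight: int     # 1 (minor) .. 3 (major); an assumed weighting
    yes: bool       # BRP: "yes" adds exposure; DiDI: "yes" means control present


def index(answers):
    """Weighted percentage of 'yes' answers per area, 0-100.

    An area with no answers scores 0, so a missing section cannot
    accidentally look like a perfect defense score."""
    possible = defaultdict(int)
    achieved = defaultdict(int)
    for a in answers:
        if a.area not in AREAS:
            raise ValueError(f"unknown area: {a.area}")
        if not 1 <= a.weight <= 3:
            raise ValueError(f"weight out of range: {a.weight}")
        possible[a.area] += a.weight
        if a.yes:
            achieved[a.area] += a.weight
    return {
        area: (100 * achieved[area] // possible[area]) if possible[area] else 0
        for area in AREAS
    }


def verdict(brp, didi):
    """Per-area verdict from the gap between defense and risk (assumed thresholds)."""
    gap = didi - brp
    if gap >= 20:
        return "meets best practices"
    if gap >= 0:
        return "needs improvement"
    return "severely lacking"


def assess(brp_answers, didi_answers):
    """Build the per-area report: risk index, defense index and verdict."""
    brp = index(brp_answers)
    didi = index(didi_answers)
    return {
        area: {"brp": brp[area], "didi": didi[area],
               "verdict": verdict(brp[area], didi[area])}
        for area in AREAS
    }


def priorities(report):
    """Areas ordered by widest negative gap first: where to spend effort."""
    return sorted(report, key=lambda a: (report[a]["didi"] - report[a]["brp"], a))


# Constructed sample answers (not real MSAT output).
BRP_SAMPLE = [
    Answer("Infrastructure", "Do employees work remotely?", 2, True),
    Answer("Infrastructure", "Do external contractors access the network?", 3, True),
    Answer("Applications", "Does the company develop applications?", 2, True),
    Answer("Applications", "Do those applications store sensitive data?", 3, False),
    Answer("Operations", "Does the network connect to external networks?", 3, True),
    Answer("Operations", "Are data feeds received from external parties?", 2, False),
    Answer("People", "Is computer maintenance outsourced?", 2, False),
    Answer("People", "May employees download sensitive data to workstations?", 3, True),
]
DIDI_SAMPLE = [
    Answer("Infrastructure", "Firewalls at every location?", 3, True),
    Answer("Infrastructure", "Remote access requires VPN with strong authentication?", 2, True),
    Answer("Applications", "Office macros restricted or signed?", 2, False),
    Answer("Applications", "Secure development review in place?", 3, True),
    Answer("Operations", "Patch deployment policy documented?", 3, False),
    Answer("Operations", "Network segmented between zones?", 2, True),
    Answer("People", "Users without local administrator rights?", 3, False),
    Answer("People", "Security awareness training delivered?", 2, True),
]

if __name__ == "__main__":
    report = assess(BRP_SAMPLE, DIDI_SAMPLE)
    for area in priorities(report):
        r = report[area]
        print(f"{area:15} BRP={r['brp']:3} DiDI={r['didi']:3}  {r['verdict']}")
```

The point the article makes is visible in the output: Infrastructure scores 100 on both indexes, yet it only "needs improvement", because a high defense score against an equally high risk score leaves no margin, while Operations and People come out "severely lacking" despite moderate risk. Sorting by gap rather than by either index alone is what turns the two bar graphs into a prioritized list.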
Figure 1 The Complete Report
Finally, the Comparison Report asks you to upload your results anonymously to a secure MSAT Web site, where you can compare your results with those of other organizations.
You can download the tool from the Microsoft Security Guidance Web site at securityguidance.com or from the TechNet Magazine Web site at technetmagazine.com/code07.aspx.