Security Tools

Applies To: Windows Server 2008, Windows Vista

A variety of tools are available to administer security and address ongoing threats to your computers and network. To help you find the right tool for the job, the following security tools are grouped by task:

  • Manage user accounts, groups, and credentials

  • Modify or create new security principals

  • Manage certificates and encryption

  • Manage a CA and other Active Directory Certificate Services tasks

  • Manage access to network resources

  • Take ownership or securely delete files

  • Manage security auditing and audit logs

  • Analyze and manage security policies

  • Analyze and manage computer processes and performance

  • Diagnose and remediate overall system security

This is not an exhaustive list, either of security-related tasks or of security-related tools. Other tools that are not listed here can be used to perform tasks that have security implications, and additional security-related tools will be added to this list periodically. For additional tools, see:

Manage user accounts, groups, and credentials

Managing user identities and the processes for logon and authentication involves important yet often repetitive tasks. To obtain information about and manage user accounts, groups, and credentials, use one of the following tools.

Tool (type): Description

Whoami (Windows command-line tool): Displays user, group, and privileges information for the user who is currently logged on to the local computer. If used without parameters, whoami displays the current domain and user name.

cmdkey (Windows command-line tool): Creates, lists, and deletes stored user names and passwords or credentials.

NET LocalGroup (Windows command-line tool): Adds, displays, or modifies local groups.

NET User (Windows command-line tool): Adds or modifies user accounts, or displays user account information.

Get-Credential (Windows PowerShell cmdlet): Gets a credential object based on a user name and password.

Get-AuthenticodeSignature (Windows PowerShell cmdlet): Gets information about the Authenticode signature in a file.

LogonSessions (Sysinternals utility): Lists active logon sessions.

PsLoggedOn (Sysinternals utility): Lists users logged on to a computer.

Modify or create new security principals

Adding, deleting, and modifying account and group information is one of the most frequent administrator tasks. To modify or create new security principals, use one of the following tools.

Tool (type): Description

Ktpass (Windows command-line tool): Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file containing the shared secret key of the service.

Note
The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The Ktpass command-line tool allows UNIX-based services that support Kerberos authentication to use the interoperability features provided by the Key Distribution Center (KDC) service in Windows Server 2008.

cmdkey (Windows command-line tool): Creates, lists, and deletes stored user names and passwords or credentials.

NET LOCALGROUP (Windows command-line tool): Adds, displays, or modifies local groups.

NET USER (Windows command-line tool): Adds or modifies user accounts, or displays user account information.

Dsadd (Windows command-line tool): Allows you to add specific types of objects to the directory.

Add-Computer (Windows PowerShell cmdlet): Adds computers to a workgroup or domain.

Remove-Computer (Windows PowerShell cmdlet): Removes computers from workgroups or domains.

Reset-ComputerMachinePassword (Windows PowerShell cmdlet): Resets the computer account password.

Manage certificates and encryption

Certificates and encryption can significantly strengthen the security of a network and its resources. To manage certificate requests and encrypted files or directories, use the following tools.

Tool (type): Description

Certreq (Windows command-line tool): Requests certificates from a certification authority (CA), retrieves a response to a previous request from a CA, creates a new request from an .inf file, accepts and installs a response to a request, constructs a cross-certification or qualified subordination request from an existing CA certificate or request, or signs a cross-certification or qualified subordination request.

Cipher (Windows command-line tool): Displays or alters the encryption of directories and files on NTFS volumes. If used without parameters, cipher displays the encryption state of the current directory and any files it contains.

Get-PfxCertificate (Windows PowerShell cmdlet): Gets information about .pfx certificate files on the computer.

Certificate Provider (Windows PowerShell provider): Allows you to navigate the certificate namespace and view the certificate stores and certificates. You can also copy, move, and delete certificates and certificate stores, and open the Certificates snap-in for the Microsoft Management Console (MMC).

Manage a CA and other Active Directory Certificate Services tasks

Active Directory Certificate Services (AD CS) role services allow an organization to issue and manage certificates that enable a variety of network infrastructure requirements. To manage a CA and complete a variety of other AD CS tasks, use the following tool.

Tool (type): Description

Certutil (Windows command-line tool): Collects and displays certification authority (CA) configuration information, configures AD CS, backs up and restores CA components, and verifies certificates, key pairs, and certification paths.

Manage access to network resources

Files, folders, and shares that are protected by using access control lists (ACLs) can be monitored and managed by using the following tools, cmdlets, and utilities. To obtain information about access permissions on resources, use one of the following tools.

Tool (type): Description

Icacls (Windows command-line tool): Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. Icacls.exe replaces the Cacls.exe tool for viewing and editing DACLs.

Dsacls (Windows command-line tool): Displays and changes permissions (access control entries) in the ACL of objects in Active Directory Domain Services (AD DS).

Get-Acl (Windows PowerShell cmdlet): Gets the security descriptor for a resource, such as a file or registry key.

ShareEnum (Sysinternals utility): Allows you to scan file shares on your network and view their security settings.

AccessChk (Sysinternals utility): Displays access permissions to files, registry keys, or Windows services for a specified user or group.

AccessEnum (Sysinternals utility): Displays access permissions to directories, files, and registry keys for all users and groups on computers in your domain.

Take ownership or securely delete files

Administrators might need to modify the ownership of files or ensure that deleted files cannot be accessed. To take ownership or securely delete files, use one of the following tools.

Tool (type): Description

Takeown (Windows command-line tool): Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file.

SDelete (Sysinternals utility): Allows you to securely overwrite your sensitive files and clean free disk space so that previously deleted files cannot be recovered, using this Department of Defense–compliant secure deletion program.

Manage security auditing and audit logs

Security auditing allows you to monitor and analyze a wide variety of computer and network activities. The following utilities can be used to configure event logging and manage event logs and event log entries.

Tool (type): Description

Auditpol (Windows command-line tool): Displays information about and performs functions to modify audit policy settings.

Logman (Windows command-line tool): Creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.

Clear-EventLog (Windows PowerShell cmdlet): Deletes all entries from specified event logs on a local or remote computer.

Get-Event (Windows PowerShell cmdlet): Gets the events in the event queue.

Get-EventLog (Windows PowerShell cmdlet): Gets the events in a specified event log or a list of the event logs on a computer.

New-Event (Windows PowerShell cmdlet): Creates a new event.

New-EventLog (Windows PowerShell cmdlet): Creates a new event log and a new event source on a local or remote computer.

Remove-Event (Windows PowerShell cmdlet): Deletes events from the event queue.

Remove-EventLog (Windows PowerShell cmdlet): Deletes an event log or unregisters an event source.

Show-EventLog (Windows PowerShell cmdlet): Displays the event logs of the local or a remote computer in Event Viewer.

Write-EventLog (Windows PowerShell cmdlet): Writes an event to an event log.

Limit-EventLog (Windows PowerShell cmdlet): Sets the event log properties that limit the size of the event log and the age of its entries.

PsLogList (Sysinternals utility): Allows you to collect event log records.

WEvtUtil (Windows command-line tool): Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

Analyze and manage security policies

Security policy is the configurable set of rules that the operating system follows when determining the permissions to grant in response to a request for access to resources. You can use the following tools to analyze and manage security policy settings for a single computer or a domain.

Tool (type): Description

Security Configuration Wizard (SCW) (Windows administrative tool): Determines the minimum functionality required for a server's role or roles and disables functionality that is not required.

Secedit (Windows command-line tool): Configures and analyzes system security by comparing an existing configuration to at least one template.

GPUpdate (Windows command-line tool): Refreshes local and domain Group Policy settings, including security settings.

Note
This command-line tool supersedes the /refreshpolicy option for the secedit command.

GPResult (Windows command-line tool): Displays Resultant Set of Policy (RSoP) information for a remote user and computer.

Analyze and manage computer processes and performance

Understanding the configuration and behavior of a computer and of the applications and processes running on it is important for diagnosing performance issues and system failures, but can require detailed investigation. The following tools can assist with many of these tasks.

Tool (type): Description

Runas (Windows command-line tool): Allows a user to run specific tools and programs with different permissions than the user's current logon provides.

SC (Windows command-line tool): Communicates with the Service Controller and installed services.

Shutdown (Windows command-line tool): Enables you to shut down or restart local or remote computers one at a time.

Tasklist (Windows command-line tool): Displays a list of currently running processes on the local computer or on a remote computer.

Taskkill (Windows command-line tool): Ends one or more tasks or processes. Processes can be ended by process ID or image name.

Bootcfg (Windows command-line tool): Configures, queries, or changes Boot.ini file settings.

Get-ExecutionPolicy (Windows PowerShell cmdlet): Gets the execution policies in the current session.

Set-ExecutionPolicy (Windows PowerShell cmdlet): Changes the user preference for the execution policy of the shell.

ShellRunAs (Sysinternals utility): Allows you to start programs as a different user via a shell context-menu entry.

PsTools (Sysinternals utility): Includes command-line tools for listing the processes running on local or remote computers, running processes remotely, restarting computers, and obtaining copies of event logs.

Autologon (Sysinternals utility): Allows you to bypass the password screen during logon.

Autoruns (Sysinternals utility): Shows what programs are configured to start automatically when a computer starts and the user logs on. Autoruns also shows the registry and file locations where applications can configure auto-start settings.

Process Explorer (Sysinternals utility): Allows you to find out which files, registry keys, and other objects each process has open, which dynamic link libraries (DLLs) it has loaded, and who owns each process.

PsExec (Sysinternals utility): Allows you to run processes with limited-user rights.

Diagnose and remediate overall system security

Microsoft provides a number of free tools that can be used to diagnose overall system health and security and protect against the risk of infection from malware. The following tools can be used to accomplish these tasks.

Tool (type): Description

Malicious Software Removal Tool (Download): Checks computers running Windows 7, Windows Vista, Windows XP, Windows Server 2008, or Windows Server 2003 for infections by specific, prevalent malicious software and helps remove any infection found.

Microsoft Baseline Security Analyzer (MBSA) (Download): Helps small-sized and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

Microsoft Security Assessment Tool (Download): Provides information and recommendations about best practices to help enhance security within your IT infrastructure.

Microsoft Threat Analysis & Modeling Tool (Download): Allows you to enter information including business requirements and application architecture, which is then used to produce a threat model.

RootkitRevealer (Sysinternals utility): Allows you to scan your computer for rootkit-based malware.

Sigcheck (Sysinternals utility): Allows you to collect file version information and verify that images on your computer are digitally signed.