Six Free Microsoft Security Resources
and Kai Axford
Microsoft Baseline Security Analyzer, Port Reporter, plus information on Windows XP SP2, Software Update Services, Microsoft security events, and more
Free? Just hearing that word on the radio or TV makes me cringe. Like you, I'm an IT professional. I'd be interested if one of the big hardware vendors decided to pass out free 20,000 RPM SCSI drives along with a fiber channel SAN, but that's about it.
So why in the world am I telling you about free stuff in this column? Well, because at Microsoft, we've got some amazing free security tools and whitepapers. If you fail to check them out, you're going to kick yourself just like you would if you missed out on a free SCSI drive. I do a lot of presentations and webcasts, and I've noticed that many IT pros have never heard of these tools. To be honest with you, that's a travesty.
This stuff is available now, you can get it today, and it's a whole lot more valuable than a SCSI drive.
Microsoft Baseline Security Analyzer
How would you like a tool that will help you assess some of the common security misconfigurations on your machines? The Microsoft® Baseline Security Analyzer (MBSA) is for you. MBSA is a best practices vulnerability assessment tool for the Microsoft platform. Once you install the MSI package locally (and as long as you have admin privileges), you can use it to scan multiple machines from just that one central location. MBSA runs on Windows® 2000, Windows XP, and Windows Server™ 2003. It can be used in GUI or command-line modes (for all you scripting gurus). It can also be used in conjunction with SMS.
As of this writing, the current version, MBSA 1.2.1, will scan the core operating system and a variety of applications (IIS, Exchange Server, SQL Server™, Office, BizTalk® Server, and Commerce Server, for example). The MBSA will then save these scans in a neat little XML report that you can view immediately or save for future use.
Now you might ask, "Is this one of those tools that I have to be able to read binary to understand?" The answer is absolutely not! The reports generated by this tool are simple to read and are easily understood by an IT pro. It uses a few simple colored icons to distinguish results: green (looking good!), yellow (warning: this has the potential to be bad), red (danger! danger! impending doom!), or blue (are you following the best practice here?). Basically, if you can drive a car, you can understand this tool—although if you see a blue flashing light, it's better just to pull over and not debate whether you were following a "best practice."
You can find out more information about MBSA and download it from
Microsoft Baseline Security Analyzer
Software Update Services with SP1
Patch management. It's a necessary task, but it shouldn't be a lifestyle. How you deploy patches in your organization directly affects your ability to get out of the office by 4:00 PM. If users install patches in your organization, you might wonder if this is something you really want to leave in the hands of people who only care about e-mail, solitaire, and instant messenging.
How do your users typically deploy their patches? They go to Windows Update and Select All, then they roll out all 90 updates onto their desktops at once. Have you ever heard a user say, "I really should test this patch in a controlled lab setting before deploying it to my desktop?" Almost never. They simply dump patch after patch onto their machines and reboot. If some obscure application doesn't work afterward, well, they just think it's the fault of the patches, but you'll get a big helping of blame, too.
Enter Software Update Services with SP1 (SUS), another free tool from Microsoft. Once loaded onto Windows 2000 or Windows Server 2003, it allows you to control patch deployments in your organization. SUS will pull down from the net all critical patches, security packs, and security updates that are currently available. Then you can selectively test and deploy those needed in your organization.
In addition, through either Group Policy Objects or a client registry setting, you can force the Auto Update client to point only to your SUS server for updates. You can also set the parameters regarding how and when the updating process occurs.
Watch for the next version of SUS, which will be called Windows Update Services. This new version, due out in the first half of 2005, will give you the ability to update drivers, noncritical patches, and so on.
Updates that do not require a reboot can be configured to be installed silently without user interaction or notification (we all know we don't want users determining what's best). Updates that do require a reboot will be grouped together so a single reboot accomplishes the task. Finally, the logging and reporting features will be greatly improved.
We all are familiar with Windows services and TCP ports and the like. (If you're not, then you are probably in marketing and can stop reading. Put down the magazine and slowly walk away from the Network Administrator's office.) Tools like NetStat can tell you which ports are open on a machine, but did you ever wonder exactly which process is listening on what port or whether it was a process at all? Check out the new Port Reporter at support.microsoft.com/?id=837243. The tool logs TCP and UDP port activity and provides you with a useful logfile.
The newly released
Port Reporter Parser
tool can help you quickly scan through these logfiles. It is a GUI-based tool that can scan based on IP addresses, ports, services, user accounts, host names, and so on. This is great for doing things like computer forensics and incident response or for just proving that you're right to a bunch of marketing people.
Microsoft spent a lot of money getting the security message out to the IT pro community. In five months, we've reached more than 500,000 IT pros worldwide. We've done summits, roadshows, forums, briefings, webcasts, and eLearning. We plan on continuing our security push well into next year. Be sure to check out the live shows, but if we miss your town or if you miss us while we're in town, then catch the security webcasts. There's no excuse for not getting this info! (Trust me—we'll have you home by 4:00 PM.)
For more information on Microsoft security events, see
Security Events & Webcasts
Windows XP and Windows Server 2003 Security
Finally, I need to mention some of the excellent security guides and whitepapers that have been assembled by some of the smartest guys I know. These docs contain a wealth of knowledge and answers to almost every Windows-based security configuration question I get. The Windows XP Security Guide contains detailed information on security settings in Group Policy ("What the heck is the difference between Audit Account Logon versus Audit Logon?"), securing standalone clients, and how to configure a Software Restriction Policy ("They'll never play solitaire again! Bwahahaha!"). Not only does the Guide discuss these things, it provides templates, checklists, scripts, and so on to assist you in rolling it out. The guide has been updated to include Windows XP SP2-related material, so go get this today! (Or send your junior admin to get it... they enjoy that sort of stuff.)
The Windows Server 2003 Security Guide outlines best practices for configuring your domain infrastructure as well as specifics on setting up your IIS, file, print, IAS, and infrastructure servers. It provides a stack of templates and tools that pertain directly to servers (and everyone loves servers). You will definitely want to get these guides!
Windows XP SP2
I'm sure that by now you've already tested and diligently loaded Windows XP SP2 onto all your clients. So let's move on... just kidding. I realize from talking with many of you in the field that many of you are still in the testing process (testing is good!), but unfortunately you cannot sit back and not deploy SP2 simply because it causes the "Sr. Executive Golf Score Tracking Tool" to hiccup. At some point, you need to get patches out of the lab and into production. Remember, you're in a race with all those malicious worm and virus writers, so test and move! This is especially important with Windows XP SP2 since it offers some really amazing advances in browser safety, network protection, memory protection, and safer e-mail handling, among other things. If you're concerned that your corporate customers will get this through Automatic Update before you can test it, Microsoft has actually provided a tool that will block SP2 deployment via Automatic Update until April 12, 2005. That buys you an additional six months of testing time! That tool is available at
Temporarily Disabling Delivery of Windows XP Service Pack 2 Through Windows Update and Automatic Updates
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited
So don't just test it, deploy it! Your users will thank you (which, as we all know, is a rare experience). You can then get back to more important things, like figuring out exactly how many 20,000 RPM SCSI drives you'll need to hold all of your vacation pictures. For more info on Windows XP SP2, visit
Windows XP Service Pack 2 Resources for IT Professionals