Windows Security Tools
Microsoft has been putting more effort into security, which Windows Server 2008 R2 and Windows 7 proves. They have been hardening the "out of the box" experience for some time and with the new Firewall and User Account Control features that come preconfigured, it is no wonder why many are moving to these more powerful and secure operating systems. Although the new, and even older, Windows operating systems are and can be more secure, what tools are available to help you configure your system for more than the firewall and UAC?
Microsoft Baseline Security Analyzer
MBSA has now been around for quite some time. The tool had great hopes when it first arrived on the scene, but has never developed into anything more than a tool that can be used to scan for installed patches. Yeah, MBSA does more than scan for patches, but the overall sense of the tool from nearly everyone is that it was never really all that useful.
The latest version of MBSA is v2.2 and can be downloaded here. The updated version of MBSA is not all that shocking, as it now supports Windows 7 and Windows Server 2008 R2, which everyone on the planet seems to be migrating to. Other features that MBSA v2.2 brings to the table include:
- Offline mode from graphical and command-line interfaces
- Support for Windows 7 and Windows Server 2008 R2
- Updated graphical user interface
- Full support for 64-bit platforms
- Improved support for Windows XP Embedded platform
- Automatic Microsoft Update registration and agent update for graphical interface or from the command-line
- Output completed scan reports to a user-selected directory path or network share
- Windows Server Update Services 2.0 and 3.0 compatibility
As you can see from Figure 1, the tool is easy to configure and picking the computers you want to scan is easy too. You can either scan the computer where you are running MBSA, or you can pick a range of IP addresses.
Figure 1: MBSA 2.2 configuration options before scanning.
Once a computer is scanned, the results are clearly displayed and easy to read as shown in Figure 2.
Figure 2: MBSA 2.2 scan output and summary.
The major issues that I have with MBSA are that it just does not have any customization and the security scans seem to be arbitrary and not very extensive. I wish I could add additional Registry entries to the scan, so I can include all of the other security settings that need to be configured.
Security templates are not new, actually, they were first introduced in Windows NT! Yeah, this security tool has been around the block, but still provides some good centralized security options.
Security templates provide an administrator the opportunity to configure some key security features, then use Group Policy via Active Directory to deploy the settings. Since Group Policy can configure multiple computers with just one set of configurations, security templates provide a way to configure many computers with very little effort.
Security templates have been leveraged, then not used, then leveraged, then not used... as each operating system has been updated. For example, in the Windows 2000 era there were "pre-configured" security templates such as basicsv.inf, hisecdc.inf, securedc.inf, compatws.inf, etc. These pre-configured security templates allowed an administrator to easily implement a baseline of security without much effort.
Security templates provide a way to configure some of the most common security features, which can be seen in Figure 3.
Figure 3: Security template configuration areas.
For more information on how to leverage security templates into a GPO go here.
In a similar way that MBSA fails to impress me, security templates fall short of an amazing way to deploy security due to the lack of customization. Yes, Group Policy is customizable, but security templates are not. What you see is what you can configure.
Security Configuration Wizard
I don't want to spend too much time on this tool, as it is only for servers, not for desktops. Therefore, this tool can't help you with the majority of the computers on the network, although it does provide a centralized method for configuring some hard to reach areas, such as the firewall.
Security Configuration Wizard (SCW) has been available for some time, back to the Windows Server 2003 days. The tool used to be an out of band download, but now is installed on every Windows Server 2008 and 2008 R2 computer, available on the Start Menu-Administrative Tools list.
The main points I want to make about the SCW tool are the following:
- SCW uses a security database, which is useful for what each Windows Server Role includes, including required firewall rules
- SCW touches on some hard to reach security areas, such as LM authentication protocol, SMB signing, and firewall rules
- SCW can consume security templates, adding to the configuration baseline options
- SCW results can be ported into a GPO using command-line options
For more information on SCW go here.
Security Compliance Manager
The latest in the Microsoft suite of tools that can help an organization setup security on Windows XP, 2003, Vista, 7, and Server 2008/2008 R2 is Security Compliance Manager (SCM). This tool is by far the best of the other tools on the list, but with more power comes more complexity. Not that the tool is all that complex, just that it is more complex than the others.
SCM is built on industry standards for security. Industry standards such as ITIL, SOX, GLBA, and HIPPA. The tool can be summarized for its overall capabilities in the following bullets:
- Security configurations are configured/documented in security baselines
- Security configurations are deployed using Group Policy
- Security configurations are checked/verified/audited using DCM packs via SCCM
In essence, Microsoft spent countless resources putting together a database of nearly every security setting possible in a GPO, making them available in an easy to read and configure tool. For each operating system, plus additional tools such as SQL and Office, Microsoft has preconfigured security baselines that are easily imported into SCM. An administrator can either take the baseline of settings as is, or customize them for the environment. Additional Registry entries can be added through the import and export to GPO option that SCM v2 provides.
I think this tool goes leaps and bounds beyond the other tools in this list. It is complete, works with Group Policy, works with SCCM, and is customizable.
Microsoft has been working to make security better and tools to help you configure security more complete. You should look at each tool in this list to see if it works for you, but you will find that each tool has some limitations in what it includes for security settings. Ideally, you will need to use more than one tool in your quest to secure your Windows desktops and servers, but maybe you can find one that does it all. In my opinion, the SCM tool is the most comprehensive, powerful, and customizable of all the tools available.