Where to Start? Try the Microsoft Security Assessment Tool
A few of you have emailed me asking where to start with security. That's a great question, because computer and network security is a very large field, and coming up with a single starting point that fits every network is a difficult task. Since each network is different, just where should you start your efforts to improve security? One way to get a great start is to use the Microsoft Security Assessment Tool (MSAT).
The Microsoft Security Assessment Tool is a free tool designed to help you assess weaknesses in your current IT security environment, produce a prioritized list of issues, and provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to begin strengthening the security of your network. You can begin the process by taking a snapshot of your current security state, and then use the MSAT on a regular basis to monitor your infrastructure's ability to respond to security threats.
The MSAT includes over 200 questions covering infrastructure, applications, operations, and people. The questions, answers, and recommendations are derived from commonly accepted best practices, standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from the Microsoft Trustworthy Computing Group (http://www.microsoft.com/mscorp/twc/default.mspx) and other external security sources.
The assessment is designed to identify the business risk of your organization and the security measures deployed to mitigate that risk. The questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that support your business.
Beginning with a series of questions about your company's business model, the tool builds a Business Risk Profile (BRP), which measures the risk your company takes on by doing business in the industry and with the business model the BRP captures. A second series of questions is posed to compile a list of the security measures your company has deployed over time.
These security measures form layers of defense, providing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth. This sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the four Areas of Analysis (AoAs): infrastructure, applications, operations, and people.
Risk management recommendations are suggested for your environment by taking into consideration existing technology deployment, current security posture, and defense-in-depth strategies. Suggestions are designed to move you along a path toward recognized best practices.
This assessment (including the questions, measures, and recommendations) is designed for midsize organizations that have between 50 and 1,500 desktops in their environment. It is meant to broadly cover areas of potential risk across your environment, rather than provide an in-depth analysis of particular technologies or processes.
As a result, the tool cannot measure the effectiveness of the security measures employed. The report should be used as a preliminary guide that helps you establish a baseline and focus on the specific areas that require more rigorous attention. Once you have acted on the MSAT guidance and implemented security activities, you can run the tool as often as you like to track your progress against that baseline MSAT report.
I recommend that you run the tool and discover what areas need to be addressed first. If network management and security is not your area of expertise, then I highly recommend that you find a partner who does have this specialization and work with that partner on putting together a plan to improve your overall security posture.
You can download the MSAT at http://www.microsoft.com/downloads/details.aspx?FamilyId=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)