Hosting Web servers on Windows NT or Windows 2000 systems is a very popular solution. However, it's not always the most secure option. The Windows operating systems and Internet Information Server (the Web server platform) are vulnerable to many attacks right out of the box and even more when combined with other software, poor configuration and less than vigilant patch management.
Testing new software before and after deployment for security breaches and vulnerabilities is always a good idea. Likewise, staying abreast of the latest secure configuration settings helps maintain the protection your Web site desperately needs.
Maintaining vigilance at becoming aware of, researching and applying new security patches from Microsoft can be a full-time job all its own. There never seems to be a month free from at least one mission-critical security vulnerability discovery that requires a re-configuration or application of a hotfix to prevent ultimate disaster.
Fortunately, Microsoft has teamed up with Shavlik Technologies to bring you a free utility: Microsoft Baseline Security Analyzer. This tool is used to inspect a system locally or remotely for all known security vulnerabilities which are corrected by a hotfix or service pack as well as for secure configurations and settings of the OS and GPOs. If you use the tool's GUI, you get a clean report with clearly marked high, medium and low priority issues. If you are a wiz at scripting, you can use the plain text report generated from the command line functionality of MBSA to automatically detect missing hotfixes and automate their installation.
MBSA can be obtained from: www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
MBSA can be used to scan Windows NT 4.0 and newer Microsoft OS, IIS 4.0+, SQL 7.0+, Office 2000+ and IE 5.01+.
With regular use, the MBSA can greatly reduce the administrative time required to maintain a system at peak security (at least as far as Microsoft patches and baseline security settings are concerned). This tool should be used as a time saver and not as a replacement for solid security practices and an enforced organizational security policy.
Shavlik Technologies offers a commercial version (EnterpriseInspector) of this tool with many more features at www.shivlik.com.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
Share your thoughts on this tip in our Letters to the Editors Discussion Forum.
This was first published in May 2002