Microsoft released a couple of interesting tools for examining and keeping track of server configuration, particularly from the point of view of security:
Web Application Configuration Analyzer "is a tool that scans a server against a set of best practices recommended for pre-production and production servers. The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications," the software company notes.
"The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available here. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers)," explained Microsoft.
This release included some new features:
- Suppressions - you can now suppress any rule you feel is not appropriate for your scan.
- Saving of suppression files - once you set up a suppression list you want to use, you can save it off for future use.
- You can change the suppressions and regenerate the report without needing to re-run the scan.
- Reporting - Updated the reporting section to include suppression information so you know what passed, failed, was not applicable and what was suppressed.
- Multiple reports - you can view multiple scans of the same machine or view a single machine's scan and compare it to other machines.
- Export to the Microsoft RED format.
- Scan multiple systems and SQL instances in one bulk scan.
- Additional rules - we've added additional SQL rules.
- And of course bug fixes that were missed in the last release.
Attack Surface Analyzer "is developed by the Security Engineering group, building on the work of our Security Science team. It is the same tool used by Microsoft's internal product groups to catalogue changes made to operating system attack surface by the installation of new software," the software giant stated.
"Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface."
Microsoft lists the intended audiences as:
- Developers, to view changes in the attack surface resulting from the introduction of their code on to the Windows platform
- IT Professionals, to assess the aggregate attack surface change caused by the installation of an organization's line of business applications
- IT Security Auditors, to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
- IT Security Incident Responders, to gain a better understanding of the state of a system's security during investigations (if a baseline scan was taken of the system during the deployment phase)
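The before/after snapshot idea behind Attack Surface Analyzer is easy to reproduce on a small scale. The PowerShell below is an added example, not code from the Microsoft tool and not an illustration of its file format or command line: it collects a handful of the elements an installer typically changes (services, listening TCP ports, enabled inbound firewall allow rules, scheduled tasks and the HKLM Run/RunOnce autostart entries), writes them as sortable text lines, and diffs a baseline against a post-install snapshot. The file names `baseline.txt` and `product.txt` and the choice of elements are assumptions made for illustration; the real tool covers far more of the Windows attack surface.

```powershell
# Added example (not Microsoft's Attack Surface Analyzer): a minimal
# before/after attack-surface snapshot and diff in PowerShell.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP, NetSecurity and
# ScheduledTasks modules), run from an elevated prompt so every service,
# socket owner and task is visible.

function Get-AttackSurfaceSnapshot {
    # Each element is rendered as one string so snapshots can be diffed line by line.
    $services = Get-CimInstance Win32_Service |
        ForEach-Object { "service|$($_.Name)|$($_.StartMode)|$($_.StartName)|$($_.PathName)" }

    $listeners = Get-NetTCPConnection -State Listen |
        ForEach-Object { "listen|$($_.LocalAddress):$($_.LocalPort)|pid=$($_.OwningProcess)" }

    $firewall = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object { "fwrule|$($_.Name)|$($_.Profile)" }

    $tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        ForEach-Object { "task|$($_.TaskPath)$($_.TaskName)|$($_.Principal.UserId)" }

    # Autostart entries: every value under the machine-wide Run/RunOnce keys,
    # skipping the PS* provider properties that Get-ItemProperty adds.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "autorun|$key|$($_.Name)=$($_.Value)" }
        }
    }

    @($services; $listeners; $firewall; $tasks; $autoruns) |
        Where-Object { $_ } |        # drop nulls from empty categories
        Sort-Object -Unique
}

function Compare-AttackSurfaceSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$Baseline,   # lines captured before the install
        [Parameter(Mandatory)][string[]]$Product     # lines captured after the install
    )
    # Compare-Object emits only lines present on one side:
    # '=>' means the element exists only after installation (added),
    # '<=' means it existed only before (removed or changed).
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Product |
        ForEach-Object {
            [pscustomobject]@{
                Change  = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Element = $_.InputObject
            }
        }
}

# Usage (file names are assumptions):
#   Get-AttackSurfaceSnapshot | Set-Content -Path .\baseline.txt   # before the install
#   ... install the product under review ...
#   Get-AttackSurfaceSnapshot | Set-Content -Path .\product.txt    # after the install
#   Compare-AttackSurfaceSnapshot -Baseline (Get-Content .\baseline.txt) `
#                                 -Product  (Get-Content .\product.txt) | Format-Table -AutoSize
```

A service whose binary path or logon account changed shows up as one `Removed` and one `Added` line with the same name, which is exactly the kind of change (new listener, new `LocalSystem` service, new autostart entry) a reviewer wants to question. Keeping the baseline file from deployment time is what makes the incident-response use above possible: the same diff run against a current snapshot shows what has appeared on the box since.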