Microsoft has released version 2.0 of its Web Application Configuration Analyzer (WACA) to the web.
"WACA is a tool that scans a server against a set of best practices recommended for pre-production and production servers. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers)," Microsoft stated.
"The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available here. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine."
New in version 2.0:
- Suppressions - you can now suppress any rule you feel isn't appropriate for your scan.
- Saving of suppression files - once you set up a suppression list you want to use you can save it off for future uses.
- You can change the suppressions and regenerate the report without needing to re-run the scan.
- Reporting - Updated the reporting section to include suppression information so you know what passed, failed, wasn't applicable and what was suppressed.
- Multiple reports - you can view multiple scans of the same machine or view a single machine's scan and compare it to other machines.
- Export to the Microsoft RED format.
- Scan multiple systems and SQL instances in one bulk scan.
- Additional rules - we've added in additional SQL rules.
- And of course bug fixes that were missed in the last release.