Hack 78 Microsoft Security Tools


Here's a quick guide to various tools from Microsoft to help secure your systems against attack.

This list represents my personal take on the wide variety of security tools currently offered by Microsoft. It includes tools for security assessment, patch management, security scanning, system updating, lockdown, auditing, intrusion detection, virus protection, and system cleaning. There's also a brief list of RFCs that every security professional (including those who work with platforms other than Windows) should become familiar with.

I plan to update this list at myITforum.com (http://www.myitforum.com) as new items become available. If you have any suggestions to add to the list, drop me a note at myITforum@cinci.rr.com.

Assessment, Patch Management, and Software Update Services and Tools

The Microsoft Baseline Security Analyzer (MBSA) (http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp) is a popular security tool that scans single systems or multiple systems across a network for common system misconfigurations and missing security updates.

Software Update Services (SUS) (http://www.microsoft.com/windowsserversystem/sus/default.mspx) simplifies the process of keeping Windows-based systems up-to-date with the latest critical updates. See [Hack #89] in Chapter 9 for tips on using this tool.

QChain (http://support.microsoft.com/default.aspx?scid=KB;EN-US;296861) allows administrators to script the installation of several patches without requiring multiple reboots. To use this tool, you create a batch file to update your security configuration with hotfixes. Note that QChain is not required if you are running Windows 2000 Service Pack 3 or later, or more recent versions of Windows, such as XP and 2003.

Finally, the KB 824146 Scanning Tool (http://support.microsoft.com/default.aspx?scid=kb;en-us;827363) can be used to identify computers on networks that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed.

Automatic Scan and Update Tools for Windows and Office

To keep your operating system up-to-date with patches, use the Windows Update web site (http://windowsupdate.microsoft.com), which scans your computer and provides a selection of updates tailored for your operating system, software, and hardware. For updating Microsoft Office products, use the Microsoft Office Product Updates web site (http://office.microsoft.com/officeupdate/default.aspx).

Lockdown, Auditing, and Intrusion Detection Tools

The IIS Web Server Lockdown Wizard (http://www.microsoft.com/technet/security/tools/tools/locktool.asp) works by reducing the attack surface of Internet Information Services and includes URLScan to provide multiple layers of protection against attackers. Note that this tool is designed only for IIS 5 (Windows 2000); because IIS 6 (Windows Server 2003) has this functionality built into it, a download isn't necessary for that platform.

The UrlScan Security Tool (http://www.microsoft.com/technet/security/tools/tools/URLScan.asp) helps prevent potentially harmful HTTP requests from reaching IIS web servers. This tool also is designed mainly for IIS 5, because much (but not all) of the functionality of UrlScan is built into IIS 6.

EventCombMT is available as part of the Security Guide Scripts Download (http://www.microsoft.com/downloads/details.aspx?FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92). This multithreaded tool parses event logs from many servers at the same time, which is highly useful for monitoring your event logs for signs of intrusion.

The Cipher Security Tool for Windows 2000 (http://www.microsoft.com/technet/security/tools/tools/cipher.asp) permanently overwrites deleted data on hard drives. It's basically a replacement for the cipher command used to manage the Encrypting File System (EFS) from the command line.

Virus Protection and Cleaner Tools

The Office 2000 Update Service Pack 3 (http://www.microsoft.com/downloads/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE) includes the Outlook 2000 SR1 E-mail Security Update (OESU), which prevents users from accessing several potentially dangerous file types when sent as email attachments. It also increases the default security zone settings within Outlook.

The SQL Server 2000 Security Tools (http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600) can help you determine whether your computer or environment is vulnerable to the Slammer worm.

Top Security RFCs

Finally, here are some Request for Comments (RFC) documents that every security professional should become familiar with. These RFCs apply to any enterprise networking environment (pure Microsoft, mixed Windows/Unix, or pure Unix):

RFC 2196 Site Security Handbook (ftp://ftp.rfc-editor.org/in-notes/rfc2196.txt)

Describes how to develop security policies and procedures for sites connected to the Internet

RFC 2504 Users' Security Handbook (ftp://ftp.rfc-editor.org/in-notes/rfc2504.txt)

Similar to the Site Security Handbook, but designed for users.

RFC 2350 Expectations for Computer Security Incident Response (ftp://ftp.rfc-editor.org/in-notes/rfc2350.txt)

Describes expectations for computer security incident response teams.

These RFCs are also worth skimming through:

RFC 2828 Internet Security Glossary (ftp://ftp.rfc-editor.org/in-notes/rfc2828.txt)

A glossary of security terms and abbreviations

RFC 2577 FTP Security Considerations (ftp://ftp.rfc-editor.org/in-notes/rfc2577.txt)

A collection of tips on how to implement FTP servers securely

RFC 3013 Recommended Internet Service Provider Security Services and Procedures (ftp://ftp.rfc-editor.org/in-notes/rfc3013.txt)

Describes expectations of security for ISPs

-- Rod Trent and Mitch Tulloch