Windows Security Analysis Tool
Download configuration extractor and analyzer
This tool has two parts:
- The Windows configuration extractor is a script that runs on the server to extract necessary security configurations. This script doesn't make any changes to the server other than creating one main file to analyze and one temporary file.
Any computer running Windows 95, NT, 98, 98SE, ME, 2000, XP, 2003, or Vista
Download Extract Script version 33 (2012-03-08).
- The Windows configuration analysis tool runs on your workstation. Although I encourage you to download and run it from the website to make sure you have the latest version, the tool does not transfer the confidential configuration information to my server. If you participate in the anonymous statistics program, machine-identifiable information (such as IP and DNS information) is not sent to my statistics-gathering server.
Windows XP, 2000, 2003, or Vista.
Please note: The program will install the .NET Framework 2.0 if it is not already installed.
512MB RAM required, 1GB+ recommended.
Download Analyzer version 1.9 for .NET 2.0 (2012-03-13).
- Download the Extract Script and Analyzer
- Have the system administrator of the server in question copy the extract script into a new blank directory, review and run the script (the script is a plain batch file to assure administrators that it won't harm their production servers)
- Install/run the analyzer tool on a separate workstation
- If you encounter an error while installing a new version of the application, do the following:
  - Click Start
  - Click Control Panel
  - Click Add/Remove programs
  - Scroll down and click Windows Analyzer
  - Select "Remove the application from this computer" and click OK
  - Reinstall the analyzer by downloading it again
To analyze a single dump file:
- Click the "Browse 1 dump" button to select a single dump file to analyze.
- Select the computer type
- Click "Analyze 1 dump" to analyze a single dump file.
- Click "Save" to save the results in HTML format
- Select the "Summary" tab
- Click a cell, press Ctrl+A then Ctrl+C to copy all results to be pasted into Excel
To analyze multiple dump files in a single directory:
- Select the directory by clicking the "Browse & analyze all dumps in folder" button.
Results will be automatically saved in HTML format in the same folder as the dump files.
- Click a cell, press Ctrl+A then Ctrl+C to copy all results to be pasted into Excel
How does the program send optional anonymous statistic contributions?
The analyzer program sends the anonymous statistics through a 1024-bit SSL connection.
Is this program really free?
Yes. I wrote this program to help automate my Windows security analysis and to understand industry practice.
The program tests the target computer's configuration against industry best practice.
However, I would like to better understand industry common practice.
I hope that the optional anonymous statistics contribution system will provide a means to rate configurations against common industry practice in addition to the best practice.
Starting with the December 2006 edition, the analyzer will rate your configuration against the common practice.
Why are some of the "critical" Windows patches not listed?
Some patches, such as those released on Sept. 12, 2006, were only required for some very specific conditions. If the evaluated system doesn't meet those conditions, the patches will not be listed as not installed.
Windows security analysis features
In addition to the checks listed below, the tool also displays the following useful information:
The full "well-known" name of applications currently communicating over a network
The full "well-known" name of applications waiting for communication partners
Local and Domain groups
Members of built-in groups
Users with security-policy permissions
Value-added features added at the request of the user community:
Comparison of current settings against common industry practice under the "Statistics" tab
Bulk script analysis. The "Browse & analyze all dumps in folder" button will automatically analyze multiple dump files in a single directory.
The following is a list of the current checks:
(The percentage is the percent of analyzed computers that follow best practice, based on the computers that have submitted anonymous statistics:
848 XP computers,
4041 Windows 2003 computers,
498 Windows 2000 computers, and
9 Windows NT4 computers.)
File Permissions Checked
boot.ini (99% follow best practice)
autoexec.bat (99% follow best practice)
Version of Windows
Computer Name / Host name
Computer Manufacturer and Model
Domain Name server
DHCP assigned name server
If you enable the "contribute anonymous statistics" feature, the program will send only the version of Windows and the computer manufacturer/model. IP, company, domain, and other identifying information will not be sent.
Expanded in version 188.8.131.52 (May 2007 Edition)
Inoculan/eTrust (includes pattern information)
Network Associates/McAfee (includes pattern information)
Snort Intrusion Detection
Often Unneeded or Insecure Services
DHCP Client (usually shouldn't run on servers; unnecessary security risk) (1% follow best practice). NOTE: Even if a server uses a static IP, if the organization does not manually register DNS entries and relies on the DHCP service to provide dynamic DNS updates, the DHCP Client service needs to run on the server.
Wireless Configuration (demonstrates inadequate updates/configuration processes) (68% follow best practice)
Messenger (often unneeded) (92% follow best practice)
Print Spooler (often unneeded; unnecessary security risk) (31% follow best practice)
IIS Admin service (often unneeded; unnecessary security risk) (67% follow best practice)
Microsoft Exchange IMAP (unencrypted passwords when Exchange mail can encrypt) (100% follow best practice)
Microsoft Exchange POP3 (unencrypted passwords when Exchange mail can encrypt) (100% follow best practice)
World Wide Web Publishing Service (sometimes unneeded) (68% follow best practice)
FTP (sends passwords without encryption) (88% follow best practice)
NNTP (often unneeded; unnecessary security risk; exposes organizations to unnecessary liability) (98% follow best practice)
SNMP (often unneeded; unnecessary security risk) (46% follow best practice)
Windows Time (a time synchronization system should be used) (81% follow best practice)
SMS Agent (monitoring systems should be used appropriately) (9% follow best practice)
Compaq/HP Insight Manager (monitoring systems should be used appropriately) (29% follow best practice)
HTTP SSL (encrypted web pages) (33% follow best practice)
Local and Domain Account Configurations
Local password restrictions
Domain-based password restrictions
NIST SP 800-63 password policy compliance
Password complexity requirements
Server visibility status
Maximum Logged on users
Maximum open files per session
Idle session time
Current time at time server
Ctrl+Alt+Delete should be required to log-in (85% follow best practice)
The last logged-in username should not be displayed (1% follow best practice)
A legal notice should be displayed before log-in (68% follow best practice)
Users must log-in before they can shut down the computer (84% follow best practice)
NTLMv2 Authentication (implements 128-bit encrypted keys and provides a method to eliminate the LANMAN hash, which is easy to attack since it uses only upper-case letters and limits password length to 7 characters) (79% follow best practice)
Anonymous access to usernames (18% follow best practice)
Recovery Console security (0% follow best practice)
Clear page file at shutdown (3% follow best practice)
Prevent remote users from installing printer drivers (6% follow best practice)
Floppy access restrictions (94% follow best practice)
NTFS media (including hot-swappable drives) ejection (93% follow best practice)
CD-ROM access restrictions (94% follow best practice)
Password changes without logging in (16% follow best practice)
Logging and Auditing
Access of global system objects
Backups and restores
Process tracking (requires mechanism to purge logs)
Security rule (policy) changes
Will the server continue to operate without logging
Registry access from remote computers
Renamed Guest account
Renamed Administrator account
Guest account disabled
Administrator account disabled
Are updates automatically downloaded and installed (indicates bad change and patch management unless controlled through other means)
Automatic update server (if not default, may be used for patch management)
Java Runtime Environment version 1.4.2 and 1.3.1 vulnerabilities (added in version 184.108.40.206)
Computer Associates CAM version 1.11 build 54_4 and earlier vulnerabilities (added in version 220.127.116.11)
TCP/IP Filters (23% follow best practice)
Global TCP/IP filters
TCP/IP filters by network card
Restricted TCP and UDP ports by IP address
Restricted Protocols by IP address
Default directories that should be removed
default .dll and .asp files
Active connections are translated by well-known port numbers
Services listening for activity are translated by well-known port numbers
Event Logs (added in version 18.104.22.168)
Check for retention and purging
Display log file sizes
Trojans, Backdoors, and Worms (added in version 22.214.171.124 on Feb 6, 2007)
Back Orifice 2000
Citrix ICA (also has legitimate uses)
NetMeeting Remote Desktop Control (also has legitimate uses)
pcAnywhere (also has legitimate uses)
Reachout (also has legitimate uses)
Remotely Anywhere (also has legitimate uses)
Remote (also has legitimate uses)
Timbuktu (also has legitimate uses)
VNC (also has legitimate uses)
Active Directory (added in version 126.96.36.199)
Users with passwords that don't expire
Users with accounts that don't require passwords
Users with accounts that don't expire and don't require passwords
Users who haven't logged in for over a year
Bad password attempts
Greatest length of inactivity for a user
Potential test, guest, and temporary accounts
Following every black Tuesday, the software is updated to reflect the latest patches. I am still expanding this section to include historical critical updates.
Patches are only tested for Windows XP, 2000, 2003, and Vista
The Windows Security Analysis tool evaluates different patches based on the dump date and version of Windows as follows. It only evaluates for the critical patches that impact most users of the applicable version of Windows. As such, the patch checker should be used to determine if a computer's patches are up-to-date; it should not be used to check for all patches.
| Patch | Windows versions | Date |
|---|---|---|
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969): MS07-004 | Windows XP, 2000, 2003 | Jan. 9, 2007 |
| Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689): MS06-078 | Windows XP, 2000, 2003 | Dec. 12, 2006 |
| Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121): MS06-077 | Windows 2000 | Dec. 12, 2006 |
| Vulnerability in Windows Could Allow Elevation of Privilege (926255): MS06-075 | Windows XP, 2003 | Dec. 12, 2006 |
| Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088): MS06-071 | Windows XP, 2000, 2003 | Nov. 14, 2006 |
| Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213): MS06-068 | Windows XP, 2000, 2003 | Nov. 14, 2006 |
| Vulnerability in Server Service Could Allow Denial of Service (923414): MS06-063 | Windows XP, 2000, 2003 | Oct. 10, 2006 |
| Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191): MS06-061 | Windows XP, 2000, 2003 | Oct. 10, 2006 |
| Vulnerability in Windows Explorer Could Allow Remote Execution (923191): MS06-057 | Windows XP, 2000, 2003 | Oct. 10, 2006 |
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486): MS06-055 | Windows XP, 2000, 2003 | Sept. 26, 2006 |
| Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007): MS06-052 | Windows XP, 2000, 2003 | Sept. 12, 2006 |
| Vulnerability in Server Service Could Allow Remote Code Execution (921883): MS06-040 | Windows XP, 2000, 2003 | Aug. 8, 2006 |
| Vulnerabilities in DNS Resolution Could Allow Remote Code Execution (920683): MS06-041 | Windows XP, 2000, 2003 | Aug. 8, 2006 |
| Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008): MS06-044 | Windows 2000 | Aug. 8, 2006 |
| Vulnerability in HTML Help Could Allow Remote Code Execution (922616): MS06-046 | Windows XP, 2000, 2003 | Aug. 8, 2006 |
| Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422): MS06-051 | Windows XP, 2000, 2003 | Aug. 8, 2006 |
| Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388): MS06-036 | Windows XP, 2000, 2003 | July 11, 2006 |
| Vulnerability in Server Service Could Allow Remote Code Execution (917159): MS06-035 | Windows XP, 2000, 2003 | July 11, 2006 |
| Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537): MS06-034 | Windows XP Pro, 2000, 2003 with IIS | July 11, 2006 |
| Vulnerability in ASP.NET Could Allow Information Disclosure (917283): MS06-033 | Windows XP, 2000, 2003 with .NET Framework 2.0 | July 11, 2006 |
| Vulnerability in TCP/IP Could Allow Remote Code Execution (917953): MS06-032 | Windows XP, 2000, 2003 | June 13, 2006 |
| Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736): MS06-031 | Windows 2000 | June 13, 2006 |
| Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389): MS06-030 | Windows XP, 2000, 2003 | June 13, 2006 |
| Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280): MS06-025 | Windows XP, 2000, 2003 | June 13, 2006 |
| Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): MS06-023 | Windows XP, 2000, 2003 | June 13, 2006 |
| Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439): MS06-022 | Windows XP, 2003 (Windows 2000 only with IE6) | June 13, 2006 |
| Cumulative Security Update for Internet Explorer (916281): MS06-021 | Windows XP, 2000, 2003 with IE6 | June 13, 2006 |
More explanations of findings
Links that describe how to fix problems
Display results based on computer type
Sites that publish this tool
Through a little ego-Google™ing, I've discovered that the following sites now offer this tool:
Download counts are as of September 21, 2008
Download.com (1,320 downloads)
Version Tracker (1,406 downloads)
Softpedia (609 downloads)
In addition, 2725 visitors have downloaded the Windows Analyzer directly from this site.
However, only 2209 users have downloaded the Windows Dump Script.
Please contact me if you find any other sites that offer downloads of this tool.