Windows Security Analysis Tool
Download configuration extractor and analyzer
This tool has two parts:
- The Windows configuration extractor is a script that runs on the server to extract necessary security configurations. This script doesn't make any changes to the server other than creating one main file to analyze and one temporary file
System Requirements:
Any computer running Windows 95, NT, 98, 98SE, ME, 2000, XP, 2003, or Vista
Download Extract Script version 24 (2007-12-17).
- The Windows configuration analysis tool runs on your workstation. Although I encourage you to download and run it from the website to make sure you have the latest version, the tool does not transfer the confidential configuration information to my server. If you participate in the anonymous statistics program, machine-identifiable information (such as IP and DNS information) is not sent to my statistics-gathering server.
System Requirements:
Windows XP, 2000, 2003, or Vista.
Please note: The program will install the .net Framework 2.0 if not already installed.
512MB RAM required, 1GB+ recommended.
Download Analyzer version 1.6.8.142 for .net 2.0 (2007-12-17).
Download Analyzer for .net 1.1 (2007-07-07).
Instructions
- Download the Extract Script and Analyzer
- Have the system administrator of the server in question copy the extract script into a new blank directory, review and run the script (the script is a plain batch file to assure administrators that it won't harm their production servers)
- Install/run the analyzer tool onto a separate workstation
- If you encounter an error while installing a new version of the application, do the following:
- Click Start
- Click Control Panel
- Click Add/Remove programs
- Scroll Down and Click Windows Analyzer
- Select Remove the application from this computer and click OK
- Reinstall the analyzer by downloading it again
- once the script runs, copy the windump.txt (generated by the extract script) to the analysis workstation
- In the Analyzer, click the "Browse" button and select the appropriate windump.txt file
- Click the "Analyze" button to analyze the server configuration
FAQ
How does the program send optional anonymous statistic contributions?
The analyzer program sends the anonymous statistics through a 1024-bit SSL Connection.
Is this program really free?
Yes. I wrote this program to help automate my Windows security analysis and to understand industry practice.
The program tests the target computer's configuration against industry best practice.
However, would like to better understand industry common practice.
I hope that the optional anonymous statistics contribution system will provide a means to rate configurations against common industry practice in addition to the best practice.
Starting with the December 2006 edition, the analyzer will rate your configuration against the common practice.
Why are some of the "critical" Windows patches not listed?
Some patches, such as those released on Sept. 12, 2006, were only required for some very specific conditions. If the evaluated system doesn't meet those conditions, the patches will not be listed as not installed.
Windows security analysis features
In addition to the checks listed below, the tool also displays the following useful information:
The full "well-known" name of applications currently communicating over a network
The full "well-known" name of applications waiting for communication partners
Local and Domain groups
Members of built-in groups
Users with security-policy permissions
The following is a list of the current checks:
the percentage is the percent of analyzed computers that follow best practice based on:
156 XP Computers,
224 Windows 2003 computers,
58 Windows 2000 computers, and
9 Windows NT4 computers.)
That have submitted anonymous statistics.
File Permissions Checked
boot.ini (99% follow best practice)
autoexec.bat (99% follow best practice)
System Information
Version of Windows
domain
DNS name
User Name
Computer Name / Host name
Computer Manufacturer and Model
Domain Name server
DHCP assigned name server
DHCP domain
IP address
Default gateway
If you enable the "contribute anonymous statistics" feature, the program will send only the version of windows and computer manufacturer/model. IP, company, domain, and other identifying information will not be sent.
Antivirus
Expanded in version 1.7.1.168 (May 2007 Edition)
AVP
AckWin
Anti-Trojan
BlackICE Firewall
Claw95
F-Prot
F-StopW
Gnat Box
ICMon
Inoculan/eTrust (includes pattern information)
IOMon
Kapersky
Lockdown
Network Associates/McAfee (includes pattern information)
Norton/Symantec Antivirus
OfficeScan
Panda
PCCillin
Safeweb
ServerProtect
Snort Intrusion Detection
Sophos
Often Unneeded or Insecure Services
DHCP Client (usually shouldn't run on servers; unnecessary security risk) (1% follow best practice) . NOTE: Even if a server uses a static IP, if the organization does not manually register DNS entries and relies on the DHCP service to provide dynamic DNS updates, the DHCP Client service needs to run on the server.
Wireless Configuration (demonstrates inadequate updates/configuration processes) (55% follow best practice)
Messenger (often unneeded) (76% follow best practice)
Print Spooler(often unneeded; unnecessary security risk) (10% follow best practice)
IIS Admin service (often unneeded; unnecessary security risk) (78% follow best practice)
Microsoft Exchange IMAP (unencrypted passwords when exchange mail can encrypt) (99% follow best practice)
Microsoft Exchange POP3 (unencrypted passwords when exchange mail can encrypt) (99% follow best practice)
World Wide Web Publishing Service (sometimes unneeded) (80% follow best practice)
FTP (sends passwords without encryption) (90% follow best practice)
NNTP (often unneeded; unnecessary security risk; exposes organizations to unnecessary liability) (98% follow best practice)
SNMP (often unneeded; unnecessary security risk) (54% follow best practice)
Useful Services
Windows Time (a time synchronization system should be used) (91% follow best practice)
SMS Agent (monitoring systems should be used appropriately) (12% follow best practice)
Compaq/HP Insight Manager (monitoring systems should be used appropriately) (27% follow best practice)
HTTP SSL (encrypted web pages) (24% follow best practice)
Local and Domain Account Configurations
Local password restrictions
Domain-based password restrictions
NIST SP 800-63 password policy compliance
Password complexity requirements
Password encryption
Password lifespan
Network Information
NetBIOS shares
Communication Statistics
Server visibility status
Maximum Logged on users
Maximum open files per session
Idle session time
Current time at time server
Security Hardening
Ctrl+Alt+Delete should be required to log-in (67% follow best practice)
The last logged-in username should not be displayed (14% follow best practice)
A legal notice should be displayed before log-in (46% follow best practice)
Users must log-in before they can shut down the computer (61% follow best practice)
NTLMv2 Authentication (implements 128bit encrypted keys and provides a method to eliminate LANMAN hash, which is easy to attack since it uses only upper-case letters and limit password length to 7 characters) (46% follow best practice)
Anonymous access to usernames (12% follow best practice)
Recovery Console security (100% follow best practice)
Clear page file at shutdown (3% follow best practice)
Prevent remote users from installing printer drivers (9% follow best practice)
Floppy access restrictions (88% follow best practice)
NTFS media (including hot-swappable drives) ejection (88% follow best practice)
CD-ROM access restrictions (88% follow best practice)
Password changes without logging in (20% follow best practice)
Logging and Auditing
Access of global system objects
Backups and restores
Administrative activities
Logons
Directory Services
Process tracking (requires mechanism to purge logs)
Account changes
Security rule (policy) changes
system events
Will the server continue to operate without logging
Server Access
Registry access from remote computers
Renamed Guest account
Renamed Administrator account
Guest account disabled
Administrator account disabled
Automatic updates
are updates automatically downloaded and installed (indicates bad change and patch management unless controlled through other means)
automatic update server (if not default, may be used for patch management)
Patch Management
Java Runtime Environment version 1.4.2 and 1.3.1 vulnerabilities (added in version 1.6.8.143)
Computer Associates CAM version 1.11 build 54_4 and earlier vulnerabilities (added in version 1.6.8.143)
TCP/IP Filters (3% follow best practice)
Global TCP/IP filters
TCP/IP filters by network card
Restricted TCP and UDP ports by IP address
Restricted Protocols by IP address
Default directories that should be removed
Adminscripts
IISsamples
InetSRV
default .dll and .asp files
InetAdmins
IISAdmin
IADMpwd
Network activity
Active connections are translated by well-known port numbers
services listening for activity are translated by well-known port numbers
Event Logs (added in version 1.4.4.92)
Check for retention and purging
Display log file sizes
Trojans, Backdoors, and Worms (added in version 1.4.4.101 on Feb 6, 2007)
Back Orifice
Back Orifice 2000
Beast
Citrix ICA (also has legitimate uses)
Donald Dick
Masters Paradise
Netmeting Remote Desktop Control (also has legitimate uses)
Netbus
pcAnywhere (also has legitimate uses)
Reachout (also has legitimate uses)
Remotely Anywhere (also has legitimate uses)
Remote (also has legitimate uses)
Timbuktu (also has legitimate uses)
VNC (also has legitimate uses)
Active Directory (added in version 1.4.4.91)
Users with passwords that don't expire
Users with accounts that don't require passwords
Users with accounts that don't expire and don't require passwords
Users who haven't logged in for over a year
Bad password attempts
Greatest length of inactivity for a user
Potential test, guest, and temporary accounts
Windows Patches
Following every black Tuesday, the software is updated to reflect the lastest patches. I am still expanding this section to include historical critical updates.
Patches are only tested for Windows XP, 2000, 2003, and Vista
The Windows Security Analysis tool evaluates different patches based on the dump date and version of windows as follows. It only evaluates for the critical patches that impact most users of the applicable version of Windows. As such, the patch checker should be used to determine if a computer's patches are up-to-date; it should not be used to check for all patches.
| Patch | Windows Version(s) | Date |
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969): MS07-004 | Windows XP, 2000, 2003 | Jan. 9,2007 |
| Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689): MS06-078 | Windows XP, 2000, 2003 | Dec. 12,2006 |
| Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121): MS06-077 | Windows 2000 | Dec. 12,2006 |
| Vulnerability in Windows Could Allow Elevation of Privilege (926255): MS06-075 | Windows XP, 2003 | Dec. 12,2006 |
| Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088): MS06-071 | Windows XP, 2000, 2003 | Nov. 14,2006 |
| Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213): MS06-068 | Windows XP, 2000, 2003 | Nov. 14,2006 |
| Vulnerability in Server Service Could Allow Denial of Service (923414): MS06-063 | Windows XP, 2000, 2003 | Oct. 10,2006 |
| Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191): MS06-061 | Windows XP, 2000, 2003 | Oct. 10,2006 |
| Vulnerability in Windows Explorer Could Allow Remote Execution (923191): MS06-057 | Windows XP, 2000, 2003 | Oct. 10,2006 |
| Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486): MS06-055 | Windows XP, 2000, 2003 | Sept. 26,2006 |
| Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007): MS06-052 | Windows XP, 2000, 2003 | Sept. 12,2006 |
| Vulnerability in Server Service Could Allow Remote Code Execution (921883): MS06-040 | Windows XP, 2000, 2003 | Aug. 8,2006 |
| Vulnerabilities in DNS Resolution Could Allow Remote Code Execution (920683): MS06-041 | Windows XP, 2000, 2003 | Aug. 8,2006 |
| Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008): MS06-044 | Windows 2000 | Aug. 8,2006 |
| Vulnerability in HTML Help Could Allow Remote Code Execution (922616): MS06-046 | Windows XP, 2000, 2003 | Aug. 8,2006 |
| Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422): MS06-051 | Windows XP, 2000, 2003 | Aug. 8,2006 |
| Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388): MS06-036 | Windows XP, 2000, 2003 | July 11,2006 |
| Vulnerability in Server Service Could Allow Remote Code Execution (917159): MS06-035 | Windows XP, 2000, 2003 | July 11,2006 |
| Vulnerability in Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537): MS06-034 | Windows XP Pro, 2000, 2003 with IIS | July 11,2006 |
| Vulnerability in ASP.NET Could Allow Information Disclosure (917283): MS06-033 | Windows XP, 2000, 2003 with .net Framework 2.0 | July 11,2006 |
| Vulnerability in TCP/IP Could Allow Remote Code Execution (917953): MS06-032 | Windows XP, 2000, 2003 | June 13,2006 |
| Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736): MS06-031 | Windows 2000 | June 13,2006 |
| Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389): MS06-030 | Windows XP, 2000, 2003 | June 13,2006 |
| Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280): MS06-025 | Windows XP, 2000, 2003 | June 13,2006 |
| Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): MS06-023 | Windows XP, 2000, 2003 | June 13,2006 |
| Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439): MS06-022 | Windows XP, 2003 (windows 2000 only with IE6) | June 13,2006 |
| Cumulative Security Update for Internet Explorer (916281): MS06-021 | Windows XP, 2000, 2003 with IE6 | June 13,2006 |
To Do
January 2007: Compare settings against common industry practice
More explanations of findings
Links that describe how to fix problems
Display results based on computer type
Better handle disk full error
Sites that publish this tool
through a little ego-Google™ing, I've discovered that the following sites now offer this tool:
Download counts are as of July 7, 2007
Download.com (459 downloads)
Version Tracker (634 downloads)
Softpedia (296 downloads)
In addition, 214 visitors have downloaded the Windows Analyzer directly from this site.
However, only 527 users have downloaded the Windows Dump Script.
Please contact me if you find any other sites that offer downloads of this tool.
|
|
| |
|
|
|
|
|
| Farmington, CT |
|
|
| Edmonton, AB |
|
|
|
