Chris Nowell
Information Security
Englýsh   Franšais   Espa˝ol   Deutsch   Russian   Japanese   Chinese
About Chris Tools and Downloads Presentations, Instructions, and Booklets Links Contact Support
Windows Security Analysis Tool
Windows Security Check Analyzer Tool Downloads
Instructions
FAQ
Features
To Do
Download configuration extractor and analyzer
This tool has two parts:
  1. The Windows configuration extractor is a script that runs on the server to extract necessary security configurations. This script doesn't make any changes to the server other than creating one main file to analyze and one temporary file

    System Requirements:
    Any computer running Windows 95, NT, 98, 98SE, ME, 2000, XP, 2003, or Vista

    Download Extract Script version 33 (2012-03-08).

  2. The Windows configuration analysis tool runs on your workstation. Although I encourage you to download and run it from the website to make sure you have the latest version, the tool does not transfer the confidential configuration information to my server. If you participate in the anonymous statistics program, machine-identifiable information (such as IP and DNS information) is not sent to my statistics-gathering server.

    System Requirements:
    Windows XP, 2000, 2003, or Vista.
    Please note: The program will install the .net Framework 2.0 if not already installed.
    512MB RAM required, 1GB+ recommended.

    Download Analyzer version 1.9 for .net 2.0 (2012-03-13).


Instructions
  1. Download the Extract Script and Analyzer
  2. Have the system administrator of the server in question copy the extract script into a new blank directory, review and run the script (the script is a plain batch file to assure administrators that it won't harm their production servers)
  3. Install/run the analyzer tool onto a separate workstation
  4. If you encounter an error while installing a new version of the application, do the following:
    1. Click Start
    2. Click Control Panel
    3. Click Add/Remove programs
    4. Scroll Down and Click Windows Analyzer
    5. Select Remove the application from this computer and click OK
    6. Reinstall the analyzer by downloading it again

To analyze a single dump file:
  1. Click the "Browse 1 dump" button to select a single dump file to analyze.
  2. Select the computer type
  3. Click "Analyze 1 dump" to analyze a single dump file.
  4. Click "Save" to save the results in HTML format
  5. Select the "Summary" tab
  6. Click a cell, press Ctrl+A then Ctrl+C to copy all results to be pasted into Excel

To analyze multiple dump files in a single directory:
  1. Select the directory by clicking the "Browse & analyze all dumps in folder" button.
    Results will be automatically saved in HTML format in the same folder as the dump files.
  2. Click a cell, press Ctrl+A then Ctrl+C to copy all results to be pasted into Excel


FAQ
How does the program send optional anonymous statistic contributions?
The analyzer program sends the anonymous statistics through a 1024-bit SSL Connection.

Is this program really free?
Yes. I wrote this program to help automate my Windows security analysis and to understand industry practice. The program tests the target computer's configuration against industry best practice. However, would like to better understand industry common practice. I hope that the optional anonymous statistics contribution system will provide a means to rate configurations against common industry practice in addition to the best practice. Starting with the December 2006 edition, the analyzer will rate your configuration against the common practice.

Why are some of the "critical" Windows patches not listed?
Some patches, such as those released on Sept. 12, 2006, were only required for some very specific conditions. If the evaluated system doesn't meet those conditions, the patches will not be listed as not installed.


Windows security analysis features
In addition to the checks listed below, the tool also displays the following useful information:

  • The full "well-known" name of applications currently communicating over a network
  • The full "well-known" name of applications waiting for communication partners
  • Local and Domain groups
  • Members of built-in groups
  • Users with security-policy permissions


    Value-added features added at the request of the user community:
  • Comparison of current settings against common industry practice under the "Statistics" tab
  • Bulk script analysis. The "Browse & analyze all dumps in folder" button will automatically analyze multiple dump files in a single directory.


    The following is a list of the current checks:
    the percentage is the percent of analyzed computers that follow best practice based on:
  • 848 XP Computers,
  • 4041 Windows 2003 computers,
  • 498 Windows 2000 computers, and
  • 9 Windows NT4 computers.)
    That have submitted anonymous statistics.


    File Permissions Checked
  • boot.ini (99% follow best practice)
  • autoexec.bat (99% follow best practice)


    System Information
  • Version of Windows
  • domain
  • DNS name
  • User Name
  • Computer Name / Host name
  • Computer Manufacturer and Model
  • Domain Name server
  • DHCP assigned name server
  • DHCP domain
  • IP address
  • Default gateway
    If you enable the "contribute anonymous statistics" feature, the program will send only the version of windows and computer manufacturer/model. IP, company, domain, and other identifying information will not be sent.


    Antivirus
    Expanded in version 1.7.1.168 (May 2007 Edition)
  • AVP
  • AckWin
  • Anti-Trojan
  • BlackICE Firewall
  • Claw95
  • F-Prot
  • F-StopW
  • Gnat Box
  • ICMon
  • Inoculan/eTrust (includes pattern information)
  • IOMon
  • Kapersky
  • Lockdown
  • Network Associates/McAfee (includes pattern information)
  • Norton/Symantec Antivirus
  • OfficeScan
  • Panda
  • PCCillin
  • Safeweb
  • ServerProtect
  • Snort Intrusion Detection
  • Sophos


    Often Unneeded or Insecure Services
  • DHCP Client (usually shouldn't run on servers; unnecessary security risk) (1% follow best practice) . NOTE: Even if a server uses a static IP, if the organization does not manually register DNS entries and relies on the DHCP service to provide dynamic DNS updates, the DHCP Client service needs to run on the server.
  • Wireless Configuration (demonstrates inadequate updates/configuration processes) (68% follow best practice)
  • Messenger (often unneeded) (92% follow best practice)
  • Print Spooler(often unneeded; unnecessary security risk) (31% follow best practice)
  • IIS Admin service (often unneeded; unnecessary security risk) (67% follow best practice)
  • Microsoft Exchange IMAP (unencrypted passwords when exchange mail can encrypt) (100% follow best practice)
  • Microsoft Exchange POP3 (unencrypted passwords when exchange mail can encrypt) (100% follow best practice)
  • World Wide Web Publishing Service (sometimes unneeded) (68% follow best practice)
  • FTP (sends passwords without encryption) (88% follow best practice)
  • NNTP (often unneeded; unnecessary security risk; exposes organizations to unnecessary liability) (98% follow best practice)
  • SNMP (often unneeded; unnecessary security risk) (46% follow best practice)


    Useful Services
  • Windows Time (a time synchronization system should be used) (81% follow best practice)
  • SMS Agent (monitoring systems should be used appropriately) (9% follow best practice)
  • Compaq/HP Insight Manager (monitoring systems should be used appropriately) (29% follow best practice)
  • HTTP SSL (encrypted web pages) (33% follow best practice)


    Local and Domain Account Configurations
  • Local password restrictions
  • Domain-based password restrictions
  • NIST SP 800-63 password policy compliance
  • Password complexity requirements
  • Password encryption
  • Password lifespan


    Network Information
  • NetBIOS shares
  • Communication Statistics
  • Server visibility status
  • Maximum Logged on users
  • Maximum open files per session
  • Idle session time
  • Current time at time server


    Security Hardening
  • Ctrl+Alt+Delete should be required to log-in (85% follow best practice)
  • The last logged-in username should not be displayed (1% follow best practice)
  • A legal notice should be displayed before log-in (68% follow best practice)
  • Users must log-in before they can shut down the computer (84% follow best practice)
  • NTLMv2 Authentication (implements 128bit encrypted keys and provides a method to eliminate LANMAN hash, which is easy to attack since it uses only upper-case letters and limit password length to 7 characters) (79% follow best practice)
  • Anonymous access to usernames (18% follow best practice)
  • Recovery Console security (0% follow best practice)
  • Clear page file at shutdown (3% follow best practice)
  • Prevent remote users from installing printer drivers (6% follow best practice)
  • Floppy access restrictions (94% follow best practice)
  • NTFS media (including hot-swappable drives) ejection (93% follow best practice)
  • CD-ROM access restrictions (94% follow best practice)
  • Password changes without logging in (16% follow best practice)


    Logging and Auditing
  • Access of global system objects
  • Backups and restores
  • Administrative activities
  • Logons
  • Directory Services
  • Process tracking (requires mechanism to purge logs)
  • Account changes
  • Security rule (policy) changes
  • system events
  • Will the server continue to operate without logging


    Server Access
  • Registry access from remote computers
  • Renamed Guest account
  • Renamed Administrator account
  • Guest account disabled
  • Administrator account disabled


    Automatic updates
  • are updates automatically downloaded and installed (indicates bad change and patch management unless controlled through other means)
  • automatic update server (if not default, may be used for patch management)


    Patch Management
  • Java Runtime Environment version 1.4.2 and 1.3.1 vulnerabilities (added in version 1.6.8.143)
  • Computer Associates CAM version 1.11 build 54_4 and earlier vulnerabilities (added in version 1.6.8.143)


    TCP/IP Filters (23% follow best practice)
  • Global TCP/IP filters
  • TCP/IP filters by network card
  • Restricted TCP and UDP ports by IP address
  • Restricted Protocols by IP address


    Default directories that should be removed
  • Adminscripts
  • IISsamples
  • InetSRV
  • default .dll and .asp files
  • InetAdmins
  • IISAdmin
  • IADMpwd


    Network activity
  • Active connections are translated by well-known port numbers
  • services listening for activity are translated by well-known port numbers


    Event Logs (added in version 1.4.4.92)
  • Check for retention and purging
  • Display log file sizes


    Trojans, Backdoors, and Worms (added in version 1.4.4.101 on Feb 6, 2007)
  • Back Orifice
  • Back Orifice 2000
  • Beast
  • Citrix ICA (also has legitimate uses)
  • Donald Dick
  • Masters Paradise
  • Netmeting Remote Desktop Control (also has legitimate uses)
  • Netbus
  • pcAnywhere (also has legitimate uses)
  • Reachout (also has legitimate uses)
  • Remotely Anywhere (also has legitimate uses)
  • Remote (also has legitimate uses)
  • Timbuktu (also has legitimate uses)
  • VNC (also has legitimate uses)


    Active Directory (added in version 1.4.4.91)
  • Users with passwords that don't expire
  • Users with accounts that don't require passwords
  • Users with accounts that don't expire and don't require passwords
  • Users who haven't logged in for over a year
  • Bad password attempts
  • Greatest length of inactivity for a user
  • Potential test, guest, and temporary accounts


    Windows Patches
  • Following every black Tuesday, the software is updated to reflect the lastest patches. I am still expanding this section to include historical critical updates.
  • Patches are only tested for Windows XP, 2000, 2003, and Vista
  • The Windows Security Analysis tool evaluates different patches based on the dump date and version of windows as follows. It only evaluates for the critical patches that impact most users of the applicable version of Windows. As such, the patch checker should be used to determine if a computer's patches are up-to-date; it should not be used to check for all patches.
    PatchWindows Version(s)Date
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution (929969): MS07-004Windows XP, 2000, 2003Jan. 9,2007
    Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689): MS06-078 Windows XP, 2000, 2003Dec. 12,2006
    Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121): MS06-077 Windows 2000Dec. 12,2006
    Vulnerability in Windows Could Allow Elevation of Privilege (926255): MS06-075 Windows XP, 2003Dec. 12,2006
    Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088): MS06-071 Windows XP, 2000, 2003Nov. 14,2006
    Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213): MS06-068 Windows XP, 2000, 2003Nov. 14,2006
    Vulnerability in Server Service Could Allow Denial of Service (923414): MS06-063 Windows XP, 2000, 2003Oct. 10,2006
    Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (924191): MS06-061 Windows XP, 2000, 2003Oct. 10,2006
    Vulnerability in Windows Explorer Could Allow Remote Execution (923191): MS06-057 Windows XP, 2000, 2003Oct. 10,2006
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486): MS06-055Windows XP, 2000, 2003Sept. 26,2006
    Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007): MS06-052Windows XP, 2000, 2003Sept. 12,2006
    Vulnerability in Server Service Could Allow Remote Code Execution (921883): MS06-040Windows XP, 2000, 2003Aug. 8,2006
    Vulnerabilities in DNS Resolution Could Allow Remote Code Execution (920683): MS06-041Windows XP, 2000, 2003Aug. 8,2006
    Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008): MS06-044Windows 2000Aug. 8,2006
    Vulnerability in HTML Help Could Allow Remote Code Execution (922616): MS06-046Windows XP, 2000, 2003Aug. 8,2006
    Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422): MS06-051Windows XP, 2000, 2003Aug. 8,2006
    Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388): MS06-036Windows XP, 2000, 2003July 11,2006
    Vulnerability in Server Service Could Allow Remote Code Execution (917159): MS06-035Windows XP, 2000, 2003July 11,2006
    Vulnerability in Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537): MS06-034 Windows XP Pro, 2000, 2003 with IISJuly 11,2006
    Vulnerability in ASP.NET Could Allow Information Disclosure (917283): MS06-033 Windows XP, 2000, 2003 with .net Framework 2.0July 11,2006
    Vulnerability in TCP/IP Could Allow Remote Code Execution (917953): MS06-032 Windows XP, 2000, 2003June 13,2006
    Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736): MS06-031 Windows 2000June 13,2006
    Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389): MS06-030 Windows XP, 2000, 2003June 13,2006
    Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280): MS06-025Windows XP, 2000, 2003June 13,2006
    Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344): MS06-023 Windows XP, 2000, 2003June 13,2006
    Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439): MS06-022 Windows XP, 2003 (windows 2000 only with IE6)June 13,2006
    Cumulative Security Update for Internet Explorer (916281): MS06-021 Windows XP, 2000, 2003 with IE6June 13,2006



    To Do
  • More explanations of findings
  • Links that describe how to fix problems
  • Display results based on computer type


    Sites that publish this tool

    through a little ego-Google™ing, I've discovered that the following sites now offer this tool:
    Download counts are as of September 21, 2008
  • Download.com (1,320 downloads)
  • Version Tracker (1,406 downloads)
  • Softpedia (609 downloads)
    In addition, 2676 visitors have downloaded the Windows Analyzer directly from this site.
    However, only 2204 users have downloaded the Windows Dump Script.
    Please contact me if you find any other sites that offer downloads of this tool.
  • New
    Active Directory Date Converter

    Unix Timestamp Date Converter

    Unix Security Analyzer

    Windows Security Analyzer

    NIST SP 800-63 password policy compliance checker

    Sponsors
    News: Schneier
    ERROR:-1072896680
    News: SecurityFocus
    ERROR:-1072896680
    News: CBC
    ERROR:-1072896680
    News: CNN
    'Foodini' machine lets you print edible burgers, pizza, chocolate

    Nintendo's working on new Wii

    Google's driverless car is adorable

    South Africa's race to space

    How we'll pay for things in the future

    Statistics

    © 2006, 2007, 2008 Christopher A. Nowell, BSc, CISSP, CISA, TCSP

    Mesothelioma Survival