Overall, MSAT serves the purpose of helping customers take an initial look at the risk level of their security infrastructure. It can also help bring extra business to Microsoft partners, security vendors, and Microsoft training education centers. Security is an integral part of any organization today, and this tool definitely addresses some crucial areas and lists security best practices, which supports the security awareness goal of the assessment.
As I’ve pointed out throughout this article, however, several aspects of MSAT need polishing. If Microsoft decides not to update this tool on a regular basis, as is the case with the Active Directory Sizer Tool, this tool won’t be very effective. Changes occur in the technology field at a very rapid pace. Customers who assess their own networks with this tool in the future could get a false sense of security if its contents, URLs, and references to older technologies are not kept up to date. Hopefully, regular updates will be offered for this free utility; the Tools menu has an option to check for updates manually, or you can configure the Preferences option on the Tools menu to automatically check for updates whenever you run the tool. However, I’ve already pointed out that invalid URLs and outdated information exist in the MSAT reports, even in the latest update of the tool at the time this article was written.
The final assessment report could be cleaned up, as discussed earlier, but the report is well laid out, readable, and fairly comprehensive. It’s a daunting task to encompass every possible scenario for each organization. With that fact in mind, the assessment tool does a decent job of covering several critical areas. Although Microsoft says that the assessment tool can be used by customers on their own, I definitely believe it’s meant to be used with the aid of a security expert or a consultant, such as a Microsoft Certified Partner.
By evaluating this tool, I discovered that the main purpose of this utility is to point out some best practices for your environment, address some weaknesses in your security, and raise the level of your security awareness to the point where you’ll be inclined to take appropriate measures to protect your network. You can also use the assessment report for other reasons. For example, you can use it as an aid to get security budget approvals from management, because the Scorecard not only lists areas that need improvement but also points out areas that severely lack security. In addition, vendors can use it as a sales/marketing tool by offering free assessment reports to their customers, in the hope that the customers will buy products or training packages from them.
Microsoft MVP and security expert Zubair Alexander is the author of Microsoft ISA Server 2000 (Sams, 2001, ISBN 0672321009). He specializes in design, implementation, and engineering of enterprise network services. For more information on all of his publications, visit his web site at http://www.techgalaxy.net.