Date: Dec 9, 2005
The Microsoft Security Assessment Tool (MSAT) claims to analyze whether your existing network security architecture meets some of the common industry best practices. Zubair Alexander assesses the assessor, reporting on the strengths and weaknesses in this free utility.
We all want our networks to be secure, but sometimes it’s difficult to figure out how to even get started. Microsoft is promoting a free utility called Microsoft Security Assessment Tool (MSAT), which claims to analyze whether your existing network security architecture meets some of the common industry best practices. In this article, I’ll review how MSAT works and discuss whether it’s a useful tool for evaluating the potential risks to your network security.
Previously called Security Risk Self-Assessment Tool, the Microsoft Security Assessment Tool (downloadable from Microsoft’s Security Guidance site) is a .NET application and requires .NET Framework 1.1. A lot of questions about the assessment tool are answered on the tool’s FAQ page.
MSAT is designed to assess weaknesses in an organization’s security environment. The assessment can either be done by the organizations themselves, or it can be facilitated by a Microsoft Certified Partner. The security assessment is based on a series of questions on various security topics. The question session is expected to last somewhere between 60 and 90 minutes. Upon completion of the assessment, customers receive a comprehensive report that contains recommendations specific to their business issues, based on the answers they provided during the assessment.
The assessment tool is designed for companies that have fewer than 1,000 employees. The assessment report will tell you that the assessment is designed for midsize organizations that have 50–500 desktop workstations. While you may be wondering how a company with 50–500 workstations can be considered a midsize company, what Microsoft is trying to convey here is that the tool is ideal for small organizations.
Microsoft developed MSAT with the help of Symantec and Ziff Davis Media to give it some credibility, so people won’t feel that the only purpose of the tool is to sell Microsoft products. Symantec was responsible for writing the questions, the answers, and the scoring of the tool. Ziff Davis Media was responsible for programming the tool, and currently hosts it on the Security Guidance web site for Microsoft.
Although not positioned as such, MSAT can be used as a sales and marketing tool that encourages organizations to contact Microsoft Certified Partners that specialize in security-related matters. According to Microsoft, the goal of this tool is "to help customers gain a holistic understanding of security risks and gaps, develop a road map to becoming more secure, and develop recurring opportunities to offer relevant Microsoft products and partner solutions."
Using the Tool
With MSAT, you can create multiple Business Risk Profiles (BRPs) and Assessments from the main menu. First, you create a profile by answering a few basic questions about your organization. Then you perform a Defense-in-Depth (DiD) assessment. DiD refers to the concept of layered defenses, which include operational, technical, and organizational aspects of your environment. The scores for the assessment you perform make up what is known as a Defense-in-Depth index.
Once you complete your assessment, it can be uploaded anonymously to a secure MSAT web server, which will allow you to view a full report. In addition to viewing the full report, uploading gives you access to the Compare function. To keep track of your progress over a period of time, you can use the Compare function to compare two of your own assessments. You can also compare your results with those of other companies that have uploaded their assessment reports anonymously. The only identifiable information collected by the report is your company name, which shows up on the assessment report. If you would rather keep your company name private, simply use a fictitious name.
The tool itself is simple to use and covers the major security areas that you might be interested in evaluating. The questions are related to the following major profile categories, as shown in Figure 1.
- Basic information
- Infrastructure security
- Applications security
- Operations security
- People security
Figure 1 Major profile categories.
At the end of the assessment, you can save a comprehensive report as an HTML file. You can easily modify your business risk profile, or change the answers to your questions and then save the report.
From the Tools menu, you can choose Glossary, as shown in Figure 2. The glossary is helpful when you start the assessment and are unclear on certain terms or acronyms. The glossary is also included at the end of the detailed printed report, but you can’t peek at any information in the report until you’ve completed all the answers to all the questions. That’s why the glossary is accessible through the menu.
Figure 2 MSAT glossary.
Assessing the Assessment Tool
I evaluated the new version of MSAT v2.0.37-US-C1003 that I downloaded from the Security Guidance web site. Microsoft makes it clear that this assessment is not a replacement for an audit by a professional security consultant. For obvious reasons, the disclaimer also points out that there is no guarantee when it comes to the accuracy, reliability, or the results of the assessment. All this is standard "use it at your own risk" notification to users, and should be expected from this or any other risk-assessment tool.
While I found some areas of the assessment tool useful, there were other areas that I felt definitely needed some improvement. Overall, the report is very intuitive and easy to use, although you may need additional clarification in some areas. For the most part, the questions are easy to comprehend, relevant, and focused on the best practices.
MSAT is useful in giving you the big picture. You’ll get a high-level view of your security environment, which will help you to prepare for a detailed assessment by a security expert and to develop an action plan. MSAT is also useful if you’re interested in a particular aspect of your security and want to explore further. For example, if physical security or application security is your main area of interest, you can take advantage of only that component of MSAT.
MSAT is rather general in nature and encompasses all kinds of networks. Because the focus is on commonly accepted best practices from Microsoft, Cisco, and other vendors, and the recommendations are based on industry standards such as ISO 17799 and NIST-800.x, you won’t feel this tool to be too Microsoft-centric. This is another reason why a lot of companies will find this tool useful in assessing their security risks.
I especially liked the Question and Answers appendix, where you’re presented with all the assessment questions and answers in a table format. This makes it easier for you to glance over the entire questionnaire to make sure that everything is in order.
Areas That Need Improvement
MSAT could use improvements in some areas. It would be nice to have more configuration options, for example; I’d like MSAT to allow me to customize my security assessment reports better so I can add my own hyperlinks and updated information, and make it a bit more personalized for my customer. Sure, I can make these adjustments after the fact, when the report is saved as an HTML file, but customization within the program would be much nicer.
Some sections contain outdated information. As we all know, a lot of tools need to be constantly updated, especially when it comes to security assessment. Otherwise, they become so outdated that they lose credibility and usefulness. Remember the Active Directory Sizer Tool for capacity planning? The capacity planning tests in the sizer tool were run on the old Dell PowerEdge 6300 servers in April 2000. The recommendations offered by this tool, which was never updated, are so outdated today that they’re simply humorous. But security risk assessment is not a laughing matter.
While not as outdated as the Active Directory Sizer Tool, MSAT still makes references to some old documents. Since Windows NT 4.0 is no longer supported by Microsoft, and Microsoft’s "mainstream" support for all flavors of Windows 2000 Server and Windows 2000 Professional expired on June 30, 2005, the assumption is that customers are running Windows Server 2003 networks. If so, the references to the SANS article about the 10 most commonly exploited services in Windows must link to the most recent version of that document. The problem is that the assessment report can give you recommendations that may not be pertinent to your network. For instance, there’s a recommendation in the report to use the Windows NT 4.0 passfilt.dll to provide strong password support and administrative account lockout. The NT passfilt.dll doesn’t work in Windows Server 2003. It will work on Windows NT 4.0 and Windows 2000 Server, both of which are no longer fully supported by Microsoft. Such recommendations without clarification can cause confusion and may not serve their purpose. It would be helpful if MSAT would state that for Windows 2000 networks you should do this, for Windows 2003 do that, etc.
I only checked a few URLs listed in the final report and found several to be invalid. For example, the link to the Windows Server 2003 Security Guide was incorrect. This is due to the fact that Microsoft’s web site hyperlinks are often modified without any redirections, making it difficult for users to locate the documents. (Here’s the correct link for the Windows Server 2003 Security Guide.) The link to the National Security Agency (NSA) Security Recommendation Guide is also invalid. (Here’s the correct link to what are known as the Security Configuration Guides from NSA for all platforms.) Also, the link to passfilt.dll that points to Microsoft’s web site will give you a Page Cannot Be Found error. (You can download passfilt.dll from my web site here.) There are other links, such as the Cisco SAFE Blueprint for Small, Midsize, and Remote-User networks, that are also outdated.
The comprehensive assessment report is the final outcome that you expect after answering all the assessment questions. I performed an assessment of a small organization with about 50 employees. Interestingly, even if you run an assessment for a company with 10 employees and only one server, the MSAT report is titled Microsoft Security Assessment Tool For Midsize Organizations. This is because the application is designed for organizations with 50–500 workstations and/or 100–1,000 employees.
At the completion of the assessment, I uploaded the information to the MSAT secure web site and got a 60-page assessment report. Due to the "canned" nature of the report, many recommendations were repeated over and over for various findings. That was expected due to the nature of the tool.
The scorecard section of the report had a legend with three bullet items:
- Meets best practice (green bullet)
- Needs improvement (yellow bullet)
- Severely lacking (red bullet)
When I printed out the report on my black-and-white printer, the green and the red bullets looked identical (black), making it impossible for me to tell which categories met the best practices and which were severely lacking. The yellow bullet was light gray, so I was able to easily distinguish it. Perhaps the report assumes that you will only print the 60-page report in color, or look at the results on your computer screen, which shows the bullets in color. Whichever the case, the Scorecard section of the report, which gives you a nice overview of the assessment at a glance, will be completely useless for people who print the report.
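Since the saved report is plain HTML, the two complaints above (no in-program customization, and a scorecard whose green and red bullets print identically in black and white) can be addressed after the fact with a small post-processing script. The following is an added example, not code from the article or from MSAT; the scorecard markup it operates on is a constructed sample, because the real report's HTML structure is not shown here, so the `BULLET_RE` pattern would need adjusting to match the actual file.

```python
"""Add printable text labels next to the colored scorecard bullets of an
MSAT-style HTML report, so the scorecard survives a black-and-white printout.

Added example; the markup below is a constructed stand-in for the report.
"""
import re

# Constructed sample: three scorecard rows, one per legend color.
SAMPLE_SCORECARD = """
<table class="scorecard">
<tr><td><span style="color:green">&#9679;</span></td><td>Patch management</td></tr>
<tr><td><span style="color:yellow">&#9679;</span></td><td>Logging</td></tr>
<tr><td><span style="color:red">&#9679;</span></td><td>Wireless security</td></tr>
</table>
"""

# Text equivalents of the report's three-color legend.
LABELS = {
    "green": "[MEETS BEST PRACTICE]",
    "yellow": "[NEEDS IMPROVEMENT]",
    "red": "[SEVERELY LACKING]",
}

# Assumed bullet markup: a colored span wrapping a bullet character.
BULLET_RE = re.compile(
    r'<span style="color:(green|yellow|red)">(?:&#9679;|\u25cf)</span>'
)


def add_text_labels(html: str) -> str:
    """Return the HTML with a bold text label appended after each bullet.

    The colored bullet is kept, so on-screen rendering is unchanged; the
    label is what makes green and red distinguishable on a mono printer.
    """
    def repl(match: re.Match) -> str:
        color = match.group(1)
        return f"{match.group(0)} <b>{LABELS[color]}</b>"

    return BULLET_RE.sub(repl, html)


def tally(html: str) -> dict:
    """Count scorecard rows per legend color; handy for a one-line summary
    at the top of the report (e.g. how many areas are severely lacking)."""
    counts = {color: 0 for color in LABELS}
    for match in BULLET_RE.finditer(html):
        counts[match.group(1)] += 1
    return counts


if __name__ == "__main__":
    labelled = add_text_labels(SAMPLE_SCORECARD)
    print(labelled)
    print(tally(SAMPLE_SCORECARD))
```

To apply it to a real saved report, read the HTML file, run `add_text_labels` over it, and write the result back out; the only part that should need changing is the regular expression that locates the bullets.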
The minimum password-length recommendation of 14 characters is mentioned numerous times throughout the report. A better recommendation would be a minimum length of 15 characters, so that Windows will use the more secure NTLM hash to store passwords, instead of the less secure LAN Manager hash, as discussed in detail in my article "How Secure Is Your Password?"
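To make the 14-versus-15 boundary concrete, here is an added example (not from the article or from MSAT) that models the part of the LAN Manager hash algorithm that matters for this recommendation: the password is upper-cased, null-padded to 14 bytes and split into two independent 7-byte halves, and a password longer than 14 characters cannot be represented at all, which is why a 15-character minimum removes LM hash storage. The DES encryption of each half is deliberately left out; the `lm_hash_input` and `policy_allows_lm_hash` names and the sample passwords are this example's own.

```python
"""Why a 15-character minimum matters for LAN Manager hash storage.

Added example; only the pre-DES structure of the LM algorithm is modelled.
"""

LM_MAX_LEN = 14  # an LM hash can only represent passwords of up to 14 characters


def lm_hash_input(password: str):
    """Return the two 7-byte halves the LM algorithm would use as DES keys,
    or None when the password is too long to have an LM hash at all.

    Upper-casing throws away the case distinction, and the split means each
    half can be attacked on its own; a password of 7 characters or fewer even
    leaves the second half as seven null bytes, i.e. a fixed, well-known value.
    """
    if len(password) > LM_MAX_LEN:
        return None
    # OEM encoding approximated by ASCII; non-ASCII characters become '?'.
    data = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return data[:7], data[7:]


def policy_allows_lm_hash(min_length: int) -> bool:
    """True when a minimum-length policy still permits passwords short enough
    to be stored with an LM hash (the report's 14-character advice does)."""
    return min_length <= LM_MAX_LEN


def audit(passwords, min_length: int) -> dict:
    """Evaluate constructed sample passwords against a minimum-length policy
    and report whether each would be stored with an LM hash."""
    report = {}
    for pw in passwords:
        halves = lm_hash_input(pw)
        report[pw] = {
            "meets_policy": len(pw) >= min_length,
            "lm_hash_stored": halves is not None,
            "second_half_empty": halves is not None and halves[1] == b"\x00" * 7,
        }
    return report


if __name__ == "__main__":
    # Constructed sample passwords of 7, 14 and 15 characters.
    samples = ["Secret1", "CorrectHorse12", "CorrectHorse123"]
    for length in (14, 15):
        print(f"minimum length {length}: LM hash possible? "
              f"{policy_allows_lm_hash(length)}")
        for pw, result in audit(samples, length).items():
            print(f"  {pw!r}: {result}")
```

Running it shows that under a 14-character minimum the 14-character sample both satisfies the policy and still gets an LM hash, while under a 15-character minimum every password that meets the policy has no LM hash at all.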
Some of the references and recommendations are very general in nature. For example, the report suggests that you consider converting your wireless network from WEP to WPA, but there’s no mention of WPA2, or any more details, as this topic is apparently left to Microsoft partners to address. However, this is appropriate, because the report is pointing out weaknesses at a relatively high level.
Although the tool can be used by the customers themselves, it seems that customers will be better off working with a Microsoft Certified Partner or a consultant, because a few portions of the report can be somewhat confusing. For example, the report suggests that if remote connectivity to a corporate network is required, you should consider deploying remote-access client software on all individual workstations. Does that mean that virtual private networks (VPNs) are being discouraged?
Some recommendations may seem too excessive, or not quite practical. For example, the recommendation for all companies to lock every workstation in the organization with cable locks may be a good practice to prevent theft, but most customers may not find it very practical; not only can it be cost-prohibitive, but it makes it more difficult for support personnel to move computers around. The recommendation for locking laptops with cable locks is much more reasonable because it’s much easier for someone to walk out with a small laptop under their arm, compared to a large desktop computer.
The recommendations for logging are also too excessive. Again, this is where a Microsoft Certified Partner can help the customer.
Some suggestions have no clear alternatives. For example, the report recommends that you remove administrative access for users, in order to limit the ability to modify the secure build. However, there’s no suggestion as to how users will continue to do their jobs if you take away their administrative privileges.
Microsoft recommends that you require background and credit checks for all new critical-position hires. Background checks make sense, but I’m not sure why it’s important to do a credit check on every single critical hire. If an employee doesn’t pay his VISA bill on time, would you consider him a security risk?
Overall, MSAT serves the purpose of helping customers take an initial look at the risk level of their security infrastructure. It can also help in bringing extra business for Microsoft partners, security vendors, and Microsoft training education centers. Security is an integral part of any organization today, and this tool definitely addresses some crucial areas and lists security best practices, which will aid in the security awareness aspect of the assessment goal.
As I’ve pointed out throughout this article, however, several aspects of MSAT need polishing. If Microsoft decides not to update this tool on a regular basis, as is the case with the Active Directory Sizer Tool, this tool won’t be very effective. Changes occur in the technology field at a very rapid pace. There’s a chance of customers getting a false sense of security by assessing their own networks with this tool in the future if the contents, URLs, and references to older, outdated technologies are not kept up to date. Hopefully, regular updates will be offered for this free utility; the Tools menu has an option to check for updates manually, or you can configure the Preferences option on the Tools menu to automatically check for updates whenever you run the tool. However, I’ve already pointed out that invalid URLs and outdated information exist in the MSAT reports, even in the latest update of the tool at the time this article was written.
The final assessment report could be cleaned up, as discussed earlier, but the report is well laid out, readable, and fairly comprehensive. It’s a daunting task to encompass every possible scenario for each organization. With that fact in mind, the assessment tool does a decent job in covering several critical areas. Although Microsoft says that the assessment tool can be used by the customers on their own, I definitely believe it’s meant to be used with the aid of a security expert or a consultant, such as a Microsoft Certified Partner.
By evaluating this tool, I discovered that the main purpose of this utility is to point out some best practices for your environment, address some weaknesses in your security, and raise the level of your security awareness to the point where you’ll be inclined to take appropriate measures to protect your network. You can also use the assessment report for other reasons. For example, you can use it as an aid to get security budget approvals from management, because the Scorecard not only lists areas that need improvement, it points out areas that severely lack security. In addition, vendors can use it as a sales/marketing tool by offering free assessment reports to their customers, in the hope that the customers will buy products or training packages from them.
Microsoft MVP and security expert Zubair Alexander is the author of Microsoft ISA Server 2000 (Sams, 2001, ISBN 0672321009). He specializes in design, implementation, and engineering of enterprise network services. For more information on all of his publications, visit his web site at http://www.techgalaxy.net.