Assessing the Assessment Tool
I evaluated the new version of MSAT v2.0.37-US-C1003 that I downloaded from the Security Guidance web site. Microsoft makes it clear that this assessment is not a replacement for an audit by a professional security consultant. For obvious reasons, the disclaimer also points out that there is no guarantee when it comes to the accuracy, reliability, or the results of the assessment. All this is standard "use it at your own risk" notification to users, and should be expected from this or any other risk-assessment tool.
While I found some areas of the assessment tool useful, there were other areas that I felt definitely needed some improvement. Overall, the tool is intuitive and easy to use, although you may need additional clarification in some areas. For the most part, the questions are easy to comprehend, relevant, and focused on best practices.
MSAT is useful in giving you the big picture. You’ll get a high-level view of your security environment, which will help you to prepare for a detailed assessment by a security expert and to develop an action plan. MSAT is also useful if you’re interested in a particular aspect of your security and want to explore further. For example, if physical security or application security is your main area of interest, you can take advantage of only that component of MSAT.
MSAT is rather general in nature and encompasses all kinds of networks. Because the focus is on commonly accepted best practices from Microsoft, Cisco, and other vendors, and the recommendations are based on industry standards such as ISO 17799 and NIST-800.x, you won’t find this tool too Microsoft-centric. This is another reason why a lot of companies will find this tool useful in assessing their security risks.
I especially liked the Questions and Answers appendix, where you’re presented with all the assessment questions and answers in a table format. This makes it easier for you to glance over the entire questionnaire to make sure that everything is in order.
Areas That Need Improvement
MSAT could use improvements in some areas. It would be nice to have more configuration options, for example; I’d like MSAT to allow me to customize my security assessment reports better so I can add my own hyperlinks and updated information, and make it a bit more personalized for my customer. Sure, I can make these adjustments after the fact, when the report is saved as an HTML file, but customization within the program would be much nicer.
Some sections contain outdated information. As we all know, a lot of tools need to be constantly updated, especially when it comes to security assessment. Otherwise, they become so outdated that they lose credibility and usefulness. Remember the Active Directory Sizer Tool for capacity planning? The capacity planning tests in the sizer tool were run on the old Dell PowerEdge 6300 servers in April 2000. The recommendations offered by this tool, which was never updated, are so outdated today that they’re simply humorous. But security risk assessment is not a laughing matter.
While not as outdated as the Active Directory Sizer Tool, MSAT still makes references to some old documents. Since Windows NT 4.0 is no longer supported by Microsoft, and Microsoft’s "mainstream" support for all flavors of Windows 2000 Server and Windows 2000 Professional expired on June 30, 2005, the assumption is that customers are running Windows Server 2003 networks. If so, the references to the SANS article about the 10 most commonly exploited services in Windows should point to the most recent version of that document. The problem is that the assessment report can give you recommendations that may not be pertinent to your network. For instance, there’s a recommendation in the report to use the Windows NT 4.0 passfilt.dll to provide strong password support and administrative account lockout. The NT passfilt.dll doesn’t work in Windows Server 2003. It will work on Windows NT 4.0 and Windows 2000 Server, both of which are no longer fully supported by Microsoft. Such recommendations, offered without clarification, can cause confusion and may not serve their purpose. It would be helpful if MSAT stated that for Windows 2000 networks you should do this, for Windows Server 2003 networks do that, and so on.
I only checked a few of the URLs listed in the final report and found several to be invalid. For example, the link to the Windows Server 2003 Security Guide was incorrect. This is because hyperlinks on Microsoft’s web site are often changed without any redirection, making it difficult for users to locate the documents. (Here’s the correct link for the Windows Server 2003 Security Guide.) The link to the National Security Agency (NSA) Security Recommendation Guide is also invalid. (Here’s the correct link to what are known as the Security Configuration Guides from NSA for all platforms.) Also, the link to passfilt.dll that points to Microsoft’s web site gives you a Page Cannot Be Found error. (You can download passfilt.dll from my web site here.) Other links, such as the Cisco SAFE Blueprint for Small, Midsize, and Remote-User Networks, are also outdated.