Microsoft's free Security Assessment Tool (MSAT) is designed to help organizations assess weaknesses in their IT security environment and provides guidance to strengthen the areas identified during the assessment where risks and defenses are not aligned. It follows the defense-in-depth concept -- layered defenses that combine technical, organizational and operational controls -- and is based on accepted standards and best practices, such as ISO 27001 and NIST-800.x. The tool, essentially an application assessment questionnaire, is used to evaluate the effectiveness of your security strategy across four areas: people, processes, resources and technology.
Upon completion of the assessment, MSAT provides recommendations and prescriptive guidance for managing the risks highlighted for your particular environment, existing technology and current security posture. The Microsoft Security Assessment Tool's recommendations are designed to move your security policies, processes and controls towards recognized best practices. Because the assessment is repeatable, it can be used to monitor improvements in your infrastructure's ability to respond to security threats.
Be aware, however, that this tool does not perform a network scan looking for unpatched vulnerabilities or misconfigured devices. That task needs a tool like Microsoft's free Baseline Security Analyzer (MBSA), which scans both local and remote Microsoft systems for common security misconfigurations. It also identifies missing security updates and service packs available through the various Microsoft Update technologies, helping to ensure that all machines are patched correctly.
Like most good security scanners, MBSA reports include not only details about any failed tests, but also suggested corrective measures, often with specific guidance on how to fix the problem, such as links to service packs or Microsoft Security Bulletins. Even if you’re up to date with all your patches, you’ll be surprised at how many administrator errors MBSA can pick up.
If your organization is still using older versions of Microsoft products that aren't supported by MBSA, such as Office 2000 and SQL Server 7.0 and 2000, you should check out the MBSA companion tool Shavlik NetChk Limited, provided free of charge by Shavlik Technologies, LLC. This utility analyzes the patch status of those Microsoft products that are not supported by current Microsoft patch technologies and writes the results to an XML file that can be viewed in MBSA.
MBSA is an easy, straightforward tool to use and makes a good companion to MSAT. There is plenty of supporting information if you need help, including a very good FAQ section and an on-demand webcast that shows you how to use MBSA in common scenarios to improve your security update management process.
This was first published in August 2011.