
Benchmarking tool scans weaknesses in servers



Category: Security benchmarking
Name of tool: Level One Security Scoring Tool
Company: Center for Internet Security
Price: Free for the downloading
URL: www.cisecurity.org
Platforms supported: Windows 2000 Professional and Server, separate tools available for Solaris servers and Cisco routers

Strom-meter:
*** = Hey, not bad -- one notch below very cool.

Key features:
Scans for security weaknesses in your servers and shows you how to correct them.

Pros:
Simple and easy to use
Good tutorial on how to patch and upgrade operating systems to increase security

Cons:
URLs for the various hotfixes and service packs have to be typed manually into a separate Web browser
Reports could incorporate information found in documentation for easier reading

Description:

Patching your servers' operating systems to make them more secure can be a full-time job, and one way to make it less demanding is to use a tool from the Center for Internet Security called Level One Scoring Tool. It is a simple piece of software that will scan your server's configuration and show you how to make it a more hardened system.

CIS makes several different versions of its tools, which by their very nature have to match the underlying server operating system. I tested the Windows 2000 version, and there are versions for Solaris and for Cisco IOS available from the company's Web site for a free download, as well.

This tool gives you a choice of several security profiles. It also explains what to change and what to look out for, which helps if you aren't completely comfortable tightening up your operating system or don't know all the places you need to examine to close off potentially vulnerable spots.

Basically, the way this benchmark works is very simple: You decide which security profile you want to compare your server against. The tool comes with several, including ones based on the National Security Agency's recommendations (you would think they would know how to lock down their own systems, given the stakes involved if they are compromised). After you pick a profile, the tool scans your local hard disk and reports the changes you need to make to bring the server up to the level of security the profile specifies. You get a score from zero to 10, with 10 being the most secure and zero being the score that I got when I initially scanned a few test machines.

First, I thought that something was wrong with the software -- a zero? Surely, my servers couldn't be that insecure? Well, they were. I had neglected to apply any of the numerous Microsoft hotfixes and service packs to these machines. Once I did, my scores started creeping up. All told, it took me the better part of an hour to read through the documentation, step through the patches from Microsoft and make the final alterations to my first server. Once I got the hang of it, I could save some time working through the process on other servers, although it can be time-consuming as you download and apply the patches and wait for your server to reboot before they can be applied.

Included with the tool are two manuals in Adobe Acrobat format. The first walks you through what you need to do on a very practical level to get a better score and how to specifically apply the various patches and changes to your machines. The second goes into more theory behind securing Windows servers.

There are a few quibbles that I have with the tool. It would be nice to have access to the URLs to apply the patches, service packs and hotfixes from directly within the reports themselves. Instead, you have to bring up the manuals and cut and paste this information from there. The reports are very terse and won't make much sense without reading the supplied documentation carefully.
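To make the profile-comparison scoring described above concrete, and to show what a report looks like when the remediation pointer sits next to each failed check instead of in a separate manual, here is a small scorer written for this review. It is an added example, not the CIS tool's code: the profile, the hotfix names, the `vendor.example` and `docs.example` URLs, the host snapshots and the scoring rule (a host missing any patch-level item scores zero, otherwise the weighted pass fraction scaled to 10) are all constructed for illustration and say nothing about how the Level One tool actually computes its score.

```python
"""Toy benchmark scorer: compare a host snapshot with a hardening profile.

Everything here (profile, hotfix names, URLs, snapshots, scoring rule) is
constructed for the example; it is not CIS data or the CIS scoring formula.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Check:
    name: str                      # what the profile requires
    test: Callable[[dict], bool]   # True when the snapshot satisfies it
    weight: int                    # contribution to the score
    remediation: str               # where to go to fix it (constructed URL)
    patch: bool = False            # patch-level checks gate the whole score


# Constructed profile; the settings mimic typical Windows 2000 hardening items.
PROFILE: List[Check] = [
    Check("Service pack 2 or later installed",
          lambda h: h["service_pack"] >= 2, 4,
          "https://vendor.example/servicepacks", patch=True),
    Check("All required hotfixes installed",
          lambda h: {"HOTFIX-01", "HOTFIX-02"} <= h["hotfixes"], 4,
          "https://vendor.example/hotfixes", patch=True),
    Check("Guest account disabled",
          lambda h: h["guest_enabled"] is False, 2,
          "https://docs.example/guest-account"),
    Check("Minimum password length at least 8",
          lambda h: h["min_password_length"] >= 8, 2,
          "https://docs.example/password-policy"),
    Check("Auditing of logon events enabled",
          lambda h: h["audit_logon"], 1,
          "https://docs.example/audit-policy"),
    Check("Anonymous enumeration of shares restricted",
          lambda h: h["restrict_anonymous"] >= 1, 2,
          "https://docs.example/restrict-anonymous"),
]


def score(host: dict, profile: List[Check] = PROFILE) -> Tuple[int, List[Check]]:
    """Return (score 0..10, list of failed checks).

    Assumed rule: any failed patch-level check pins the score at 0, which
    reproduces the "unpatched server scores zero" behaviour the review
    describes; otherwise the score is the weighted pass fraction scaled to
    10 and rounded down.
    """
    failed = [c for c in profile if not c.test(host)]
    if any(c.patch for c in failed):
        return 0, failed
    total = sum(c.weight for c in profile)
    passed = total - sum(c.weight for c in failed)
    return (10 * passed) // total, failed


def report(host: dict, profile: List[Check] = PROFILE) -> str:
    """Render a report that carries the remediation pointer beside each failure."""
    s, failed = score(host, profile)
    lines = [f"Score: {s}/10 ({len(profile) - len(failed)} of {len(profile)} checks pass)"]
    for c in failed:
        lines.append(f"FAIL  {c.name}\n      fix: {c.remediation}")
    return "\n".join(lines)


# Constructed snapshots: the same server before and after patching, and one
# that is patched but has two configuration items left open.
UNPATCHED = {"service_pack": 0, "hotfixes": set(), "guest_enabled": False,
             "min_password_length": 8, "audit_logon": True, "restrict_anonymous": 1}
PATCHED = dict(UNPATCHED, service_pack=2, hotfixes={"HOTFIX-01", "HOTFIX-02"})
PARTIAL = dict(PATCHED, guest_enabled=True, audit_logon=False)

if __name__ == "__main__":
    for label, host in (("unpatched", UNPATCHED), ("patched", PATCHED),
                        ("patched, two settings open", PARTIAL)):
        print(f"== {label} ==")
        print(report(host))
```

Running it shows the unpatched snapshot at 0 regardless of its other settings, the fully patched one at 10, and the partially hardened one at 8 with two FAIL lines, each followed by the URL an administrator would otherwise have to dig out of the manual.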

If you are an experienced Windows server administrator and understand the various ins and outs of running your servers, this tool probably is too simplistic for you. But if you have a collection of Windows 2000 servers and want to learn more about how to make them less vulnerable to attack from Internet outsiders, then this tool will be a good learning experience, and you'll be able to profit from it quite nicely. The folks at CIS should be commended for taking a very difficult subject and making it very accessible to the average network administrator.

Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad -- one notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time, minimal real value.

About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at david@strom.com.




This was first published in March 2002

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.