Category: Security benchmarking
Name of tool: Level One Security Scoring Tool
Company: Center for Internet Security
Price: Free for the downloading
Platforms supported: Windows 2000 Professional and Server, separate tools available for Solaris servers and Cisco routers
*** = Hey, not bad -- one notch below very cool. Key features:
Scans for security weaknesses in your servers and shows you how to correct them. Pros:
Simple and easy to use
Good tutorial on how to patch and upgrade operating systems to increase security Cons:
URLS for various hotfixes and service packs need to be typed in manually in a separate Web browser
Reports could incorporate information found in documentation for easier reading Description:
Patching your servers' operating systems to make them more secure can be a full-time job, and one way to make it less demanding is to use a tool from the Center for Internet Security called Level One Scoring Tool. It is a simple piece of software that will scan your server's configuration and show you how to make it a more hardened system.
CIS makes several different versions of its tools, which by their very nature have to match the underlying server operating system. I tested the Windows 2000 version, and there are versions for Solaris and for Cisco IOS available from the company's Web site for a free download, as well.
This tool gives you your choice of various security profiles. Plus, it will teach you what you need to do and be on the lookout for if you aren't completely comfortable tightening up your operating system or don't know all the places that you need to examine to close off potentially vulnerable spots.
Basically, the way this benchmark works is very simple: You decide on which security profile you wish to compare your server with. The tool comes with several, including ones that are based on the National Security Agency's recommendations (you would think they would know how to lock down their own systems, given the stakes involved if they are compromised). After you pick a profile, the tool scans your local hard disk and picks up on the changes that you need to make to your server to bring it up to the level of security specified in the profile. You get a score from zero to 10, with 10 being the most secure and zero being the score that I got when I initially scanned a few test machines.
First, I thought that something was wrong with the software -- a zero? Surely, my servers couldn't be that insecure? Well, they were. I had neglected to apply any of the numerous Microsoft hotfixes and service packs to these machines. Once I did, my scores started creeping up. All told, it took me the better part of an hour to read through the documentation, step through the patches from Microsoft and make the final alterations to my first server. Once I got the hang of it, I could save some time working through the process on other servers, although it can be time-consuming as you download and apply the patches and wait for your server to reboot before they can be applied.
Included with the tool are two manuals in Adobe Acrobat format. The first walks you through what you need to do on a very practical level to get a better score and how to specifically apply the various patches and changes to your machines. The second goes into more theory behind securing Windows servers.
There are a few quibbles that I have with the tool. It would be nice to have access to the URLs to apply the patches, service packs and hotfixes from directly within the reports themselves. Instead, you have to bring up the manuals and cut and paste this information from there. The reports are very terse and won't make much sense without reading the supplied documentation carefully.
If you are an experienced Windows server administrator and understand the various ins and outs of running your servers, this tool probably is too simplistic for you. But if you have a collection of Windows 2000 servers and want to learn more about how to make them less vulnerable to attack from Internet outsiders, then this tool will be a good learning experience, and you'll be able to profit from it quite nicely. The folks at CIS should be commended for taking a very difficult subject and making it very accessible to the average network administrator.Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad -- one notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time, minimal real value. About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at email@example.com.
Related book Administrating Web servers, security and maintenance, first edition
By Eric Larson & Brian Stephens
This user-friendly interactive text provides competency in three key skill areas: 1. Web-business management, from financial issues to project management and marketing; 2. content management, including user interface, authoring languages, multimedia and graphics; and 3. technical management involving administration, protocols, performance and security.
Dig Deeper on Web Server Threats and Countermeasures