Defeat hackers by running the Microsoft Web Application Configuration Analyzer with the same security checks that Microsoft uses on its own servers

Microsoft has just released version 2.0 of its Web Application Configuration Analyzer. A free download, the Web Application Configuration Analyzer scans IIS servers, hosted applications, and SQL Server instances for common security issues and misconfigurations. Version 2.0 contains 159 rules, each of which is a specific security check that generates a Passed, Failed, or Indeterminate outcome in the resulting report. Rules are broken down into three categories: General Applications, IIS Applications, and SQL Applications.

The rule checks were determined by Microsoft’s own Information Security & Risk Management review team, whose job it is to harden pre-production and production servers within Microsoft. Those checks are now being shared with the public. It’s nice to know what Microsoft, one of the most attacked companies in the world, recommends doing on its own Web, application, and SQL servers to defeat hackers.

Each rule category can be expanded to reveal the underlying rule details. For the most part, the rules are readily understandable from their titles alone, although the resulting report provides more detailed explanations, along with how to remedy any failed tests. Each rule can be suppressed to prevent known false positives, and the suppressions are stored in a file so they can be reused on later scans.

You’ll need full administrator permissions on the computers you scan, along with SQL Server admin permissions on any SQL instances you want the tool to investigate. A local scan takes less than two minutes in most cases.

Here’s an example of a Web Application Configuration Analyzer report summary (screenshot in the original article):

Failed tests provide more detail and suggest remediation (screenshot in the original article):

As with any generic configuration scanner, false positives are bound to show up. Many of the Failed (or Indeterminate) findings were not true security vulnerabilities but a consequence of the requirements of particular applications. Some of the rules that returned an Indeterminate finding surprised me, because they were normal checks appropriately rated by other Microsoft tools (such as Resultant Set of Policy and GPResult.exe). I expect these bugs to be fixed as the Web Application Configuration Analyzer matures.

I was especially impressed by the application rule checks, which pointed out specific application and configuration issues that I otherwise would have missed. An example (screenshot in the original article):

Scans can be run against multiple computers, and the findings of later scans can be compared against historical ones. Reports are shown in HTML, but they can be exported to Microsoft Excel, saved in the usual file types (HTML, text, and so on), printed, or exported to Team Foundation Server.

In my first few tests, the Web Application Configuration Analyzer noted many issues that were not discovered by the more comprehensive, cross-platform scans of the Tenable Nessus vulnerability scanner or the excellent open source Nikto Web server scanner. This makes sense, considering that the Web Application Configuration Analyzer’s rules were created by the people who build and secure Microsoft’s server software products.

If you have IIS servers in your environment, you’ll find the Web Application Configuration Analyzer invaluable. You’ll not only discover any misconfigurations you have, but you’ll probably learn more about securing your IIS servers in general. I’m a 15-year IIS security veteran, and even I learned a few things. Perhaps the issues were not all brand-new to me, but the Web Application Configuration Analyzer made it easy to discover them, and there’s no way I would have found them using my typical manual methods and other tools. Last but not least, it’s free.
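To make the report model described above concrete (rules that each yield Passed, Failed, or Indeterminate; a suppression file for known false positives; and comparison of a new scan against an earlier one), here is a small rule scanner for an ASP.NET web.config written in Python. It is an added example, not code from Microsoft or the Web Application Configuration Analyzer. Its five rules are modelled on well-known ASP.NET and IIS hardening settings and are this example’s own, not WACA’s rule list; the rule IDs (EX-001 and so on), the suppression-file format, and both sample web.config files are assumptions constructed for the example.

```python
"""Toy configuration-rule scanner for an ASP.NET web.config.

Added example, not code from Microsoft or WACA. The rules, sample configs
and the suppression file below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PASSED, FAILED, INDETERMINATE, SUPPRESSED = "Passed", "Failed", "Indeterminate", "Suppressed"


@dataclass(frozen=True)
class Rule:
    rule_id: str       # hypothetical ids; WACA's own ids are not used here
    title: str
    path: str          # element path below <configuration>
    attr: str          # attribute that carries the setting
    bad_values: tuple  # lower-cased attribute values that fail the rule
    remedy: str


# Example rules modelled on well-known ASP.NET/IIS hardening settings.
RULES = (
    Rule("EX-001", "Debug compilation is disabled", "system.web/compilation",
         "debug", ("true",), 'set <compilation debug="false">'),
    Rule("EX-002", "Detailed errors are hidden from remote clients", "system.web/customErrors",
         "mode", ("off",), 'set <customErrors mode="RemoteOnly"> or "On"'),
    Rule("EX-003", "Page tracing is disabled", "system.web/trace",
         "enabled", ("true",), 'set <trace enabled="false">'),
    Rule("EX-004", "Cookies are marked HttpOnly", "system.web/httpCookies",
         "httpOnlyCookies", ("false",), 'set <httpCookies httpOnlyCookies="true">'),
    Rule("EX-005", "Directory browsing is disabled", "system.webServer/directoryBrowse",
         "enabled", ("true",), 'set <directoryBrowse enabled="false">'),
)


def evaluate(rule, root):
    """Evaluate one rule against a parsed <configuration>; returns (outcome, detail)."""
    element = root.find(rule.path)
    if element is None:
        # The setting is inherited from machine.config / applicationHost.config,
        # which a file-only scan cannot see: say so instead of guessing.
        return INDETERMINATE, f"<{rule.path}> absent; value inherited from a parent config"
    value = element.get(rule.attr)
    if value is None:
        return INDETERMINATE, f"{rule.attr} not set on <{rule.path}>; framework default applies"
    if value.strip().lower() in rule.bad_values:
        return FAILED, f'{rule.attr}="{value}"; remedy: {rule.remedy}'
    return PASSED, f'{rule.attr}="{value}"'


def load_suppressions(text):
    """Parse a suppression file: one rule id per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def scan(web_config_xml, suppressed=frozenset()):
    """Run every rule over one web.config; returns {rule_id: (outcome, detail)}."""
    root = ET.fromstring(web_config_xml)
    report = {}
    for rule in RULES:
        outcome, detail = evaluate(rule, root)
        if outcome == FAILED and rule.rule_id in suppressed:
            outcome = SUPPRESSED   # accepted as a known false positive for this app
        report[rule.rule_id] = (outcome, detail)
    return report


def regressions(previous, current):
    """Rule ids that passed in an earlier scan but fail in the current one."""
    return sorted(rid for rid, (outcome, _) in current.items()
                  if outcome == FAILED and previous.get(rid, (None, None))[0] == PASSED)


# Constructed sample inputs (not taken from any real server).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>"""

SUPPRESSIONS_FILE = "EX-002  # dev box: verbose errors wanted locally\n"

if __name__ == "__main__":
    current = scan(SAMPLE_WEB_CONFIG, load_suppressions(SUPPRESSIONS_FILE))
    for rid, (outcome, detail) in current.items():
        print(f"{rid} {outcome:13} {detail}")
    print("regressions vs hardened baseline:",
          regressions(scan(HARDENED_WEB_CONFIG), scan(SAMPLE_WEB_CONFIG)))
```

The Indeterminate outcome is the part worth copying: a rule whose setting is absent from the file under test is inherited from a parent configuration the scanner cannot see, and reporting that honestly is better than silently passing or failing it. Suppressions apply only to Failed results, so a suppressed rule that later becomes Indeterminate still shows up for review.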
This story, “Free and easy security scanner for IIS, ASP.Net, SQL, and Windows servers,” was originally published at InfoWorld.com. Read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.