Since the announcement of its Trustworthy Computing initiative, Microsoft has released a plethora of utilities designed to help administrators keep their Windows systems secure. Keeping track of everything that has been released as well as keeping up with regular updating and patching of Windows systems can be a major challenge. Fortunately, Microsoft has made it easier with the release of the Microsoft Security Resource Kit, a CD-ROM containing nearly all of the security utilities the company has released. The kit is free, and you can order it from Microsoft.
I'm going to show you what it includes and how it can help you lock down Windows servers.
What's in there?
The kit is divided into four sections:
- Security Resources
- Security Tools
- Desktop Security
Figure A provides a look at the welcome screen.
|Microsoft Security Resource Kit main screen|
The Security Resources section includes PDF documents with detailed explanations for securing Microsoft servers, as well as links to security information on Microsoft’s Web site.
The Security Tools section contains items such as the Security Update Server, the IIS Lockdown Tool 2.1, QChain.exe, the Microsoft Network Security Hotfix Checker (hfnetchk.exe), and the most recent Windows 2000 security rollup package. Table A lists the software components included with the kit.
|Security Update Server||Allows administrators to automatically apply updates to their Windows servers. Make sure that you carefully go over and understand any licensing and end user license agreements (EULA) that come with the Security Update Server, as well as the packages it installs. Certain provisions in recent Microsoft recent EULAs—especially those with Windows XP SP1 and Windows 2000 SP3—essentially allow Microsoft access to your systems.|
|Microsoft Baseline Security Analyzer||This utility looks at Windows servers, including SQL Server and Exchange, in an effort to identify potential security misconfigurations.|
|IIS Lockdown Tool 2.1||This tool secures the ever-vulnerable IIS Web server.|
|QChain.exe||This one allows you to install multiple hotfixes with a single command.|
|Microsoft Network Security Hotfix Checker||This utility identifies the hotfixes that have not been applied to your servers.|
White papers in the Infrastructure section
The kit excels in providing detailed security information. Dozens of white papers on products including Windows, IIS, Exchange, ISA Server, and SMS are included. The topics are all security related and provide excellent information on best practices for deploying those systems and their components.
The Exchange section contains information on protecting an Exchange server from viruses and an overview of the product's security features.
The Windows 2000 section is an invaluable resource for administrators who are serious about security and includes information on PKI, cryptography, Kerberos, IPSec, the Encrypting File System (EFS), and distributed security servers, as well as on how these services are related to and deployed in Windows environments. Having all of these white papers in one place makes life easier for administrators. You'll also find white papers on additional topics, such as smart cards, single sign-on, and certificate services.
The ISA Server section offers white papers and case studies on deploying that firewall and caching product, including a how-to on using ISA to protect against the Code Red and Nimda worms. The IIS and SMS sections contain best practices white papers for those products.
Obviously, white papers alone will not protect your environment from threats. But you can glean some great tips and security practices that will help you to keep security tight and controlled.
It’s convenient to have all of these white papers in one place, especially since, at times, I have found it difficult and frustrating to find these types of resources on Microsoft’s Web site.
A demo is worth a thousand words
Also included in the kit are a number of demos and animations depicting how certain services function. Call me simple, but I like these kinds of demonstrations, especially when I need to explain to the CEO what it is that some of these services do. Figure B shows a screen shot from the Software Update Services animation.
|Software Update Services at work|
Secure the desktop
This toolkit doesn't focus only on server security. One section is devoted to security on the desktop, and on Windows XP and Office XP in particular. You'll find a number of white papers and demos on how to best secure these potential weak points of infrastructure security.
The Microsoft Security Resource Kit is essential for almost any Windows administrator because it provides an abundance of security-related information in one place and across all of Microsoft’s commonly deployed products.
I especially like the inclusion of nearly every security utility available, along with the selection of white papers that offer security tips and best practices. Most of all, having all of this stuff in one place is bound to save a lot of time for administrators, who would otherwise have to search the Internet, follow various links, and download each of these tools and documents individually.
I would have liked to see other servers, such as SQL Server, covered a little more thoroughly in this kit. Nevertheless, this is an excellent resource that will help you plug some of the holes that continually arise in Microsoft products.
Your can order the kit here. Again, it is free. Even shipping is included, unless you want the kit rushed, in which case shipping is $5.95.