Last year we developed an internal tool to review servers for security configuration issues. Microsoft offers several enterprise options for doing this, such as System Center Configuration Manager, but the requirement was for a lightweight stand-alone tool aimed at developers and testers, who often develop in an unmanaged environment. The tool needed to help developers configure their local environments according to security best practices and specifically target:
- Windows shares access control issues
- Windows services
- IIS settings such as authentication settings
- SSL settings
- virtual directory settings
- ASP.NET Web.Config settings
- SQL Server authentication
- extended stored procedures and database permissions
It will help developers build applications in secure development environments and ensure that their applications work seamlessly in a similarly secured production environment.
Quick summary of features included in the WACA CTP:
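To show what a configuration check of the kind listed above looks like in practice, here is an added example of a small ASP.NET Web.Config reviewer. It is not WACA's code and makes no claim about WACA's signature format; the five rules and their default values are well-known ASP.NET hardening settings chosen here as an assumption, and the sample Web.Config is constructed.

```python
# Added illustration of an ASP.NET Web.Config configuration check.
# Not WACA's code; rules and defaults below are an assumption based on
# documented ASP.NET settings.
import xml.etree.ElementTree as ET

# Constructed sample Web.Config with several weak settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
</configuration>
"""

# Each rule: (element path, attribute, ASP.NET default when the attribute
# or element is absent, value considered weak, finding text).
RULES = [
    ("system.web/compilation", "debug", "false", "true",
     'compilation debug="true" exposes detailed errors to users'),
    ("system.web/customErrors", "mode", "RemoteOnly", "off",
     'customErrors mode="Off" leaks stack traces to remote users'),
    ("system.web/trace", "enabled", "false", "true",
     'trace enabled="true" exposes request data via trace.axd'),
    ("system.web/httpCookies", "httpOnlyCookies", "false", "false",
     'httpOnlyCookies="false" lets client script read session cookies'),
    ("system.web/httpCookies", "requireSSL", "false", "false",
     'requireSSL="false" allows cookies to travel over plain HTTP'),
]


def check_web_config(xml_text):
    """Return a list of (element path, finding) for every rule that fires.

    Absent elements or attributes are evaluated against the ASP.NET
    default, so insecure defaults (e.g. httpOnlyCookies) are still reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, default, weak, text in RULES:
        elem = root.find(path)
        value = elem.get(attr, default) if elem is not None else default
        if value.lower() == weak.lower():
            findings.append((path, text))
    return findings


if __name__ == "__main__":
    for path, text in check_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{path}] {text}")
```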
- Around 100 IIS, ASP.NET and SQL Server settings based on the MS-IT security deployment review settings
- Scan a single machine locally or remotely for these settings
- View an HTML report of the results
- Export the results to Excel or to Visual Studio Team Foundation Server as work items
- Extensible configuration option for Team Foundation Server field mapping
- Includes an option to specify fixed scan credentials
Here is a screenshot of the landing screen for the tool.
This tool complements the CAT.NET tool, which performs static analysis of .NET code, and in fact both tools use the same configuration signature format for their configuration checks, meaning you can now scan the code and check the configuration seamlessly. We are working on releasing a CTP next week, which will be available on http://connect.microsoft.com (search for Information Security Tools and register).