Microsoft freeware checks for Windows security holes

Microsoft Corp. this week made available a freeware vulnerability-assessment tool for Windows desktops and servers.

The tool, called Baseline Security Analyzer, runs locally on a PC and allows network administrators to determine whether their NT 4.0, Windows 2000 or XP desktops and servers are missing software patches for security holes or are improperly configured.

Baseline Security Analyzer is a read-only tool that doesn't automatically locate and apply software patches, as other tools on the market do. Microsoft signaled its growing interest in developing such software to automate this process, however.

To date, Microsoft has relied on Shavlik Technologies LLC, a St. Paul, Minn.-based company that specializes in test tools, to produce the freeware available from Microsoft. But the company has long-term goals to improve the software-patching process for its customers that may entail Microsoft striking out on its own in the test-tool area.

"We need to find an automated way to do this," said Craig Mundie, Microsoft's vice president and chief technology officer, in his keynote at the RSA Security conference. The numerous vulnerabilities discovered over time in Microsoft operating system and application software have made any unpatched Microsoft server and browser a popular target for hackers and computer worms, such as Nimda and Code Red.

Microsoft is working on a patch-rating system to define discovered software holes on a scale of high to low risk. While Microsoft is making a concerted effort to prevent coding errors that lead to problems such as buffer-overflow vulnerabilities, Mundie said that the company's long-term goal is to create the means to automate the discovery of holes and the patching process.

"If we depend on people to do this, we'll be swamped," he said. "In fact, we are swamped."

The release of the Baseline Security Analyzer is but a first step, said Lara Soskonsky, a Microsoft security program manager who was demonstrating the freeware tool at Microsoft's pavilion at the RSA conference.

"We don't push out the patches, but we may add that feature as an option in Version 2.0. In future versions, we'll also add more applications, such as Internet Information Server 4.0, 5.0, SQL 7, Internet Explorer 5.0 and up, Office 97 and Office 2000, among others," Soskonsky said. "And we'll add .Net [support] to Version 2.0."

The second version may be out in just a few months, she said.

Whether Microsoft will continue its reliance on Shavlik Technologies to build the freeware is under review. "We haven't decided whether or not to go out on our own," said Soskonsky. But Microsoft may be inching toward its own suite of commercial test-tool products.

Should that happen, Shavlik Technologies could see its symbiotic relationship with Microsoft undergo a disruptive change. Currently, Shavlik can advertise its more robust and full-featured vulnerability-assessment tools on Microsoft's Web site, next to the freeware it built for Microsoft.

Shavlik's first project for Microsoft was a Web-based vulnerability-assessment service created last fall after the outbreak of the Nimda worm in August. The second project, the Baseline Security Analyzer, is a stripped-down version of Shavlik's own HFNetChk Pro AdminSuite 3.6, which can push out software patches and remotely install them in a scheduled fashion. It can check for weak passwords and weak administrative accounts. The latest version of Shavlik's tool, which costs $1,500 for 50 users, also became available this week.

For larger enterprises that want to do detailed analysis across machines, Shavlik shipped Shavlik EnterpriseInspector, priced at $3,000 and up. This version also checks to make sure antivirus software is installed on machines.
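As an added illustration (not code from Microsoft's Baseline Security Analyzer or from any Shavlik product), the following Python sketch shows the kind of read-only baseline assessment the article describes: it compares a host inventory against a required-patch list and a configuration baseline (password policy, antivirus presence, guest account state, the sort of checks attributed to the Shavlik tools above), then reports findings rated high to low in the spirit of the patch-rating system Mundie mentions. Every hotfix identifier, host name, and threshold below is a constructed placeholder, and the inventory data is embedded inline so the script runs offline.

```python
"""Read-only baseline assessment sketch (added example; not the MBSA or Shavlik code).

The script only reads an inventory and reports deviations; it never changes a host,
which is the distinction the article draws between a read-only analyzer and a
patch-deploying tool.
"""
from dataclasses import dataclass

# Constructed baseline of required hotfixes with a high/medium/low rating.
# The identifiers are placeholders, not real Microsoft hotfix numbers.
REQUIRED_PATCHES = {
    "HOTFIX-PLACEHOLDER-001": "high",
    "HOTFIX-PLACEHOLDER-002": "medium",
    "HOTFIX-PLACEHOLDER-003": "low",
}

# Constructed configuration baseline (assumed thresholds for illustration).
CONFIG_BASELINE = {
    "min_password_length": 8,
    "antivirus_installed": True,
    "guest_account_enabled": False,
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    host: str
    check: str
    severity: str
    detail: str


def assess_host(host: dict) -> list:
    """Compare one host record against the patch and configuration baselines."""
    findings = []
    name = host["name"]
    installed = set(host.get("installed_patches", []))

    # Missing patches inherit the rating assigned to the patch in the baseline.
    for patch_id, severity in REQUIRED_PATCHES.items():
        if patch_id not in installed:
            findings.append(Finding(name, "missing-patch", severity, patch_id))

    cfg = host.get("config", {})
    # Defaults are chosen so that an absent setting is treated as non-compliant.
    if cfg.get("min_password_length", 0) < CONFIG_BASELINE["min_password_length"]:
        findings.append(Finding(name, "weak-password-policy", "high",
                                f"min_password_length={cfg.get('min_password_length', 0)}"))
    if not cfg.get("antivirus_installed", False):
        findings.append(Finding(name, "antivirus-missing", "medium", "no antivirus reported"))
    if cfg.get("guest_account_enabled", True):
        findings.append(Finding(name, "guest-account-enabled", "medium", "Guest account is enabled"))
    return findings


def assess_inventory(hosts: list) -> dict:
    """Assess every host and return findings sorted by severity plus per-severity counts."""
    findings = []
    for host in hosts:
        findings.extend(assess_host(host))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.check))
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return {"counts": counts, "findings": findings}


# Constructed inventory: two hosts with deliberately different gaps.
SAMPLE_HOSTS = [
    {
        "name": "fileserver-01",
        "installed_patches": ["HOTFIX-PLACEHOLDER-001", "HOTFIX-PLACEHOLDER-003"],
        "config": {"min_password_length": 6, "antivirus_installed": True,
                   "guest_account_enabled": False},
    },
    {
        "name": "desktop-17",
        "installed_patches": ["HOTFIX-PLACEHOLDER-001", "HOTFIX-PLACEHOLDER-002",
                              "HOTFIX-PLACEHOLDER-003"],
        "config": {"min_password_length": 8, "antivirus_installed": False,
                   "guest_account_enabled": True},
    },
]


if __name__ == "__main__":
    report = assess_inventory(SAMPLE_HOSTS)
    print("Summary:", report["counts"])
    for f in report["findings"]:
        print(f"[{f.severity:6}] {f.host:14} {f.check:22} {f.detail}")
```

The report is the whole output: nothing is pushed to the hosts. Wiring this to a real inventory source (a hotfix list exported from each machine, a policy dump) is the part a deployment tool would add, and that is also where the article's distinction between assessing and patching begins to matter.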

"We have over 3 million people using our products," said company CEO Mark Shavlik. The Shavlik commercial tools require their own console and don't share information with the Microsoft SMS management console without extensive coding to enable that, he said.

Shavlik said he hopes to continue the freeware relationship with Microsoft that has benefited his firm. "It's been a way for people to learn about our products at the Microsoft Web site," he said.


This story, "Microsoft freeware checks for Windows security holes" was originally published by Network World.

Copyright © 2002 IDG Communications, Inc.
