Last fall, Microsoft shipped the Security Readiness Kit (SRK) 4.1 on CD-ROM to Microsoft TechNet subscribers and mirrored the entire SRK online at http://www.microsoft.com/technet/security/readiness/default.mspx for everyone else. As with previous versions, the SRK 4.1 provides documentation, tools, patches, and service packs in a central location to help you assess, deploy, and secure your Windows platforms.
The SRK 4.1 provides additional tools and improves accessibility through an easy-to-use hypertext application (HTA) front end that's similar to the SRK Web-based interface. If you haven't used the SRK before, check it out—it can be a useful compendium of information and a valuable addition to your security library or toolbox.
Using the SRK
No installation is necessary to use the SRK; you simply use your Web browser to open the default.hta file and access the SRK portal, which Figure 1 shows. The portal serves as the starting point for accessing data from the CD-ROM. The HTA loads an srk.xml file that contains information and an index about all the data stored in the SRK. The SRK interface provides three menu options for accessing the SRK information: Products And Technologies, I Want To, and List All Contents. Each menu option offers several submenus that cross-reference most of the data on the CD-ROM.
Whereas most of the SRK documentation and tools are on the CD-ROM, you must download most of the patches directly from Microsoft. To expedite finding the patches you need, the SRK provides links to the patches and the Microsoft Security Bulletins. Most users will prefer to use the HTA portal to navigate the SRK, but you can still manually navigate through the CD-ROM folder hierarchy to find content directly. The SRK doesn't include a feature that lets you search the SRK for specific content by keyword. However, the amount of content isn't overwhelming, and finding the information you're looking for is usually straightforward.
If you get the SRK on CD-ROM, make sure your copy is up-to-date as of February 2004. You can choose to manually check for updates or set the SRK to automatically check for updates. When you check for updates, the HTA connects to a TechNet Web site and downloads the latest version of the srk.xml file to the My Documents folder of the currently logged-on user. When browsing the SRK after checking for updates, the tool highlights any updated content, as Figure 2 shows.
Microsoft continues to refine its security service offerings, and this SRK will be the last to contain patches, tools, and documentation. Moving ahead, Microsoft will issue patch CD-ROMs that are separate from its guidance and tool CD-ROMs. The company plans to release version 1.0 of this new Security Guidance Kit CD-ROM in spring 2004 and make the patch CD-ROMs available to TechNet subscribers.
Products And Technologies
The Products And Technologies section of the SRK organizes documentation and tools by the following Microsoft products and product groups: Microsoft SQL Server, IIS, Exchange Server, Software Update Services (SUS), Systems Management Server (SMS), Internet Security and Acceleration (ISA) Server, and the Windows server and client OSs. So, for example, if you're deploying SQL Server, you can review the Products And Technologies section to determine whether a white paper is available that describes the best practices for securing SQL Server 2000. Unlike other sections of the SRK, the Products And Technologies section doesn't include any patches.
I Want To
The I Want To section describes how to use the SRK to accomplish specific security-related tasks. Most sections describe how to deploy or secure a common platform. For example, the Deploy and Operate A More Secure Exchange Environment Including Outlook Web Access option links to the current service pack, critical patches, white papers, and documentation guides for how to secure and publish Exchange. This documentation set includes a .pdf file of the Security Operations Guide for Exchange 2000 Server, a Web link to a Windows Media Player (WMP) presentation about how to publish your Exchange server, a Microsoft Word document about how to use ISA Server to Web-publish a Microsoft Outlook Web Access (OWA) computer, and a step-by-step guide for setting up VPN-based remote access in a test lab. Although most of these documents are available elsewhere (such as directly from TechNet), the SRK increases the convenience by providing security-based and task-focused content from one location.
The I Want To section also includes tools to help you perform a particular task. Continuing with the previous example, one of the white papers recommends running the IIS Lockdown tool as a step toward securely publishing OWA. The SRK includes the IIS Lockdown tool on the CD-ROM and links to it directly from the I Want To section.
The I Want To section provides guides and solutions for the following tasks:
- Deploy and Operate Windows Clients and Servers More Securely
- Deploy and Operate A More Secure Exchange Environment Including Outlook Web Access
- Deploy and Operate A More Secure Web Server With IIS
- Deploy and Operate A More Secure SQL Server Environment
- Deploy and Operate A More Secure Wireless LAN
- Enable More Secure Remote Access To My Network With VPN
- Enable Authentication Using Windows Certificate Services (CA) and PKI
- Establish A More Secure Network Perimeter With ISA Server Firewall
- Find and Deploy The Latest Software Updates Across My Network
Even if you don't currently use some of the technologies described, you'll find that the I Want To section contains useful and educational information about new, evolving, and popular technologies. Specifically, the sections about patch management, wireless LAN (WLAN), and public key infrastructure (PKI) provide good security overviews about these hot topics.
List All Contents
The List All Contents section presents an easy way to review the entire contents of the SRK. Three subsections list all the documentation, service packs and security updates, and tools contained in the SRK.
Documentation. The Documentation subsection lists all the documents in the SRK by platform and provides another method for finding the data you're looking for, especially if you want to browse only the documents and aren't trying to accomplish a particular task. Documentation consists of .pdf files and Word documents stored on the CD-ROM as well as links to white papers and other guides on the Microsoft Web site.
Service Packs and Security Updates. The Service Packs and Security Updates subsection provides an easy-to-review matrix of all patches by service pack for each product in one location. For example, if you've deployed Windows 2000 Server with Service Pack 4 (SP4), you can scroll down and see its patches, as Figure 3 shows. Clicking the underlined hyperlink downloads the patch from the Microsoft Web site, and clicking the question mark (?) icon takes you to the security bulletin for that particular patch. This patch-by-product matrix becomes even more useful when combined with the SRK automatic update feature. Together, these features provide you with a locally managed and current copy of links to all Microsoft patches and security bulletins, which can be less time-consuming than searching the Microsoft Web site for a particular patch.
Most administrators will favor automated patch-management services such as SUS or SMS Feature Pack 1, which make installing patches easier and provide some reporting capabilities. But the SRK's listing of all patches by product name makes it a snap to find the one particular patch that you want to deploy independently of any managed services (e.g., sending patches to a remote office or telecommuter). The SRK includes not only security updates but also service packs for Windows products, SQL Server, ISA Server 2000, Exchange, and IIS. Notably absent are Microsoft Office patches and service packs. The SRK misleadingly lists the most current service pack for Office XP and Office 2000 as Gold (which means an early release), whereas in reality Microsoft has released several service packs for these Office versions. Also, the updates listed for Office products are limited to Microsoft FrontPage Server Extensions 2002 and FrontPage Server Extensions 2000 patches.
Tools. The SRK provides a subset of Microsoft's freely available security tools. Most of the tools included in the SRK help you manage patches and updates or lock down services or platforms. Unfortunately, the SRK includes only Microsoft's main security tools and leaves out many smaller or hard-to-find tools (e.g., tools for ISA Server and Exchange). The tools included in the SRK are
- Web-based Password Change Functionality, Change Password Package for IIS 5.0 (Win2K), and Change Password Package for IIS 4.0 (Windows NT 4.0)—The Web-based Password Change Functionality, Change Password Package for IIS 5.0, and Change Password Package for IIS 4.0 change how Microsoft IIS handles Web-based password functionality. When installed, these tools move the password functionality from an Internet Server API (ISAPI) extension to more secure Active Server Pages (ASP), similar to the functionality in Internet Information Services (IIS) 6.0 and IIS 5.1.
- Group Policy Management Console (GPMC)—GPMC provides a Microsoft Management Console (MMC) snap-in to manage Group Policy from one tool. This tool improves on the MMC Active Directory Users and Computers snap-in's individual Group Policy management configuration features. With GPMC, you can see at a glance the scope, delegation, and inheritance of a policy so that you know which sites, domains, and OUs are affected. Also, if you have at least one Windows Server 2003 domain controller (DC), you can use GPMC to link a Group Policy Object (GPO) to a Windows Management Instrumentation (WMI) filter. The GPMC displays only changed Group Policy settings, which makes viewing the settings easy. Additionally, the tool offers Group Policy modeling to simulate a policy deployment for planning or testing.
- IIS Lockdown tool—The IIS Lockdown tool reconfigures your pre-IIS 6.0 settings to make your Web server less vulnerable to attack. (By default, IIS 6.0 is installed in a locked-down state.) The tool asks you to classify the role of your server by selecting a server template, then lets you view the template settings to see the changes that the tool will make given your selection. Next, the tool asks you whether it should install URLScan to parse all incoming URLs before your Web application accesses them so that you can stop possible malicious traffic.
- Microsoft Baseline Security Analyzer (MBSA) 1.1.1—You can use MBSA to scan local and remote computers for common vulnerabilities and installed or missing patches. MBSA extends the patch-scanning functionality that Microsoft introduced with the HFNetChk tool. (The latest version, MBSA 1.2, is available at http://www.microsoft.com/mbsa.)
- Outlook 2000 Service Release 1 (SR1) Update: Extended E-Mail Security—Microsoft Office Outlook 2003 and Outlook 2002 include new built-in functionality to prevent the spread of email-based worms. This upgrade brings these security features to legacy Outlook 2000 deployments.
- SUS 1.0—SUS provides a centralized approval and deployment service for Microsoft security updates. SUS leverages the client-side Automatic Updates service, which is similar to Microsoft's Windows Update site. SUS provides a free, basic patch-management service for organizations that don't need the more sophisticated and capable SMS.
- SQL Server Critical Update Kit—The SQL Server Critical Update Kit includes tools that scan for and patch SQL Server 2000 and Microsoft Data Engine (MSDE) 2000 systems that are vulnerable to the SQL Slammer worm.
- SMS Feature Pack—The SMS Feature Pack is a set of SMS patch-management add-ons that let you target patch scans and deployments to SMS computer groups. Additionally, you can report on your patch status through an extended SMS Web report interface.
- IPSecTools and KB824146Scan—IPSecTools provides a set of IP Security (IPSec) policies for blocking ports that Distributed COM (DCOM) and remote procedure calls (RPCs) use. This tool helps prevent the spread of DCOM worms but can also reduce system functionality because many legitimate services and tools use DCOM and RPC. However, the tool is granular and illustrates how you can use IPSec filters to quickly bolster your defenses against a rampant attack. KB824146Scan provides a command-line network-scanning tool for detecting systems vulnerable to DCOM and RPC exploits.
These tools are provided on the SRK CD-ROM, which makes distribution to servers without an Internet connection faster and more convenient. When you click a tool hyperlink from within the SRK, the SRK launches the executable to install the tool. Many more tools are available at the Microsoft Security Tools Web site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/default.asp).
Another Brick in the Wall
Although dwarfed in scope by TechNet or Microsoft Developer Network (MSDN), the SRK provides convenient access to much of Microsoft's security-focused documentation and many of its security tools. Whether you have the TechNet subscription CD-ROM or choose to access the SRK directly from the Internet, you'll find it a great source for articles, white papers, how-to guides, and tools. In addition, it's yet another resource you can use to find updates and service packs to help secure your Microsoft infrastructure.