Not surprisingly, computer security has been the topic of this UPDATE commentary several times this year, and the recent release of the new Microsoft Baseline Security Analyzer (MBSA) has me thinking about security yet again. Whether you manage an entire enterprise, several workstations, or your broadband-connected home computer, security is more relevant now than ever before. Because greater minds than mine have studied and explained security concepts in detail elsewhere, I thought I'd provide a few pointers to information about the most recent security patches, updates, and information.
Microsoft Web Sites
Microsoft has a wealth of security-oriented content on its enormous Web site, although the information is spread across various areas of the site. Some of the better sources include the company's Security site and TechNet site.
Windows Update, Automatic Updates, and Office Product Updates
To help manage individual desktops, Microsoft offers several automated and manual product-updating tools, including Automatic Updates (Windows XP only), Windows Update ( Windows 98 to present, http://www.windowsupdate.com ), and Office Product Updates ( Office 2000 and XP, http://office.microsoft.com/productupdates ). These services are indispensable if you want your system to be as up to date as possible.
However, these services are less useful in medium-size to large organizations, where deploying product updates on individual desktops is difficult or impossible. Microsoft is working on various products to facilitate this process, and some of the configuration-management packages I've looked at recently have also automated this update capability. In the meantime, you can check out the beta version of Microsoft's Windows Update Corporate Site, which lets you preview an upcoming service for corporations. The Windows Update Corporate Site provides a comprehensive list of the product updates Microsoft has released for Windows 2000, Windows NT, Windows Me, and Win9x, including critical and security updates, management and deployment tools, service packs, and recommended updates and drivers. One of the best features is a package assembler, which lets you combine multiple updates into one package that you can deploy across your company. Windows Update Corporate isn't automated, but it does give you one place to search for all the product updates that the company has released in recent years.
Microsoft Security Toolkit
If you're looking for information specifically about securing your Windows environment, Microsoft has finally released its Security Toolkit, which the company promised last fall. The Microsoft Security Toolkit applies to Win2K Server, Win2K Advanced Server, Win2K Professional, NT 4.0 Server, NT 4.0 Workstation, and NT Server Terminal Server Edition. The toolkit includes best-practices data about securing Internet-connected Windows machines, high-severity security patches, and other tools and information. You can order the toolkit free of charge from the Microsoft Web site.
Microsoft Baseline Security Analyzer
A slightly more recent free security download is the MBSA, which provides an easy-to-use, XP-influenced UI. The MBSA checks your XP, Win2K, or NT machine for common security misconfigurations, such as weak or missing passwords, and can scan for security problems in Microsoft IIS 4.0 or greater and SQL Server 7.0 or greater. You can run the MBSA only on XP and Win2K machines, although you can check NT 4.0 machines remotely over a network.
Microsoft Windows 2000 Security Operations Guide
The Win2K Security Operations Guide is a 192-page document that provides a comprehensive, step-by-step approach to locking down Win2K systems while minimizing vulnerabilities and providing best practices for managing system patches, auditing, and intrusion detection. This must-read guide is available for free from the Microsoft Web site.
IIS Lockdown Wizard
Microsoft IIS administrators will want to look at the IIS Lockdown Wizard, which lets you secure IIS. Microsoft has updated this tool several times since its initial release, so make sure you have the most recent version, 2.1. This version adds server-role templates for IIS-dependent products such as Microsoft Exchange Server, Commerce Server, BizTalk Server, Small Business Server (SBS) 2000 and 4.5, SharePoint Portal Server, SharePoint Team Services, and FrontPage Server Extensions. The tool is integrated with the previously separate URLScan tool.
http://www.microsoft.com/technet/security/tools/tools/locktool.asp
Windows & .NET Magazine
And last, Windows & .NET Magazine (publisher of this email newsletter) provides what I consider to be the best security-oriented publications: Security Administrator, a monthly print newsletter, and Security UPDATE, a weekly email newsletter. For information about subscribing, visit the Security Administrator Web site, where you'll also find useful and timely security-related information.
The Future of Windows Security
Future Windows versions will be more secure out of the box, thanks to Microsoft's sudden (but welcome) move to security awareness. In the meantime, Microsoft is churning out security information, fixes, and products that remove some of the burden from IT administrators and end users, and I hope you find this list of resources helpful. If you know about other valuable security tools, from Microsoft or other sources, please let me know so I can pass along that information to UPDATE readers.
