Microsoft's latest claim about bettering the security of its products came last week in a supposedly leaked email from Microsoft Chairman and Chief Software Architect Bill Gates to employees, where Gates said, "When we face a choice between adding features and resolving security issues, we need to choose security." You can read the full text of the email—it's linked in the SECURITY ROUNDUP section of this newsletter.
Do you know that Microsoft has updated its HFNetChk scanning tool? HFNetChk 3.3 scans systems to determine which hotfixes you have or haven't installed, and compares the system-information scans to an XML database. Shavlik Technologies developed the tool for Microsoft. You can use the tool to scan local and remote systems for patches related to Windows XP, Windows 2000, Windows NT 4.0, Internet Information Services (IIS) 5.0 and Internet Information Server (IIS) 4.0, Internet Explorer (IE) 5.01 and later, SQL Server 2000, and SQL Server 7.0. HFNetChk also identifies .NET and IIS 6.0 servers, but the XML database doesn't contain information to scan those systems yet.
HFNetChk 3.3 has several new features, including the ability to scan systems on which the Server service is disabled. The 3.3 version lets users specify a username and password for scanning remote systems, write output to a specified filename, and scan systems based on files containing lists of IP addresses or NetBIOS machine names.
You can learn more about HFNetChk in Microsoft article Q303215, which links to two other Microsoft articles (Q305385 and Q306460) that contain further information. You can download a copy of the tool at Microsoft's Web site. Be sure to view the readme.txt included with the program to learn about all the latest changes to the new version.
Another updated tool you can download is Application Security's AppDetective. Formerly available only for Oracle and Lotus Domino servers, AppDetective for Microsoft SQL Server is now available in beta as a free download. The tool performs database discovery and penetration testing, attack simulation, and in-depth security audits. AppDetective checks for Denial of Service (DoS) conditions and server misconfigurations and also tests password strength. You can download a beta version at the company's Web site.