Detail Report v0.1

This document is a report from a Microsoft Security Assessment Tool that was completed on September 17, 2011. The report provides an executive summary of the organization's security posture based on an assessment of people, processes, technology, and security maturity. Key findings are presented in a scorecard that rates different security controls and initiatives as meeting best practices, needing improvement, or being severely lacking. Detailed analysis and prioritized recommendations for strengthening security are included in the full report.

Uploaded by

Waisiki Ravula
Copyright
© Attribution Non-Commercial (BY-NC)

Microsoft Security Assessment Tool ITC Services Completed: 17-Sep-11 12:52 PM

Complete Report
This report contains the following sections:
Executive Summary
  o Introduction
  o Background: Assessment Process and Scope
  o Situation Analysis
  o Scorecard
  o Security Initiatives
  o Areas of Analysis
  o Assessment Analysis

Assessment in Detail
  o Infrastructure
  o Applications
  o Operations
  o People

Prioritized Action List

Appendices
  o Questions and Answers
  o Glossary
  o Interpreting the Graphs

A Microsoft partner can review this report with you and help with developing a detailed action plan for implementing the recommendations. If you do not have an existing relationship with a Microsoft partner, you may wish to view a list of Microsoft Partners for Security Solutions at https://solutionfinder.microsoft.com/.

The Microsoft Security Assessment Tool is designed to help you determine the level of risk your computing infrastructure faces and the steps you have taken to mitigate that risk, and to offer suggestions of additional steps you can take to help further reduce your level of risk. It is not a replacement for an audit by a professional security consultant. Use of the Microsoft Security Assessment Tool is governed by the terms of the End-User License Agreement (EULA) which accompanied the software, and this report is subject to the exclusions, disclaimers, and limitations of liability contained in the EULA. This report is for informational purposes only. Neither Microsoft Corporation, its suppliers, or partners make any representation or warranty of any kind, whether express or implied, concerning the Security Assessment Tool, or the use, accuracy, or reliability of the results of the Assessment and information contained in this report.


Executive Summary
Introduction
This Microsoft Security Assessment Tool is designed to assist you with identifying and addressing security risks in your computing environment. The tool employs a holistic approach to measuring security strategy by covering topics across people, process, and technology. Findings are coupled with recommended mitigation efforts, including links to more information for additional guidance if needed. These resources may assist you in learning more about the specific tools and methods that can help increase the security of your environment. This summary section is intended to give IT and senior managers a snapshot of the company's overall security posture. Detailed findings and recommendations can be found in the detailed report following.

Background: Assessment Process and Scope


The assessment is designed to identify the business risk of your organization and the security measures deployed to mitigate risk. Focusing on common issues in this market segment, the questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that support the business.

Beginning with a series of questions about your company's business model, the tool builds a Business Risk Profile (BRP), measuring the risk of doing business your company must face due to the industry and business model chosen. A second series of questions is posed to compile a listing of the security measures your company has deployed over time. Together, these security measures form layers of defense, providing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth. This sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the areas of analysis (AoAs): infrastructure, applications, operations, and people.

In addition to measuring the alignment of security risk and defenses, this tool also measures the security maturity of your organization. Security maturity refers to the evolution of strong security and maintainable practices. At the low end, few security defenses are employed and actions are reactive. At the high end, established and proven processes allow a company to be more proactive, and respond more efficiently and consistently when needed.

Risk management recommendations are suggested for your environment by taking into consideration existing technology deployment, current security posture, and defense-in-depth strategies. Suggestions are designed to move you along a path toward recognized best practices. This assessment, including the questions, measures, and recommendations, is designed for midsize organizations that have between 50 and 500 desktops in their environment. It is meant to broadly cover areas of potential risk across your environment, rather than provide an in-depth analysis of a particular technology or process. As a result, the tool cannot measure the effectiveness of the security measures employed. To that end, this report should be used as a preliminary guide to help you focus on specific areas that require more rigorous attention, and should not replace a focused assessment by trained third-party assessment teams.

Situation Analysis
This section graphically represents the concepts described above for your organization, based on the answers you provided. As a reminder:

+ BRP is a measure of the risk related to the industry and business model of the company
+ DiDI is a measure of the security defenses used across people, process, and technology to help mitigate identified risks to the business
+ Security Maturity is a measure of the organization's ability to effectively use the tools available to create a maintainable security level across many disciplines

[See Appendices for additional information on these terms and how to interpret the graphs.]

Results:

[Chart: Risk-Defense Distribution and Security Maturity, plotted by Area of Analysis (Infrastructure, Applications, Operations, People); series: BRP and DiDI; vertical axis from -10 to 60]

Risk-Defense Distribution
This chart indicates differences in the Defense-in-Depth score, organized by Area of Analysis.

In general, it is best to have a DiDI rating on par with the BRP rating for the same category. An imbalance, either within a category or across categories, in either direction may indicate the need to realign your IT investments.

Security Maturity
Security maturity is inclusive of controls (both physical and technical), the technical acumen of IT resources, policy, process, and maintainable practices. Security maturity can be measured only through the organization's ability to effectively use the tools available to create a maintainable security level across many disciplines. A baseline of security maturity should be established and used to define areas of focus for the organization's security programs. Not all organizations should strive to reach the optimized level, but all should assess where they are and determine where they should be, in light of the business risk they face. For example, a company with a low-risk environment may never need to advance beyond the upper range of the Baseline level or the lower range of the Standardized level. A company with a high-risk environment will likely push well into the Optimized level. Your Business Risk Profile scores help you gauge your risk.

Security Maturity
A measure of a company's practices against industry best practices for maintainable security. Each company should strive to align its maturity level, and associated security strategy, relative to the risks taken in doing business:

+ Baseline: Some proactive security measures deployed as first-line defenses; operations and incident response still very reactive
+ Standardized: Multiple layers of defense deployed in support of a defined strategy
+ Optimized: Effectively protecting the right things the right way and ensuring ongoing utilization of best practices

Scorecard
Based on your answers to the risk assessment, the following ratings have been applied to your defensive measures. The Assessment Detail and Prioritized Action List sections of this report include further detail for each, including the findings, best practices, and recommendations.

Legend: Meets best practice | Needs improvement | Severely lacking

Infrastructure
  Perimeter Defense
    o Firewall Rules and Filters
    o Anti-virus
        - Anti-virus - Desktops
        - Anti-virus - Servers
    o Remote Access
    o Segmentation
    o Intrusion-Detection System (IDS)
    o Wireless
  Authentication
    o Administrative Users
    o Internal Users
    o Remote-Access Users
    o Password Policies
        - Password Policies - Administrator Account
        - Password Policies - User Account
        - Password Policies - Remote-Access Account
    o Inactive Accounts
  Management and Monitoring
    o Incident Reporting & Response
    o Secure Build
    o Physical Security

Operations
  Environment
    o Management Host
        - Management Host - Servers
        - Management Host - Network Devices
  Security Policy
    o Data Classification
    o Data Disposal
    o Protocols & Services
    o Acceptable Use
    o User Account Management
    o Governance Security Policies
  Patch & Update Management
    o Network Documentation
    o Application Data Flow
    o Patch Management
    o Change Management and Configuration
  Backup and Recovery
    o Log Files
    o Disaster Recovery & Business Resumption Planning
    o Backup
    o Backup Media

Applications
  Deployment and Use
    o Load-Balancing
    o Clustering
    o Application & Data Recovery
    o Third-party independent software vendor (ISV)
    o Internally Developed
    o Vulnerabilities
  Application Design
    o Authentication
    o Password Policies
    o Authorization & Access Control
    o Logging
    o Input Validation
    o Software Security Development Methodologies
  Data Storage & Communications
    o Encryption
        - Encryption - Algorithm
    o Backup & Restore

People
  Requirements & Assessments
    o Security Requirements
    o Security Assessments
  Policy & Procedures
    o Background Checks
    o Human Resources Policy
    o Third-Party Relationships
  Training & Awareness
    o Security Awareness
    o Security Training

Security Initiatives
The following areas fall short of best practices and should be addressed to increase the security of your environment. The Assessment Detail and Prioritized Action List sections of this report include further detail for each, including the findings, best practices, and recommendations.

High Priority
  o Third-party independent software vendor (ISV)
  o Remote Access
  o Third-Party Relationships
  o Application & Data Recovery
  o Remote-Access Users

Medium Priority
  o Segmentation
  o Wireless
  o Firewall Rules and Filters
  o Log Files
  o Internally Developed

Low Priority
  o Management Host - Servers
  o Management Host - Network Devices
  o Backup
  o Anti-virus - Desktops
  o Anti-virus - Servers

Assessment in Detail
This section of the report provides the detailed findings for each category, as well as best practices, recommendations, and references for additional information. Recommendations are prioritized in the following section.

Areas of Analysis
The following table lists the areas that were included for high-level analysis in this security risk assessment and describes each area's relevance to security. The Assessment Detail section of this document describes your organization's security posture (based on answers you gave during the assessment) in each of these areas and provides industry-recognized best practices and recommendations for achieving those practices.

Category / Importance to security

Business Risk Profile
  Business Risk Profile: Understanding how the nature of your business affects risk is important in determining where to apply resources in order to help mitigate those risks. Recognizing critical areas of business risk will help you to optimize allocation of your security budget.

Infrastructure
  Perimeter Defense: Perimeter defense addresses security at network borders, where your internal network connects to the outside world. This constitutes your first line of defense against intruders.
  Authentication: Rigorous authentication procedures for users, administrators, and remote users help to ensure that outsiders do not gain unauthorized access to the network through the use of local or remote attacks.
  Management & Monitoring: Management, monitoring, and proper logging are critical to maintaining and analyzing IT environments. These tools are even more important after an attack has occurred and incident analysis is required.

Applications
  Deployment & Use: When business-critical applications are deployed in production, the security and availability of those applications and servers must be ensured. Continued maintenance is essential to help ensure that security bugs are patched and that new vulnerabilities are not introduced into the environment.
  Application Design: Design that does not properly address security mechanisms such as authentication, authorization, and data validation can allow attackers to exploit security vulnerabilities and thereby gain access to sensitive information.
  Data Storage & Communications: Integrity and confidentiality of data is one of the greatest concerns for any business. Data loss or theft can hurt an organization's revenue as well as reputation. It is important to understand how applications handle business-critical data and how that data is protected.

Operations
  Environment: The security of an organization is dependent on the operational procedures, processes and guidelines that are applied to the environment. They can enhance the security of an organization by including more than just technology defenses. Accurate environment documentation and guidelines are critical to the operation team's ability to support and maintain the security of the environment.
  Security Policy: Corporate security policy refers to individual policies and guidelines that exist to govern the secure and appropriate use of technology and processes within the organization. This area covers policies to address all types of security, such as user, system, and data.
  Patch & Update Management: Good management of patches and updates is important to securing an organization's IT environment. The timely application of patches and updates is necessary to help protect against known and exploitable vulnerabilities.
  Backup and Recovery: Data backup and recovery is essential to maintaining business continuity in the event of a disaster or hardware/software failure. Lack of appropriate backup and recovery procedures could lead to significant loss of data and productivity.

People
  Requirements & Assessments: Security requirements should be understood by all decision-makers so that both their technical and business decisions enhance security rather than conflict with it. Regular assessments by a third party can help a company review, evaluate, and identify areas for improvement.
  Policies and Procedures: Clear, practical procedures for managing relationships with vendors and partners can help limit your company's exposure to risk. Procedures covering employee hiring and termination can help protect your company from unscrupulous or disgruntled employees.
  Training & Awareness: Employees should be trained and made aware of how security applies to their daily job activities so that they do not inadvertently expose their company to greater risks.

Assessment Analysis
This section is divided into the four major areas of analysis: Infrastructure, Applications, Operations, and People.

Infrastructure
Infrastructure security focuses on how the network should function, what business processes (internal or external) it must support, how hosts are built and deployed, and how the network will be managed and maintained. Effective infrastructure security can help provide significant improvements in the areas of network defense, incident response, network availability, and fault analysis. By establishing a sound infrastructure design that is understood and followed, an organization can identify areas of risk and can design methods of threat mitigation. The assessment reviews high-level procedures that an organization can follow to help mitigate infrastructure risk by focusing on the following areas of infrastructure security:

+ Perimeter Defense: Firewalls, Anti-virus, Remote Access, Segmentation, Intrusion Detection Systems, Wireless Security
+ Authentication: Administrative, Internal & Remote Users, Password Policies, Inactive Accounts
+ Management & Monitoring: Incident Reporting & Response, Secure Build, Physical Security

Perimeter Defense

Subcategory: Firewall Rules and Filters

Best Practices: Firewalls are a first-line defense mechanism and should be placed at all network border locations. Rules implemented on firewalls should be highly restrictive and set on a host-by-host and service-by-service basis. When creating firewall rules and router ACLs (Access Control Lists), focus on first protecting access control devices and the network from attack.

+ Enforce data flow by use of network ACLs and firewall rules.
+ Test firewall rules and router ACLs to determine whether or not existing rules contribute to Denial of Service (DoS) attacks.
+ Deploy one or more DMZs as part of a systematic and formal firewall development.
+ Place all Internet accessible servers there. Restrict connectivity to and from the DMZs.

Findings and Recommendations: Firewall Rules and Filters

Finding: Your answers indicate that not only have you deployed firewalls at network borders, you have also taken an extra precaution by creating one or more DMZ segments to protect Internet-accessible resources.
Recommendation: Review firewall policies regularly and prune old or improper rules. Implement rules for controlling inbound and outbound access and consider implementing egress filtering to prevent unnecessary outbound connections. Limit internal users' direct access to DMZ segments as it is not likely they would work with the host computers that reside in the DMZ on a regular basis. Limit access from the core network into the DMZ segment to only specific hosts or administrative networks.

Finding: You have indicated that firewalls are not deployed at each office location.
Recommendation: Immediately deploy firewalls or other network-level access controls at each office location, and frequently test and verify that all firewalls are working properly.

Finding: You have indicated that host-based firewall software is not used to protect servers.
Recommendation: As an extra layer of defense, consider installing host-based firewalls on all servers, and consider extending this software to all desktops and laptops in the organization also.

Finding: You have indicated that the firewall is not tested regularly to ensure proper performance.
Recommendation: Institute regular testing of your firewall. Ensure that functionality is working as expected not only for external traffic, but that the firewall is also behaving as expected towards internal traffic.

Subcategory: Anti-virus

Best Practices: Deploy anti-virus solutions throughout the environment on both the server and desktop levels. Deploy specialized anti-virus solutions for specific tasks such as file server scanners, content screening tools, and data upload and download scanners. Configure anti-virus solutions to scan for viruses both entering and leaving the environment. Anti-virus solutions should be implemented first on critical file servers and then extended to mail, database, and Web servers. For desktops and laptops an anti-virus solution should be included in the default build environment. If you are using Microsoft Exchange, use the additional anti-virus and content-filtering capabilities it offers at the mailbox level.

Subcategory: Anti-virus - Desktops
Finding: Your answer indicates that anti-virus solutions have been deployed at the desktop level.
Recommendation: Continue the practice. Implement a policy that requires users to regularly update virus signatures. Consider adding the anti-virus client in the default workstation build environment.

Subcategory: Anti-virus - Servers
Finding: Your answer indicates that you have deployed anti-virus solutions at the server level.
Recommendation: Continue the practice. Consider actively managing anti-virus clients on the servers from a centralized management console for configuration and signature deployment. If you are using Microsoft Exchange, consider using the additional anti-virus and content filtering capabilities at the mailbox level.

Subcategory: Remote Access

Best Practices: Workstations are a critical factor in the defense of any environment, especially if there are remote and roaming users that connect to the environment. Tools such as personal firewalls, anti-virus, and remote-access software should be present and properly configured on all workstations. Implement a policy which requires periodic review of these tools to make sure their configurations reflect changes in applications and services being used, but at the same time still keep the workstation resistant to attacks.

Findings:
+ You have indicated that the VPN is not capable of limiting connectivity to a quarantine until all necessary security checks have been passed.
+ Your answers indicate that employees and/or partners remotely connect to the internal network and that you have taken the important step of implementing VPN for this access, but you have not incorporated multifactor authentication as a second line of defense.

Recommendations:
+ Treating your wireless network as untrusted and requiring users to use VPN or similar technologies to connect to corporate resources is the best solution to maintain data integrity, but does not prevent unauthorized users from connecting. Consider using WPA authentication and MAC address restrictions in order to limit access to authorized users.
+ Consider deploying multifactor authentication for remote users connecting over the Internet to corporate resources. Regularly audit the access list for all the users on the VPN device.

Subcategory: Segmentation

Best Practices: Use segmentation to separate specific extranets from vendor, partner, and customer access. Each external network segment should allow only specific application traffic to be routed to the specific application hosts and ports that are used to supply services to customers. Ensure that network controls are in place to restrict access to only what is required for each third-party connection. Restrict access to and from the network services being provided, and restrict access between network segments.

Findings and Recommendations: Segmentation

Finding: Your response indicates that Internet-facing services are hosted on your organization's network.
Recommendation: Ensure that firewalls, segmentation and intrusion-detection systems are in place in order to protect the company's infrastructure from Internet-based attacks.

Finding: You have indicated that the network has more than one segment.
Recommendation: Continue using network segmentation in order to better manage network traffic and limit access to resources based on user requirements.

Finding: Your answer indicates that you have already implemented network segmentation in your environment.
Recommendation: Continue to enhance the network based on listed best practices.

Finding: You have indicated that hosts are not grouped into network segments based on providing only the necessary services for the users that connect.
Recommendation: Each extranet should be in its own segment, with restricted access between the network segments and internal corporate resources. The network should be designed so that only machines that need to connect to each other are able to, and segmented by function and service to allow for easier tracing of attacks.
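The firewall and segmentation recommendations above (restrict core-network access into the DMZ to administrative hosts, keep DMZ hosts out of the internal network, filter egress, prune stale permissive rules) can be checked against a ruleset before it is pushed to the border device. The following is an added example, not code from the MSAT report or from Microsoft: a first-match packet-filter evaluator with a constructed address plan (10.10.0.0/16 core users, 10.20.0.0/24 admin network, 192.0.2.0/24 standing in for the DMZ) and a small audit that replays the flows each recommendation implies. The rule names, networks and sample flows are assumptions chosen for illustration.

```python
"""Added example (not the MSAT report's own code): a first-match packet-filter
evaluator used to audit a border/DMZ policy against the report's
recommendations (restrict core-to-DMZ access to admin hosts, keep the DMZ out
of the core, egress filtering, default deny). Address plan and rules are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not taken from the report)
ANY = ip_network("0.0.0.0/0")
CORE_USERS = ip_network("10.10.0.0/16")      # ordinary internal desktops
ADMIN_NET = ip_network("10.20.0.0/24")       # administrative network
INTERNAL = ip_network("10.0.0.0/8")          # everything internal
DMZ = ip_network("192.0.2.0/24")             # TEST-NET-1 stands in for the DMZ
WEB_SERVER = ip_network("192.0.2.10/32")     # the one Internet-facing host


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


# Evaluated top-down, first match wins. The closing default-deny rule is what
# makes the policy "highly restrictive" in the sense used by the report.
RULES = [
    Rule("internet-to-web-https", ANY, WEB_SERVER, 443, "allow"),
    Rule("admin-net-to-dmz", ADMIN_NET, DMZ, None, "allow"),
    Rule("core-users-to-dmz", CORE_USERS, DMZ, None, "deny"),
    Rule("dmz-to-internal", DMZ, INTERNAL, None, "deny"),
    Rule("core-egress-https", CORE_USERS, ANY, 443, "allow"),
    Rule("core-egress-http", CORE_USERS, ANY, 80, "allow"),
    Rule("default-deny", ANY, ANY, None, "deny"),
]

# A stale "allow anything" rule left in front of the policy: the kind of old or
# improper rule the report says a regular review should prune.
WEAK_RULES = [Rule("legacy-any-any", ANY, ANY, None, "allow")] + RULES

# Flows the policy must decide correctly, with the verdict each recommendation
# implies (constructed sample traffic; public addresses are documentation ranges).
EXPECTED_FLOWS = [
    ("public HTTPS to the DMZ web server", "198.51.100.7", "192.0.2.10", 443, "allow"),
    ("internal user to a DMZ host's RDP port", "10.10.5.23", "192.0.2.10", 3389, "deny"),
    ("admin network to a DMZ host's RDP port", "10.20.0.5", "192.0.2.10", 3389, "allow"),
    ("DMZ host reaching back into the core", "192.0.2.10", "10.10.5.23", 445, "deny"),
    ("internal user egress on an unapproved port", "10.10.5.23", "203.0.113.9", 6667, "deny"),
    ("internal user egress over HTTPS", "10.10.5.23", "203.0.113.9", 443, "allow"),
]


def evaluate(rules, src: str, dst: str, dport: int):
    """Return (action, rule name) for the first rule matching the flow."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def audit_policy(rules, flows=EXPECTED_FLOWS):
    """Return a line for every flow whose verdict differs from the expected one."""
    failures = []
    for desc, src, dst, dport, expected in flows:
        action, name = evaluate(rules, src, dst, dport)
        if action != expected:
            failures.append(f"{desc}: {action} by '{name}', expected {expected}")
    return failures


if __name__ == "__main__":
    print("restrictive policy:", audit_policy(RULES) or "all flows as expected")
    for line in audit_policy(WEAK_RULES):
        print("weak policy:", line)
```

Running the audit against RULES reports nothing, while WEAK_RULES fails three of the six flows, all of them denials that the stale first rule silently turns into allows; this is the concrete form of "review firewall policies regularly and prune old or improper rules". The same flow table can be kept beside the real ruleset and re-run whenever a rule is changed, which covers the "test firewall rules and router ACLs" item in the best practices.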

Subcategory: Intrusion-Detection System (IDS)

Best Practices: Both network- and host-based intrusion-detection systems should be deployed to detect and notify of attacks against corporate systems.

Finding: You have indicated that you are not using intrusion-detection hardware or software.
Recommendation: Consider deploying either host- or network-based intrusion-detection systems.

Subcategory: Wireless

Best Practices: Best practice for wireless implementation should include ensuring that the network does not broadcast its SSID; that WPA encryption is used; that the network is fundamentally treated as untrustworthy.

Finding: You have indicated that wireless connectivity to the network is available.
Recommendation: In order to minimize the risk associated with wireless networks, the implementation should include non-broadcast of SSID, WPA encryption, and treating the network as untrusted.

Finding: Your response is that you have changed the SSID on the access point from the default.
Recommendation: Changing the default SSID is the first step in securing your wireless network. However, this needs to be combined with further best practices in order to minimize risk. These include non-broadcast of SSID, WPA encryption, and treating the network as untrusted.

Finding: You have indicated that you have disabled broadcasting of the SSID on the access point.
Recommendation: Disabling SSID broadcast is part of the best practice for securing wireless, but needs to be combined with WPA encryption, and treating the network as untrusted.

Finding: You have indicated that you are not using WEP encryption in your wireless environment.
Recommendation: If you are currently using no encryption, consider using WPA to prevent wireless network traffic from being 'sniffed' and read as clear text.

Finding: You have indicated that you are using WPA encryption in your wireless environment.
Recommendation: WPA is currently the most secure encryption standard, but it can still be broken. Consider using additional encryption (such as VPN) to further secure data.

Finding: You have indicated that you are not using MAC restrictions in your wireless environment.
Recommendation: Consider using WPA authentication in addition to MAC filtering in order to prevent unauthorized computers from connecting to the network.

Finding: You have indicated that the wireless network is not treated as untrusted.
Recommendation: Consider migrating your wireless network to an untrusted network segment and requiring the use of VPN or similar technologies in order to better preserve data integrity.

Perimeter Defense - Resources

Windows Server 2008
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection (NAP) helps ensure that computers that try to connect to your network comply with your organization's security policy. Technology integration and several enhancements make Active Directory services a potent unified and integrated Identity and Access (IDA) solution, and Read-Only Domain Controller (RODC) and BitLocker Drive Encryption allow you to more securely deploy your AD database at branch office locations.
http://www.microsoft.com/windowsserver2008/en/us/overview.aspx

Internet Security and Acceleration Server
Internet Security and Acceleration (ISA) Server 2006 is the integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data. Deploy ISA Server 2006 for Secure Remote Access, Branch Office Security, and Internet Access Protection.
http://www.microsoft.com/forefront/edgesecurity/default.mspx

Intelligent Application Gateway
Microsoft's Intelligent Application Gateway (IAG) 2007 is the comprehensive, secure remote access gateway that provides secure socket layer (SSL)-based application access and protection with endpoint security management. IAG 2007 enables granular access control, authorization, and deep content inspection from a broad range of devices and locations to a wide variety of line-of-business, intranet, and client/server resources.
http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

Network Access Protection
Network Access Protection (NAP) is a new platform and solution that controls access to network resources based on a client computer identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.
http://technet.microsoft.com/en-us/network/bb545879.aspx

Authentication

Subcategory Administrative Users

Best Practices
For administrative accounts, implement a strict policy that requires the use of complex passwords that meet the following criteria:
+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 14 characters
To further mitigate the risk of a password attack, implement the following controls:
+ Password expiration
+ Account lockout after 7 to 10 failed login attempts
+ System logging
In addition to implementing complex passwords, consider implementing multifactor authentication. Implement advanced controls around account management (do not allow account sharing) and account-access logging.

Findings: You have indicated that users have been granted administrative access to their workstations. You have indicated that separate logins are not used for secure administration of systems and devices within the environment.

Recommendations: Consider removing administrative access for users, in order to limit the ability to modify the secure build. Consider requiring separate accounts for administrative/management activity, and ensure that administrative credentials are changed frequently.

Subcategory Internal Users

Best Practices
For user accounts, implement a policy that requires the use of complex passwords that meet the following criteria:
+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 8 characters
To further mitigate the risk of a password attack, implement the following controls:
+ Password expiration
+ Account lockout after at least 10 failed login attempts
+ System logging
In addition to complex passwords, consider implementing multifactor authentication. Implement advanced controls around account management (do not allow sharing of accounts) and account-access logging.

Subcategory Remote-Access Users

Best Practices
Implement complex password controls for all users of remote access, whether this access is granted through the use of dial-up or VPN technologies. A password is considered to be complex if it meets the following criteria:
+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 8 characters
Implement an additional factor of authentication for accounts that are granted remote access. Also consider implementing advanced controls around account management (do not allow sharing of accounts) and account access logging. In the case of remote access, it is especially important to protect the environment through the use of strong account management practices, sound logging practices, and incident detection capabilities. To further mitigate the risks of brute-force password attacks, consider implementing the following controls:
+ Password expiration
+ Account lockout after 7 to 10 failed login attempts
+ System logging
Remote-access services should also take into account systems that will be used to access the network or hosts. Also consider implementing controls around hosts that are allowed to access the network via remote access.

Findings: You have indicated that employees are able to remotely connect to the network.
Recommendations: If you have not already done so, consider using a multifactor authentication system for remote access, and limit access to only those employees that have a business need for remote connectivity.

Findings: You have indicated that contractors are not able to remotely connect to the network.
Recommendations: By not allowing remote access, you reduce your overall risk. However, if remote access is planned or implemented in the future, be sure to follow best practice when deploying the remote-access solution in order to minimize the risk associated with that access.

Findings: You have indicated that third parties are not able to remotely connect to the network.
Recommendations: By not allowing remote access, you reduce your overall risk. However, if remote access is planned or implemented in the future, be sure to follow best practice when deploying the remote-access solution in order to minimize the risk associated with that access.

Subcategory Password Policies

Best Practices
The use of complex passwords for all accounts is a basic element of Defense-in-Depth. Complex passwords should be 8 to 14 characters in length, with alphanumeric and special characters. Minimum length, history maintenance, lifetime, and pre-expiration of passwords should all be set to provide additional defenses. In general, password expiration should be set to the following:
+ Maximum password age 90 days
+ New accounts must change password at login
+ Password history of 8 passwords (8 days minimum)
In addition to complex passwords, multifactor authentication is important, especially for administrative and remote user accounts. Account lockout, after 10 failed login attempts, should be enabled on all user accounts. The controls around account lockout can vary from simply being focused on blocking brute-force password attacks to requiring administrator intervention to unlock. It is considered a best practice to enable lockout for administrative accounts, at least for network access. This would not allow the account to be locked out at the console, only from across a network. This may not be appropriate for all organizations, especially those with remote locations. For remote-access accounts, it is best to require an administrator to unlock the account, as attacks could remain undetected for a significant amount of time if other means are not being used to track authentication failures. Consider the following guidelines when implementing controls around account lockout:
+ Lockout after 7 to 10 failed login attempts for administrative and remote-access accounts
+ Lockout after at least 10 failed login attempts for regular user accounts
+ Require administrative access to re-enable for administrator and remote-access accounts, and automatically re-enable regular user accounts after 5 minutes
Typically the restrictions around creating passwords for administrators should be greater than those for normal accounts. On Windows systems, administrative accounts (and service accounts) should be set with passwords that are 14 characters in length and use alphanumeric and special characters.
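The length, age, history and lockout figures in this subcategory, encoded as an added Python model that is not part of the MSAT report; the three policy objects, the AccountState record and the function names are assumptions introduced here to show how the rules interact (the admin/remote-access lockout that only an administrator clears versus the 5-minute automatic re-enable for regular users).

```python
"""Model of the MSAT password and lockout best practices (added example).

Assumed names: PasswordPolicy, AccountState and the helper functions are
not from the report; they encode its numbers: 14-character minimum for
administrative accounts and 8 for user and remote-access accounts, 90-day
maximum age, history of 8, lockout after 7 failed attempts (admin and
remote-access, administrator unlock) or 10 (users, re-enabled after 5 min).
"""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

SPECIAL_CHARACTERS = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    lockout_threshold: int
    # None: the account stays locked until an administrator unlocks it.
    lockout_duration: Optional[timedelta] = None
    max_age: timedelta = timedelta(days=90)
    history_count: int = 8


# The three account classes the report distinguishes.
ADMIN_POLICY = PasswordPolicy("administrative", 14, 7)
REMOTE_POLICY = PasswordPolicy("remote-access", 8, 7)
USER_POLICY = PasswordPolicy("internal user", 8, 10, timedelta(minutes=5))


def complexity_failures(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every complexity rule the password breaks (empty = compliant)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        failures.append("not alphanumeric (needs both letters and digits)")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("missing upper or lower case")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("no special character")
    return failures


def _digest(password: str) -> str:
    # Plain SHA-256 keeps the example self-contained; a directory service
    # stores salted, slow hashes. Only old-vs-new equality is needed here.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class AccountState:
    policy: PasswordPolicy
    password_set_at: Optional[datetime] = None      # None: new account
    history: List[str] = field(default_factory=list)  # digests, newest last
    failed_attempts: int = 0
    locked_since: Optional[datetime] = None


def password_change_failures(acct: AccountState, new_password: str) -> List[str]:
    """Complexity rules plus the history rule (no reuse of the last N)."""
    failures = complexity_failures(new_password, acct.policy)
    if _digest(new_password) in acct.history[-acct.policy.history_count:]:
        failures.append(f"reuses one of the last {acct.policy.history_count} passwords")
    return failures


def set_password(acct: AccountState, new_password: str, now: datetime) -> bool:
    """Apply the change only if it is compliant; return whether it was accepted."""
    if password_change_failures(acct, new_password):
        return False
    acct.history.append(_digest(new_password))
    acct.password_set_at = now
    return True


def password_expired(acct: AccountState, now: datetime) -> bool:
    """New accounts must change at login; afterwards the 90-day maximum applies."""
    return acct.password_set_at is None or now - acct.password_set_at > acct.policy.max_age


def is_locked(acct: AccountState, now: datetime) -> bool:
    """Auto re-enable regular users after the policy duration; others stay locked."""
    if acct.locked_since is None:
        return False
    duration = acct.policy.lockout_duration
    if duration is not None and now - acct.locked_since >= duration:
        acct.locked_since = None
        acct.failed_attempts = 0
        return False
    return True


def record_failed_login(acct: AccountState, now: datetime) -> bool:
    """Count one failed attempt; return True if the account is now locked."""
    if is_locked(acct, now):
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= acct.policy.lockout_threshold:
        acct.locked_since = now
        return True
    return False


def admin_unlock(acct: AccountState) -> None:
    """The administrator intervention the report requires for admin/remote accounts."""
    acct.locked_since = None
    acct.failed_attempts = 0
```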

Findings: Your answer indicates the absence of formal controls to enforce password policies on all accounts.

Recommendations: Consider implementing complex passwords based on listed best practices for all types of accounts. Consider implementing password expiration for all account types based on the listed best practices.

Subcategory Password Policies - Administrator Account

Best Practices

Subcategory Password Policies - User Account

Best Practices

Subcategory Password Policies - Remote-Access Account

Best Practices

Subcategory Inactive Accounts

Best Practices
Continue to monitor and manage inactive accounts. Institute a process to include an immediate notification procedure to all system administrators for terminated staff members to ensure their accounts are disabled immediately, especially their remote access accounts. Consider implementing a process to review the current accounts of staff that transfer to another department within the organization. Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Regularly monitor relevant vendors' sites for virus signature updates and download updates to a quarantined area for testing in a lab environment. Verify that the updates do not cause any conflicts with deployed operating systems or applications before rolling out to production. Auto-update features for anti-virus solutions should be disabled on all systems to prevent potentially damaging files from being deployed before they are tested. For anti-virus applications, consider deploying a central console that will facilitate reporting on which systems are out-of-date or have software features disabled. In the case of remote users who do not regularly connect to the corporate network, consider using an auto-update feature.

Terminated staff accounts should be disabled in a timely manner, to ensure that neither the terminated users nor other users can use the account to gain unauthorized access. If system administrators are not aware of changes in the status of a user due to transfer, they will not change or remove system or physical accesses. This could lead to unauthorized or excessive access by transferred users.

Findings: You have indicated that you do not know the answer to this question.
Recommendations: Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Authentication - Resources

Windows Server 2008
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection (NAP) helps ensure that computers that try to connect to your network comply with your organization's security policy. Technology integration and several enhancements make Active Directory services a potent unified and integrated Identity and Access (IDA) solution, and Read-Only Domain Controller (RODC) and BitLocker Drive Encryption allow you to more securely deploy your AD database at branch office locations.
http://www.microsoft.com/windowsserver2008/en/us/overview.aspx

Windows Server Active Directory
A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment. Windows Server Active Directory is already used by companies around the world to gain unified management of identities and resources across the enterprise network. Active Directory enables organizations to centrally manage and track information about users and their privileges. In addition, Active Directory Lightweight Directory Services (AD LDS), an LDAP directory service, provides organizations with flexible support for directory-enabled applications. Integration with Microsoft Federated Identity, Strong Authentication, Information Protection and Identity Lifecycle Management solutions makes Active Directory an ideal foundation for building a comprehensive identity and access solution.
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
http://www.microsoft.com/windowsserver2003/technologies/idm/DirectoryServices.mspx

Windows Server Group Policy
Group Policy provides an infrastructure for centralized configuration management for the operating system and applications that run on the operating system. Group Policy is supported in Windows Server 2003, and Windows Server 2008 adds advanced features that extend the current configuration capabilities.
http://technet2.microsoft.com/windowsserver2008/en/library/3b4568bc-9d3c-4477-807d-2ea149ff06491033.mspx?mfr=true

Windows Server 2003 Internet Authentication Service (IAS)
Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2003. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS).
http://technet.microsoft.com/en-us/network/bb643123.aspx

Windows Server 2008 Network Policy Server (NPS)
Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP).
http://www.microsoft.com/windows/products/windowsvista/enterprise/benefits/operatingsystem.mspx?tab=Improve%20Security%20and%20Compliance

Public Key Infrastructure
Microsoft Public Key Infrastructure (PKI) for Windows Server 2003 provides an integrated public key infrastructure that enables you to secure and exchange information with strong security and easy administration across the Internet, extranets, intranets, and applications.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Certificates
Windows Certificate Services (CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies.
http://www.microsoft.com/windowsserver2003/technologies/idm/StrongAuthentication.mspx

Microsoft Identity Lifecycle Manager
Microsoft Identity Lifecycle Manager 2007 (ILM 2007) provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials. It provides identity synchronization, certificate and password management, and user provisioning in a single solution that works across Microsoft Windows and other organizational systems. As a result, IT organizations can define and automate the processes used to manage identities from creation to retirement.
http://www.microsoft.com/windowsserver2003/technologies/idm/ILM.mspx

Management and Monitoring

Subcategory Incident Reporting & Response

Best Practices
Continue to have and follow formal incident response and reporting procedures. Institute procedures for the reporting of and response to security incidents, issues, and concerns. Designate an emergency response team that includes representatives from several disciplines including technology, human resources, and legal for responding to all security incidents and issues. Consider implementing a full incident response program that includes incident response teams, containment management, event correlation and analysis, and incident response procedures. Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

It is important to follow a documented incident reporting and response process to ensure that all issues and incidents are reviewed and assessed in a consistent manner. It is important for all users to understand their responsibility to report any security issues or incidents and for them to have a clearly defined process for reporting these issues.

Subcategory Secure Build

Best Practices
Maintain a build process with all vendor patches and recommended lockdown configuration. Test this process regularly. Use host-hardening procedures to patch and properly configure services and applications on each host. Disable all nonessential services and applications. Workstations should be hardened by installing recommended patches, removing all unnecessary services and packages, and auditing file permissions. Incorporate host-hardening steps into standard workstation build procedures.

Findings: Your answers indicate that there is no formal image or documentation used in building workstations.
Recommendations: Create a secure build for each type of workstation. Update these regularly with the latest service packs, hot fixes, and other hardening techniques.

Findings: You have indicated that personal firewalls have been installed on all workstations in the environment.
Recommendations: Consider deploying personal firewalls initially on all mobile desktops. By default, block all access to the workstation from the outside.

Findings: You have indicated that the build processes for infrastructure devices have been documented.
Recommendations: Implement a documented build process for infrastructure devices, and ensure that the build is kept current as new patches are released.

Findings: You have indicated that your system builds do not include host-hardening procedures.
Recommendations: All systems should be built following SANS, NIST, NSA, or other standard procedures for host-hardening.

Findings: You have indicated that there is no client-side remote access software installed on workstations that remotely connect to corporate resources.
Recommendations: Consider deploying remote access client software on all individual workstations, if remote connectivity is required. Configure the client software to match the remote access server policy.

Findings: You have indicated that the build processes for servers have been documented.
Recommendations: Implement a documented build process for servers, and ensure that the build is kept current as new patches are released.

Findings: You have indicated that disk-encryption software is not used in the environment.
Recommendations: Consider using disk encryption software in order to prevent data compromise in the event of machine theft.

Findings: You have indicated that the build processes for workstations and laptops have been documented.
Recommendations: Implement a documented build process for workstations and laptops, and ensure that the build is kept current as new patches are released.

Findings: You have indicated that remote control/management software is not used in the environment.
Recommendations: Continue the practice of not using remote control/management software.

Findings: You have indicated that a password-protected screen saver is used in the environment.
Recommendations: Continue the practice of requiring all users to have a password-protected screen saver with a short time-out period.

Findings: You have indicated that modems are not used in the environment.
Recommendations: Continue disabling modem and dial-up access in order to reduce the risk of having machines able to be directly dialed into.

Subcategory Physical Security

Best Practices
Continue to implement physical security access controls. Institute physical access controls to guard against unauthorized persons gaining access to the building and to sensitive information. Consider reassessing all physical access controls to ensure they are adequate and are being complied with. Increase staff awareness of the personnel access control policy and encourage the challenging of unrecognized individuals.

All computer systems should be secured to prevent easy theft. Servers and networking equipment should be secured in locked cabinets in locked rooms with controlled access.

Physical access should be stringently controlled, preventing unauthorized individuals from accessing buildings, sensitive data and systems. With such access they could alter system configurations, introduce vulnerabilities into the network, or even destroy or steal equipment.

Findings: Your response indicated that physical security controls have been deployed to secure your organization's assets.
Recommendations: Continue use of physical controls, and consider extending them to all computer equipment, if that has not already been done.

Findings: You have indicated that an alarm system has not been installed to detect and report break-ins.
Recommendations: Consider installing an alarm system in order to detect and report break-ins.

Findings: Your response indicates that all or some of the following are implemented (employee and visitor badges, visitor escorts, visitor logs, entrance controls).
Recommendations: Continue to implement physical security access controls.

Findings: You have indicated that networking equipment is in a locked room with restricted access.
Recommendations: Continue the practice of securing network equipment in a locked room, and ensure access is limited only to those who have a business need.

Findings: You have indicated that network equipment is also in a lockable cabinet or rack.
Recommendations: Having network equipment in a lockable cabinet/rack further protects against unauthorized tampering. Ensure that access to keys/combinations is limited to only those who have a business need.

Findings: You have indicated that servers are in a locked room with restricted access.
Recommendations: Continue the practice of securing servers in a locked room, and ensure access is limited only to those who have a business need.

Findings: You have indicated that servers are also in a lockable cabinet or rack.
Recommendations: Having servers in a lockable cabinet/rack further protects against unauthorized tampering. Ensure that access to keys/combinations is limited to only those who have a business need.

Findings: You have indicated that workstations are not secured with cable locks.
Recommendations: In order to prevent theft, consider securing workstations with cable locks.

Findings: You have indicated that laptops are not secured with cable locks.
Recommendations: In order to prevent theft, consider securing laptops with cable locks.

Findings: You have indicated that sensitive printed materials are not stored in locked file cabinets.
Recommendations: Sensitive documents should be kept in locked cabinets in order to prevent theft and disclosure of sensitive information.

Management and Monitoring - Resources

Windows Server 2008
Windows Server 2008 is the most secure Windows Server yet. The operating system has been hardened to help protect against failure and several new technologies help prevent unauthorized connections to your networks, servers, data, and user accounts. Network Access Protection (NAP) helps ensure that computers that try to connect to your network comply with your organization's security policy. Technology integration and several enhancements make Active Directory services a potent unified and integrated Identity and Access (IDA) solution, and Read-Only Domain Controller (RODC) and BitLocker Drive Encryption allow you to more securely deploy your AD database at branch office locations.
http://www.microsoft.com/windowsserver2008/en/us/overview.aspx

Windows Server Active Directory
A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment. Windows Server Active Directory is already used by companies around the world to gain unified management of identities and resources across the enterprise network. Active Directory enables organizations to centrally manage and track information about users and their privileges. In addition, Active Directory Lightweight Directory Services (AD LDS), an LDAP directory service, provides organizations with flexible support for directory-enabled applications. Integration with Microsoft Federated Identity, Strong Authentication, Information Protection and Identity Lifecycle Management solutions makes Active Directory an ideal foundation for building a comprehensive identity and access solution.
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
http://www.microsoft.com/windowsserver2003/technologies/idm/DirectoryServices.mspx

Public Key Infrastructure
Microsoft Public Key Infrastructure (PKI) for Windows Server 2003 provides an integrated public key infrastructure that enables you to secure and exchange information with strong security and easy administration across the Internet, extranets, intranets, and applications.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Certificates
Windows Certificate Services (CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies.
http://www.microsoft.com/windowsserver2003/technologies/idm/StrongAuthentication.mspx

Forefront Client Security
Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as traditional threats, such as viruses, worms, and Trojan horses. By delivering simplified administration through central management and providing critical visibility into threats and vulnerabilities, Forefront Client Security helps you protect your business with confidence and efficiency. Forefront Client Security integrates with your existing infrastructure software, such as Microsoft Active Directory, and complements other Microsoft security technologies for enhanced protection and greater control.
http://www.microsoft.com/forefront/clientsecurity/en/us/overview.aspx

Windows Vista - BitLocker Drive Encryption
BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate editions and in Windows Server 2008. BitLocker enhances data protection by bringing together drive encryption and integrity checking of early boot components.
http://www.microsoft.com/windows/products/windowsvista/features/details/bitlocker.mspx

Windows Vista - Encrypting File System (EFS)
Encrypting File System (EFS) is a data protection feature in the Business, Enterprise and Ultimate editions of Windows Vista. It is useful for user-level file and folder encryption.
http://www.microsoft.com/windows/products/windowsvista/features/details/encryptingfilesystem.mspx

Windows Vista and XP SP2 Windows Defender
Windows Defender works with Internet Explorer 7 to help you make conscious choices when installing software on your PC by providing always-on protection and monitoring of key system locations, watching for changes that signal the installation and presence of spyware.
http://www.microsoft.com/windows/products/windowsvista/features/details/defender.mspx

Windows Firewall
Windows Firewall is a critical first line of defense to protect your computer against many types of malicious software. It can help stop malware before it infects your computer. Windows Firewall comes with Windows Vista and is turned on by default to protect your system as soon as Windows starts.
http://www.microsoft.com/windows/products/windowsvista/features/details/firewall.mspx

Windows Security Center
Windows Security Center alerts you when your security software is out of date or when your security settings should be strengthened. It displays your firewall settings and tells you whether your PC is set up to receive automatic updates from Microsoft.
http://www.microsoft.com/windows/products/windowsvista/features/details/securitycenter.mspx

Windows Live OneCare
Protect, maintain, and manage your computer with Windows Live OneCare, the always-on PC-care service from Microsoft. Working quietly in the background on your computer, OneCare protects against viruses, spyware, hackers, and other unwanted intruders. New features allow for multi-PC management to form a circle of protection, printer sharing support, and centralized backup of up to three PCs covered under the same OneCare subscription.
http://onecare.live.com/standard/en-us/default.htm

ISA Server
Internet Security and Acceleration (ISA) Server 2006 is the integrated edge security gateway that helps protect IT environments from Internet-based threats while providing users with fast and secure remote access to applications and data. Deploy ISA Server 2006 for Secure Remote Access, Branch Office Security, and Internet Access Protection.
http://www.microsoft.com/forefront/edgesecurity/iap.mspx
http://www.microsoft.com/forefront/edgesecurity/sra.mspx
http://www.microsoft.com/forefront/edgesecurity/bos.mspx

ADFS
Microsoft Active Directory Federation Services (ADFS) provides the interoperability required to simplify the broad, federated sharing of digital identities and policies across organizational boundaries. Seamless yet secure, customers, partners, suppliers, and mobile employees can all securely gain access to the information they need, when they need it. ADFS boosts cross-organizational efficiency and collaboration with secure data access across companies, and improves operational efficiency with streamlined federation systems and simplified management of IDs and passwords. It boosts visibility into cross-boundary processes with transparent, auditable information rights and roles, and improves security with ADFS claim mapping, SAML tokens, and Kerberos authentication. ADFS helps to reduce operations costs by taking advantage of existing investments in Active Directory and security systems, and eliminates the complexity of managing federation by using Active Directory as the main identity repository.
http://www.microsoft.com/windowsserver2003/technologies/idm/federatedidentity.mspx

(IPv6) Direct Connect
IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, autoconfiguration, and extensibility. Its use will also expand the capabilities of the Internet to enable a variety of valuable and exciting scenarios, including peer-to-peer and mobile applications. Support for Internet Protocol version 6 (IPv6), a new suite of standard protocols for the Network layer of the Internet, is built into the latest versions of Microsoft Windows, which include Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP with Service Pack 2, Windows XP with Service Pack 1, Windows XP Embedded SP1, and Windows CE .NET.
http://technet.microsoft.com/en-us/network/bb530961.aspx

IPsec
Internet Protocol security (IPsec) is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group. IPsec is supported by the Microsoft Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000 operating systems and is integrated with the Active Directory directory service. IPsec policies can be assigned through Group Policy, which allows IPsec settings to be configured at the domain, site, or organizational unit level.
http://technet.microsoft.com/en-us/network/bb531150.aspx

802.1X
The IEEE 802.1X standard for wired networks provides authentication and authorization protection at the network edge where a host attaches to the network. IPsec provides peer authentication and cryptographic protection of IP traffic from end-to-end. This white paper describes the security and capabilities of 802.1X for wired networks and IPsec based on industry standards and their support in Windows Server 2003, Windows Server 2008, Windows XP and Windows Vista, and provides comparison information when evaluating deployment of these security technologies.
http://technet2.microsoft.com/windowsserver/en/library/908d13e8-c4aa-4d62-8401-86d7da0eab481033.mspx?mfr=true

Applications
A thorough understanding of application security requires in-depth knowledge of the basic underlying application architecture as well as a solid understanding of the application's user base. Only then can you begin identifying the potential threat vectors. Given the limited scope of this self assessment, a complete analysis of application architecture and thorough understanding of the user base is not possible. This assessment is meant to help you review applications within your organization and assess them from a security and availability standpoint. It examines technologies used within the environment to help enhance Defense-in-Depth. The assessment reviews the high level procedures an organization can follow to help mitigate application risk by focusing on the following areas of application security:

Deployment & Use: Load-Balancing, Clustering, Application & Data Recovery, Third Party Independent Software Vendor, Internally Developed, Vulnerabilities
Application Design: Authentication, Password Policies, Authorization & Access Control, Logging, and Input Validation
Data Storage & Communications: Encryption

Deployment and Use

Subcategory: Load-Balancing
Findings: You have indicated that load balancers are currently deployed in the environment.
Recommendations: Periodically audit the configuration of your load balancers and run diagnostics on a regular basis to make sure they are functioning properly.

Subcategory: Clustering
Findings: Your response indicates that clustering is deployed in your environment.
Recommendations: Implement a formal policy which requires periodic testing of the cluster failover mechanisms.

Subcategory: Application & Data Recovery
Findings: You have indicated that your organization has line of business applications.
Recommendations: Any line of business applications should be periodically evaluated for security, backed up regularly, fully documented, and have contingencies in place in case they fail. Perform full backups regularly.

Findings: Your response indicates that regular testing of application and data recovery is not performed.
Recommendations: Perform regular tests of the backup and recovery mechanism that permits restoration of the application to a normal operating state.

Subcategory: Third-party independent software vendor (ISV)
Best Practices: The third-party independent software vendor (ISV) should regularly provide patches and upgrades for their application, and they should explain the purpose of patches and any impact you may expect in terms of the functionality, configuration, or security of the application being patched. The third-party ISV should clearly identify critical patches so that they can quickly be applied. The third-party ISV should explain all of the application's security mechanisms and provide up-to-date documentation. The organization should be aware of any configuration requirements necessary to ensure the highest level of security.

Findings: You have indicated that third-party vendors have developed one or more of the key applications in your environment.
Recommendations: Ensure that the third party who has developed your key software will continue to support that software, provide updates in a timely manner, and can provide you with source code in the event that the third party can no longer support the application. Continue to work with the third-party application vendor to address all application and security issues in the deployed applications.

Findings: Your responses indicate that your third-party ISV provides you with regular software upgrades and security patches for applications developed by them.
Recommendations: When a patch is made available, thoroughly test the patch in a lab environment before deploying it into production. Obtain the application hardening documentation from the ISV if it exists, and audit the application's configuration settings.

Findings: You have indicated that you do not know the answer to this question.
Recommendations: Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Subcategory: Internally Developed
Best Practices: The in-house development team should regularly provide patches and upgrades for their application, and they should explain the purpose of patches and any impact you may expect in terms of the functionality, configuration, or security of the application being patched. The development team should clearly identify critical patches so that the organization can quickly apply them. The development team should explain all of the application's security mechanisms and provide up-to-date documentation. The organization should be aware of any configuration requirements necessary to ensure the highest level of security. Consider contracting with an independent third party to review the application's architecture and deployment and identify any security issues of concern.

Findings: You have indicated that your organization does not use custom macros for Office applications.
Recommendations: Continue to not use custom Office macros, because using custom macros requires that the security settings in Office are downgraded, exposing your Office applications to malicious documents.

Subcategory: Vulnerabilities
Best Practices: All known security vulnerabilities should be identified and patched. Regularly monitor vendor and third-party security sites for new vulnerability information and available patches. If there are any known security vulnerabilities that do not have available patches, determine when a patch will be available and develop an interim mitigation plan to address that vulnerability. Consider using a third party to conduct periodic assessments to evaluate the application's security design. A third-party assessment may also turn up areas where additional security mechanisms are beneficial.

Findings: Your response indicates that there are currently no known security vulnerabilities in any of the applications being used in your environment.
Recommendations: Regularly monitor the vendor site and other security sites for vulnerabilities relevant to the application. Give thought to conducting an independent assessment so that a third party can evaluate the application's security design and identify areas where additional security mechanisms may be needed.

Deployment and Use - Resources

2007 Office Security Guide

As risks from malicious attack have increased, desktop application security mechanisms have evolved. The new security model in the 2007 Microsoft Office release provides new mechanisms, settings, and features that allow your organization to achieve an effective balance between protection and productivity while minimizing user disruption. You might think that such risks come from outside your organization, and can therefore be stopped by effective network security mechanisms such as firewalls, proxy servers, and intrusion detection systems. However, many of these business risks can come from internal users and unsecured systems that are at the heart of your organization. Unless securely configured, the desktop applications that your information workers rely on to send e-mail, write documents, create presentations, and analyze data can be critical pathways for attack by malicious software (malware), including spyware, Trojan horses, viruses, and worms.

http://www.microsoft.com/technet/security/guidance/clientsecurity/2007office/default.mspx

Microsoft Rights Management Services for Windows Server 2003

Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, inside and outside of the firewall. RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it goes. Organizations can use RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from intentionally or accidentally getting into the wrong hands. This service is built into Windows Server 2008 as Active Directory Rights Management Services (AD RMS).

http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

Windows Server 2008 - Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS) in Windows Server 2008 is an information protection technology that works with AD RMS-enabled applications (Office 2007) to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward or take other actions with the information.

http://technet2.microsoft.com/windowsserver2008/en/library/37c240d3-8928-4267-867b-4c005b72cca21033.mspx?mfr=true

Windows Server 2008 Clustering

Failover clustering in Windows Server 2008 can help you build redundancy into your network and eliminate single points of failure. The improvements to failover clusters (formerly known as server clusters) in Windows Server 2008 are aimed at simplifying clusters, making them more secure, and enhancing cluster stability, all of which helps reduce downtime, guard against data loss, and reduce your total cost of ownership. Because they are included in the enhanced-capability editions of Windows Server 2008, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, Windows Server 2008 failover clusters are much less expensive than comparable systems, which can cost thousands of dollars. Ease of deployment and affordability make Windows Server 2008 an ideal high-availability solution for organizations of all sizes.

http://www.microsoft.com/windowsserver2008/en/us/clustering-home.aspx

Microsoft Security Development Lifecycle

Trustworthy Computing is a Microsoft initiative for ensuring the production of secure code. A key element of the Trustworthy Computing initiative is the Microsoft Security Development Lifecycle (SDL). The SDL is an engineering practice that is used in conjunction with standard engineering processes to facilitate the delivery of secure code. The SDL consists of ten phases that combine best practices with formalization, measurability, and additional structure, including security design analysis, tool-based quality checks, penetration testing, final security review, and post-release product security management. This methodology is also available in book form through Microsoft Press.

http://msdn.microsoft.com/en-us/library/aa969774.aspx

Application Design

Subcategory: Authentication
Best Practices: The application should implement an authentication mechanism whose strength is commensurate with requirements governing security of data or access to functionality. Applications that rely on passwords should provide for password complexity constraints that include character mix (alpha, numeric, and symbols), minimum length, history maintenance, enforced lifetime, pre-expiration, and dictionary checking. The application should log failed login attempts, excluding the password. Each component that provides access to data or functionality should verify the existence of proper authentication credentials. Administrative access to systems should be protected with the strongest forms of authentication available. Typically the restrictions around password creation for administrators should be greater than those for normal accounts. In addition to strong passwords with good password policies, multifactor authentication should be considered for added security.

Subcategory: Password Policies
Best Practices: The use of strong passwords is a basic element of Defense-in-Depth. Strong passwords should be 8 to 14 characters in length, with alphanumeric and special characters. Minimum length, history maintenance, lifetime, and pre-expiration of passwords should all be set to provide additional defenses to password strength. In general, password expiration should be set to the following:
+ Maximum password age of 90 days
+ New accounts must change password at login
+ Password history of 8 passwords (8 days minimum)
Administrative access to systems should be protected with the strongest forms of authentication available. Typically, the restrictions around password creation for administrators should be greater than those for normal accounts: if normal accounts require a password length of 8 characters, then administrative accounts should have 14-character passwords. Account lockout, after 10 failed login attempts, should be enabled on all user accounts. The controls around account lockout can vary from simply being focused on blocking brute-force password attacks to as complex as requiring administrator intervention to unlock. Consider the following guidelines when implementing controls around account lockout:
+ Account lockout after at least 10 failed login attempts for user accounts
+ Require administrative access to re-enable accounts for critical applications, and automatically re-enable regular user accounts after 5 minutes for other applications
+ 30-minute length to cache failures for regular user accounts

Findings: Your response indicates that no password controls are implemented for key applications.
Recommendations: It is important to implement a policy for password controls. All external applications and critical internal applications that handle sensitive data should have password policies. Consider implementing a policy that requires complex passwords, password expiration, and account lockout after at least 10 failed login attempts.
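The authentication and lockout rules above, as an added example (not code from the report or from Microsoft): a Python module that applies the 10-failure lockout with a 30-minute failure cache and 5-minute automatic re-enable, administrator-only unlock for critical applications, 8-character user and 14-character administrator minimums, a history of 8 passwords, a 90-day maximum age and a forced change at first login, and that logs failed attempts without the password. Account names and the PBKDF2 round count are constructed for the demo.

```python
"""Added example, not code from the MSAT report: account lockout and password-policy
checks built from the report's own parameters (10 failures, 30-minute cache, 5-minute
auto re-enable, admin unlock for critical apps, 8/14-character minimums, history of 8,
90-day maximum age, change at first login).  Account names and rounds are constructed."""
from __future__ import annotations

import hashlib
import hmac
import logging
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

log = logging.getLogger("auth")

MAX_FAILURES = 10                       # lock after this many cached failures
FAILURE_WINDOW = timedelta(minutes=30)  # how long a failed attempt stays cached
AUTO_UNLOCK = timedelta(minutes=5)      # regular accounts re-enable themselves after this
HISTORY_DEPTH = 8                       # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)            # maximum password age
MIN_LENGTH = {"user": 8, "admin": 14}   # administrators get the stricter rule
PBKDF2_ROUNDS = 50_000                  # kept low for the demo


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; returns (salt, digest). Passwords are never stored in clear."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password_policy(password: str, role: str) -> list[str]:
    """Complexity rules for a role; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    return problems


@dataclass
class Account:
    name: str
    role: str = "user"           # "user" or "admin"
    critical: bool = False       # critical application: only an administrator can unlock
    must_change: bool = True     # new accounts must change their password at first login
    salt: bytes = b""
    digest: bytes = b""
    password_set: datetime | None = None
    history: list = field(default_factory=list)    # (salt, digest) of previous passwords
    failures: list = field(default_factory=list)   # timestamps of recent failed logins
    locked_at: datetime | None = None


def set_password(acct: Account, password: str, now: datetime, initial: bool = False) -> list[str]:
    """Apply complexity and history rules; returns the violations, or [] when the change was made."""
    problems = check_password_policy(password, acct.role)
    previous = acct.history + ([(acct.salt, acct.digest)] if acct.digest else [])
    if any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in previous):
        problems.append(f"matches the current or one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    if acct.digest:
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
    acct.salt, acct.digest = hash_password(password)
    acct.password_set = now
    acct.must_change = initial   # an administrator-assigned password is changed at first login
    return []


def admin_unlock(acct: Account) -> None:
    acct.locked_at = None
    acct.failures.clear()


def is_locked(acct: Account, now: datetime) -> bool:
    if acct.locked_at is None:
        return False
    if not acct.critical and now - acct.locked_at >= AUTO_UNLOCK:
        admin_unlock(acct)   # regular accounts re-enable automatically after 5 minutes
        return False
    return True


def login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'change_required', 'denied' or 'locked'."""
    if is_locked(acct, now):
        log.warning("login refused for %s: account locked", acct.name)
        return "locked"
    acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]  # 30-minute cache
    if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
        acct.failures.append(now)
        # the attempted password is deliberately not logged
        log.warning("failed login for %s (%d of %d)", acct.name, len(acct.failures), MAX_FAILURES)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_at = now
            return "locked"
        return "denied"
    acct.failures.clear()
    if acct.must_change or now - acct.password_set >= MAX_AGE:
        return "change_required"
    return "ok"
```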

Subcategory: Authorization & Access Control
Best Practices: Applications should implement an authorization mechanism that provides access to sensitive data and functionality only to suitably permitted users or clients. Role-based access controls should be enforced at the database level as well as at the application interface. This will protect the database in the event that the client application is exploited. Authorization checks should require prior successful authentication to have occurred. All attempts to obtain access without proper authorization should be logged. Conduct regular testing of key applications that process sensitive data and of the interfaces available to users from the Internet. Include both "black box" and "informed" testing against the application. Determine if users can gain access to data from other accounts.

Findings: Your response indicates that key applications do not restrict access to sensitive data and functionality based on privileges assigned to the account.
Recommendations: Work with the application vendor (ISV or in-house development team) to implement authorization and access control mechanisms within the application, initially for critical external applications and then for internal applications. Authorization functionality enables administrators to group users into roles and define specific permissions for each role. After their credentials have been verified, users are allowed to access data based on their assigned privileges.

Subcategory: Logging
Best Practices: Logging should be enabled across all applications in the environment. Log file data is important for incident and trend analysis as well as for auditing purposes. The applications should log failed and successful authentication attempts, changes to application data including user accounts, severe application errors, and failed and successful access to resources. When writing log data, the application should avoid writing sensitive data to log files.

Findings: Your answers indicate that there are currently no logs created by applications in the environment.
Recommendations: Work with the application vendor (ISV or in-house development team) to implement logging for key applications. When writing log data, the application should avoid writing sensitive data. Critical events, such as those mentioned in the Best Practices section, should be logged.

Subcategory: Input Validation
Best Practices: The application may accept input at multiple points from external sources, such as users, client applications, and data feeds. It should perform validation checks of the syntactic and semantic validity of the input. It should also check that input data does not violate limitations of underlying or dependent components, particularly string length and character set. All user-supplied fields should be validated at the server side.

Findings: Your answers indicate that there are no mechanisms deployed for input data validation in applications being used in the environment.
Recommendations: Work with the application vendor (ISV or internal development team) to implement mechanisms to validate incoming data to prevent malicious or malformed data from being processed by the applications. These modules should initially be implemented for external applications. The validation constraints on input data should accept data that is syntactically and semantically correct and should not rely solely on screening of input for invalid characters.
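The server-side validation described above, as an added example (not code from the report): each field of a request is checked for syntax (pattern, length, character set) and semantics (numeric range, a real calendar date that is not in the past), and the result is contrasted with screening for a few invalid characters, which accepts the same malformed request. The field names and limits are constructed for illustration.

```python
"""Added example, not code from the MSAT report: server-side allow-list validation of a
request, checking each field for syntax (pattern, length, character set) and semantics
(numeric range, real calendar date that is not in the past), contrasted with the screening
for invalid characters that the report says is not sufficient on its own.
Field names and limits are constructed for illustration."""
from __future__ import annotations

import re
from datetime import date

# Allow-list schema.  max_len mirrors the limits of the (constructed) downstream
# components, e.g. database column widths, so over-long input never reaches them.
FIELDS = {
    "customer_id": {"pattern": r"[A-Z]{3}-\d{6}", "max_len": 10},
    "quantity":    {"pattern": r"\d{1,4}", "max_len": 4, "range": (1, 500)},
    "ship_date":   {"pattern": r"\d{4}-\d{2}-\d{2}", "max_len": 10},
    "note":        {"pattern": r"[A-Za-z0-9 .,-]*", "max_len": 64},
}


def screen_bad_chars(value: str) -> bool:
    """Blocklist screening, shown for contrast: accepts anything lacking a few 'bad' characters."""
    return re.search(r"""[<>;"'\\]""", value) is None


def validate_field(name: str, value, today: date) -> str | None:
    """Return a problem description for one field, or None when it is acceptable."""
    spec = FIELDS[name]
    if not isinstance(value, str):                       # e.g. a JSON number or list
        return f"{name}: must be a string"
    if len(value) > spec["max_len"]:                     # component limit, checked first
        return f"{name}: longer than {spec['max_len']} characters"
    if re.fullmatch(spec["pattern"], value) is None:     # syntax: format and character set
        return f"{name}: not in the allowed format"
    if "range" in spec:                                  # semantics: numeric range
        low, high = spec["range"]
        if not low <= int(value) <= high:
            return f"{name}: must be between {low} and {high}"
    if name == "ship_date":                              # semantics: a real date, not past
        try:
            when = date.fromisoformat(value)
        except ValueError:
            return f"{name}: not a calendar date"
        if when < today:
            return f"{name}: is in the past"
    return None


def validate_request(form: dict, today: date) -> list[str]:
    """Validate a whole request: every declared field is required and nothing else is accepted."""
    problems = []
    for name in FIELDS:
        if name not in form:
            problems.append(f"{name}: missing")
            continue
        problem = validate_field(name, form[name], today)
        if problem:
            problems.append(problem)
    problems += [f"{name}: unexpected field" for name in form if name not in FIELDS]
    return problems


def compare_approaches(form: dict, today: date) -> dict:
    """What character screening alone would accept versus what full validation reports."""
    screened = all(isinstance(v, str) and screen_bad_chars(v) for v in form.values())
    return {"screening_passes": screened, "validation_errors": validate_request(form, today)}
```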

Subcategory: Software Security Development Methodologies
Best Practices: Continue to use software security development methodologies. Institute the use of software security development methodologies to increase the security of your applications. When using consultants or vendors in any phase of your development cycle, ensure that they are trained on the software security development methodology your organization uses or one your organization recommends. Your organization's full development staff should be trained on the software security development methodology your organization has chosen; this includes Development Managers, Developers, Testers and Quality Assurance Staff. With the evolving security threat landscape, it is important to update your software security development methodology training and threat modeling training on an annual basis; your development staff would be required to take updated security development training each year. The use of security software testing tools improves your team's ability to write secure code more effectively. Output from the use of your testing tools should be incorporated into your required annual training.

Findings: Your response indicates that your organization does not provide software security methodology training for your development staff.
Recommendations: Institute a software security development methodology training program to improve your staff's ability to develop secure code.

Findings: Your response indicates that your organization is not using security software testing tools as a part of its security development process.
Recommendations: Institute the use of security software testing tools as an instrumental part of all your security development plans.

Data Storage & Communications

Subcategory: Encryption
Best Practices: Sensitive data should be encrypted or hashed in the database and file system. The application should differentiate between data that is sensitive to disclosure and must be encrypted, data that is sensitive only to tampering and for which a keyed hash value (HMAC) must be generated, and data that can be irreversibly transformed (hashed) without loss of functionality (such as passwords). The application should store keys used for decryption separately from the encrypted data. Sensitive data should be encrypted prior to transmission to other components. Verify that intermediate components that handle the data in clear-text form, prior to transmission or subsequent to receipt, do not present an undue threat to the data. The application should take advantage of authentication features available within the transport security mechanism. Examples of widely accepted strong ciphers are 3DES, AES, RSA, RC4, and Blowfish. Use 128-bit keys (1024 bits for RSA) at a minimum.

Findings: Your responses indicate that your applications do not currently encrypt data while in storage or in transmission.
Recommendations: For applications processing sensitive data, consider encryption using an industry-standard encryption algorithm both during data transmission and in data storage.

Subcategory: Encryption - Algorithm
Best Practices: The application should use industry-standard cryptographic algorithms with keys of appropriate sizes and cryptographic modes appropriate to the need. Industry recognized strong ciphers include 3DES, AES, RSA, Blowfish, and RC4. A minimum key size of 128 bits (1024 bits for RSA) should be used.
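The three-way distinction drawn in the Encryption best practices, as an added example (not code from the report): tamper-sensitive fields get a keyed hash (HMAC-SHA256) whose key lives in a store separate from the data, and password-like fields are irreversibly hashed with a per-record salt (PBKDF2). The disclosure-sensitive tier needs an authenticated cipher from a library outside the Python standard library and is not implemented here; field names, key ids and the sample record are constructed.

```python
"""Added example, not code from the MSAT report: applying the report's distinction between
data sensitive only to tampering (store a keyed hash, HMAC-SHA256) and data that can be
irreversibly transformed (store a salted PBKDF2 hash) when a record is written.  The HMAC
key is held apart from the data; records carry only a key id.  Data sensitive to
disclosure would need an authenticated cipher from a third-party library and is omitted.
Field names, key ids and the sample record are constructed."""
import hashlib
import hmac
import secrets

TAMPER, IRREVERSIBLE, PLAIN = "tamper", "irreversible", "plain"

# Which protection each field of the (constructed) account record needs.
SCHEMA = {"username": PLAIN, "balance": TAMPER, "role": TAMPER, "password": IRREVERSIBLE}

# Key material lives in a separate store; the data store only ever sees the key id.
KEY_STORE = {"hmac-2011-09": secrets.token_bytes(32)}
CURRENT_KEY_ID = "hmac-2011-09"
PBKDF2_ROUNDS = 50_000   # kept low for the demo


def _mac(key_id: str, field: str, value: str) -> str:
    # The field name is bound into the MAC so a valid tag cannot be moved to another field.
    msg = f"{field}\x00{value}".encode()
    return hmac.new(KEY_STORE[key_id], msg, hashlib.sha256).hexdigest()


def _hash_secret(secret: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS).hex()


def protect(record: dict) -> dict:
    """Transform a plaintext record into its stored form according to SCHEMA."""
    stored = {"key_id": CURRENT_KEY_ID}
    for field, value in record.items():
        kind = SCHEMA[field]          # unclassified fields are rejected rather than stored
        value = str(value)
        if kind == PLAIN:
            stored[field] = value
        elif kind == TAMPER:
            stored[field] = {"value": value, "mac": _mac(CURRENT_KEY_ID, field, value)}
        else:  # IRREVERSIBLE: the original can never be recovered from what is stored
            salt = secrets.token_bytes(16)
            stored[field] = {"salt": salt.hex(), "hash": _hash_secret(value, salt)}
    return stored


def verify_integrity(stored: dict) -> list[str]:
    """Return the names of tamper-protected fields whose MAC no longer matches."""
    bad = []
    for field, kind in SCHEMA.items():
        if kind == TAMPER and field in stored:
            entry = stored[field]
            expected = _mac(stored["key_id"], field, entry["value"])
            if not hmac.compare_digest(expected, entry["mac"]):
                bad.append(field)
    return bad


def check_password(stored: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored salted hash."""
    entry = stored["password"]
    computed = _hash_secret(candidate, bytes.fromhex(entry["salt"]))
    return hmac.compare_digest(computed, entry["hash"])


def rotate_key(stored: dict, new_key_id: str) -> dict:
    """Re-MAC tamper-protected fields under a new key, after checking them under the old one."""
    if verify_integrity(stored):
        raise ValueError("refusing to rotate a record that fails integrity checks")
    out = dict(stored, key_id=new_key_id)
    for field, kind in SCHEMA.items():
        if kind == TAMPER and field in stored:
            value = stored[field]["value"]
            out[field] = {"value": value, "mac": _mac(new_key_id, field, value)}
    return out
```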

Operations
This area of analysis examines the operational practices, procedures, and guidelines followed by the organization to help enhance Defense-in-Depth. This assessment examines policies and procedures that govern system builds, network documentation, and the use of technology within the environment. It also includes supporting activities required to manage the information and procedures used by the administrators and operations staff within the environment. By establishing operational practices, procedures, and guidelines that are understood and followed, an organization can potentially enhance its Defense-in-Depth posture. The assessment reviews high level procedures an organization can follow to help mitigate operations risk by focusing on the following areas of operations security:

Environment: Firewall Rules & Filters, Administrative Users, Management Host, Disaster Recovery & Business RP, Third Party Relationships
Security Policy: Data Classification & Disposal, Protocols & Services, Acceptable Use, User Account Management, Governance, Security Policies
Patch & Update Management: Network Documentation, Application Data Flow, Patch & Change Management
Backup & Recovery: Log Files, Backup, and Restore

Environment

Subcategory: Management Host
Best Practices: When management packages are used, the administrative consoles should be hardened and physically secured. Harden the management workstations used to manage the network servers and devices. Use SSH or VPN connections to protect clear-text protocols. Management workstations should be dedicated to specific network and host administrators. Test all management systems that utilize SNMP to ensure that they are patched to the latest version and do not use default community strings. Shared systems should not store any management-specific data, and shared workstations should not be used to administer network devices or hosts.

Subcategory: Management Host - Servers
Findings: Your answers indicate that a dedicated management computer exists for servers.
Recommendations: Consider using SSH or VPN for securing clear-text management protocols.

Subcategory: Management Host - Network Devices
Findings: You indicated that a dedicated management computer for administering network devices has been deployed.
Recommendations: Test all management systems that utilize SNMP to ensure that they are patched to the latest version and do not use default community settings.

Environment - Resources

Windows Vista - User Account Control

User Account Control in Windows Vista improves the safety and security of your computer by preventing dangerous software from making changes to your computer without your explicit consent. This also helps in prohibiting users from installing rogue programs, changing system settings and performing other tasks that are the province of administrators.

http://www.microsoft.com/windows/products/windowsvista/features/details/useraccountcontrol.mspx

Data Classification and Protection Whitepaper

Data classification and protection deals with how to apply security classification levels to data, either on a system or in transmission.

http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/4-1100.mspx?mfr=true

Security Policy

Subcategory: Data Classification
Best Practices: Continue to implement data classification with corresponding protection guidelines. Define a corporate data classification scheme and provide all staff with appropriate training and guidance regarding data classification. Define useable handling and protection requirements corresponding to data classification levels. It is important to have a data classification scheme with corresponding data protection guidelines. Insufficient information classification and segregation can allow staff, business partners, or the public access to information that is sensitive or that they do not have a need-to-know. This could lead to loss of brand image or corporate embarrassment owing to unauthorized disclosure of sensitive information. Scarce resources used to secure information may also be misallocated without proper information classification. Without the staff knowing what company-sensitive information is and how to protect this data, there is a high likelihood that this information may be exposed to unauthorized persons.

Findings: You have indicated that you do not know the answer to this question.
Recommendations: Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Subcategory: Data Disposal
Best Practices: Continue to implement data disposal processes. Define and implement procedures for the management and disposal of information in both hard copy and electronic form, such as that contained on floppy disks and hard drives. Formal procedures should exist so that all users know the proper practices for disposing of electronic and hardcopy information. By not providing guidance and processes for securely destroying information, the confidentiality of information could be compromised.

Findings: You have indicated that you do not know the answer to this question.
Recommendations: Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Subcategory: Protocols & Services
Best Practices: Clearly document the standards and practices regarding which protocols and services are allowed by the organization. Access-control lists should be verified to ensure that all services allowed have a business need for the level of access granted. Identify specific IP addresses/ranges wherever possible. Servers should have their services limited to only those required by the business need. Specifics for protocol version and minimum encryption strength should also be stated in these guidelines. Enforce accepted protocol usage through the use of perimeter devices (routers, gateways, firewalls, etc.), strong authentication, and encrypted communications.

Findings: Your response indicates that you have documented guidelines that govern which protocols and services are allowed on the corporate network.
Recommendations: Audit the documentation for allowed protocols and services and check that it conforms to the configured ACLs and firewall rules on the respective devices. Publish this information on the corporate intranet, and implement policies that govern making changes to the guidelines.

Subcategory: Acceptable Use
Best Practices: An Acceptable Use policy exists to govern the appropriate use of corporate networks, applications, data, and systems. The policy should also cover digital media, printed media, and other intellectual property.

Subcategory: User Account Management
Best Practices: Individual user accounts should be created for all persons needing access to IT resources. Accounts should not be shared among users. By default, accounts should be created with the minimum required privileges enabled. Network and server administrators should have privileged (administrator) as well as unprivileged accounts. Password strength should be enforced and regularly audited, and all account modifications should be logged. As an individual's role changes, all account privileges should be reviewed and modified as necessary. When employment is terminated, all accounts should be disabled or removed.

Subcategory: Governance
Best Practices: Third-party audits should be performed regularly to ensure compliance with all current legal and civil governance requirements (e.g., HIPAA for healthcare; Sarbanes-Oxley for SEC-regulated firms).

Findings: You have indicated that your organization does not have policies to govern the computing environment.
Recommendations: Policies are rules and practices that specify how the computing environment can be properly used. Without any policies, there is no mechanism to define or enforce controls in the environment. Immediately plan to develop the necessary policies in accordance with applicable standards and company management.

Subcategory: Security Policies
Best Practices: Security policies should be defined with input from management, IT, and HR; empowered by the corporate executives; and frequently updated to reflect current best practice (such as CoBIT).

Patch & Update Management

Subcategory Network Documentation

Best Practices Current and accurate physical and logical diagrams of the external and internal networks should always be available. Any changes made to the environment should be reflected in the corresponding diagrams in a timely manner. Access to the latest diagrams should be restricted to the IT operations team.

Network Documentation

Findings Your answer indicates that logical network diagrams exist for your environment and they are kept up-to-date.

Recommendations Review the policy that governs updates to the network diagrams. If a change control policy exists for the environment, include updates to the diagram as a formal step in the change control policy. Make certain the latest diagrams are only available to restricted personnel, primarily the IT operations and security team.

Subcategory Application Data Flow

Best Practices Application architecture diagrams should depict major components and data flows that map the flow of critical data through the environment, including the systems through which the data passes and how the data is manipulated. As changes are made to the application or the environment that hosts the application, the diagrams should be updated in a timely manner.

Application Data Flow

Findings Your response indicates that application architecture and dataflow diagrams exist for both the internal and external applications in your environment.

Recommendations Review the policy that governs updates to the application diagrams. If a change control policy exists for the environment, include updates to the diagram as a formal step in the change control policy.

Subcategory Patch Management

Best Practices Security patches and configuration changes should be deployed in a timely fashion (defined by corporate security policy) from when they become available. Whether developed internally or supplied by a third party, patches and updates should be thoroughly tested in a lab environment before being rolled into production. Additionally, each system should be tested after the patch has been applied to identify conflicts which are unique to that system and may require rollback of the patch. Systems should be categorized to allow for scheduling based on groupings: critical systems and those exposed to higher traffic should be patched first.

Patch Management

Findings Your response indicates that no policies currently exist which govern patch & update management for operating systems and applications.

Recommendations Develop a patch update policy for operating systems and applications based on the listed best practices. Patch external and Internet systems first, critical internal systems next, and then noncritical systems. Develop a policy to notify remote users when patches are available, so that their systems get updated as well.

Subcategory Change Management and Configuration

Change Management and Configuration

Best Practices Any changes to the production environment should first be tested for security and compatibility before being released into production, and full documentation should be kept of the configuration of all production systems.

Findings You have indicated that your organization does not have a change and configuration management process.

Recommendations Consider implementing a formal change and configuration management process to test and document all updates before deployment.

Patch & Update Management - Resources


Microsoft Update
Microsoft provides an automatic way for you to get the latest product updates and security patches on a regular basis through our Microsoft Update service.
http://www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us

Microsoft Windows Server Update Services
Microsoft Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.
http://technet.microsoft.com/en-us/wsus/default.aspx

Systems Center Configuration Manager
System Center Configuration Manager 2007 is the solution to comprehensively assess, deploy, and update your servers, clients, and devices across physical, virtual, distributed, and mobile environments. Optimized for Windows and extensible beyond, it is the best choice for gaining enhanced insight into and control over your IT systems.
http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx

Backup and Recovery

Subcategory Log Files

Best Practices Log files are configured to allow for recording all planned activity without overwriting entries. An automated process should be set up to rotate log files on a daily basis and offload the logs to a secure server within the management network. Access to log files and configuration settings should be restricted to prevent modification and deletion. Log files should be reviewed regularly to ensure that suspicious or anomalous activity is identified. Review should include systems operation, maintenance, and security. Event correlation software and trend analysis should be used to enhance review capability.

Log Files

Findings You have indicated that log files are not rotated in your environment.

Recommendations Set up an automated process that rotates log files on a daily basis and offloads the logs to a secure server within the management network. Consider storing the log files in a database so that the security team can perform trend analysis and have access to protected logs in the event an incident occurs.

Log Files

Findings You have indicated that log files are reviewed regularly in your environment.

Recommendations Consider having the log files from the DMZ and core network servers monitored by MOM (Microsoft Operations Manager). In the event of critical log-file entries being generated, MOM will send alerts to the appropriate members of the team.

Log Files

Findings You have indicated that access to log files is not protected in your environment.

Recommendations Consider protecting all operating system log files and application log files on the servers in the DMZ and core networks by limiting file access permissions.

Log Files

Findings You have indicated that logs are not written to a centralized log server.

Recommendations Consider logging to a centralized log server in order to preserve data in case a production server is compromised.

Log Files

Findings You have indicated that log files are not reviewed regularly in your environment.

Recommendations The security team should review the log files every day to look for suspicious or anomalous activities. Consider having the log files from the DMZ and core network servers monitored by MOM (Microsoft Operations Manager). In the event of critical log-file entries being generated, MOM will send alerts to the appropriate members of the team.

Subcategory Disaster Recovery & Business Resumption Planning

Best Practices Disaster Recovery and Business Resumption plans should be well documented and up-to-date, to ensure recovery in an acceptable timeframe. Plans (including restore from backup for applications) should be regularly tested to validate correctness and completeness. Business Continuity Plans should focus on the entire environment: physical, technological, and staff.

Disaster Recovery & Business Resumption Planning

Findings You have indicated that you do not know the answer to this question.

Recommendations Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Disaster Recovery & Business Resumption Planning

Continue to maintain and test disaster recovery / business resumption plans. Require disaster recovery plans to be developed, documented, implemented, and subjected to periodic reviews, tests, and updates. Develop Business Continuity Plans that include staff, locations, as well as systems and other technology issues.

Subcategory Backup

Best Practices Full backups should be performed at regular intervals. If feasible, partial intermediary backups should be made between full backups. The backup strategy should address the worst-case scenario of a complete system and application restore. For critical applications, the restore process should result in a fully functioning application in minimal time.

Backup

Findings Your answer indicates that critical assets in your environment are being backed up on a regular basis.

Recommendations Audit the backup mechanisms and ensure that all critical assets are being backed up regularly. Periodically test the restore functionality to verify recoverability from the backup media.

Subcategory Backup Media

Best Practices Detailed policies should exist to govern the storage and handling of backup media. These policies should address issues such as:
+ Onsite/Offsite Storage
+ Media Rotation
+ Security Controls
+ Personnel Access Controls
Removable backup media should be stored in locked, fire-proof cabinets and only authorized personnel should have access to these cabinets. Offsite storage locations should be used to offer greater recoverability in the event of disaster.

Backup Media

Findings Your response indicates that no policies exist to address the storage and handling of backup media.

Recommendations Develop policies and procedures for storage and handling of backup media based on the listed best practices. These policies should initially address data for critical systems that are required for business continuity.

Subcategory Backup & Restore

Best Practices Backup and restore procedures should be tested regularly to identify faulty media and improve the chance of a successful restore in the event of an outage. Detailed procedures for restoring different systems, including applications, should be well-documented. Audit all the backup and restore documents to ensure all the critical systems necessary for business continuity are covered.

Backup & Restore

Findings Your answer indicates no policies exist for the regular testing of backup & restore procedures.

Recommendations Develop a policy that calls for regular testing of backup and restore procedures. This process should be well documented so that in the event of a disaster, responsible personnel from the IT department can perform restore operations. Backup & restore procedures should be developed initially for the critical systems required for business continuity and then for other less critical systems and data.

People
Security efforts in an organization often overlook organizational aspects that are critical to helping the organization maintain overall security. This section of the assessment reviews those processes within the enterprise governing corporate security policies, Human Resources processes, and employee security awareness and training. The People Area of Analysis also focuses on dealing with security as it relates to day-to-day operational assignments and role definitions. The assessment reviews high-level procedures an organization can follow to help mitigate people risk by focusing on the following areas of people security:

Requirements and Assessments: Security Requirements & Assessments
Policy and Procedures: Background Checks, HR Policy, Third-Party Relationships
Training and Awareness: Security Awareness & Training

Requirements & Assessments

Subcategory Security Requirements

Best Practices The organization identifies individuals with subject-matter expertise in security to be involved in all security-related discussions and decisions. The organization identifies what it needs to protect based on the value of the asset, as well as the level of security needed to protect it. All threat vectors are included in the analysis. The resulting strategy balances cost and benefit of the protections, and may include transfer or acceptance of risk as an option. Security requirements, derived from both business and technical representatives, are documented and published for all parties to review and address in future designs. Differences between classes of applications and data may result in different end requirements being identified.

Security Requirements

Findings You have indicated that your organization does not have a model for assigning criticality levels to each component of the computing environment.

Recommendations Assigning criticality levels to each component of the computing infrastructure allows for the most resources to be applied to those determined to be most critical, with less critical systems receiving fewer resources. Consequently, scarce security resources are most efficiently applied to those systems that need them the most.

Subcategory Security Assessments

Best Practices Third-party assessments should be conducted to gain a valuable and objective view of an organization's security posture. Third-party assessments might also prove beneficial in meeting regulatory, customer, partner, and vendor requirements. Assessments should cover infrastructure, applications, policies, and audit procedures. These assessments should focus not solely on identifying vulnerabilities, but also on auditing for non-secure configurations and extraneous access privileges. Security policies and procedures should be reviewed and evaluated for gaps.

Security Assessments

Findings You have responded that no independent security assessments are performed by third parties.

Recommendations Start by performing self-assessments on critical network and application infrastructure. Consider developing a plan that calls for regularly scheduled third-party assessments for critical network and application infrastructure. Incorporate results from the assessments into improvement projects.

Security Assessments

You have indicated that security assessments for your organization are not performed by internal staff.

Consider performing frequent security audits by internal staff, but augment these audits with input from a trusted third party.

Policy & Procedures

Subcategory Background Checks

Best Practices Background checks should be performed to identify any potential issues, thus reducing the risk exposure to the organization and to other employees. This step also helps identify any potential issues and gaps in the candidate's resume. The hiring process should include a review of the candidate's employment and legal history. A candidate's skills should be evaluated against detailed job descriptions and task requirements to understand strengths and weaknesses.

Background Checks

Findings Your answer indicates that your organization does not currently conduct background checks as a regular component of the hiring process.

Recommendations Initiate a policy that requires background and credit checks for all new critical position hires. Eventually, extend this policy to include all new hires, regardless of position.

Subcategory Human Resources Policy

Best Practices Formal exit procedures ensure that all the necessary steps are undertaken when an employment contract is terminated. These procedures should exist to handle both friendly and unfriendly employee exits. These procedures should include:
+ Notification to all departments: Human Resources, IT, Physical Security, Help Desk, Finance, etc.
+ Escorting the employee from the premises
+ Termination of all accounts and network access
+ Collection of company property: laptop, PDA, electronic media, confidential documents, etc.

Human Resources Policy

Findings Your response indicates that no formal employee exit policy exists within your organization.

Recommendations Immediately begin work with the HR department to develop a formal employee exit policy. There should be separate policies for friendly and unfriendly terminations. The most critical component of this policy is to ensure termination of all physical access and IT privileges for the employee.

Subcategory Third-Party Relationships

Best Practices To help reduce the risk of exposure, formal policies and procedures should exist to govern relationships with third parties. These policies and procedures help to identify security issues and the responsibilities of each party in mitigating them. These policies should include:
+ Level of connectivity and access
+ Data presentation and manipulation
+ Roles and responsibilities (including authority) of each party
+ Management of the relationship: setup, ongoing, and termination.

Third-Party Relationships

Findings You have indicated that systems are configured by internal staff.

Recommendations Systems should be configured by internal staff following a tested build image.

Third-Party Relationships

Findings You have indicated that your organization manages the computing environment itself.

Recommendations Based on business needs, either self management or outsourcing can be viable solutions. If the management is outsourced, security requirements should be addressed in the contract, and service-level agreements (SLAs) used to enforce compliance with those requirements.

Third-Party Relationships

Findings Your answer indicates that no policy exists to govern third-party relationships.

Recommendations Formal policies and procedures for all different types of third-party relationships should be developed and agreed upon across the organization. Involve the various business teams responsible for the relationships while framing these policies. Well-developed policies will reduce the organization's risk of exposure.

Training & Awareness

Subcategory Security Awareness

Best Practices A security awareness program helps employees contribute to a company's overall security posture by keeping them up-to-date on security risks. Knowledgeable employees are your best source for reporting security issues. An effective awareness program should take into account all aspects of security, including application, network, and physical, while providing clear guidelines for what employees should do if they witness things that appear to jeopardize the security of any of these elements. Implement policies that regulate employee usage of company resources. Awareness programs should be a part of new employee orientation. Updates and refresher courses should be conducted regularly to ensure all employees are aware of the most current practices and risks. Periodic testing should be implemented to ensure employees have absorbed the material.

Security Awareness

Findings You have indicated that you do not have an individual or group responsible for security at your organization.

Security Awareness

Your response indicates that no security awareness program exists at your organization.

Recommendations Designate a person or group with expertise in security to be responsible for security for the company, and require that this individual/team is consulted before changes are made to the computing environment. Consider implementing a formal security awareness program to keep employees informed about IT related security risks. Implement policies that regulate employee usage of company resources and technology and include security awareness as part of new employee orientation. Knowledgeable employees are your best source for reporting security issues.

Subcategory Security Training

Best Practices Work with business owners to determine the acceptable downtime for critical applications. Based on those findings take appropriate measures to meet or even surpass those requirements. Availability and performance of Web-based applications is improved by deploying load balancers in front of the Web servers. To balance server load, a load balancer distributes requests to different nodes within a server cluster with the goal of optimizing system performance. If one Web server in a server cluster fails, then the request is directed to another server to handle the request, providing high availability. Determine acceptable downtime for critical file shares and databases from business owners. Test the failover mechanisms for the applications, and determine if the amount of downtime is acceptable. To minimize downtime, a clustering mechanism should be deployed. Each instance of the clustered application participates in the same security domain, i.e., shares a common user and group database. Management operations within the cluster of machines and within the application instances take effect both in the individual instance and across its peers. Applications that rely on special knowledge of the clustering environment--such as through interactions with load balancers--recognize and handle all foreseeable exception conditions. Appropriate responses include alerting operations staff and effecting a smooth failover. The backup strategy should address worst-case scenarios of a complete system and application restore. For critical applications, the restore process should result in a fully functioning application in minimal time. Perform regular tests of the backup/recovery mechanism that permits restoration of the application to a normal operating state.

Security Training

Findings Your answer indicates that your organization does not currently offer subject matter related training to employees.

Recommendations Develop a plan initially for the IT team and development engineers, as needed based on your business model, to attend appropriate security related training. Jumpstart the plan by having the team attend external training in the form of seminars and topic-specific security training. Draft a plan to include some basic level of training for all employees in future.

Training & Awareness - Resources


Microsoft Security Certifications
The MCSE: Security for Windows Server 2003 certification provides you the skill set to secure a Windows Server environment.
http://www.microsoft.com/learning/mcp/mcse/security/windowsserver2003.mspx

Industry Security Certifications
(ISC)2 - CISSP, SSCP Certifications
ISACA - CISM, CISA Certifications
CompTIA - Security+
http://www.isc2.org
http://www.isaca.org
http://www.comptia.org

Microsoft Security Awareness Toolkit
Microsoft recognizes that information security awareness and training is critical to any organization's information security strategy and supporting security operations. People are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Therefore, people need to be educated on what your organization considers appropriate security-conscious behavior, and also what security best practices they need to incorporate in their daily business activities. This kit was created to provide guidance, samples, and templates for creating your own security awareness program.
http://technet.microsoft.com/en-us/security/cc165442.aspx

Prioritized Action List


The following list prioritizes the recommendations made above in the Assessment Detail section. For more information on any of these items, refer to the matching entry in that section. A Microsoft security partner can help with building a security program that encompasses these actions.

Prioritized Action List

Analysis Topic / Recommendation

High Priority

Applications > Deployment and Use > Third-party independent software vendor (ISV)

Review this open item with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

Infrastructure > Perimeter Defense > Remote Access

Treating your wireless network as untrusted and requiring users to use VPN or similar technologies to connect to corporate resources is the best solution to maintain data integrity, but does not prevent unauthorized users from connecting. Consider using WPA authentication and MAC address restrictions in order to limit access to authorized users.

People > Policy & Procedures > Third-Party Relationships

Systems should be configured by internal staff following a tested build image.

Applications > Deployment and Use > Application & Data Recovery

Any Line of Business applications should be periodically evaluated for security, backed up regularly, fully documented, and have contingencies in place in case they fail.

Infrastructure > Authentication > Remote Access Users

If you have not already done so, consider using a multifactor authentication system for remote access, and limit access to only those employees that have a business need for remote connectivity.


Medium Priority Infrastructure > Perimeter Defense > Segmentation Ensure that firewalls, segmentation and intrusion-detection systems are in place in order to protect the company's infrastructure from Internet-based attacks.

Infrastructure > Perimeter Defense > Wireless

In order to minimize the risk associated with wireless networks, the implementation should include non-broadcast of SSID, WPA encryption, and treating the network as untrusted.

Infrastructure > Perimeter Defense > Firewall Rules and Filters

Immediately deploy firewalls or other network-level access controls at each office location, and frequently test and verify that all firewalls are working properly.

Operations > Backup and Recovery > Log Files

Consider having the log files from the DMZ and core network servers monitored by MOM (Microsoft Operations Manager). In the event of critical log-file entries being generated, MOM will send alerts to the appropriate members of the team.

Applications > Deployment and Use > Internally Developed

Continue to not use custom Office macros, because using custom macros requires that the security settings in Office are downgraded, exposing your office applications to malicious documents.

Low Priority

Operations > Environment > Management Host - Servers

Consider using SSH or VPN for securing clear text management protocols.

Operations > Environment > Management Host - Network Devices

Test all management systems that utilize SNMP to ensure that they are patched to the latest version and do not use default community settings.

Operations > Backup and Recovery > Backup

Audit the backup mechanisms and ensure that all critical assets are being backed up regularly. Periodically test the restore functionality to verify recoverability from the backup media.

Infrastructure > Perimeter Defense > Anti-virus - Desktops

Continue the practice. Implement a policy that requires users to regularly update virus signatures. Consider adding the anti-virus client in the default workstation build environment.

Infrastructure > Perimeter Defense > Anti-virus - Servers

Continue the practice. Consider actively managing anti-virus clients on the servers from a centralized management console for configuration and signature deployment. If you are using Microsoft Exchange, consider using the additional anti-virus and content filtering capabilities at the mailbox level.

Appendices
Questions and Answers
The following answers were provided for input into this assessment. Assessment Question Business Risk Profile Number of desktops and laptops in use at your company: Number of servers in use at your company: Does your company maintain a full-time connection to the Internet? Do customers and vendors access your network or internal systems via the Internet? Does your company host application services, such as a portal or a Web site, for external customers or partners? Does your organization deploy services that are used by both external and internal clients in the same network segment? Do external partners or customers connect directly to your company's internal, back-end systems for the purposes of data access, record updates, or other information manipulation? Has your organization deployed the same back-end infrastructure components, such as databases, to support both external applications and internal corporate services? Does your organization allow employees or contractors to connect remotely to the internal corporate network? Does your organization allow employees to deploy nonproduction systems, such as personal Web servers or computers housing "pet projects," on the general corporate network? Aside from backup tapes/media, does your organization allow confidential or proprietary data off-site for processing? Would a compromised system's security significantly impact your company's ability to conduct business? Does your company share office space with other More than 500 More than 25 servers Yes Yes Yes Yes Your Answer

No

Yes

Yes No

Yes

Yes No

Microsoft Security Assessment Tool ITC Services Completed: 17-Sep-11 12:52 PM


organizations?
Does your company develop applications?  Yes
Does your organization allow software developers to connect remotely to corporate development resources or remotely develop application code?  No
Does your company develop and market software products for customers, partners, or a broad market?  No
Does your organization allow developers to run development or test systems in remote or unprotected locations?  No
Does your IT staff act as the custodian (as opposed to developer) of line of business applications?  Yes
Do your business processes require data that is stored, processed, or distributed by a third party?  No
Does your company store or process customer data in an environment that is shared with corporate resources?  Yes
Do you rely on third-party software development partners to support business-service offerings?  No
Does your company generate revenue based on service offerings that require data processing or data mining?  No
Does your organization consider the data processed by your company's application services sensitive or critical to your customers' business operations?  No
Does your company make its critical business applications available through Internet-based connections?  Yes
Who are the target users of the key applications within your environment?  Both internal employees and external customers, vendors, and partners
How is access to key applications made available to users?  Both from within the internal network and remotely
Does your corporate network connect to customer, partner, or third-party networks via network links, whether public or private?  No
Does your company generate revenue from services based on the storage or electronic distribution of data, such as media files or documentation?  No
Has your organization gone through a "rip and replace" change of any major technology component in the last 6 months?  Yes
Does your company rely on receiving data feeds or processed data from partners, vendors, or other third parties?  I don't know
Would an incident that affected customer applications or infrastructure, such as a site outage or a hardware or application failure, impact revenue?  Yes
Does your company store sensitive or critical customer data?  Yes
Do customer infrastructure components or applications rely on access to resources within your environment?  Yes
Does your company share infrastructure and application components among multiple customers?  Yes
Do you consider information technology to be a requirement for your company?  Yes
Do all of the employees in your company use computers for business?  Yes
Does your company outsource maintenance or ownership of any portion of its infrastructure?  No
Does your company have a mid- or long-term plan for the selection and deployment of new technology components?  Yes
Do you consider your organization to be an early adopter of new technology?  Yes
Does your organization select and deploy new technologies based on existing partnerships and licensing agreements?  Yes
Does your organization limit technology choices to technologies known by the current IT staff?  No
Does your company expand its network through acquisition of new companies and their existing environments?  No
Does your organization allow employees to download sensitive customer or corporate data to their workstations?  No
Does your organization restrict access to information by users based on their role?  Yes
Does your organization deploy new services or applications before assessing them for possible security issues?  I don't know
Does your organization change credentials for privileged accounts on a regular basis?  Yes
Does your organization change credentials for privileged accounts after termination of personnel with privileged access?  Yes
Choose the option that best describes your company's industry segment:  IT Services
Choose the size of your organization:  50 to 149 employees
Does your company have more than one location?  Yes
Is your company in a highly competitive or research-focused industry in which intellectual property theft or espionage is a significant concern?  No
Are the technologists in your company subject to high turnover or attrition?  No
Does your company have significant product or brand recognition?  Yes
Does your company use down version or legacy software (software that is no longer supported by the vendor)?  No
Does your organization acquire software from a reputable vendor or source?  No

Infrastructure
Does your organization use firewalls or other network-level access controls at network borders to protect corporate resources?  Yes
Does your organization deploy these controls at each office location?  No
Does your organization use a neutral zone (commonly referred to as a demilitarized zone or DMZ) that separates internal and external networks to host services?  Yes
Does your organization host Internet-facing services on the company's network?  Yes
Does the organization use host-based firewall software to help protect servers?  No
Does your organization use intrusion-detection hardware or software to help identify attacks?  No
Are anti-virus solutions implemented in the environment?  Yes
Please select the systems that have anti-virus solutions deployed:  E-mail servers; Perimeter hosts (gateways, proxies, relays, etc.); Desktops; Servers
Is remote access to the company's network available?  Yes
Select who is able to connect remotely to the network:  Employees
Is virtual private network (VPN) technology being used to provide secure connectivity to corporate resources for these remote users?  Yes
Is the VPN capable of limiting connectivity to a quarantine network until the client has passed all necessary security checks?  No
Is multi-factor authentication (tokens, smart cards, etc.) required for remote users?  No
Does the network have more than one segment?  Yes
Is network segmentation used to separate external customer and extranet services from corporate resources?  Yes
Does your organization group hosts into network segments based on similar roles or services provided?  Yes
Does your organization group hosts into network segments based on providing only the services necessary for the users that connect?  No
Has a plan been created and documented to govern the allocation of TCP/IP addresses for systems based on the segments needed?  Yes
Is wireless connectivity to the network available?  Yes
Which of the following security controls are used to regulate connections to the wireless network?  Changing the default/preset network name (also known as Service Set Identifier, or SSID) on the access point; Disabling broadcast of the SSID; Enabling Wi-Fi Protected Access (WPA)
Do controls exist to enforce password policies on various types of accounts?  No
Does your organization have processes for reviewing inactive administrative, internal use, vendor and remote user accounts?  No
Does your company configure its systems itself or is this done by the hardware supplier/reseller?  Configured by internal staff
Which of the following are built based on either an image or a formal documented configuration?  Workstations and laptops; Servers
Does this configuration include 'host hardening' procedures?  No
Which of the following solutions have been installed on employee workstations and laptops?  Password-protected screen saver
Does your organization have formal incident response procedures?  No
Have physical security controls been deployed to secure the company's assets?  Yes
Which of the following security controls are used?  Networking equipment (switches, cabling, Internet connection) is in a locked room with restricted access; Networking equipment is also in a lockable cabinet/rack; Servers are in a locked room with restricted access; Servers are also in lockable cabinets/racks
Which of the following physical access controls are used?  Employee and visitor badges; Visitor escorts; Visitor logs; Entrance controls

Applications
Does your company have line of business (LOB) applications?  Yes
Do you use custom macros for Office applications (such as Word, Excel, or Access)?  No
What mechanisms are in place to ensure high availability of applications? Select all the mechanisms that are deployed from the list below:  Load balancing; Clustering
Has an in-house team developed any of the key applications deployed in your environment?  No
Have third-party consultants/vendors developed any of the key applications deployed in your environment?  Yes
What phase of development are you using consultants/vendors? (Select all that apply)  Design; Code Development
Does the third-party vendor provide regular software upgrades, security patches, and documentation on security mechanisms? (Is it still supported?)  Yes
What software security development methodologies are practiced at your company? (Select all that apply)  None
Does your organization know of security vulnerabilities that currently exist in any of the applications being used in the environment?  No
Does your company provide security training for your development and testing staff?  No
Does your company rely on software tools as part of the test and audit process for secure software development?  Yes, for some projects
Do controls exist to enforce password policies in key applications?  No
Do key applications in your environment have mechanisms enabled to restrict access to sensitive data and functionality?  No
Do key applications in your environment record messages in log files for analysis and auditing purposes?  No
Is input data validated by the deployed applications?  No
Do key applications encrypt sensitive and business critical data that they process?  No

Operations
Does the company manage the environment itself, or outsource?  The company manages the environment
Does the organization use dedicated management hosts for secure administration of systems and devices within the environment?  Yes
Select the systems for which dedicated management hosts exist:  Network devices; Servers
Are separate login accounts used for normal activity vs. administrative/management activity?  No
Does the organization grant users administrative access to their workstations and/or laptops?  Yes
Is the firewall tested regularly to ensure it performs as expected?  No
Does your organization maintain Disaster Recovery and Business Resumption Plans?  No
Does a model exist for assigning criticality levels to each component of the computing environment?  No
Do policies exist to govern the computing environment?  No
Does a documented process exist for host builds? If yes, which types? (For what host types does a documented build process exist?)  None
Do documented guidelines exist that govern which protocols and services are allowed on the corporate network? Select the option that applies.  Guidelines exist and they are documented
Does your organization have a formal, well-documented process for the disposal of data on electronic media and hardcopy form?  No
Does your organization have a data classification scheme with associated data protection guidelines?  No
Does a change and configuration management process exist?  No
Does an established patch and update policy and process exist?  No
Does an established policy exist to govern the updating of signature-based detection products?  None
Do accurate logical diagrams and supporting configuration documentation exist for the network infrastructure and hosts?  Yes
Do accurate application architecture and data flow diagrams exist for key applications?  Yes
For which types of applications do diagrams exist:  Both internal and external applications
Is logging enabled in the environment to record events on hosts and devices?  Yes
Does the organization take measures to protect the information contained within logs?  Log files are rotated frequently to ensure sufficient space is available
Does the organization review log files regularly?  No
Is critical and sensitive data backed up on a regular basis?  No
Do policies and procedures exist for storage and handling of backup media?  No
Do policies exist for regular testing of backup and restore procedures? Are these policies documented?  No

People
Do you have an individual or group in your company that is responsible for security?  No
Does your organization perform security assessments of the environment through independent third-parties?  No
Does your organization perform security assessments of the environment internally?  No
Does the organization perform background checks as a component of the hiring process?  No
Does a formal employee exit process exist?  No
Does a formal policy exist to govern third-party relationships?  Yes
Does a security awareness program exist at your company?  No
Is subject-matter-related training offered to employees based on their roles in the organization?  No

Glossary
The glossary addresses standard security industry terms and concepts included in this report. Additional terms outside of this report may also be included.

AoAs: Areas of Analysis, which are infrastructure, applications, operations, and people.
Applications: A software program that provides functionality to an end user. Requires an operating system to run. Examples include word processor, spreadsheet, and database programs.
Anti-virus (AV): Software and hardware technologies that protect the computing environment from malicious software.
Business Risk Profile (BRP): A measurement of the risk to which an organization is exposed, based on the business environment and industry in which it competes.
Defense-in-Depth Index (DiDI): A measurement of the security defenses used across people, process, and technology to help mitigate the risks identified for a business.
Demilitarized Zone (DMZ): A portion of the network that is separated from the internal network by a firewall and also connected to the Internet via another firewall.
Firewall: A hardware or software device that provides protection to hosts from unauthorized access over the network.
Infrastructure: The network functionality and how it is managed and maintained to support network defense, incident response, network availability, and fault analysis, including the support of internal and external business processes and how hosts are built and deployed.
Multifactor authentication: Authentication that requires a combination of at least two of the following: something you know, something you have, or something you are. For example, the debit card from your bank is two-factor authentication: it requires something you have (the card itself) and something you know (the PIN). Requiring someone to type in multiple passwords for authentication is only single-factor authentication, because it is merely 'something you know.' Generally, the more factors, the more secure the authentication. Thus, a system that requires an ID card (something you have), a PIN (something you know), and a fingerprint scanner (something you are) is more secure than one that requires only a username/password (single factor) or an ID card and PIN.
Operations: The policies, processes, procedures, and practices related to the protection
People: The members of the organization and the policies, processes, procedures, and practices related to protecting them and the organization.
Public Key Infrastructure (PKI): An integrated set of technologies that are required to provide public key encryption and digital signatures. Uses a combination of public- and private-key encryption to provide key management, data integrity, and data confidentiality.
Process: A documented series of sequential tasks used to perform a business function.

Interpreting the Graphs


BRP ranges from 0 to 100, where a higher score implies a greater amount of potential business risk for that specific AoA. It is important to note that a score of zero is not possible here; conducting business in itself implies some level of risk. It is also important to understand that there are some aspects of running a business that have no direct mitigation strategy.

DiDI also ranges from 0 to 100. A high score indicates an environment where a greater number of measures have been taken to deploy defense-in-depth strategies in a particular AoA. The DiDI score does not reflect overall security efficacy or even resources spent on security; rather, it is a reflection of the overall strategy used to defend the environment.

Intuitively, it may seem that a low BRP score and a high DiDI score are a good outcome, but this is not always the case. The scope of this self-assessment does not allow for all factors to be taken into consideration. Significant disparity between BRP and DiDI scores in a particular AoA suggests that further examination of this AoA is recommended.

When analyzing your results it is important to consider the individual scores, both BRP and DiDI, in relation to one another. A stable environment will probably be represented by relatively equal scores across all areas. Disparities between DiDI scores are a strong indicator that the overall security strategy is focused on a single mitigation technique. If the security strategy does not balance people, process, and technology aspects, the environment will probably be more vulnerable to attack.
