New free tool helps you meet stringent security hardening guidelines

From: fernando (fernando@PEDESTALSOFTWARE.COM)
Date: 04/30/02


Date:         Tue, 30 Apr 2002 09:47:28 -0400
From: fernando <fernando@PEDESTALSOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Summary: SecurityExpressions WebScan Free Edition is a free tool for
assessing how well computers comply with industry-standard security
hardening policies and guidelines.

URL: http://www.securityexpressions.com/webscan

Hardening policies to choose from:
- Microsoft Security Guidelines for Windows NT
- National Security Administration (NSA) Guidelines for Windows 2000
- Hotfixes for Windows, Outlook, IIS, Internet Explorer and other
Microsoft Products
- Others to be added over time

Examples of misconfigurations uncovered:
- Incorrect registry permissions
- Lax file/directory permissions
- Unneeded services
- Lenient user rights
- Missing hotfixes

Requirements:
- Windows NT 4.0 or higher
- Internet Explorer 5 or higher
- Administrator account

How it works:
- Visit http://www.securityexpressions.com/webscan
- Select the policy
- Click "Begin Scan"
- IE will download the WebScan ActiveX object
- The ActiveX object will scan your local computer
- Output will be displayed in IE

Security implications of running WebScan:
- WebScan runs only on the local machine so that no sensitive
information is sent through the Internet.
- WebScan does not require any registration or other type of user
identification.
- WebScan provides an option that, if checked, sends back the results of
the scan so that we can collect aggregate statistics. These statistics
help us to improve the product.

The technology:
- WebScan is based on our SecurityExpressions product that is used by
organizations to ensure that their systems comply with custom policies.
- WebScan uses only documented, standard Windows APIs.
- A commercial version interfaces directly with SecurityExpressions and
allows fixing of any problems discovered.