In addition to the checks listed below, the tool also displays the following useful information:
The full "well-known" name of applications currently communicating over a network
The full "well-known" name of applications waiting for communication partners
Local and Domain groups
Members of built-in groups
Users with security-policy permissions
The following is a list of the current checks:
the percentage is the percent of analyzed computers that follow best practice based on:
912 XP Computers,
4161 Windows® 2003 computers,
497 Windows® 2000 computers, and
9 Windows® NT®4 computers.)
That have submitted anonymous statistics.
File Permissions Checked
boot.ini (99% follow best practice)
autoexec.bat (99% follow best practice)
System Information
Version of Windows®
domain
DNS name
User Name
Computer Name / Host name
Computer Manufacturer and Model
Domain Name server
DHCP assigned name server
DHCP domain
IP address
Default gateway
If you enable the "contribute anonymous statistics" feature, the program will send only the version of Windows® and computer manufacturer/model. IP, company, domain, and other identifying information will not be sent.
Often Unneeded or Insecure Services
DHCP Client (usually shouldn't run on servers; unnecessary security risk) (0% follow best practice) . NOTE: Even if a server uses a static IP, if the organization does not manually register DNS entries and relies on the DHCP service to provide dynamic DNS updates, the DHCP Client service needs to run on the server.
Wireless Configuration (demonstrates inadequate updates/configuration processes) (75% follow best practice)
Messenger (often unneeded) (94% follow best practice)
Print Spooler(often unneeded; unnecessary security risk) (40% follow best practice)
IIS Admin service (often unneeded; unnecessary security risk) (72% follow best practice)
Microsoft® Exchange IMAP (unencrypted passwords when exchange mail can encrypt) (99% follow best practice)
Microsoft® Exchange POP3 (unencrypted passwords when exchange mail can encrypt) (100% follow best practice)
World Wide Web Publishing Service (sometimes unneeded) (71% follow best practice)
FTP (sends passwords without encryption) (89% follow best practice)
NNTP (often unneeded; unnecessary security risk; exposes organizations to unnecessary liability) (99% follow best practice)
SMB1 (the vulnerable service that led to the WannaCry Ransomware vulnerability) (1% follow best practice)
SMB2 (currently recommended to be enabled, but listed for future)
SNMP (often unneeded; unnecessary security risk) (53% follow best practice)
Useful Services
Windows® Time (a time synchronization system should be used) (72% follow best practice)
SMS Agent (monitoring systems should be used appropriately) (9% follow best practice)
Compaq/HP Insight Manager (monitoring systems should be used appropriately) (24% follow best practice)
HTTP SSL (encrypted web pages) (27% follow best practice)
Local and Domain Account Configurations
Local password restrictions
Domain-based password restrictions
NIST SP 800-63 password policy compliance
Password complexity requirements
Password encryption
Password lifespan
Network Information
NetBIOS shares
Communication Statistics
Server visibility status
Maximum Logged on users
Maximum open files per session
Idle session time
Current time at time server
Security Hardening
Ctrl+Alt+Delete should be required to log-in (79% follow best practice)
The last logged-in username should not be displayed (1% follow best practice)
A legal notice should be displayed before log-in (59% follow best practice)
Users must log-in before they can shut down the computer (78% follow best practice)
NTLMv2 Authentication (implements 128bit encrypted keys and provides a method to eliminate LANMAN hash, which is easy to attack since it uses only upper-case letters and limit password length to 7 characters) (69% follow best practice)
Anonymous access to usernames (14% follow best practice)
Recovery Console security (0% follow best practice)
Clear page file at shutdown (3% follow best practice)
Prevent remote users from installing printer drivers (5% follow best practice)
Floppy access restrictions (95% follow best practice)
NTFS media (including hot-swappable drives) ejection (95% follow best practice)
CD-ROM access restrictions (95% follow best practice)
Password changes without logging in (24% follow best practice)
Logging and Auditing
Access of global system objects
Backups and restores
Administrative activities
Logons
Directory Services
Process tracking (requires mechanism to purge logs)
Account changes
Security rule (policy) changes
system events
Will the server continue to operate without logging
Server Access
Registry access from remote computers
Renamed Guest account
Renamed Administrator account
Guest account disabled
Administrator account disabled
Automatic updates
are updates automatically downloaded and installed (indicates bad change and patch management unless controlled through other means)
automatic update server (if not default, may be used for patch management)
Patch Management
Java® Runtime Environment version 1.4.2 and 1.3.1 vulnerabilities (added in version 1.6.8.143)
Computer Associates CAM version 1.11 build 54_4 and earlier vulnerabilities (added in version 1.6.8.143)
TCP/IP Filters (36% follow best practice)
Global TCP/IP filters
TCP/IP filters by network card
Restricted TCP and UDP ports by IP address
Restricted Protocols by IP address
Default directories that should be removed
Adminscripts
IISsamples
InetSRV
default .dll and .asp files
InetAdmins
IISAdmin
IADMpwd
Network activity
Active connections are translated by well-known port numbers
services listening for activity are translated by well-known port numbers
Event Logs (added in version 1.4.4.92)
Check for retention and purging
Display log file sizes
Trojans, Backdoors, and Worms (added in version 1.4.4.101 on Feb 6, 2007)
Back Orifice
Back Orifice 2000
Beast
Citrix ICA (also has legitimate uses)
Donald Dick
Masters Paradise
Netmeting Remote Desktop Control (also has legitimate uses)
Netbus
pcAnywhere (also has legitimate uses)
Reachout (also has legitimate uses)
Remotely Anywhere (also has legitimate uses)
Remote (also has legitimate uses)
Timbuktu (also has legitimate uses)
VNC (also has legitimate uses)
Active Directory® (added in version 1.4.4.91)
Users with passwords that don't expire
Users with accounts that don't require passwords
Users with accounts that don't expire and don't require passwords
Users who haven't logged in for over a year
Bad password attempts
Greatest length of inactivity for a user
Potential test, guest, and temporary accounts
- Download the Analyzer
- Open the Analyzer and click the Download Dump Script button to download the extract script
- Have the system administrator of the server in question copy the extract script into a new blank directory, review and run the script (the script is a plain batch file to assure administrators that it won't harm their production servers)
- Install/run the analyzer tool onto a separate workstation
- If you encounter an error while installing a new version of the application, do the following:
- Click Start
- Click Control Panel
- Click Add/Remove programs
- Scroll Down and Click Windows® Analyzer
- Select Remove the application from this computer and click OK
- Reinstall the analyzer by downloading it again
- once the script runs, copy the windump.txt (generated by the extract script) to the analysis workstation
- In the Analyzer, click the Browse button and select the appropriate windump.txt file
- The "Analyze" button will be pressed automatically after selecting an appropriate dump file (including renamed files with dump content) on analyzers released after January 2014. In previous versions, press the Analyze button to analyze the server configuration
- if you have multiple dump files in the same directory, select the directory by clicking the Browse & analyze all dumps in folder button. Results will be automatically saved in the same directory as html files and the summary tab will contain information for each analyzed machine.
Note: this button will also show the number of remaining licenses, if applicable, if there are fewer than 100 licenses remaining. In such a case, the label may read Browse & Analyze 42 dumps in folder, for example, if 42 analyses remain in the license.
How does the program send optional anonymous statistic contributions?
The analyzer program sends the anonymous statistics through a 1024-bit SSL Connection. The statistics are sent to our servers without any information that could identify your servers or network. The statistics are stored with a one-way hash to prevent duplicate statistics.
Why are some of the "critical" Windows® patches not listed?
Some patches, such as those released on Sept. 12, 2006, were only required for some very specific conditions. If the evaluated system doesn't meet those conditions, the patches will not be listed as not installed.
In 2007, a Fortune 50 conglomerate’s corporate Internal Audit department completed a value stream mapping analysis after replacing manual server review processes with the ThreeShield™ Security Analyzer Tool for Windows®. The analysis found that the ThreeShield™ tools automated 100% of the audit department’s data gathering (which previously took five days of lead time). The tools also reduced server testing by 86%, saving an average of 16 hours of work per domain plus 2.3 additional hours of testing per server.
The study also found that manual server security analysis time is linear (i.e. if one server takes 2.3 hours to review, two servers take 4.6 hours). However, ThreeShield™ tools add efficiency with easy-to-follow reports, so two servers take almost as little time to review as one server.
The month after the department implemented the ThreeShield™ tools, they were able to avoid trips from Connecticut to England and Chile. These avoided travel and entertainment expenses easily recovered the cost of a site license. The audit department also reported that they were able to identify far more control weaknesses than in the past – and report them a week earlier than was possible before implementing the tools!