Home / Products / Security Audit Analysis Tool for Windows Print Page Send Page
Latest Version
More details


The Security Analyzer for Windows® automatically completes over 100 thorough configuration tests. These include password, permission, security policy, patching, service, application, antivirus, Active Directory®, malicious software, and general security hardening tests.


Please Note:
This product analyzes Microsoft® Windows® configurations and runs on Microsoft® Windows®, but was not developed by Microsoft® and is not supported by Microsoft®.

Windows, Windows Vista, Window NT, and the Windows logo are registered trademarks of Microsoft Corporation.


  • Features
  • Instructions
  • F.A.Q.
  • Case Studies
In addition to the checks listed below, the tool also displays the following useful information:

  • The full "well-known" name of applications currently communicating over a network
  • The full "well-known" name of applications waiting for communication partners
  • Local and Domain groups
  • Members of built-in groups
  • Users with security-policy permissions

    The following is a list of the current checks:
    the percentage is the percent of analyzed computers that follow best practice based on:
  • 912 XP Computers,
  • 4161 Windows® 2003 computers,
  • 497 Windows® 2000 computers, and
  • 9 Windows® NT®4 computers.)
    That have submitted anonymous statistics.

    File Permissions Checked
  • boot.ini (99% follow best practice)
  • autoexec.bat (99% follow best practice)

    System Information
  • Version of Windows®
  • domain
  • DNS name
  • User Name
  • Computer Name / Host name
  • Computer Manufacturer and Model
  • Domain Name server
  • DHCP assigned name server
  • DHCP domain
  • IP address
  • Default gateway
    If you enable the "contribute anonymous statistics" feature, the program will send only the version of Windows® and computer manufacturer/model. IP, company, domain, and other identifying information will not be sent.

    Often Unneeded or Insecure Services
  • DHCP Client (usually shouldn't run on servers; unnecessary security risk) (0% follow best practice) . NOTE: Even if a server uses a static IP, if the organization does not manually register DNS entries and relies on the DHCP service to provide dynamic DNS updates, the DHCP Client service needs to run on the server.
  • Wireless Configuration (demonstrates inadequate updates/configuration processes) (75% follow best practice)
  • Messenger (often unneeded) (94% follow best practice)
  • Print Spooler(often unneeded; unnecessary security risk) (40% follow best practice)
  • IIS Admin service (often unneeded; unnecessary security risk) (72% follow best practice)
  • Microsoft® Exchange IMAP (unencrypted passwords when exchange mail can encrypt) (99% follow best practice)
  • Microsoft® Exchange POP3 (unencrypted passwords when exchange mail can encrypt) (100% follow best practice)
  • World Wide Web Publishing Service (sometimes unneeded) (71% follow best practice)
  • FTP (sends passwords without encryption) (89% follow best practice)
  • NNTP (often unneeded; unnecessary security risk; exposes organizations to unnecessary liability) (99% follow best practice)
  • SMB1 (the vulnerable service that led to the WannaCry Ransomware vulnerability) (1% follow best practice)
  • SMB2 (currently recommended to be enabled, but listed for future)
  • SNMP (often unneeded; unnecessary security risk) (53% follow best practice)

    Useful Services
  • Windows® Time (a time synchronization system should be used) (72% follow best practice)
  • SMS Agent (monitoring systems should be used appropriately) (9% follow best practice)
  • Compaq/HP Insight Manager (monitoring systems should be used appropriately) (24% follow best practice)
  • HTTP SSL (encrypted web pages) (27% follow best practice)

    Local and Domain Account Configurations
  • Local password restrictions
  • Domain-based password restrictions
  • NIST SP 800-63 password policy compliance
  • Password complexity requirements
  • Password encryption
  • Password lifespan

    Network Information
  • NetBIOS shares
  • Communication Statistics
  • Server visibility status
  • Maximum Logged on users
  • Maximum open files per session
  • Idle session time
  • Current time at time server

    Security Hardening
  • Ctrl+Alt+Delete should be required to log-in (79% follow best practice)
  • The last logged-in username should not be displayed (1% follow best practice)
  • A legal notice should be displayed before log-in (59% follow best practice)
  • Users must log-in before they can shut down the computer (78% follow best practice)
  • NTLMv2 Authentication (implements 128bit encrypted keys and provides a method to eliminate LANMAN hash, which is easy to attack since it uses only upper-case letters and limit password length to 7 characters) (69% follow best practice)
  • Anonymous access to usernames (14% follow best practice)
  • Recovery Console security (0% follow best practice)
  • Clear page file at shutdown (3% follow best practice)
  • Prevent remote users from installing printer drivers (5% follow best practice)
  • Floppy access restrictions (95% follow best practice)
  • NTFS media (including hot-swappable drives) ejection (95% follow best practice)
  • CD-ROM access restrictions (95% follow best practice)
  • Password changes without logging in (24% follow best practice)

    Logging and Auditing
  • Access of global system objects
  • Backups and restores
  • Administrative activities
  • Logons
  • Directory Services
  • Process tracking (requires mechanism to purge logs)
  • Account changes
  • Security rule (policy) changes
  • system events
  • Will the server continue to operate without logging

    Server Access
  • Registry access from remote computers
  • Renamed Guest account
  • Renamed Administrator account
  • Guest account disabled
  • Administrator account disabled

    Automatic updates
  • are updates automatically downloaded and installed (indicates bad change and patch management unless controlled through other means)
  • automatic update server (if not default, may be used for patch management)

    Patch Management
  • Java® Runtime Environment version 1.4.2 and 1.3.1 vulnerabilities (added in version
  • Computer Associates CAM version 1.11 build 54_4 and earlier vulnerabilities (added in version

    TCP/IP Filters (36% follow best practice)
  • Global TCP/IP filters
  • TCP/IP filters by network card
  • Restricted TCP and UDP ports by IP address
  • Restricted Protocols by IP address

    Default directories that should be removed
  • Adminscripts
  • IISsamples
  • InetSRV
  • default .dll and .asp files
  • InetAdmins
  • IISAdmin
  • IADMpwd

    Network activity
  • Active connections are translated by well-known port numbers
  • services listening for activity are translated by well-known port numbers

    Event Logs (added in version
  • Check for retention and purging
  • Display log file sizes

    Trojans, Backdoors, and Worms (added in version on Feb 6, 2007)
  • Back Orifice
  • Back Orifice 2000
  • Beast
  • Citrix ICA (also has legitimate uses)
  • Donald Dick
  • Masters Paradise
  • Netmeting Remote Desktop Control (also has legitimate uses)
  • Netbus
  • pcAnywhere (also has legitimate uses)
  • Reachout (also has legitimate uses)
  • Remotely Anywhere (also has legitimate uses)
  • Remote (also has legitimate uses)
  • Timbuktu (also has legitimate uses)
  • VNC (also has legitimate uses)

    Active Directory® (added in version
  • Users with passwords that don't expire
  • Users with accounts that don't require passwords
  • Users with accounts that don't expire and don't require passwords
  • Users who haven't logged in for over a year
  • Bad password attempts
  • Greatest length of inactivity for a user
  • Potential test, guest, and temporary accounts
    1. Download the Analyzer
    2. Open the Analyzer and click the Download Dump Script button to download the extract script
    3. Have the system administrator of the server in question copy the extract script into a new blank directory, review and run the script (the script is a plain batch file to assure administrators that it won't harm their production servers)
    4. Install/run the analyzer tool onto a separate workstation
    5. If you encounter an error while installing a new version of the application, do the following:
      1. Click Start
      2. Click Control Panel
      3. Click Add/Remove programs
      4. Scroll Down and Click Windows® Analyzer
      5. Select Remove the application from this computer and click OK
      6. Reinstall the analyzer by downloading it again
    6. once the script runs, copy the windump.txt (generated by the extract script) to the analysis workstation
    7. In the Analyzer, click the Browse button and select the appropriate windump.txt file
    8. The "Analyze" button will be pressed automatically after selecting an appropriate dump file (including renamed files with dump content) on analyzers released after January 2014. In previous versions, press the Analyze button to analyze the server configuration
    9. if you have multiple dump files in the same directory, select the directory by clicking the Browse & analyze all dumps in folder button. Results will be automatically saved in the same directory as html files and the summary tab will contain information for each analyzed machine.
      Note: this button will also show the number of remaining licenses, if applicable, if there are fewer than 100 licenses remaining. In such a case, the label may read Browse & Analyze 42 dumps in folder, for example, if 42 analyses remain in the license.
    How does the program send optional anonymous statistic contributions?
    The analyzer program sends the anonymous statistics through a 1024-bit SSL Connection. The statistics are sent to our servers without any information that could identify your servers or network. The statistics are stored with a one-way hash to prevent duplicate statistics.

    Why are some of the "critical" Windows® patches not listed?
    Some patches, such as those released on Sept. 12, 2006, were only required for some very specific conditions. If the evaluated system doesn't meet those conditions, the patches will not be listed as not installed.
    In 2007, a Fortune 50 conglomerate’s corporate Internal Audit department completed a value stream mapping analysis after replacing manual server review processes with the ThreeShield™ Security Analyzer Tool for Windows®. The analysis found that the ThreeShield™ tools automated 100% of the audit department’s data gathering (which previously took five days of lead time). The tools also reduced server testing by 86%, saving an average of 16 hours of work per domain plus 2.3 additional hours of testing per server.

    The study also found that manual server security analysis time is linear (i.e. if one server takes 2.3 hours to review, two servers take 4.6 hours). However, ThreeShield™ tools add efficiency with easy-to-follow reports, so two servers take almost as little time to review as one server.

    The month after the department implemented the ThreeShield™ tools, they were able to avoid trips from Connecticut to England and Chile. These avoided travel and entertainment expenses easily recovered the cost of a site license. The audit department also reported that they were able to identify far more control weaknesses than in the past – and report them a week earlier than was possible before implementing the tools!

    Windows, Windows Vista, Window NT, and the Windows logo are registered trademarks of Microsoft Corporation. HP-UX is a trademark of Hewlett-Packard Company. AIX is a trademark of the IBM Corporation. Sun, Java, Solaris, and logos that contain Sun, Solaris, or Java are trademarks or registered trademarks of Sun Microsystems, Inc. or its subsidiaries in the United States and other countries.

    HomeAbout ThreeShield | Products & Services | Support | Contact Us

    All text, graphics, and code on this website are Copyright © ThreeShield Information Security LLC