Put Microsoft's Security Sleuth to Work

Users of Windows NT, 2000, and XP can make their machines far more secure by downloading and running this nifty, and free, utility

By Stephen H. Wildstrom

If you're serious about computer security, you have to be a little bit paranoid. The obvious threats are easy enough to deal with. It's the ones that you don't think about that will get you. And if, like the overwhelming majority of computer users, your operating system is some flavor of Windows, you're almost certainly running a system that features some inviting vulnerabilities.

Perhaps in partial atonement for the sin of distributing operating systems whose default setups are full of holes, Microsoft offers a solid tool for detecting and fixing the problems. It's not as sophisticated as some of the security software professional system administrators use, but the Microsoft Baseline Security Analyzer is easy to install and run, and, best of all, it's a free download from microsoft.com.

The security analyzer runs on Windows NT, 2000, and XP. (Security analysis on Windows 95, 98, and Me is a waste of time because these older versions are insecure by design, and no amount of tightening settings and installing patches is going to fix them.) The download is less than 3 megabytes.


Don't be alarmed if your antivirus software pops up and objects when you run the security analyzer. To perform its job, the analyzer has to do things, such as scanning the security settings of other programs and the operating system itself, that properly look very suspicious. Just tell the antivirus program to relax and let you run the scan.

If you have a network, you can install the analyzer on just one computer and use it to scan all the systems on the net. After a couple of minutes, it produces a report showing all the potential vulnerabilities on the system, with those ranked most severe listed first. Typically, the worst issues will be accounts with weak or no passwords and critical security updates that have not been installed.

Among the items the analyzer looks for are hard drives that use the old file allocation table (FAT) system of storing files instead of the much more secure NT File System (NTFS). As it does for most vulnerabilities, the analyzer offers a clickable link to a suggestion on how to deal with the problem -- in this case, a built-in Windows file-system conversion utility.


Another important check is for Windows features, or "services," that are turned on but not needed. For example, many Windows 2000 and XP systems may have Internet Information Server -- a built-in Web server with many security issues -- turned on unnecessarily.

It's a good idea to print out the analyzer's report, which contains more information than can be shown on the screen. You may learn about accounts installed on the computer that you didn't even know were there. You'll also get information on every file, folder, printer, or other resource that has been shared, and who is authorized to use it over a network.

It's annoying that Microsoft has produced operating systems that have nasty security problems in their default configuration. At least it has supplied us with a good tool to clean up that mess.

Wildstrom is Technology & You columnist for BusinessWeek.
