Tuesday, September 21, 2010

WACA your Web Apps, the Microsoft Web Application Configuration Analyzer v1.0 that is…

Microsoft Downloads - Microsoft Web Application Configuration Analyzer v1.0

“Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to General Windows, IIS, ASP.NET and SQL Server settings.

File Name: WACAV10.msi

Size: 7.6MB

Version: 1.0

Date Published: 9/20/2010

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production servers. It can also be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx.

Here are some features of the tool:

  • Scan a server using more than 140 rules
  • Generate HTML based reports
  • Compare multiple scan results
  • Export results to Excel
  • Export results to Team Foundation Server

…”

Code Junkie - Web Application Configuration Analyzer v1.0 RTW is live!

“I am excited to announce the release of Web Application Configuration Analyzer v1.0 tool. The following is the quick overview of the tool and its features.

… It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine.

…You can view a demo of the tool in this channel9 screencast.”

Any help in securing our sites/properties/web apps sounds good to me. The GUI-based UI makes it easy to run on an ad-hoc basis, but I didn’t see a means to script it (i.e. using it to check a bunch of machines looks like a pretty manual process? Maybe I just didn’t catch that part in the video…).

Still I dig the idea of leveraging someone else’s experience in locking down and securing our web apps.
