I recently had two fully patched Win Server 2008 R2 servers that were failing PCI scans using the McAffee Secure online service. IIS Crypto made short work out of what would’ve been a longer after hours change. It even has a PCI button that you can just click and it configs the server for compliance. Saved me a ton of work. Microsoft needs to start turning this off by default though and maybe even ask if you want it turned on, just a thought for the guys at Redmond.

In a unique twist, even after verifying the registry keys were correct after running the tool, McAffee still complained about the problem after a post-change scan. Qualy’s SSL Site Analyzer, a nifty and free online tool, actually passed it with flying colors. Another interesting venture of theirs is the HTTP Client Fingerprinting Using SSL Handshake Analysis project, which produced a mod for Apache and some other interesting reads at the bottom of the page, enjoy.

Port scanning
Vulnerability scanning
Some kind of patch level detection
Wrap everything up into reporting that can show all the results by machine.
Doesn’t cost an arm, leg, and your first born.

With little to no budget, my auditing tools are varied and I have to cut and paste most of their results into a single report by hand. I’ve gotten pretty nifty with the report formats using color coded Excel sheets, and I get to flex my writing skills but the manual work involved really is frustrating. However, using a combo of the usual free tools (Nessus, Nmap, Microsoft Baseline Security Analyzer, Metaspolit, etc.), I’ve managed to audit a small network of 100+ IPs and 5 subnets in around four to five days, complete with the reports. This also includes external auditing of our two public networks. I still wish I had a free or inexpensive tool that does a lot of what I’m already doing manually, especially bringing in all of the results into a single report complete with an executive summary.

Now, I could be lazy and just compile all the output these tools already generate and call that a “report”, but I’m the creative type and believe in clear documentation that can translate to both non-technical staff and IT staff. They should have a uniform look, because Nessus’ output format is an HTML file and Nmaps’ is a text or XML file. Putting them all together into a printed out clump just looks sloppy, and I don’t go for sloppy with documentation.

There are plenty that do that job, but all of them are pretty hefty pricewise, which leaves those with a low budget for such items in the crunch. There is business opportunity in this area, so you would think this market would have a bit more variety. Changes in the security landscape are pushing it in that direction though, as security and compliance are becoming concerns to even some small businesses. If I was a .NET developer, I think I’d start writing something that did what I wanted. Alas, I’m not, but if any of them are out there lurking, get to coding!