Test your defenses with the Microsoft Security Assessment Tool
Most companies face security vulnerabilities that don't appear on the radar screen. The Microsoft Security Assessment Tool can help you find them.
As long as they use passwords, antivirus software, and a few other basic protections, most small and midsize companies assume they're secure. "Their view is very myopic when it comes to security," says Marcus Solorio, general manager of Lanlogic, a Microsoft Gold Certified solution provider in Livermore, California. In truth, most firms have many hidden gaps in their security defenses.
For organizations without security expertise, exposing those gaps can be challenging. The Microsoft Security Assessment Tool (MSAT), a free download designed for companies with between 50 and 1,500 desktops, helps simplify that process.
How it works
MSAT doesn't directly test your defenses. It's an interactive survey that guides you through more than 240 questions about your risk profile and countermeasures. You can run it on your own or in collaboration with a partner. Here's how it works:
• Take the survey. MSAT's questions are based on widely accepted best practices and the collective security expertise of Microsoft, Cisco, the Computer Emergency Response Team (CERT), and others. The survey delves deeply into four topics: infrastructure, applications, operations, and people. For example, it asks whether you offer security awareness training and how quickly you delete a former employee's network account after he or she leaves your company.
• Translate the results into a plan. After you complete the survey, MSAT offers customized advice on how you can reduce vulnerabilities in your systems and business processes. Unless you have a security professional on staff, however, you'll need help from a qualified Microsoft partner to turn those recommendations into a thorough, actionable remediation plan. "MSAT's real value comes when a partner can look at this information and translate it into actions for your company," Solorio says.
• Put the plan into action. MSAT can help you decide which of those actions to take first. By making hypothetical changes to your answers, you can see which improvements would best elevate your security ranking, thereby helping you prioritize next steps. MSAT lets you save and compare assessments, too, so by retaking the survey regularly you can track your progress over time.
• Involve senior management. An MSAT session typically takes one to two hours and requires input from multiple business and IT managers. Seek sponsorship from your CEO or another senior executive to help gain participation from the stakeholders.
In the end, most participants find investing the time in the MSAT process worthwhile. "The feedback I've received has been very favorable," Solorio says. By asking questions that many organizations rarely consider, and may even have trouble answering, MSAT gives managers a new appreciation for the wide array of potential threats. "It's eye-opening what they don't know about their own business," he adds.
For example, he says, a local school district that Lanlogic works with didn't realize some of its remote offices were operating without a firewall. Similarly, a financial services client didn't know it was using outdated remote access authentication controls. MSAT routinely exposes such security gaps, saving companies from potentially costly problems later. That's a big return on a small investment of time.
Rich Freeman is a Seattle, Washington-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.