Security Tools
Applies To: Windows Server 2008, Windows Vista
A variety of tools are available to administer security and address ongoing threats to your computers and network. To help you find the right tool for the job, the following security tools are grouped by task:
- Manage user accounts, groups, and credentials
- Modify or create new security principals
- Manage certificates and encryption
- Manage a CA and other Active Directory Certificate Services tasks
- Manage access to network resources
- Take ownership or securely delete files
- Manage security auditing and audit logs
- Analyze and manage security policies
- Analyze and manage computer processes and performance
- Diagnose and remediate overall system security
This is not an exhaustive list, either of security-related tasks or of security-related tools. Other tools that are not listed here can be used to perform tasks that have security implications, and additional security-related tools will be added to this list periodically. For additional tools, see:
Manage user accounts, groups, and credentials
Managing user identities and the processes for logon and authentication involves important yet often repetitive tasks. To obtain information about and manage user accounts, groups, and credentials, use one of the following tools.
| Tool | Type | Description |
|---|---|---|
| whoami | Windows command-line tool | Displays user, group, and privileges information for the user who is currently logged on to the local computer. If used without parameters, whoami displays the current domain and user name. |
| | Windows command-line tool | Creates, lists, and deletes stored user names and passwords or credentials. |
| | Windows command-line tool | Adds, displays, or modifies local groups. |
| | Windows command-line tool | Adds or modifies user accounts, or displays user account information. |
| | Windows PowerShell cmdlet | Gets a credential object based on a user name and password. |
| | Windows PowerShell cmdlet | Gets information about the Authenticode signature in a file. |
| | Sysinternals utility | Lists active logon sessions. |
| | Sysinternals utility | Lists users logged on to a computer. |
Modify or create new security principals
Adding, deleting, and modifying account and group information is one of the most frequent administrator tasks. To modify or create new security principals, use one of the following tools.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file containing the shared secret key of the service. |
| | Windows command-line tool | Creates, lists, and deletes stored user names and passwords or credentials. |
| | Windows command-line tool | Adds, displays, or modifies local groups. |
| | Windows command-line tool | Adds or modifies user accounts, or displays user account information. |
| | Windows command-line tool | Allows you to add specific types of objects to the directory. |
| | Windows PowerShell cmdlet | Adds computers to a workgroup or domain. |
| | Windows PowerShell cmdlet | Removes computers from workgroups or domains. |
| | Windows PowerShell cmdlet | Resets the computer account password. |
Manage certificates and encryption
Certificates and encryption can significantly strengthen the security of a network and its resources. To manage certificate requests and encrypted files or directories, use the following tools.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Requests certificates from a certification authority (CA), retrieves a response to a previous request from a CA, creates a new request from an .inf file, accepts and installs a response to a request, constructs a cross-certification or qualified subordination request from an existing CA certificate or request, or signs a cross-certification or qualified subordination request. |
| cipher | Windows command-line tool | Displays or alters the encryption of directories and files on NTFS volumes. If used without parameters, cipher displays the encryption state of the current directory and any files it contains. |
| | Windows PowerShell cmdlet | Gets information about .pfx certificate files on the computer. |
| | Windows PowerShell provider | Allows you to navigate the certificate namespace and view the certificate stores and certificates. You can also copy, move, and delete certificates and certificate stores, and open the Certificates snap-in for the Microsoft Management Console (MMC). |
Manage a CA and other Active Directory Certificate Services tasks
Active Directory Certificate Services (AD CS) role services allow an organization to issue and manage certificates that enable a variety of network infrastructure requirements. To manage a CA and complete a variety of other AD CS tasks, use the following tool.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Collects and displays certification authority (CA) configuration information, configures AD CS, backs up and restores CA components, and verifies certificates, key pairs, and certification paths. |
Manage access to network resources
Files, folders, and shares that are protected by access control lists (ACLs) can be monitored and managed with the following tools, cmdlets, and utilities. To obtain information about the access permissions set on those resources, use one of the following tools.
| Tool | Type | Description |
|---|---|---|
| Icacls | Windows command-line tool | Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories. Icacls.exe replaces the Cacls.exe tool for viewing and editing DACLs. |
| | Windows command-line tool | Displays and changes permissions (access control entries) in the ACL of objects in Active Directory Domain Services (AD DS). |
| | Windows PowerShell cmdlet | Gets the security descriptor for a resource, such as a file or registry key. |
| | Sysinternals utility | Allows you to scan file shares on your network and view their security settings. |
| | Sysinternals utility | Displays access permissions to files, registry keys, or Windows services for a specified user or group. |
| | Sysinternals utility | Displays access permissions to directories, files, and registry keys for all users and groups on computers in your domain. |
Take ownership or securely delete files
Administrators might need to modify the ownership of files or ensure that deleted files cannot be accessed. To take ownership or securely delete files, use one of the following tools.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file. |
| | Sysinternals utility | Allows you to securely overwrite your sensitive files and remove previously deleted files by using this Department of Defense–compliant secure deletion program. |
Manage security auditing and audit logs
Security auditing allows you to monitor and analyze a wide variety of computer and network activities. The following utilities can be used to configure event logging and manage event logs and event log entries.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Displays information about and performs functions to modify audit policy settings. |
| | Windows command-line tool | Creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line. |
| | Windows PowerShell cmdlet | Deletes all entries from specified event logs on a local or remote computer. |
| | Windows PowerShell cmdlet | Gets the events in the event queue. |
| | Windows PowerShell cmdlet | Gets the events in a specified event log or a list of the event logs on a computer. |
| | Windows PowerShell cmdlet | Creates a new event. |
| | Windows PowerShell cmdlet | Creates a new event log and a new event source on a local or remote computer. |
| | Windows PowerShell cmdlet | Deletes events from the event queue. |
| | Windows PowerShell cmdlet | Deletes an event log or unregisters an event source. |
| | Windows PowerShell cmdlet | Displays the event logs of the local or a remote computer in Event Viewer. |
| | Windows PowerShell cmdlet | Writes an event to an event log. |
| | Windows PowerShell cmdlet | Sets the event log properties that limit the size of the event log and the age of its entries. |
| | Sysinternals utility | Allows you to collect event log records. |
| | Windows command-line tool | Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs. |
Analyze and manage security policies
Security policy is the configurable set of rules that the operating system follows when determining the permissions to grant in response to a request for access to resources. You can use the following tools to analyze and manage security policy settings for a single computer or a domain.
| Tool | Type | Description |
|---|---|---|
| | Windows administrative tool | Determines the minimum functionality required for a server's role or roles and disables functionality that is not required. |
| | Windows command-line tool | Configures and analyzes system security by comparing an existing configuration to at least one template. |
| | Windows command-line tool | Refreshes local and domain Group Policy settings, including security settings. |
| | Windows command-line tool | Displays Resultant Set of Policy (RSoP) information for a remote user and computer. |
Analyze and manage computer processes and performance
Understanding the configuration and behavior of a computer and of the applications and processes running on it is important for diagnosing performance issues and system failures, but it can require detailed investigation. The following tools can assist with many of these tasks.
| Tool | Type | Description |
|---|---|---|
| | Windows command-line tool | Allows a user to run specific tools and programs with different permissions than the user's current logon provides. |
| | Windows command-line tool | Communicates with the Service Controller and installed services. |
| | Windows command-line tool | Enables you to shut down or restart local or remote computers one at a time. |
| | Windows command-line tool | Displays a list of currently running processes on the local computer or on a remote computer. |
| | Windows command-line tool | Ends one or more tasks or processes. Processes can be ended by process ID or image name. |
| | Windows command-line tool | Configures, queries, or changes Boot.ini file settings. |
| | Windows PowerShell cmdlet | Gets the execution policies in the current session. |
| | Windows PowerShell cmdlet | Changes the user preference for the execution policy of the shell. |
| | Sysinternals utility | Allows you to start programs as a different user via a shell context-menu entry. |
| | Sysinternals utility | Includes command-line tools for listing the processes running on local or remote computers, running processes remotely, restarting computers, and obtaining copies of event logs. |
| | Sysinternals utility | Allows you to bypass the password screen during logon. |
| Autoruns | Sysinternals utility | Shows what programs are configured to start automatically when a computer starts and the user logs on. Autoruns also shows the registry and file locations where applications can configure auto-start settings. |
| | Sysinternals utility | Allows you to find out what files, registry keys, and other objects processes have open, which dynamic link libraries (DLLs) they have loaded, and who owns each process. |
| | Sysinternals utility | Allows you to run processes with limited-user rights. |
Diagnose and remediate overall system security
Microsoft provides a number of free tools that can be used to diagnose overall system health and security and protect against the risk of infection from malware. The following tools can be used to accomplish these tasks.
| Tool | Type | Description |
|---|---|---|
| | Download | Checks computers running Windows 7, Windows Vista, Windows XP, Windows Server 2008, or Windows Server 2003 for infections by specific, prevalent malicious software and helps remove any infection found. |
| | Download | Helps small-sized and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. |
| | Download | Provides information and recommendations about best practices to help enhance security within your IT infrastructure. |
| | Download | Allows you to enter information including business requirements and application architecture, which is then used to produce a threat model. |
| | Sysinternals utility | Allows you to scan your computer for rootkit-based malware. |
| | Sysinternals utility | Allows you to collect file version information and verify that images on your computer are digitally signed. |