The Microsoft Web Application Configuration Analyzer is a smart security tool that will evaluate a computer's configuration for the security of general Windows, IIS, ASP.NET and SQL Server settings, and alert you to any problems.

If you think this sounds a little advanced, then you're right: it was originally developed for internal use at Microsoft, and is actually intended for use on servers. If you're an experienced Windows user, though, you'll find the program does have plenty to offer, even of a standard home PC. And it's certainly easy to use.

Launch the program, click Scan a Machine > Scan and it'll quickly evaluate your PCs setup. There are checks to confirm that your Windows Guest account is disabled, for instance; that CD AutoRun is disabled; that you're not running risky or unnecessary services like Remote Registry; that your firewall is enabled, User Account Control is turned on, and more.

Server admins will appreciate the IIS tests, which then check that web services extensions are disabled; server certificates are valid and haven't expired; log files are correctly configured; directory browsing, file permissions, mail and many other configuration details are set up correctly.

And SQL rules make sure that sample databases are removed, Windows authentication is enabled, and potentially dangerous protocols are disabled.

When the scan process is finished you'll get a detailed report highlighting any successes, and displaying alarming red "failed" messages wherever there are problems.

When you read the results, though, it's important to keep in mid that this is aimed at servers. So, for instance, the program will demand that all file shares are removed from the system drive, a wise move for servers, but entirely unnecessary (and probably counter-productive) for regular home PCs.

It makes sense to run the Microsoft Web Application Configuration Analyzer, then, check your system and see what it has to say. But don't blindly follow all its recommendations. If you understand the need for a change, then make it; but if you don't see why it matters that you've failed a particular test, then feel free to ignore it: this security point may simply not be relevant to your setup.

Verdict

The Web Application Configuration Analyzer is a welcome new security scanner, but if you're using it on anything other than a server then you must take care when interpreting the results