Security Tools Community Edition

We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), providing links to and descriptions of existing content, and adding new content where there are gaps. Join the community!

Introduction

There are many security tools available on the market, and some tools that were not initially created to deal with security concerns can nonetheless be very useful in security-related scenarios. A classic example can be found in some of the Sysinternals tools: many of them were created for a different purpose, not focused on security, but because they are very powerful they can be used to troubleshoot security-related cases. Here are some examples of articles that use the Sysinternals tools to solve security-related issues:

The goal of this article is to create a place where the community can enhance the Microsoft TechNet article that covers security tools by adding more references to tools that can be used to solve security-related issues on the Microsoft platform.

User Account, Groups and Credentials

This section describes some tools that can be used when dealing with security-related issues around users, authentication, credentials and account management in general:

  • LimitLogin - A tool used to limit the number of concurrent logins per user account in an Active Directory domain.
  • ALTools - The Account Lockout and Management Tools; contains tools (such as LockoutStatus and EventCombMT) that assist you in managing accounts and in troubleshooting account lockouts.
  • Klist - Displays the Kerberos TGT and service tickets cached for the current logon session. With the purge option (klist purge) you can delete them, which forces fresh tickets to be requested, for example after a group membership change.
  • AccessChk - A Sysinternals tool that reports the effective access a given user or group has to files, directories, registry keys, services and global objects. Useful for finding objects that low-privileged accounts can write to.
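The following PowerShell wrapper is an added example, not code from the original article or from Sysinternals. It drives AccessChk to find directories under the Program Files roots that a low-privileged group can write to, which is the classic check for binary-planting and service-hijacking opportunities. It assumes accesschk.exe is on the PATH (adjust $AccessChk otherwise), that it is run from an elevated prompt so every directory can be enumerated, and that AccessChk prints writable objects as "RW <path>" or "W <path>" when run without -v.

```powershell
# Added example: find directories writable by low-privileged groups using Sysinternals AccessChk.
# Assumptions: accesschk.exe on PATH; elevated prompt; AccessChk's non-verbose output format.
$AccessChk  = 'accesschk.exe'
$Roots      = @('C:\Program Files', 'C:\Program Files (x86)')
$Principals = @('Users', 'Authenticated Users', 'Everyone')

function Find-WritableDirectories {
    param([string[]]$Roots, [string[]]$Principals)
    foreach ($principal in $Principals) {
        foreach ($root in $Roots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            # -accepteula: no EULA dialog; -u: suppress errors; -w: only objects the principal
            # can write to; -d: directories only; -q: omit banner; -s: recurse
            $lines = & $AccessChk -accepteula -uwdqs $principal $root 2>$null
            foreach ($line in $lines) {
                # AccessChk prints "RW <path>" / "W  <path>" for writable objects
                if ($line -match '^\s*(?<rights>[RW]+)\s+(?<path>.+)$') {
                    [pscustomobject]@{
                        Principal = $principal
                        Rights    = $Matches.rights
                        Path      = $Matches.path.Trim()
                    }
                }
            }
        }
    }
}

Find-WritableDirectories -Roots $Roots -Principals $Principals |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

A hit is only a finding if the directory holds something that runs with higher privileges (a service executable, a DLL loaded by a SYSTEM process, a scheduled task target); pair the output with the service and task configuration before calling it a vulnerability.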

Certificates and PKI Tools

This section describes some tools that can be used when dealing with certificate and PKI issues that are related to security incidents:

  • PowerShell PKI Module - Simplifies certain PKI management tasks through automation with Windows PowerShell (for example, enumerating the Cert: drive and exporting certificates).
  • CertUtil - Dumps certificate information and can verify a certificate's chain and revocation status (certutil -dump, certutil -verify, certutil -verifystore).
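The following script is an added example, not code from the original article or from Microsoft. It uses the Cert: drive that the PKI module exposes to audit the local machine's Personal and Trusted Root stores for certificates that are expired, close to expiry, signed with a weak algorithm, or backed by a short RSA key, and then hands any flagged Personal certificate to CertUtil for a full dump and a chain/revocation check. The 30-day and 2048-bit thresholds and the list of weak algorithms are choices made for this example, not Microsoft guidance; it assumes Windows PowerShell on a machine where the Cert: drive is available.

```powershell
# Added example: audit machine certificate stores for expiry, weak signatures and short RSA keys.
# Assumptions: Windows PowerShell with the Cert: drive; thresholds below are example choices.
$DaysWarning   = 30
$MinRsaKeyBits = 2048
$WeakSigAlgs   = @('sha1RSA', 'md5RSA', 'md2RSA', 'sha1ECDSA')

function Test-CertificateHygiene {
    param([string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'))
    $now = Get-Date
    foreach ($store in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $findings = @()
            if ($cert.NotAfter -lt $now) {
                $findings += 'Expired'
            } elseif ($cert.NotAfter -lt $now.AddDays($DaysWarning)) {
                $findings += "Expires within $DaysWarning days"
            }
            # A root's self-signature is never validated, so only flag weak signatures
            # on certificates that were actually issued by someone else.
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName
            if ($cert.Subject -ne $cert.Issuer -and $WeakSigAlgs -contains $sigAlg) {
                $findings += "Weak signature algorithm: $sigAlg"
            }
            # PublicKey.Key exposes KeySize for RSA keys; ECC keys are not checked here.
            if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinRsaKeyBits) { $findings += "RSA key only $bits bits" }
            }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Findings   = ($findings -join '; ')
                }
            }
        }
    }
}

$results = Test-CertificateHygiene
$results | Format-Table -AutoSize

# For flagged certificates in the Personal store, dump the details and verify the chain
# (including revocation) with CertUtil, addressing the certificate by thumbprint.
foreach ($r in ($results | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })) {
    certutil -store My $r.Thumbprint
    certutil -verifystore My $r.Thumbprint
}
```

A self-signed root that still uses sha1RSA is expected and harmless, which is why the script skips the weak-signature test when subject and issuer match; an intermediate or leaf signed with SHA-1 is the finding that matters.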

Network Resources

This section describes some tools that can be used when dealing with security-related issues from the network perspective:

  • Netmon SSL Decryption Expert - A Network Monitor expert used to decrypt captured SSL/TLS traffic when the server's private key is available.
  • TCPView - Shows a detailed listing of all TCP and UDP endpoints on your system together with the owning process.
  • PortQryUI - A graphical interface for the PortQry command-line port scanner.
  • Netsh AdvFirewall - Configures and manages Windows Firewall with Advanced Security from the command line.
  • Netstat -naob - Shows all TCP and UDP endpoints with the owning process ID and the executable involved (similar functionality to TCPView); the -b option requires an elevated prompt.
  • Process Explorer - Shows which handles and DLLs a process has opened or loaded.
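The following script is an added example, not code from the original article or from Sysinternals. It produces the view that TCPView and netstat -naob give (listening TCP ports and bound UDP endpoints mapped to their owning process) and flags any endpoint whose owning executable lives outside the Windows or Program Files directories, which is a quick first pass when looking for an unexpected listener. It assumes Windows 8 / Windows Server 2012 or later, where the NetTCPIP module provides Get-NetTCPConnection and Get-NetUDPEndpoint, and an elevated prompt so that process paths can be read.

```powershell
# Added example: list listening endpoints with owning process and flag non-standard binaries.
# Assumptions: Windows 8 / Server 2012+ (NetTCPIP module); elevated prompt for process paths.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-ListeningEndpoints {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto'; e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto'; e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in (@($tcp) + @($udp))) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # Path is $null for PID 0/4 and for protected processes even when elevated
        $path = if ($proc) { $proc.Path } else { $null }
        $trusted = $false
        if ($path) {
            foreach ($root in $TrustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                }
            }
        }
        [pscustomobject]@{
            Proto        = $ep.Proto
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            PID          = $ep.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { 'System/unknown' }
            Path         = $path
            Suspicious   = -not $trusted
        }
    }
}

Get-ListeningEndpoints |
    Sort-Object -Property @{Expression='Suspicious'; Descending=$true}, Proto, LocalPort |
    Format-Table -AutoSize
```

A path under the Windows directory does not clear an endpoint by itself: a listener owned by svchost.exe is only as trustworthy as the service hosted in that instance, so follow up on those PIDs with tasklist /svc (or Process Explorer) to see which service actually opened the port.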

System Security

This section describes some tools that can be used when analyzing a system's security, from the Windows platform to other Microsoft products such as IIS, SQL Server and others:

  • Microsoft Baseline Security Analyzer - Helps identify missing security updates and common security misconfigurations.
  • Microsoft Security Compliance Manager - Provides centralized security baseline management.
  • Enhanced Mitigation Experience Toolkit v3.0 - Applies exploit mitigations (such as DEP, ASLR and SEHOP) to selected applications so that it is more difficult for an attacker to exploit vulnerabilities in a given piece of software.
  • Attack Surface Analyzer - Takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.
  • BinScope Binary Analyzer - Analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations.
  • Windows Defender Offline - A standalone bootable tool designed to help detect malicious and other potentially unwanted software, including rootkits that try to install themselves on a PC, by scanning from outside the installed operating system.
  • Sysmon - A Sysinternals tool that installs as a system service and logs system activity such as process creation, network connections and file creation time changes to the Windows event log. Useful for system analysis and incident response.

There are many other categories of tools that could be included in this community article. We encourage you to participate by adding more content and references to security-related tools.

Security Tools for Windows Server 2012

The official page for security tools to administer Windows Server 2012 is available here. Use this section to add other tools that are applicable to Windows Server 2012.

See also

Team's Blog: http://blogs.technet.com/b/securitycontent

Other Languages

This article is also available in the following languages:

Italian (it-IT)