SAN FRANCISCO — Microsoft Corp has just released version 2.0 of its Web Application Configuration Analyzer.
A free download, the Web Application Configuration Analyzer scans IIS servers, hosted applications, and SQL Server instances for common security issues and misconfigurations.
 
Version 2.0 contains 159 rules, each of which is a specific security check that generates a Passed, Failed, or Indeterminate outcome in the resulting report. Rules are broken down into three separate categories: General Applications, IIS Applications, and SQL Applications.
The rule checks were determined by Microsoft’s Information Security and Risk Management review team, whose job it is to harden pre-production and production servers within Microsoft. These checks are now being shared with the public.
Each rule category can be expanded to reveal the underlying rule details, Microsoft says. Any rule that is not appropriate for a scan can be suppressed. Once a suppression list has been set up, it can be saved for future use. Suppressions can be changed and a report regenerated without needing to re-run the scan. IT staff can view multiple scans of the same machine or view a single machine’s scan and compare it to other machines.

The reporting section has been updated to include suppression information, showing what passed, what failed, what was not applicable, and what was suppressed.