Looking for a good Security Audit for SMBs

We are looking for a good Security Audit to run for SMBs (5-60 user environments), covering both non-server and server environments.

Windows XP, Windows 7, Server 2k3, Server 2k8, SBS 2k3, SBS 2k8

Blue Street Tech (Last Knight) Asked:

Acunetix is great, as well as Nessus.


madunix (Fadi SODAH), Chief Information Security Officer, Commented:
I use open-source tools and my own scripts (Perl/Python). Maybe you could use BackTrack, a nice distro with a lot of security tools. Besides that, check out:
1. Nessus (Linux if you can) http://www.nessus.org/nessus/
2. Nikto (Linux) http://www.cirt.net/nikto2
3. Paros proxy (Linux if you can) http://www.parosproxy.org/index.shtml
4. Ike-scan (Linux) http://www.nta-monitor.com/tools/ike-scan/
5. SARA (Security Auditor's Research Assistant) (Linux) http://www-arc.com/sara/
6. MBSA (debatable) http://technet.microsoft.com/en-us/security/cc184923.aspx
7. BackTrack http://www.linux-magazine.com/w3/issue/77/BackTrack.pdf
8. skipfish http://code.google.com/p/skipfish/
9. AppScan http://www-01.ibm.com/software/awdtools/appscan/
10. McAfee free tools http://www.mcafee.com/us/downloads/free-tools/index.aspx

Blue Street Tech (Last Knight) Author Commented:
Thank you for your responses. I am looking for something simple to use, with no programming, to provide a basic security audit. For a few particular clients it would be nice to do a HIPAA security audit as well.

Acunetix would be perfect; it also does PCI (Payment Card Industry) checks as well.
Blue Street Tech (Last Knight) Author Commented:
@remixedcat: maybe I have misread, but Acunetix is primarily used for web security. I am looking for LAN and PC security: something that you can plug into a network to test its overall security and view a report for remediation. To be clear, I am not looking for firewall penetration testing either.
OK. When you said servers I figured you'd need that as well.
Blue Street Tech (Last Knight) Author Commented:
Aaa. I'm sorry, I should have been more precise! My bad.
An IT security audit covers the following areas:

1. A substantial LAN/Network security audit
2. A detailed firewall audit
3. A complete security checklist, covering everything from firewalls to data access.
4. Specific security questionnaires covering: virus management, network routers, contingency, system access, dial-in access and much more.

To manage all this I recommend using BackTrack. BackTrack is basically a penetration testing tool. Since you don't want to get into the details of password policy, patch management, antivirus, access control etc., you can simply check the risk level of each desktop, server, router, firewall etc.

BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk is also an option.
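A basic, read-only baseline check of a single Windows host across the audit areas listed above (patching, antivirus, host firewall, system access), written here as an added PowerShell example and not taken from anything in this thread. The 30-day patch threshold, the finding categories and the CSV file name are my assumptions; it targets PowerShell 2.0 and later (Windows 7 / Server 2008 R2), so the XP/2003 hosts in the question need the namespace and netsh adjustments noted in the comments.

```powershell
# Added example, not from the thread: a read-only baseline audit of one Windows host
# covering the checklist areas above (patching, antivirus, firewall, system access).
# Targets PowerShell 2.0+ (Windows 7 / Server 2008 R2); run from an elevated prompt.
function New-Finding($Area, $Status, $Detail) {
    New-Object PSObject -Property @{ Area = $Area; Status = $Status; Detail = $Detail }
}

function Invoke-BasicAudit {
    $findings = @()

    # Patch management: how old is the most recently installed hotfix? (30-day threshold assumed)
    $os = Get-WmiObject Win32_OperatingSystem
    $latest = Get-WmiObject Win32_QuickFixEngineering |
        ForEach-Object { try { [datetime]$_.InstalledOn } catch { } } |
        Sort-Object -Descending | Select-Object -First 1
    $ageDays = if ($latest) { (New-TimeSpan $latest (Get-Date)).Days } else { 9999 }
    $findings += New-Finding 'Patching' $(if ($ageDays -gt 30) { 'FAIL' } else { 'PASS' }) `
        ("{0}; last hotfix installed {1} days ago" -f $os.Caption, $ageDays)

    # Virus management: AV products registered with Security Center (Vista+ namespace;
    # Windows XP uses root\SecurityCenter instead).
    $av = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue)
    $findings += New-Finding 'Antivirus' $(if ($av.Count) { 'PASS' } else { 'FAIL' }) `
        (($av | ForEach-Object { $_.displayName }) -join ', ')

    # Host firewall: any profile reporting State OFF is a finding (Vista+; XP uses 'netsh firewall show state').
    $off = @(netsh advfirewall show allprofiles state 2>$null | Select-String 'OFF').Count
    $findings += New-Finding 'Firewall' $(if ($off) { 'FAIL' } else { 'PASS' }) "$off profile(s) off"

    # System access: enabled local accounts with no password required, plus the local admins list.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        if (-not $_.Disabled -and -not $_.PasswordRequired) {
            $findings += New-Finding 'Accounts' 'FAIL' "$($_.Name) is enabled with no password required"
        }
    }
    $admins = net localgroup administrators | Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
    $findings += New-Finding 'Admins' 'INFO' ("Local administrators: " + ($admins -join ', '))

    # Autologon keeps the logon password in the registry in clear text; flag it.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings += New-Finding 'Autologon' $(if ($wl.AutoAdminLogon -eq '1') { 'FAIL' } else { 'PASS' }) `
        "AutoAdminLogon=$($wl.AutoAdminLogon)"

    $findings
}

# One CSV per host; import the files from all hosts into a single remediation report.
Invoke-BasicAudit | Export-Csv -NoTypeInformation "$env:COMPUTERNAME-audit.csv"
```

Each FAIL row maps directly to one of the checklist items above, so the merged CSV doubles as the remediation list the question asks for.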


Blue Street Tech (Last Knight) Author Commented:
@expert_tanmay: thanks for your response, but it looks like this product is for Linux, and I specifically stated the OS that I need covered in my question. Do you have a recommendation for those? Thanks!
madunix (Fadi SODAH), Chief Information Security Officer, Commented:
Look at Nessus; NeXpose; Qualys Guard; Retina Network Security Scanner; Saintbox; Shadow Security Scanner; Automated Scanning; FS 1000; Internet Scanner; LANguard


As I said, I use open-source tools and my own scripts (Perl/Python) besides BackTrack (a nice distro with a lot of security tools) http://www.remote-exploit.org/backtrack.html
Hi diverseit,
Please understand that penetration testing is not necessarily done only on Linux machines. Penetration tests are done to get insight into the various vulnerabilities in any kind of network. They indicate how sturdy your systems' security is, so that you can take preventive measures where required.

Yes, the BackTrack software is built on Linux, but you are not required to install it anywhere. You only need to create a live CD or thumb drive and run it from there.

Blue Street Tech (Last Knight) Author Commented:
Thanks for the insight expert_tanmay!
I've requested that this question be closed as follows:

Accepted answer: 168 points for expert_tanmay's comment http:/Q_26945759.html#35421188
Assisted answer: 166 points for expert_tanmay's comment http:/Q_26945759.html#35414671
Assisted answer: 166 points for madunix's comment http:/Q_26945759.html#35418857

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Blue Street Tech (Last Knight) Author Commented:
Sorry I let this one slip by.
Blue Street Tech (Last Knight) Author Commented:
I completely forgot about this question.
Blue Street Tech (Last Knight) Author Commented:
@ALL: Thanks for your patience, and my sincere apologies again. I know all too well how frustrating it is to give solutions and not hear from the person asking the question. (gulp) Again, sorry. :)