Windows security tools

Which tools do you use for security auditing of windows servers (by which I mean checking the configuration aligns with best practice and is free from administrative/configuration based vulnerabilities). Microsoft baseline security analyser seems to of been retjred and not supported on newer OS. So gauging what tools / scripts etc are common in 2018 would be interesting. I would have thought powershell scripts could replace what MBSA used to check for but couldnt find much out there.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
using Nessus for CIS compliance check .

More important is the patch level implemented and any End of Life status

alternative is to use new "security compliance manager (SCM)" i.e. Security Compliance Toolkit for policy analysis

Or DSC Environment Analyzer (DSCEA), a PowerShell module that uses the declarative nature of Desired State Configuration to scan systems in an environment against a defined reference. It  can provide reports on overall compliance and details on any DSC resource found to be non-compliant.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You could look at tools like OpenVAS.
pma111Author Commented:
Does openvas run on windows?
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

No it doesn't, but at least it is free.
pma111Author Commented:
Will check it out,thanks.
btanExec ConsultantCommented:
Dont think so but it maybe done indirectly.

For info, close to OpenVAS is Greenbone Security Manager for professional users, as GCE (Community ver) for users in SOHO environments, and as source packages, which are embedded into various Linux distributions as OpenVAS. The differences between these versions and the related Security Feed.
The Greenbone Security Manager Community Edition (GSM CE) is a derivative of the GSM ONE for evaluation purposes. The GSM CE may be deployed using VirtualBox on Microsoft Windows, MacOS and Linux systems.

In contrast to the commercial version the GSM CE uses the OpenVAS Community Feed instead of the Greenbone Security Feed. While the commercial versions support seamless updates of the operating systems new versions of the GSM CE are provided as ISO images requiring a new full installation. Further differences between the other GSM models and the GSM CE are explained on

But it can scan target Windows machine still
pma111Author Commented:
Are there costs associated with DSCEA and DCA? Such as the baselines themselves?
btanExec ConsultantCommented:
Nope if you are already having the Windows build licences. DSC was introduced in Windows Server 2012 R2, it is available for down-level operating systems via the Windows Management Framework (WMF) package. You should talk to your IT support team too.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.