How To: Use Microsoft Web Application Configuration Analyzer v1.0

Syed Aslam Basha here from the Information Security Tools team.

The current version, WACA v1.0 CTP, analyzes application configuration for security best practices related to General Application, IIS, ASP.NET Application and SQL Server settings. A machine can be scanned remotely to identify any misconfigurations. WACA provides a detailed report on multiple instances of checks for further analysis. Violations in the report can be exported to Excel or Visual Studio Team Foundation Server (TFS).


  • Click Start -> All Programs -> Microsoft Information Security -> Web Application Configuration Analyzer v1.0.
  • Once WACA has launched, click the Scan a machine link under Quick actions, choose File -> Scan a machine, or press Ctrl + M.
  • Enter the machine name. By default the host machine name is loaded; if the field is left empty, the local machine is scanned. You can also enter a remote machine name, provided you have appropriate access on that machine to scan it.
  • Enter the SQL instance name. By default it is empty and the sqlexpress instance is scanned.
  • Select the required Rule Category. WACA has 109 rules in total: 33 General application rules, 63 IIS application rules and 13 SQL application rules. Expand the rules to see the details.
  • Click the Scan button.
  • After the scan completes, click the View report button.
  • Click Export to Excel to export the report to Excel. You can save and share the report.
  • Click the Save button to save the report.
  • Click the Export to TFS button to export violations as bugs in TFS. Select the violations and click Export.
  • Before exporting, set the TFS field mappings and save them. Click Options -> Map team foundation server fields.

-Syed Aslam Basha

Microsoft Information Security Tools (IST) Team

Test Lead


Please leave a comment if the blog post has helped you.