Microsoft Free Security Tools – Microsoft Baseline Security Analyzer

This article in our series on Microsoft’s free security tools is focused on a tool called the Microsoft Baseline Security Analyzer (MBSA).  Many years ago before Windows Update was available, servicing software was much more painful than it is today.  Microsoft released security updates weekly, and there were few deployment technologies available to help determine which systems needed which updates.  I wrote an article on this topic if you are interested in a walk down memory lane.  For those IT administrators that lived through those days, the MBSA was a godsend.  Today, 10 years later, the MBSA is still a free security tool that many, many IT Professionals use to help manage the security of their environments. 

The MBSA is an easy-to-use tool designed for IT professionals and helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. It is a standalone security and vulnerability scanner designed to provide a streamlined method for identifying common security misconfigurations and missing security updates. MBSA is used by many leading third-party security vendors and security auditors and, on average, scans over 3 million computers each week. 

  Microsoft Baseline Security Analyzer (MBSA)

The MBSA provides built-in checks to determine if Windows administrative vulnerabilities are present, if weak passwords are being used on Windows accounts, the presence of known IIS and SQL administrative vulnerabilities, and which security updates are required on each individual system.  The MBSA provides dynamic assessment of missing security updates.  The MBSA can scan one or more computers by domain, IP address range or other grouping.  Once complete, the MBSA provides a detailed report and instructions on how to help turn your system into a more secure working environment. The MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.

To use the MBSA tool, users will need either Windows Server 2008 R2, Windows 7, Server 2003, Server 2008, Vista, XP or Windows 2000 and will need administrator privileges sufficient to scan the target computers.

After installing MBSA and running the tool, users are taken to the screen seen below which provides quick access to three different sides of the application.  Users can scan a computer using its name or IP address, scan multiple computers within a domain name or a range of IP addresses, or view existing security scan reports.  There are even more options available through the command-line interface to support scripting and fine-tuned control over MBSA’s scanning and reporting features.

From the MBSA scan menu, users have the option to select some or all of the following, which are all checked by default:
• Windows administrative vulnerabilities: the MBSA checks for Windows account-related issues, such as an open Guest account or too many administrative accounts. It also looks at the number of file shares and the PC’s file system to make sure you’re using NTFS instead of FAT for better security.

  • Weak passwords: the MBSA looks for blank or weak passwords throughout all Windows accounts.
  • IIS administrative vulnerabilities: for machines running IIS 5.0 or 6.0, MBSA scans to make sure all the necessary default security options and hotfixes have been run. The tool does not support IIS 7.
  • SQL Server administrative vulnerabilities: the MBSA scans for any versions of SQL Server or Microsoft Data Engine (MSDE) on the machine, looking at the authentication mode to see if you’re using Windows authentication or Mixed Mode (Windows and SQL authentication). It also checks the status of the system administrator account password.
  • Security updates: the MBSA checks the status of all updates with security implications – which include security updates, service packs and update rollups to determine if any are missing. If you’re unsure whether your target computer is correctly configured to check for Microsoft Updates, you can use the option to automatically install and configure the Microsoft Update service on a client.  The MBSA scans Windows and all Microsoft applications installed on the target computers to determine if there are risks from missing security updates. You can tell the MBSA whether to use the Microsoft Update live service, a Windows Server Update Services (WSUS) server or an offline catalog as the source for missing security updates.

The MBSA also provides an expanded list of options beyond what is available via the graphic interface via the command-line interface.  These options can be accessed by opening a command-prompt in the MBSA installation directory and running MBSACLI.exe /?.  The additional features are especially helpful when scripting, performing MBSA scans on specific PCs during login, or managing security scans across a large number of PCs.

  • Create an explicit list of machines to scan (using /listfile)
  • Choose the location of the offline catalog to use (using /cabpath)
  • Direct completed scan reports to a specific network share or directory (using /rd)
  • Use a ‘compact’ version of MBSA on local computers without the need to install the entire MBSA package (using /xmlout)

After you select the appropriate options and computers, you then trigger the scan, which typically takes several minutes to run. By default, the MBSA will automatically attempt to reach Microsoft Update for the latest catalog.  The MBSA will augment the scan using any updates approved by the WSUS admin in managed environments.  In situations where there is no Internet connectivity and no WSUS server, the MBSA will use the offline (WSUSSCN2.CAB) catalog to perform a security scan. Once the scan has completed, the MBSA will generate a full on-screen report, displaying the results of the scan item by item.

A completed scan report groups its findings into categories matching the options in the scan menu, such as administrative vulnerabilities, SQL Server status and security updates.  This is helpful in quickly resolving any issues discovered.  The top of the report indicates which of three data sources were used, including Microsoft Update (the live service), Windows Server Update Services (a managing WSUS server) or Microsoft Update offline (when no other data source was available).  It will also display the actual WSUS server used (if appropriate) and the date of the offline catalog.  If an MBSA scan report is older than 7 days, the report will also indicate that a new scan should be performed to ensure an up-to-date security assessment.

If you are looking for a free security tool that provides a streamlined method to identify missing security updates and common security misconfigurations then I recommend using the Microsoft Baseline Security Analyzer.  For more information please check out these additional resources:

Tim Rains
Director
Trustworthy Computing

 

 

 

 

 

 

 

 

 

 

About the Author
Tim Rains

Director, Cybersecurity & Cloud Strategy

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »