Running the Microsoft Baseline Software Analyzer After the Server Is Configured

After the server is fully configured, run the Microsoft Baseline Software Analyzer (MBSA) to identify other patches needed or possible issues with the configuration. This helps to ensure that the new server is protected from attacks and more resistant to the viruses circulating on the Internet. Of course, the organization still needs to have a well-thought-out virus protection strategy.

The MBSA should be run after the standard patches and fixes are downloaded and installed because it takes the server "hardening" process several steps further and assesses the vulnerability of the server by also scanning for common security misconfigurations. MBSA (version 1.2.1 is the most current as of this writing (2.0 is available in Beta)) can be downloaded from http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

MBSA Version 1.2.1 can perform local or remote scans of Windows systems and runs on Windows 2000, Windows XP, and Windows Server 2003 systems. It will scan for common system misconfigurations in the following products: Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2.1 will also scan for missing security updates for the following products: Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, IE, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office.

Chapter 15, "Implementing and Validating SharePoint Security," provides additional information on the use and capabilities of MBSA.