Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans of Windows systems for the purposes of categorizing the scanned system's current security configuration. The most recent release of MBSA, version 1.1.1 (as of this writing), can be installed and run on Windows 2000 Server and Professional systems as well as Windows XP Home Edition, Windows XP Professional, and Windows Server 2003.

MBSA cannot be installed on Windows NT 4.0 Server and Windows NT 4.0 Workstation, but those systems can be scanned over the network from another system. MBSA cannot be installed or run locally on Windows 95, 98, or Me systems; these systems cannot be scanned remotely from another host with MBSA installed, either.

With MBSA, you can scan systems for security configuration shortcomings within the operating system and scan additional services, such as Internet Information Services (IIS) 4.0 and 5.0, Internet Explorer versions 5.01 and higher, Microsoft SQL Server 7.0 and 2000, and Microsoft Office 2000 and Office XP. MBSA 1.1.1 also scans for missing security updates for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, along with updates missing from IIS 4.0 and 5.0, Internet Explorer 5.01 and higher, SQL Server 7.0 and 2000, Exchange 5.5 and 2000, and Windows Media Player 6.4 and higher.

Currently, MBSA is not localized for languages other than English. You can download it from http://download.microsoft.com/download/8/e/e/8ee73487-4d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi and begin installing the tool by running the associated MSI file. After starting the installation, you are prompted to enter user information for this installation and indicate whether MBSA is to be installed for only your use or for anyone who uses the system, as shown in Figure 7.5.

Figure 7.5. The User Information dialog box for MBSA installation.


Note

The account used to scan the system should have administrative access to that system. You can start MBSA by logging into an account that has local or Domain Administrator rights to the system or by using the RUNAS command to start MBSA with the appropriate user rights. Remote scans of other systems require the credentials for administrative access to the system.

If you need to start the tool from the command line using RUNAS, change to the folder where the program is installed and enter the following, where <SYSTEM> is the computer name (for a local account) or the domain name (for a domain account):

 <DRIVELETTER>:\Program Files\Microsoft Baseline Security Analyzer> RUNAS /user:<SYSTEM>\<USERNAME> mbsa.exe

At the secondary prompt, Enter password for <SYSTEM>\<USERNAME>:, supply the password for that administrator account.


After installing MBSA, you can choose to scan a single computer or more than one computer. For local scans to be successful, the Workstation service and the Server service must be installed and running on the system being scanned. To scan a remote machine, the scanning system must be running Windows Server 2003, Windows 2000, or Windows XP with Internet Explorer (IE) 5.01 or later or an XML parser, such as MSXML version 3.0 SP2 or later.

MBSA can perform remote scans of systems running Windows NT 4.0 SP4 and above, Windows 2000, Windows XP, or Windows Server 2003. To perform remote scans of Windows XP systems, simple file sharing must be disabled. For remote scans to be successful on these systems, the Server service, Remote Registry service, and File and Print Sharing services must be enabled and running.

For a client system to be set up to perform remote scans on other clients, it must be running Windows Server 2003, Windows 2000, or Windows XP. The system must also have IE 5.01 or later or MSXML version 3.0 SP2 or later. Additionally, the IIS Common Files are required if IIS systems are being remotely scanned. Also, the Workstation service and Client for Microsoft Networks must be installed and running.

When you decide to scan a number of systems at once, you need to supply their domain names or IP address ranges, as shown in Figure 7.6.

Figure 7.6. The Pick Multiple Computers to Scan window.


After entering location information for the systems, you can outline which parameters you want the analyzer to scan for. By default, all the following options are enabled:

  • Check for Windows Vulnerabilities

  • Check for Weak Passwords

  • Check for IIS Vulnerabilities

  • Check for SQL Vulnerabilities

  • Check for Security Updates

The Windows vulnerabilities check scans for known security weaknesses in the Windows operating system configuration, such as whether the Guest account is enabled and whether any local volume uses FAT or FAT32 rather than NTFS (a FAT volume carries no file-level permissions). It also enumerates all file shares on the system and lists the members of the local Administrators group, flagging the group when it has more than two members. After the scan is finished, the output file provides instructions on best practices and workarounds for any problems found.
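The four checks just described, re-implemented for a local system as an added PowerShell example. This is not MBSA's own code and is not from the original page; it assumes a current Windows release that ships the Microsoft.PowerShell.LocalAccounts and SmbShare modules (which did not exist on the Windows 2000, XP, and Server 2003 systems MBSA 1.1.1 targets), an elevated session, and an English locale for the "Everyone" account name. The function name Get-WindowsBaselineFindings, the severity labels, and the "Everyone on a share" rule are this example's own; the "more than two administrators" threshold mirrors the MBSA rule described above.

```powershell
# Added example, not MBSA code: local re-implementation of MBSA's
# "Windows vulnerabilities" checks (Guest account, file system,
# file shares, Administrators group). Run from an elevated prompt.
function Get-WindowsBaselineFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Result, [string]$Severity) {
        $findings.Add([pscustomobject]@{ Check = $Check; Result = $Result; Severity = $Severity })
    }

    # 1. Guest account. Locate it by its well-known RID (501) rather than by
    #    name, so a renamed Guest account is still found.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if ($guest -and $guest.Enabled) {
        Add-Finding 'Guest account' "Enabled (account name '$($guest.Name)')" 'High'
    } else {
        Add-Finding 'Guest account' 'Disabled' 'OK'
    }

    # 2. File system. Fixed disks (DriveType 3) that are not NTFS or ReFS
    #    cannot hold ACLs, which is why MBSA flags FAT and FAT32 volumes.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        $sev = if ($_.FileSystem -in 'NTFS', 'ReFS') { 'OK' } else { 'High' }
        Add-Finding "File system $($_.DeviceID)" $_.FileSystem $sev
    }

    # 3. File shares. Enumerate every non-administrative share (Special = $false
    #    excludes C$, ADMIN$, IPC$) and report share permissions granted to
    #    Everyone. The 'Everyone' account name is an English-locale assumption.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $everyone = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone) {
            Add-Finding "Share $($share.Name)" "$($share.Path); Everyone: $($everyone.AccessRight -join ',')" 'Medium'
        } else {
            Add-Finding "Share $($share.Name)" "$($share.Path); no Everyone access" 'Info'
        }
    }

    # 4. Administrators group. Resolve it by well-known SID (S-1-5-32-544),
    #    list the members, and flag more than two, as MBSA does.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    $sev = if ($admins.Count -gt 2) { 'Medium' } else { 'OK' }
    Add-Finding 'Administrators group' ("$($admins.Count) member(s): " + ($admins.Name -join ', ')) $sev

    return $findings
}

Get-WindowsBaselineFindings | Format-Table -AutoSize
```

Running the script beside an MBSA report on the same machine is a quick way to see what each MBSA line item is actually inspecting; the share check goes slightly further than MBSA by reading the share ACL instead of only listing the share.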

The weak passwords check scans each local user account for a blank password and for a short list of easily guessed values, such as the user name itself or "password"; in effect, it attempts logons with those values. The check can take considerable time, depending on the number of accounts being scanned and the overall load on the system hardware, and if logon auditing is enabled it writes failed-logon entries to the Security event log. Because it works by attempting logons, confirm the account lockout policy before running it against production systems. Windows and SQL Server account password checks are not performed if the weak passwords option is not selected.

The IIS vulnerability check is normally performed on systems running IIS 4.0, 5.0, and 5.1 (on Windows XP) as well as IIS 6.0 on Windows Server 2003. MBSA also checks whether the IIS Lockdown tool has been run on the scanned system. The output file provides instructions on best practices and workarounds for any problems found with the current IIS installation.

The SQL Server vulnerability check is normally performed on systems running SQL Server 7.0 and 2000 to root out possible security issues, such as which authentication mode the server uses: Windows Authentication only, or mixed mode, in which SQL Server logins are also accepted. The scan also checks whether the sa (system administrator) login has a blank or weak password, and it reviews the group memberships of the SQL Server service accounts, for example whether they belong to the local Administrators group. The output file outlines details of the SQL Server vulnerability checks and supplies instructions on best practices and workarounds for any problems.

The security updates check performed on the designated systems uses a version of the HFNetChk tool to detect any missing security updates. HFNetChk is available from the command line by running mbsacli.exe /hf.

Notes from the Field

HFNetChk uses an XML database that Microsoft continually updates when new security hotfixes are released. When a hotfix or other update, such as a Security Rollup Package, is released, Microsoft makes that new fix available for download from the Microsoft download site and updates the XML database to include it. The up-to-date XML database is automatically downloaded to the scanning system (unless you specify that HFNetChk not attempt an update to the file) to check the security update status on the machines being scanned. The database is distributed as a digitally signed cabinet file (mssecure.cab), and MBSA verifies the signature before extracting the XML, so the scanner cannot be fed a doctored patch list over the network.

The XML database, Mssecure.xml, is downloaded to the same folder as the MBSA executable, and subsequent updates are placed in that same folder. If any security updates in the XML database are not installed on the scanned machine, MBSA flags these updates in the security report and supplies links to downloads for the fixes, as shown in Figure 7.7.

Figure 7.7. Missing security updates flagged in the output of an MBSA scan.



MBSA also offers an option to use Software Update Services (SUS) for checking systems against a list of approved updates from the local SUS server. (SUS is discussed in more depth in the next section.) If you select this option (shown previously in Figure 7.6), MBSA looks for missing security updates in a list of approved updates on the SUS server rather than the full list of available security updates in the Mssecure.xml file. All security updates marked as approved by the SUS Administrator, including updates that have been superseded, are scanned and reported by the MBSA tool.



MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
Year: 2004