MBSA Introduction

Microsoft Baseline Security Analyzer (MBSA) is a free tool that lets systems administrators evaluate common Microsoft security vulnerabilities, including missing security updates. Microsoft released MBSA a couple of years ago as part of its Windows Strategic Technology Protection Program (STPP). A number of iterations of the tool have improved its functionality over the years, and Microsoft has also released a package of sample scripts for MBSA to help administrators overcome some of the MBSA tool's limitations, for example, in the areas of report aggregation and batch scanning. These improvements have helped establish MBSA as a useful tool for your toolkit-especially if budget is an issue.

When you run a scan using the GUI version of MBSA (MBSA.exe), you see results such as those in Web Figure A that show each scanned system and an assessment. The GUI provides a quick and useful way to see the results of one scan. After you use MBSA.exe or the command-line version of MBSA (mbsacli.exe) to run a scan, the results are stored as an XML file in the %userprofile%/securityscans folder (e.g., C:documents and settingsadministrator.securitysecurityscans). You can also use the GUI to see other scans you've run by clicking the Click here to see all security reports link, which shows the contents of the SecurityScans directory. Depending on the frequency of your scanning and the number of systems that you scan, you'll soon find this listing overwhelming and not ideal for quickly assessing the state of a security update or vulnerability check for many computers across your organization. Also, if multiple people are performing scans (even from the same computer), the results will be in a separate folder for each user. To review the results of another user's scan, you'll need to collect the scan results and copy them to your SecurityScans profile. You can use the Mbsacli command to automate regular scanning and data collection.

MBSA doesn't deploy patches, so don't think of it as your only patch-management tool. Its patch-scanning engine was developed by Shavlik, which sells a tool-HFNetChkPro-that does deploy patches. Also, MBSA's scan for vulnerabilities isn't nearly as comprehensive as some commercial or open-source vulnerability scanners. (For a review of several of these tools, see "Vulnerability Scanners," October 2004, InstantDoc ID 43888.) However, when you use MBSA together with another Microsoft patch deployment technology-such as Software Update Services (SUS) or its successor, Windows Update Services (WUS)-it provides a good cross-check of your systems' compliance with Microsoft's security recommendations.

MBSA reports on basic security vulnerabilities and missing patches using either MBSA.exe or Mbsacli. MBSA checks nearly 100 configuration settings such as basic passwords, whether the guest account is enabled, and Microsoft Internet Explorer (IE) and Microsoft Outlook zone settings; lists a system's administrators and possibly unnecessary services such as Telnet and Microsoft IIS; and checks for many other configuration problems involving Windows, Microsoft Office, SQL Server, Microsoft IIS, Microsoft Data Access Components (MDAC), and other Microsoft products. The most recent version of MBSA-1.2.1-supports Windows XP Service Pack 2 (SP2) features such as scanning for Windows Firewall installations.