Improving Web Application Security: Threats and Countermeasures

The following information will help you troubleshoot scanning errors and explain inconsistencies between scans.

False Positives From Security Update Checks

There may be cases where MBSA reports that an update is not installed even after you have applied the update or taken the steps documented in a security bulletin. There are two reasons for these false reports:

  1. The scanned files were updated by an installation that is unrelated to a security bulletin. For example, a file shared by different versions of the same program may be replaced by the newer version. MBSA is unaware of the newer version and, because the file is not the one it expects, reports the update as missing.

  2. Some security bulletins are addressed not by a file update but by a configuration change that MBSA cannot verify. These items appear as Note or Warning messages, marked with yellow Xs.

Record both kinds of result so that you can disregard them in future scans, but only after you have confirmed that each one really is a false positive; a genuinely missing update must never be suppressed this way.
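The two false-positive kinds above lend themselves to a small triage step: classify each reported item, record the ones that match either pattern, and suppress exactly those on the next scan. The following Python script is an added example of that workflow; it is not MBSA's own code and does not parse MBSA's real report format. The report fields, bulletin names, file names and version numbers are constructed for the example.

```python
# Added example: triage MBSA-style security-update findings and carry known
# false positives forward as a suppression list. Not MBSA code; the report
# structure and all sample values below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted file version such as '5.1.2600.2180' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Finding:
    bulletin: str             # bulletin identifier as printed in the report
    target: str               # file the bulletin updates, or the config item it changes
    expected: Optional[str]   # file version the bulletin ships; None for config-only bulletins
    installed: Optional[str]  # file version found on the scanned machine; None if absent


def classify(finding: Finding) -> str:
    """Map one finding to a triage bucket.

    'newer-than-expected' is reason 1 in the text (the file was replaced by an
    unrelated, newer install); 'unverifiable-config' is reason 2 (a bulletin whose
    fix is a configuration change, reported as a Note or Warning).
    """
    if finding.expected is None:
        return "unverifiable-config"
    if finding.installed is None:
        return "missing"
    installed, expected = parse_version(finding.installed), parse_version(finding.expected)
    if installed < expected:
        return "missing"
    if installed == expected:
        return "installed"
    return "newer-than-expected"


def triage(findings: List[Finding], suppressed: Set[Tuple[str, str]]) -> Dict[str, List[Finding]]:
    """Group findings by bucket, dropping any already recorded as known false positives."""
    buckets: Dict[str, List[Finding]] = {}
    for finding in findings:
        if (finding.bulletin, finding.target) in suppressed:
            continue
        buckets.setdefault(classify(finding), []).append(finding)
    return buckets


def suppressions_for(buckets: Dict[str, List[Finding]]) -> Set[Tuple[str, str]]:
    """Keys to carry forward so both false-positive kinds are ignored on the next scan.

    Only the two buckets the text describes are suppressed; a genuine 'missing'
    result is never added to the list.
    """
    keys: Set[Tuple[str, str]] = set()
    for bucket in ("newer-than-expected", "unverifiable-config"):
        keys.update((f.bulletin, f.target) for f in buckets.get(bucket, []))
    return keys


# Constructed sample report: bulletin IDs, files and versions are made up.
SAMPLE_REPORT = [
    Finding("BULLETIN-A", "shared.dll", "5.1.2600.1106", "5.1.2600.2180"),  # newer than expected
    Finding("BULLETIN-B", "svc.exe", "6.0.2800.1400", None),                 # genuinely missing
    Finding("BULLETIN-C", "registry setting", None, None),                   # config-only bulletin
    Finding("BULLETIN-D", "core.dll", "5.1.2600.1000", "5.1.2600.1000"),     # installed
]

if __name__ == "__main__":
    first_scan = triage(SAMPLE_REPORT, set())
    carry_forward = suppressions_for(first_scan)
    second_scan = triage(SAMPLE_REPORT, carry_forward)
    for bucket, items in sorted(second_scan.items()):
        print(bucket, [f.bulletin for f in items])
```

On the first pass the script reports BULLETIN-A as newer than expected and BULLETIN-C as an unverifiable configuration change; after those two keys are carried forward, a second pass over the same report leaves only the genuinely missing BULLETIN-B and the installed BULLETIN-D.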

Requirements for Performing Remote Scans

MBSA uses the following network services to scan a computer:

If any of these services are unavailable, or the administrative shares (for example, C$) are not accessible, the scan will report errors.

Password Scans

The password check performed by MBSA can take a long time, depending on the number of user accounts on the machine. The check enumerates every user account and makes several password-change attempts using common weak choices, such as a password that is the same as the user name. Because a domain controller holds every account in the domain, you may want to disable this check before scanning domain controllers on your network. For details on the MBSA password check, see the topic "Local Accounts Passwords" in the MBSA whitepaper on TechNet at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsawp.asp.

Differences Between Mbsa.exe and Mbsacli.exe

It is important to know the differences between the default options of the two MBSA clients: the GUI tool, Mbsa.exe, and the command-line tool, Mbsacli.exe. The examples shown previously in this How To take these defaults into account.

The MBSA GUI passes /nosum, /v, and /baseline by default. The details for those options are:

/nosum

Security update checks will not test file checksums.

/v

Displays security update reason codes.

/baseline

Checks only for baseline security updates.

The MBSA command line passes none of these options and runs a default scan. Run without them, Mbsacli.exe therefore checks file checksums, omits the reason codes, and scans for all security updates rather than only the baseline set, so its results will not match the GUI's unless you supply the three options yourself.
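Putting the three previous sections together, the following Python script is an added example, not part of the original How To and not MBSA's own code: it makes the command-line tool pass the GUI's three defaults explicitly so that both clients produce comparable results, skips the password check when the target is a domain controller, and refuses to launch a remote scan whose C$ administrative share is not reachable. /nosum, /v and /baseline are the options named above; the /c computer and /n Password switches are assumed from the MBSA 1.x command-line help and do not appear on this page, so confirm them against mbsacli.exe /? for the version you run.

```python
# Added example: wrap mbsacli.exe so its scans match the MBSA GUI's defaults.
# Not MBSA's own code. /nosum, /v and /baseline are the defaults documented on
# the page; /c and /n Password are ASSUMED from the MBSA 1.x command-line help.
import os
import subprocess
from typing import List, Optional

# The three options the GUI passes by default (from the text above).
GUI_DEFAULT_OPTIONS = ["/nosum", "/v", "/baseline"]


def build_mbsacli_args(computer: str, match_gui_defaults: bool = True,
                       skip_password_check: bool = False,
                       exe: str = "mbsacli.exe") -> List[str]:
    """Return the argument list for scanning one computer (DOMAIN\\NAME or NAME)."""
    args = [exe, "/c", computer]            # /c <computer>: assumed single-target switch
    if match_gui_defaults:
        # Without these, the command line checks checksums, omits reason codes
        # and scans all updates, so its results differ from the GUI's.
        args += GUI_DEFAULT_OPTIONS
    if skip_password_check:
        # The password check probes every account; skip it on domain controllers.
        args += ["/n", "Password"]          # /n Password: assumed skip-check switch
    return args


def admin_share_reachable(computer: str) -> bool:
    """Pre-flight for remote scans: probe the C$ administrative share over UNC.

    os.path.isdir on a UNC path succeeds only when the share can be opened with
    the caller's credentials, which is the access a remote MBSA scan also needs.
    """
    host = computer.split("\\")[-1]         # drop a leading DOMAIN\ if present
    return os.path.isdir("\\\\" + host + "\\C$")


def scan(computer: str, is_domain_controller: bool = False) -> Optional[subprocess.CompletedProcess]:
    """Run one scan, or return None when C$ is unreachable (the scan would only error)."""
    if not admin_share_reachable(computer):
        return None
    args = build_mbsacli_args(computer, skip_password_check=is_domain_controller)
    return subprocess.run(args, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result = scan(target, is_domain_controller="--dc" in sys.argv)
    if result is None:
        print(f"{target}: C$ administrative share not reachable; fix that before scanning")
    else:
        print(result.stdout)
```

Because the GUI's defaults are spelled out in one list, a team that runs both clients can diff their reports without first wondering which option set produced each one; the pre-flight check turns the "errors will result during the scan" case from the previous section into an explicit message before any scan is launched.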
