Microsoft Windows Security Resource Kit

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool that can determine which critical updates are installed on a target computer, as well as which security updates are required. MBSA allows you to target the current computer, a remote computer, a specified list of computers, a range of IP addresses, or all computers in a designated domain. The tool will scan computers for an update status based on a downloaded XML catalog file and will report the status in output files or to the screen.

MBSA allows scanning for common security misconfiguration errors on target computers. MBSA reports only on the current status of the computer and does not provide you with any distribution functionality. Once a computer is analyzed, other tools must be used to deploy the missing service packs and updates. Otherwise, the missing service packs and updates must be manually downloaded and installed.

To run MBSA, a user must be a local administrator on the target computer. This prevents attackers from using MBSA to scan a remote computer to determine potential weaknesses.

MBSA version 1.1 scans for the latest service packs and security updates for the following products:

• Microsoft Windows NT 4.0, Windows 2000, and Windows XP

• IIS 4.0 and IIS 5.0

• SQL Server 7 and SQL Server 2000 (including Microsoft Data Engine)

• Internet Explorer 5.01 or later

• Windows Media Player 6.4 or later

• Microsoft Exchange Server 5.5 and Exchange 2000 Server (including Exchange Admin Tools)

  In addition to scanning for service pack and security updates, MBSA scans for common security-related configuration issues and stores the results of the scans in XML format files. However, MBSA does not scan for security configuration issues for Exchange Server or for Windows Media Player. For these products, the MBSA only scans for security updates.

What About HfNetChk?

In addition, Shavlik produces a full-feature version of the tool, known as HfNetChkpro, which provides a GUI interface and allows the distribution and installation of missing security updates after the initial scan. For more information on Shavlik tools for security updates, see http://www.shavlik.com.

Scanning for Updates in the GUI Mode

By default, MBSA runs in a GUI mode that allows you to define scanning options and view the results of the security scan in the MBSA window. The security update scan performed by MBSA only scans and reports on updates designated as critical security updates by the Windows Update site.

If you enable the option to use an SUS server, MBSA does not download the updates from the SUS server. Instead, MBSA will report only updates approved at the SUS server in its XML report for the target computer.

When scanning for security updates, perform the following procedure:

1. Open MBSA.

2. Choose whether to scan a single computer or multiple computers.

3. To scan for security updates only, designate your target computer or computers as shown in Figure 23-5, enable the Check For Security Updates option, and click Start Scan.

4. When the scan is complete, you can view an XML file for each computer. For each computer, the output will report any missing security updates for Windows, IIS, Windows Media Player, Exchange Server, and SQL Server, as well as give a security assessment rating for the target computer.

   Figure 23-5. Scanning for security updates with MBSA

Security scan reports are stored in the %userprofile%\SecurityScans folder at the computer where MBSA is executed. The reports are in an XML format and are best viewed in the MBSA interface.

For details on using MBSA for performing security audits, see Chapter 24, Using Security Assessment Tools.

Scanning for Updates with the Command-Line Version of MBSA

MBSA includes a command-line version executable, Mbsacli.exe, which can perform scans for security updates and service packs. Version 1.1 of the Mbsacli.exe utility can perform the same tests performed by Shavlik s HfNetChk.exe utility.

When you execute Mbsacli.exe with the /hf switch, indicating an HfNetChk -style scan, all security-related updates are included in the scan and the resulting reports. The results of the Mbsacli.exe scan are displayed in the command window, rather than in XML files.

When scanning for security updates with the Mbsacli.exe /hf command, you can use the following parameters:

• -h hostname

  Scans the computer designated by the NetBIOS computer name. If not included, the local host is scanned. Multiple computers can be scanned by separating each host name with a comma.

• -fh filename

  Scans the computer names specified in the named text file. The text file must contain one computer name per line, with a maximum of 256 names.

• -i xxx.xxx.xxx.xxx

  Scans the designated IP address. You can designate multiple IP addresses by separating each entry with a comma.

• -fip filename

  Scans the IP addresses designated in the named text file. The text file must contain one IP address per line, with a maximum of 256 IP addresses.

• -r xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

  Specifies a range of IP addresses to be scanned.

• -d domainname

  Specifies that all computer accounts in the designated domain name are to be scanned.

• -b

  Scans only for critical updates, rather than for all security updates. This parameter produces the same list of required updates as the graphical version of MBSA.

• -s 1

  Suppresses NOTE messages. NOTE messages do not include an installable executable but provide a detailed procedure that must be performed to prevent the security vulnerability associated with the update.

• -s 2

  Suppresses WARNING messages. WARNING messages do not prescribe remedies to prevent vulnerabilities. They simply state that the usage of the specific service is considered a security weakness.

• -nosum

  Specifies that the computer should not perform checksum validation for the security update files.

• -z

  Specifies that the computer should not perform registry checks.

• -v

  Displays verbose details when a security update is determined to be missing. This is useful when you receive NOTE or WARNING messages.

• -f filename

  Specifies the name of a file in which to store the results.

• -u username

  Specifies the user name to use when scanning a local or remote computer or groups of computers.

• -p password

  Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the user name switch. Note that this password is not sent over the network in cleartext. Instead, Mbsacli.exe implements NT LAN Manager (NTLM) authentication.

• -x XMLfile

  Specifies an XML data source for the security scan. If not specified, the latest version of MSSecure.xml is downloaded from the Microsoft Web site.

  For a complete listing of the parameters available when running Mbsacli.exe /hf, see 303215 Microsoft Network Security Hotfix Checker (HfNetChk.exe) Tool Is Available.