Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?


Ed Tittel, Contributor
08.20.2008


The Microsoft Baseline Security Analyzer (MBSA) has been around since the introduction of Windows 2000, yet it remains a free, capable and underutilised tool in many Windows environments. MBSA has always been useful for scanning Windows environments for the presence or absence of security updates, and the latest version -- published in October 2007 and most recently updated in May 2008 -- adds support for Windows Vista and Windows Server 2008. MBSA 2.1, the most current version, is available from Microsoft (see the resources below for pointers and links).

The latest version of MBSA also features an updated, more user-friendly interface than previous versions. It uses more everyday language in its listing, and the analyser is now better organised and easier to follow. The format blends in with the overall look and feel of Windows Security Center utilities in Vista or Server 2008, as the following screenshot shows:

[IMAGE]

Figure 1: Report details from MBSA on a Vista desktop

Working with MBSA
You can download and install the GUI version of MBSA on any individual PC (mbsa2mux86.exe for 32-bit Vista, and mbsa2mux64.exe for 64-bit Vista). After the installation, a report will be generated for the given machine, as shown in the preceding screenshot. A command-line version of the program, Mbsacli.exe, will also be installed in the same directory: C:\Program Files\Microsoft Baseline Security Analyzer by default.

Although MBSA works fine on a per-PC or workgroup basis, it's been architected to work on networks of all sizes, including enterprise-scale networks. To take advantage of these capabilities, use the command-line version of MBSA with scripts that cycle through IP address ranges. The analyser deposits all of its reports into the machine's MBSA directory. For subsequent analysis and remediation, however, you can also specify a shared folder on your network for the console output. Microsoft has even put a useful set of sample scripts together to aid this pursuit (see Table 1, where you'll also find a how-to that describes MBSA command-line operation in detail).

The next screenshot shows a sample scan based on IP address value. Here's an example of a simple command to generate reports for a given set of machines: those in the private IP Class C network 192.168.1.x, for nodes numbered 2 through 5 (which just happens to match my local workgroup). If the data was made into a report file named "Workgroup Report 2-22-2009," the command would look like this:

Mbsacli /f "Workgroup Report 2-22-2009" /r "192.168.1.2-192.168.1.5"

You could easily create a script that varies report titles and IP address ranges, capturing an entire collection of local subnets simply by inserting the above text into a .bat file and manipulating report names and address ranges as needed. You can also use the /d domain-name switch to scan all computers in a target domain.
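A scripted version of the approach described above, written in PowerShell rather than as a .bat file. This is an added example, not code from the article or from Microsoft's sample scripts: the report share, the job names and every range except the article's own are constructed, and the guard that skips malformed or non-private ranges is an addition.

```powershell
# Added example. Uses only the Mbsacli switches shown in the article: /f (output file) and /r (IP range).
$Mbsacli   = 'C:\Program Files\Microsoft Baseline Security Analyzer\Mbsacli.exe'  # default path per the article
$ReportDir = '\\fileserver\mbsa-reports'   # hypothetical report share

# Constructed sample jobs; the first is the range from the article's command.
$Jobs = @(
    @{ Name = 'Workgroup'; Range = '192.168.1.2-192.168.1.5' },
    @{ Name = 'Servers';   Range = '10.20.0.10-10.20.0.60' },
    @{ Name = 'Typo';      Range = '192.168.1.50-192.168.1.5' }   # reversed, so it is skipped
)
$PrivateBlocks = '10.0.0.0-10.255.255.255', '172.16.0.0-172.31.255.255', '192.168.0.0-192.168.255.255'

function ConvertTo-IPv4Number ([string]$Ip) {
    # Strict dotted-quad parse, so short forms such as "10.1" are rejected.
    $m = [regex]::Match($Ip.Trim(), '^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$')
    if (-not $m.Success) { throw "Not a dotted-quad IPv4 address: $Ip" }
    [long]$n = 0
    foreach ($i in 1..4) {
        $octet = [int]$m.Groups[$i].Value
        if ($octet -gt 255) { throw "Octet out of range in $Ip" }
        $n = $n * 256 + $octet
    }
    return $n
}

function Test-ScanRange ([string]$Range) {
    # True only for "start-end" with start <= end, both inside one private block.
    $parts = $Range -split '-'
    if ($parts.Count -ne 2) { return $false }
    try { $start = ConvertTo-IPv4Number $parts[0]; $end = ConvertTo-IPv4Number $parts[1] }
    catch { return $false }
    if ($start -gt $end) { return $false }
    foreach ($block in $PrivateBlocks) {
        $lo, $hi = $block -split '-' | ForEach-Object { ConvertTo-IPv4Number $_ }
        if ($start -ge $lo -and $end -le $hi) { return $true }
    }
    return $false
}

$stamp = Get-Date -Format 'M-d-yyyy'   # date style of the article's report name
foreach ($job in $Jobs) {
    if (-not (Test-ScanRange $job.Range)) {
        Write-Warning "Skipping $($job.Name): '$($job.Range)' is not a valid private range"
        continue
    }
    $report = "$ReportDir\$($job.Name) Report $stamp"
    & $Mbsacli /f $report /r $job.Range
    Write-Output "$($job.Name): scanned $($job.Range), Mbsacli exit code $LASTEXITCODE"
}
```

The exit code is logged as-is because the article does not document Mbsacli's return values.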

[IMAGE]

Figure 2: MBSA scans may target specific IP addresses

By default, MBSA accesses a current catalog of Windows updates from one of Microsoft's Windows Update servers. But for enterprise environments that maintain their own security baselines, MBSA can be customised so that it accesses a different server instead. It's even possible to target a specific cabinet (.cab) file that distributes software as well, for secure networks that require offline scans (see resources below for a pointer to this file, as well as download details).

Earlier versions of MBSA automatically installed whatever version of Windows Update Agent (WUA) was needed to produce a successful scan on each target client. This option remains available in version 2.1, but is now turned off by default so that administrators can control the behavior of MBSA on their networks. That said, MBSA cannot complete a scan successfully unless target clients run an appropriate version of the WUA. PCs that lack this software cannot be scanned until that agent software is updated or installed.

In environments where local installations of Windows Server Update Services (WSUS) provide managed updates, MBSA may be directed to use only Update Services servers. Clients that have no current WSUS server assignment will generate an error message indicating that they cannot be scanned when MBSA targets them. The setting gives administrators a means of applying MBSA scans only to managed PCs. Otherwise scans may be driven by the latest data from Windows Update online (MBSA's default mode of operation).

Take MBSA for a spin
MBSA offers a variety of interesting administrative vulnerability checks (local account password properties, incomplete updates, password expirations, Windows Firewall, automatic updates, file system, autologon, guest account, restrict anonymous, and administrator account checks are in its arsenal). It can also scan IIS and SQL Server installations, as well as analyse desktop and server machines. Its many features make MBSA worth using on a regular basis, particularly as part of a regular, scheduled program of security scans or audits. Many organisations do so annually, while some run a check as often as once a month or once a quarter. Once you start working with MBSA, you'll get a good sense of the kind of information it can provide. Depending on your user population, the frequency of software and server changes, and how you push security updates to your desktops and servers, you may decide to run scripted MBSA scans anywhere from 2 to 12 times a year.

Resources:
MBSA home
MBSA download details
MBSA How-to
MBSA scripting examples
MBSA FAQ
WSUS-supported products
wsusscn2.cab (For use in secure offline environments; see MBSA FAQ for details.)
