Microsoft Baseline Security Analyzer: Do updates offer improved Windows security?


Ed Tittel, Contributor
08.20.2008

The Microsoft Baseline Security Analyzer (MBSA) has been around since the introduction of Windows 2000, yet it remains a free, capable and underutilised tool in many Windows environments. MBSA has always been useful at scanning Windows environments for the presence or absence of security updates, and the latest version -- published in October 2007 and most recently updated in May 2008 -- adds support for Windows Vista and Windows Server 2008. MBSA 2.1, the most current version, is available from Microsoft (see the resources below for pointers and links).

The latest version of MBSA also features an updated, more user-friendly interface than previous versions. It uses more everyday language in its listing, and the analyser is now better organised and easier to follow. The format blends in with the overall look and feel of Windows Security Center utilities in Vista or Server 2008, as the following screenshot shows:


Figure 1: Report details from MBSA on a Vista desktop

Working with MBSA
You can download and install the GUI version of MBSA on any individual PC (mbsa2mux86.exe for 32-bit Vista, and mbsa2mux64.exe for 64-bit Vista). After the installation, a report will be generated for the given machine, as shown in the preceding screenshot. A command-line version of the program, Mbsacli.exe, will also be installed in the same directory: C:\Program Files\Microsoft Baseline Security Analyzer by default.

Although MBSA works fine on a per-PC or workgroup basis, it's been architected to work on networks of all sizes, including enterprise-scale networks. To take advantage of these capabilities, use the command line version of MBSA with scripts that cycle through IP address ranges. The analyser deposits all of its reports into the machine's MBSA directory. For subsequent analysis and remediation, however, you can also specify a shared folder on your network for the console output. Microsoft has even put a useful set of sample scripts together to aid this pursuit (see Table 1, where you'll also find a how-to that describes MBSA command-line operation in detail).

The next screenshot shows a sample scan targeted by IP address. Here's an example of a simple command to generate reports for a given set of machines: those in the private Class C network 192.168.1.x, for nodes numbered 2 through 5 (which just happens to match my local workgroup). To write the console output to a report file named "Workgroup Report 2-22-2009," the command would look like this:

Mbsacli /f "Workgroup Report 2-22-2009" /r "192.168.1.2-192.168.1.5"

You could easily create a script that varies report titles and IP address ranges, capturing an entire collection of local subnets simply by inserting the above text into a .bat file and manipulating report names and address ranges as needed. You can also use the /d domain-name switch to scan all computers in a target domain.
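The following .bat file is an added example (not from the article and not one of Microsoft's sample scripts) of the scripted approach described above: it loops over a list of labelled address ranges, runs Mbsacli.exe once per range with the /r and /f switches shown in the article, and writes each report into a shared folder. The share path, the subnet list, the local copy of wsusscn2.cab and the report-name pattern are assumptions; the /catalog switch is MBSA's documented option for scanning against an offline catalog file, used here only when that file is present.

```batch
@echo off
REM Added example, not from the article: scripted MBSA scans over several subnets.
REM Every path, range and report name below is an assumption for illustration.
setlocal EnableDelayedExpansion

REM Default install directory named in the article
set "MBSA_DIR=C:\Program Files\Microsoft Baseline Security Analyzer"
REM Assumed shared folder that collects reports for later analysis
set "REPORT_DIR=\\fileserver\mbsa-reports"
REM Assumed local copy of the offline catalog; if it exists, scan offline
set "OFFLINE_CAB=C:\mbsa\wsusscn2.cab"
REM Date stamp for report names (format depends on the system locale)
set "STAMP=%DATE:/=-%"

REM Assumed subnets to scan, as label=first-last ranges
set "SUBNETS=office=192.168.1.2-192.168.1.254 lab=192.168.2.2-192.168.2.254"

if not exist "%REPORT_DIR%" mkdir "%REPORT_DIR%"

for %%S in (%SUBNETS%) do (
    REM Split "label=range" into its two parts
    for /f "tokens=1,2 delims==" %%a in ("%%S") do (
        set "LABEL=%%a"
        set "RANGE=%%b"
        set "REPORT=%REPORT_DIR%\!LABEL! Report %STAMP%.txt"
        echo Scanning !LABEL! ^(!RANGE!^) ...
        if exist "%OFFLINE_CAB%" (
            "%MBSA_DIR%\Mbsacli.exe" /r "!RANGE!" /catalog "%OFFLINE_CAB%" /f "!REPORT!"
        ) else (
            "%MBSA_DIR%\Mbsacli.exe" /r "!RANGE!" /f "!REPORT!"
        )
        REM Assumption: a non-zero exit code from Mbsacli signals a failed scan
        if errorlevel 1 echo   Mbsacli returned error level !ERRORLEVEL! for !LABEL!
    )
)

endlocal
```

Run the file from a scheduled task on an account that can reach the target machines, and add or remove entries in SUBNETS to cover more local subnets. Because each range gets its own report name, a month's worth of reports for the same subnet can be compared side by side when you review which hosts still lack updates.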


Figure 2: MBSA scans may target specific IP addresses

By default, MBSA accesses a current catalog of Windows updates from one of Microsoft's Windows Update servers. But for enterprise environments that maintain their own security baselines, MBSA can be customised so that it accesses a different server instead. It's even possible to point MBSA at a specific cabinet (.cab) file containing the update catalog, for secure networks that require offline scans (see resources below for a pointer to this file, as well as download details).

Earlier versions of MBSA automatically installed whatever version of Windows Update Agent (WUA) was needed to produce a successful scan on each target client. This option remains available in version 2.1, but is now turned off by default so that administrators can control the behavior of MBSA on their networks. That said, MBSA cannot complete a scan successfully unless target clients run an appropriate version of the WUA. PCs that lack this software cannot be scanned until that agent software is updated or installed.

In environments where local installations of Windows Server Update Services (WSUS) provide managed updates, MBSA may be directed to use only Update Services servers. Clients that have no current WSUS server assignment will generate an error message indicating that they cannot be scanned when MBSA targets them. This setting gives administrators a means of applying MBSA scans only to managed PCs. Otherwise, scans may be driven by the latest data from Windows Update online (MBSA's default mode of operation).

Take MBSA for a spin
MBSA offers a variety of interesting administrative vulnerability checks (local account password properties, incomplete updates, password expirations, Windows Firewall, automatic updates, file system, autologon, guest account, restrict anonymous, and administrator account checks are in its arsenal). It can also scan IIS and SQL Server installations, as well as analyse desktop and server machines. Its many features make MBSA worth using on a regular basis, particularly as part of a regular, scheduled program of security scans or audits. Many organisations do so annually, while some run a check as often as once a month or once a quarter. Once you start working with MBSA, you'll get a good sense of the kind of information it can provide. Depending on your user population, the frequency of software and server changes, and how you push security updates to your desktops and servers, you may decide to run scripted MBSA scans anywhere from 2 to 12 times a year.

Resources:
MBSA home
MBSA download details
MBSA How-to
MBSA scripting examples
MBSA FAQ
WSUS-supported products
wsusscn2.cab (For use in secure offline environments; see MBSA FAQ for details.)

All Rights Reserved, Copyright 2008, TechTarget