A First Look at the New MBSA
Microsoft recently released a new version of Microsoft Baseline Security Analyzer (MBSA), a free security auditing and reporting tool. MBSA 1.2 has many enhancements that improve its functionality for system and security administrators. In addition to the ability to scan 10,000 machines in one run, MBSA now audits against a Microsoft Software Update Services (SUS) server, and, when run locally, reports on macro settings in Microsoft Office products, the state of the Automatic Updates client, and the state of the Internet Connection Firewall (ICF). Here’s an overview of the more notable new features in MBSA 1.2.
Expanded product support. MBSA 1.2 supports an expanded list of Microsoft products, including Windows Server 2003, Microsoft Exchange Server 2003, several versions of BizTalk Server, Commerce Server, Content Manager Server (CMS), SNA Server, and Microsoft Office. MBSA also audits the installed version of Microsoft Virtual Machine (VM) on Windows 2000 and older platforms and Microsoft Data Access Components (MDAC—the COM+ updates we see several times each year). In addition to reporting on missing security hotfixes, MBSA audits the configuration of server products, alerting you to potential security vulnerabilities and providing a roadmap for addressing them.
Interim and general hotfixes. The audit distinguishes between security updates released as Quick Fix Engineering (QFE) patches (temporary hotfixes distributed to selected customers) and security updates released to the general public at Windows Update or as a public download. This eliminates the unnecessary warnings we’ve become accustomed to in previous versions.
Support for multiple versions of the same hotfix. The audit recognizes installed patches even when the file version numbers for the same hotfix differ. The master catalog Microsoft uses to manage software updates lists the most current version of each installed component for each supported product. In some cases, the version number on a file in a hotfix for a single-processor system might be different from the version number for the same file on a multiprocessor system. Because MBSA now understands that components in the same hotfix can have different version numbers, you'll no longer see warning messages for hotfixes you've installed correctly.
Automatic Updates client. The utility audits and reports on the configuration of the Automatic Updates client, so you can determine whether a machine is using the Automatic Updates feature, whether the update mode is automatic or manual, and which server the client contacts for updates. When Automatic Updates is disabled, MBSA flags this as a red warning with the message “The Automatic Updates system service is not correctly configured.”
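If you want to see the same three facts MBSA reports on before (or without) running a scan, the following PowerShell script reads them locally. This is an added example, not MBSA's code or part of the original article: it uses the Windows Update client's policy registry keys and the wuauserv service, and the mapping of AUOptions values to modes is an assumption stated in the comments.

```powershell
# Added example (not part of the article or of MBSA): read the Automatic Updates
# settings that MBSA 1.2 reports on, locally, from the Windows Update policy keys.
# Key paths and value names are Windows Update client settings, not MBSA's; the
# AUOptions meanings below are an assumed mapping.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-AutomaticUpdatesState {
    $result = [ordered]@{
        ServiceStatus = (Get-Service -Name wuauserv -ErrorAction SilentlyContinue).Status
        Mode          = 'Not set by policy'
        UpdateServer  = 'Windows Update (Microsoft)'
    }

    if (Test-Path $auKey) {
        $au = Get-ItemProperty -Path $auKey
        # Assumed mapping: 1 = disabled, 2 = notify before download,
        # 3 = download then notify before install, 4 = download and schedule install
        switch ($au.AUOptions) {
            1 { $result.Mode = 'Disabled' }
            2 { $result.Mode = 'Manual (notify before download)' }
            3 { $result.Mode = 'Manual (notify before install)' }
            4 { $result.Mode = 'Automatic (scheduled install)' }
        }
        # UseWUServer = 1 means the client is pointed at an internal server (e.g. SUS)
        if ($au.UseWUServer -eq 1 -and (Test-Path $policyKey)) {
            $server = (Get-ItemProperty -Path $policyKey).WUServer
            if ($server) { $result.UpdateServer = $server }
        }
    }
    [pscustomobject]$result
}

$state = Get-AutomaticUpdatesState
$state | Format-List

# Raise the same condition MBSA flags in red when the client is off or not running
if ($state.Mode -eq 'Disabled' -or $state.ServiceStatus -ne 'Running') {
    Write-Warning 'The Automatic Updates system service is not correctly configured.'
}
```

Run it in an elevated PowerShell session on the machine you want to check; a machine with no policy keys at all reports "Not set by policy", which is worth distinguishing from an explicit "Disabled".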
ICF. You can audit ICF on Windows 2003 and Windows XP platforms, but only if you run the scan locally—MBSA can't analyze ICF on a remote system. When ICF is enabled, MBSA lists all active network connections and enumerates ports that are open to external traffic.
Auditing with SUS. You can direct MBSA to use the update catalog you've already built on an internal SUS server, instead of downloading the standard mssecure.xml catalog. This feature lets you evaluate the state of internal systems using only the updates you've approved for your site. This approach should make the scan faster and more efficient and will help you determine which network systems aren't being properly maintained. Keep in mind, however, that although the current version of SUS can update OSes, Microsoft Internet Explorer (IE), and Windows Media Player (WMP), SUS doesn't yet support update scenarios for Microsoft Office, SQL Server, or Exchange Server.
Multiple Language Support. The MBSA GUI version and the XML catalog are available in English, Japanese, German, and French. By default, the utility downloads the language-specific catalog. If the correct language version isn't available, MBSA falls back to the English version, which is always available at Microsoft. See the white paper at http://www.microsoft.com/technet/security/tools/mbsahome.mspx for more information about how MBSA operates when you mix language versions of the utility and the catalog.
Test Drive Results
I tested MBSA 1.2 on Win2K and XP Professional Edition platforms. The first time I downloaded the XML catalog, there was a noticeable delay. When I asked for a report of all domain members, the progress-tracking indicator showed that the utility overlaps scanning operations, which reduces the amount of time the tool uses to audit multiple machines.

MBSA downloads the XML catalog every time you start a new audit, as long as the system on which you're running MBSA can access the Internet. If you run MBSA several times in a row, you need to wait for the catalog download, even though the catalog probably hasn't been modified during the previous 5 minutes. When you run the utility in production mode, on a weekly or monthly audit cycle, you do want MBSA to download the most recent product catalog. A GUI option to disable the catalog download during testing would be nice.

MBSA uses NetBIOS (i.e., WINS-registered) names to locate systems, shared drives, and shared folders. Machines publish NetBIOS names when you enable File and Print Sharing on the network adapter. If this feature is disabled, MBSA will be unable to locate the system. If you have systems on which you've disabled this feature for security purposes, exclude them from the audit scan. The reliance on NetBIOS introduces potential security concerns, even when this protocol is enabled only for internal communication. If MBSA must cross a firewall to analyze systems in a remote location, the firewall must allow traffic on TCP ports 139 (NetBIOS session service) and 445 (Microsoft Directory Service) and UDP ports 138 (NetBIOS datagram service) and 139 (NetBIOS session service) to successfully locate and probe remote systems.

You can run MBSA from the command line and fine-tune its operation with many command-line arguments. To do so, create a shortcut to mbsacli.exe, which by default is located in Program Files, Microsoft Baseline Security Analyzer. Use the command
to display the command-line options. The GUI version would be more valuable if it offered the extensive command-line arguments as drop-down menu options. You can read the white paper and download the newest version of MBSA at the MBSA home page (http://www.microsoft.com/technet/security/tools/mbsahome.mspx).
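Because a target that doesn't answer on the NetBIOS ports simply disappears from the results, it helps to check reachability before a batch scan rather than puzzle over missing hosts afterward. The following PowerShell script is an added example, not code from the article or from MBSA: it tests TCP 139 and 445 on each intended target (the UDP ports can't be checked this way), warns about hosts that don't answer, and then runs mbsacli.exe once per reachable host. The domain and host names are constructed samples, and the /c domain\computer switch is assumed from the mbsacli command-line help; confirm it against the options listed by your own installation.

```powershell
# Added example (not MBSA's own code or the article's): pre-flight the ports the
# article says MBSA needs (TCP 139 and 445), then scan only the hosts that answer.
# Domain and host names below are constructed samples; the /c switch is assumed
# from the mbsacli command-line help.

$mbsacli = Join-Path ${env:ProgramFiles} 'Microsoft Baseline Security Analyzer\mbsacli.exe'
$domain  = 'CORP'                                      # constructed sample domain
$targets = @('fileserver01', 'ws-lab-07', 'sql-dev')   # constructed sample hosts

function Test-MbsaReachable {
    param([string]$ComputerName)
    # A closed or filtered 139/445 usually means File and Print Sharing is off,
    # which the article notes makes the system invisible to MBSA.
    foreach ($port in 139, 445) {
        $ok = Test-NetConnection -ComputerName $ComputerName -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { return $false }
    }
    return $true
}

$reachable = @()
foreach ($t in $targets) {
    if (Test-MbsaReachable -ComputerName $t) {
        $reachable += $t
    } else {
        # Matches the article's advice: leave deliberately hardened hosts out of the scan
        Write-Warning "$t does not answer on TCP 139/445; excluding it from the MBSA scan"
    }
}

if (-not (Test-Path $mbsacli)) {
    throw "mbsacli.exe not found at $mbsacli"
}

foreach ($t in $reachable) {
    # One invocation per host so a slow or hung machine does not stall the whole batch
    & $mbsacli /c "$domain\$t"
}
```

Keeping the excluded hosts in the warning output gives you the list of machines that were skipped for connectivity reasons, which is different from machines MBSA scanned and found clean.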