Does Microsoft Baseline Security Analyzer (MBSA) work with Exchange Server?
MBSA is a terrific tool for performing security assessments on Exchange servers, but you need to use MBSA 1.1. MBSA 1.0 doesn't do anything special for Exchange servers—it scans the underlying Windows OS to check for the right set of patches and configuration options, but it doesn't check any Exchange-specific bits. In particular, MBSA 1.0 doesn't check Exchange hotfixes or registry key permissions. MBSA 1.1, which Microsoft released just after MEC 2002, fixes this limitation. As a bonus, MBSA 1.1 includes a full-fledged command-line version that you can use to automate and schedule scans so that you get a fresh scan report whenever you need one.