Turn a passive network diagram into an active security tool
The Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool for auditing basic security configurations, including security updates and Microsoft IIS and Microsoft SQL Server configurations. The tool's command-line interface lets you include MBSA commands in logon scripts or run MBSA ad hoc from the command prompt. If you're visually oriented, however, you might prefer to view the problem report on a network diagram so you can get an at-a-glance view of the status of your computers. Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer, a free add-on for Microsoft Office Visio 2003, lets you do just that.
The Visio Connector lets you scan computers and access all MBSA commands and output directly through Visio. Visio is a drawing program that lets you use stencils to represent the devices in your network as objects, known as shapes. Shapes can have aesthetic properties, such as color and line thickness, and logical properties, such as an assigned name or IP address that represents a computer. By integrating MBSA scans and Visio diagrams, you can create a Visio document of your server topology that shows the results of an MBSA scan of your servers.
Scan results persist when you copy shapes, so you can run a scan on a computer and then copy the shape representing that computer to another document while retaining the original scan results. In this way, Visio Connector can turn your passive network diagrams into active security tools.
Installing the Visio Connector
To install the Visio Connector, first download and install MBSA. Although the connector works with both MBSA 1.2 and 2.0, MBSA 2.0 supports Windows Server Update Services (WSUS), provides severity ratings for detected problems, and includes new security checks that the earlier version doesn't, such as scanning for updates for Office XP or later. You can download MBSA 2.0 at http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx. Then, run the setup program (MBSASetup-EN.msi) to install the tool. (For information about MBSA 2.0 features, see "Crank Up Security with MBSA 2.0," March 2006, InstantDoc ID 49245.)
Next, download the Visio Connector software from http://www.microsoft.com/technet/security/tools/mbsavisio.mspx and run the Visio Connector for MBSA.msi setup package to install the add-on. To use the connector, you must have Visio 2003 installed. I recommend Visio Professional 2003, which includes additional stencils such as network rack diagrams and logical network diagrams that help make the Visio plug-in more usable.
Setting Up a Visio Document
After you've installed the Visio Connector, start Visio and click File, New, Choose Drawing Type. Choose either a Basic Network Diagram or a Detailed Network Diagram. From the stencil, select a shape tab that contains a computer object, such as the Computers and Monitors, Network and Peripherals, or Servers tab. Each tab contains different computer objects that the Visio plug-in recognizes.
Choose a computer object, such as Server, File Server, Email Server, PC, or Laptop Computer, and drag it onto the Visio document. A new MBSA menu will appear within the Visio menu bar. To configure the shape, right-click it and select Properties to display the Custom Properties dialog box. The Visio Connector uses the custom properties, which include Network Name, IP Address, Location, Building, and Room, to identify the computer that you want to scan. In the Custom Properties dialog box, either type the computer name in the Network Name field or the IP address in the IP Address field. Visio lets dialog boxes such as Custom Properties stay open while you work, so you can keep changing a shape's properties as you continue editing your document.
Performing a Scan
Put your mouse cursor on the computer shape to make its information icon appear. Click the information icon as shown in Figure 1 to perform a baseline security scan. (You can also start a scan from the MBSA menu option.) Starting a scan opens the MBSA Visio scan dialog box, which shows a list of all the computer objects that were discovered. From this dialog box, you can choose which objects to scan and what type of scan to perform (e.g., a scan for Windows, IIS, and SQL vulnerabilities; weak passwords; or missing security updates).
You can use the connector to scan computers from all the pages within your document, which is handy if you use multiple pages to manage your network. For example, on the first page you might list your Active Directory (AD) topology using shapes to represent your domain controllers (DCs), and on another page you might document your email topology with shapes for your Exchange servers. When you perform a scan, a new window opens within Visio that shows you the status of the scan. The data shown in this window resembles the output of mbsacli.exe, the command-line version of MBSA, and is essentially a list of the computers that were scanned and the findings.
After the scan is complete, click the Report tab to view a summary report of the scan. The summary report resembles the output generated by the MBSA GUI tool, but it's embedded within the Visio document, as Figure 2 shows. Like the MBSA GUI report, the embedded report summarizes the systems that were scanned and the results, lets you drill down into details of the scan, and offers recommendations on how to correct problems that MBSA discovered. The Visio plug-in color-codes the scanned shape according to the scan results to give you an at-a-glance summary of your network using the familiar green-is-good, red-is-bad color scheme. You can toggle the color coding options, and you can close the status and report windows and restore them at any time from the MBSA menu.
If you already have an MBSA scanning mechanism in place and simply want to view the results in Visio, you can import completed scans, although doing so overwrites the earlier data. You can also open a network diagram document that you created in Visio 2003 and use the plug-in on that document's objects. Unfortunately, you can't use the connector with documents created in earlier versions of Visio.
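If you already drive MBSA from the command line, as the article's mention of logon scripts and mbsacli.exe suggests, a short script can produce the per-computer reports that the connector later imports. The PowerShell script below is an added example, not code from the article or from Microsoft; the computer names, the report share, and the mbsacli.exe path are assumptions, and the switch names are the ones I remember from MBSA 2.0's mbsacli /? output, so check them against your installed version.

```powershell
# Added example (not from the article): ad-hoc batch scan with mbsacli.exe,
# the command-line MBSA 2.0 tool. Path, target names and report share are
# assumptions; switch names are as recalled from "mbsacli /?" for MBSA 2.0.

$mbsacli   = Join-Path ${env:ProgramFiles} 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$targets   = @('SLATE', 'DC01', 'EXCH01')   # constructed example computer names
$reportDir = '\\fileserver\mbsa$'           # assumed share where text output is kept

if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }

foreach ($computer in $targets) {
    # /target selects the computer to scan; /n names checks to SKIP (here the
    # weak-password check); /nvc suppresses the MBSA version check; /o sets the
    # stored report name (%D% = domain, %C% = computer, %T% = timestamp).
    & $mbsacli /target $computer /n Password /nvc /o "%D% - %C% (%T%)" |
        Out-File -FilePath (Join-Path $reportDir "$computer.txt") -Encoding ASCII

    if ($LASTEXITCODE -ne 0) {
        # A nonzero exit usually means the target was unreachable or the
        # scanning account lacked administrative rights on it.
        Write-Warning "Scan of $computer returned exit code $LASTEXITCODE"
    }
}

# List the reports MBSA stored under the scanning user's profile;
# "mbsacli /ld <report name>" displays a single report in full.
& $mbsacli /l
```

Run it from an account that is a local administrator on every target, the same requirement the Visio Connector has, and point the connector's import at the reports MBSA stores so the shapes pick up the results without rescanning.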
As I mentioned earlier, the Visio plug-in uses a shape's custom properties to determine which machine to scan. You can use a shape's Network Name property or IP Address property to label the shape on the Visio document so that you can easily correlate the information on your diagram with that in a scan report. For example, Figure 2 shows the scan for the computer named Slate, and the network diagram shows the location of Slate in your network.
You can easily correlate the Network Name property and the label so that updating the property automatically updates the label. First, right-click a server object, select Properties, and enter the computer name as the Network Name property. Next, click the text tool on the Visio toolbar, then click the shape again (or click the shape and then press F2) to enter text about the object. Right-click the text box and click Insert Field to open a Field window, then select Custom Properties in the first box and Network Name in the second box, as Figure 3 shows. Click OK, and the computer name you entered for the Network Name property will appear with the shape. If you change the computer name, remember to update the shape's custom properties so the shape's label will update automatically. Don't update the text field directly—you must update the properties of the shape to change its name.
To label a shape with its IP address, make sure that the object's IP address is entered in the IP Address property. Then, follow the same procedure as above, but select IP Address instead of Network Name in the Field window.
Useful Tool for Visio Aficionados
You must have your server topology in Visio to use the Visio Connector. If your network topology isn't already in a Visio document, you'll probably find that scanning from the MBSA GUI or command line is quicker than using the Visio Connector.
If you're a Visio aficionado, however, you'll find the Visio Connector for MBSA to be a useful tool. It takes some time to become proficient with the connector, but getting started is easy, especially if you have the Microsoft Office Visio 2003 Resource Kit for IT Professionals. The resource kit includes stencils of commercial equipment; Neon Software's LANsurveyor for Microsoft Office Visio 2003 tool, which automatically creates a Visio document of your network; and a rack design and management tool. Although the Visio Connector for MBSA is free, the resource kit costs $399.
The Visio Connector for MBSA is a nice add-on for administrators who use Visio and who are looking for a tidy method of tracking and conducting security scans for their networks. The Visio Connector is a great way to leverage your investment in Visio to help you organize the scanning and auditing of your network.