Is your network ready to combat malicious hackers? Are your systems up-to-date with the current-patches or security updates? Are you aware of security misconfigurations such as missing passwords? The easiest way to look at how closely the security state of your network devices meets Microsoft's security recommendations is by running the Microsoft Baseline Security Analyzer (MBSA) tool.

In June, Microsoft released the latest version of its popular no-cost tool, MBSA 2.0 ( available at http://www.microsoft.com/technet/security/tools/mbsahome.mspx). Lets take a look at the new features it offers.

Overview
This new release is more than a simple update; it includes new features and has been designed to integrate seamlessly with other update tools such as Windows Server Update Services (WSUS) and the Systems Management Server (SMS) Inventory Tool for Microsoft Updates (ITMU). MBSA 2.0 uses the Automatic Updates agent and supports Windows 2000 Server Service Pack 3 (SP3) or later, Windows XP, and Windows Server 2003 (both 32-bit and 64-bit versions). MBSA 1.2.1 supports Win2K SP2 or earlier, and Windows NT 4.0. (For a complete listing of which version of MBSA to use to scan various Microsoft products, see the Microsoft article "Microsoft Baseline Security Analyzer (MBSA) 2.0 is available" at http://support.microsoft.com/?kbid=895660).

MBSA 2.0, like its predecessor MBSA 1.2.1, comes in two editions—a GUI edition (which resembles a Web page), and a command-line (CLI) edition. Both versions scan your network for updates that have or haven't been installed on your network devices and for obvious vulnerabilities such as missing or weak passwords, passwords that are set to expire, and best-practice security settings. MBSA 2.0 can scan single or multiple, local or remote systems, but when MBSA remotely scans a system it might not be able to check firewall settings. (For more information about scanning a system with built-in firewall protection, see the Web-exclusive sidebar "Troubleshooting MBSA 2.0 and Windows Firewall," http://www.windowsitpro.com, InstantDoc ID 49243).

Microsoft Update
MBSA 2.0 uses the Automatic Updates agent to get information from Microsoft Update (a Microsoft Web site service) rather than Windows Update (used with MBSA 1.2.1). MBSA 2.0 can also leverage your patch management infrastructure, which I describe in the Web-exclusive sidebar "Using MBSA 2.0 with WSUS," http://www.windowsit pro.com, InstantDoc ID 49242. MBSA 2.0 connects with the update agent to scan a workstation or server and report on installed and missing updates. Unlike MBSA 1.2.1, MBSA 2.0 lets you select updates and patches that the scan results indicate are missing by selecting a download icon, then MBSA automatically downloads the appropriate update or patch from Microsoft Update.

Periodically, Microsoft will release a new version of the Automatic Updates agent that includes new functionality and enhanced vulnerability detection. MBSA 2.0 can deploy the latest agent to scanned systems to ensure scans are as accurate as possible.

In some instances, MBSA 1.2.1 can scan for updates for server products that MBSA 2.0 can't scan for, so you might need to run both versions until MBSA 2.0 supports most Microsoft products. But be aware that Microsoft expects to discontinue support for and stop distributing MBSA 1.2.1 during first quarter 2006.

Severity Ratings Assigned to Bulletins
Microsoft assigns severity ratings for each bulletin it releases to help an administrator prioritize when (or if) he or she should install an available update or patch. When MBSA 2.0 scans a device, the scan report lists missing updates and patches and the assigned severity rating for each. There are four ratings: critical, important, moderate, and low. A critical rating indicates a vulnerability that should be addressed immediately: for example, a problem that could result in an Internet worm propagating in your network without detection. An important rating indicates a vulnerability that could compromise data integrity and data processing. A moderate rating indicates a vulnerability that is difficult (but not impossible) for a hacker to exploit. A low rating indicates a vulnerability that is extremely difficult to exploit, and if exploited would create a minimal impact on your network. MBSA 2.0 also reports Common Vulnerabilities and Exposures Identifiers (CVE-IDs), when one has been assigned to a vulnerability. MBSA 1.2.1 doesn't support the severity-rating feature.

A New Catalog File for Updates
MBSA 1.2.1 and Windows Update use the Security Update Bulletin catalog file, mssecure.cab, to check for the latest updates. This catalog file contains update information about the files and system settings for NT 4.0 through Windows 2003, and for optional components such as Internet Information Services (IIS) 6.0, SQL Server, and Exchange Server. MBSA 1.2.1 and earlier connected to remote systems, and the catalog file looked for files and registry entries to determine which updates were applied. However, these earlier MBSA versions couldn't detect all the updates needed for all products because of their architecture and the format of the mssecure.cab file.

MBSA 2.0 uses a new catalog file, wsusscan.cab (WSUS also uses this file), which is available from Microsoft Update. MBSA 2.0 no longer connects to remote client systems through administrative shares (e.g., C$, D$, ADMIN$) and the Remote Registry service. MBSA 2.0 connects to the Automatic Updates agent, which uses information in the wsusscan.cab file to determine the status of updates. If MBSA 2.0 determines that the device being scanned doesn't have a copy of the Automatic Updates agent client installed, MBSA can automatically install the latest version. If automatic installation is disabled, MBSA 2.0 will report a problem scanning for updates but will continue to perform checks for security best practices.

Selecting Scan Options
After you download and install MBSA 2.0 on your computer, MBSA adds a shortcut to the Start menu. Click the shortcut to launch the MBSA GUI edition. On the Baseline Security Analyzer welcome window, choose one of the following scan options: Pick a computer to scan, Pick multiple computers to scan, or Pick a security report to view.

Scanning a local or remote computer. When you select Pick a computer to scan, by default, the computer you're using appears in the Computer name field. To scan a remote device, you can:

  • enter the remote device's name using the format domainname\computername. If you want to scan a remote device, you need to log on to the scanning system using a domain account that has administrative privileges—for example, an account that is a member of the Domain Admins group.
  • select the device's configured name from the drop-down menu if you've previously scanned it.
  • enter the remote device's IP address.

In the Security report name field, enter the variables that are listed below the field and that you want to use in the report name. In the Options section, select the options you want MBSA to scan for. Figure 1 shows a sample screen with computer name, report name, and selected options. To start the scan, click the Start scan button.

MBSA 2.0 downloads the Automatic Updates client (if it's missing) and the latest wsusscan.cab file from Microsoft Update and uses this catalog file to scan for security problems.

Scanning multiple computers. This process is the same as scanning a single computer, except that you select Pick multiple computers to scan and enter a domain name in the Computer name field, or enter a range of IP addresses to scan. If you enter a domain name, MBSA 2.0 needs to be able to connect to and use the domain's master browser to enumerate the devices in that domain. This means that MBSA can scan only devices that are online and have reported to the browser. The scan results list devices that weren't scanned and any security concerns. You can use the error codes listed at the end of each entry to troubleshoot why MBSA 2.0 was unable to scan the remote device. You can convert error codes into error messages by typing at the command line

net helpmsg <error code></error>

The results of the scans are stored in the user's profile in the System-Scans folder. The default filename for the scan results is Domainname - Computername (MM-DD-YYYY HH:MM AM/PM).mbsa.

Viewing security reports. MBSA creates a separate XML file for every computer it scans and saves the report (with the report name you specified in the selection window) in the user's profile (i.e., the user running MBSA) in the SecurityScans folder. The resulting XML file can be easily parsed or imported into an application such as Microsoft Excel. (In most cases, it's easier to view the report with the MBSA GUI edition.)

If you scanned a single computer, MBSA automatically launches the View security report window and displays the scan results, as Figure 2 shows. If you scanned multiple computers, select Pick a security report to view to display scan results.

In the Result column, you'll notice three links: What was scanned, Result details, and How to correct this. The Result details link provides more information, such as which security updates are missing.

The What was scanned link provides details from online Help about what MBSA 2.0 scanned for, and the How to correct this link displays a Help text file that describes how you can correct the problem. Figure 3 shows the type of information displayed when you select Result details. This screen lists updates that are missing on the target device(s). You can either select an item's ID to display more information about a missing update or select the Download icon to download the update from Microsoft Update.

Using the CLI edition. To use the CLI version, go to C:\program files\Microsoft Baseline Security Analyzer 2 and run the mbsacli.exe file. To get the command-line options, run mbsacli.exe /?. If you want to use alternative credentials when you scan a computer (either local or remote), you can use the /u ( specifies the username) and /p (specifies the password) switches. The CLI edition is more flexible than the GUI edition because it lets you select switches to control how a scan is performed. The CLI edition, by default, saves scan results as an XML file in the user's profile in the SecurityScans folder, using the default filename Domainname - Computename (MM-DD-YYYY HH:MMAM/PM).mbsa.

Keeping Up
Microsoft plans to continuously add support for Microsoft products to the Microsoft Update Web site so that MBSA can scan for updates for current Microsoft OSs and supported products. (You can check the updates currently available at http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us.) In many ways, MBSA 2.0 represents not just an upgrade in features and functionality but a radical redesign that makes this tool more useful. It's a tool that all security administrators should have in their arsenal.

For more information about MBSA 1.2.1, see "Microsoft Baseline Security Analyzer," InstantDoc ID 41275, and "Automate MBSA," InstantDoc ID 45265. For more information about MBSA 2.0, see "MBSA 2.0 Frequently Asked Questions," http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx.