Microsoft Baseline Security Analyzer
by Dan DiNicolo
When Microsoft announced that security would become their new "prime directive" a few months back, many people took it to be little more than standard Microsoft lip service. Certainly the road to building more secure systems will be a long one for Microsoft, especially since they're in catch-up mode for the most part. In the meantime, it appears as though they're at least making an effort, and a newly released tool - the Microsoft Baseline Security Analyzer - merits at the very least a "must look" for system administrators.
Having spoken here about the importance of managing and monitoring security on a Windows network before, I'll spare you the sermon about the importance of keeping your systems updated with security patches. By this point, it should be clear that without proper updates applied, your system is susceptible to attack. That leaves everything in your hands. If you don't have the budget for one of the great tools that I've reviewed before (like Service Pack Manager from Gravity Storm Software), then at a minimum you'll want to take a look at the MBSA tool. This tool didn't just fall from the sky. If you're familiar with HFNetChk, Microsoft's command-line tool for monitoring the hotfixes and service packs applied to network systems, then MBSA will look like a dream come true. MBSA is basically a shell over HFNetChk, providing you with the same functionality but with a user-friendly and convenient interface. On top of that, it's capable of analyzing systems running Windows NT, 2000, and XP.
MBSA is a free download (about 2.5 MB in MSI format) from the Microsoft site, and I've provided a link at the end of the article. The installation is exceptionally simple. After launching the program, you have the option of scanning either the local system or remote systems for missing hotfixes, security misconfigurations, and so forth.
If you pick a single computer to scan, you have the option of accessing it by name or IP address. A range of systems can also be specified. If you take a look at the screen shot below, you'll notice the range of vulnerabilities that MBSA will scan for - these include Windows security, weak passwords, IIS, SQL, and hotfix-related issues. Ultimately, the output will be written to a report that is saved within the MBSA interface. You also have the option of printing or copying the final report directly from the tool.
The scan itself doesn't take very long to complete at all. On my XP system the scan completed in seconds, and a scan of a Windows 2000 file server over the network yielded similar results. Once the scan has completed, you'll be presented with a report, as shown below.
The report itself is great. Not only does it categorize vulnerabilities into groupings like hotfixes, password expiration, and so forth, but it also presents a handy colored icon to represent the state of a system. My report mentioned that I was missing 7 hotfixes - and here I was thinking that I had been good at keeping up to date! By clicking on the "results details" hyperlink, another window opens that lists all missing hotfixes, and direct links to their downloads.
Other security risks that you might not normally pay attention to also provide useful information. For example, all of my local user accounts have non-expiring passwords, as shown below.
However, my system did pass the password test - MBSA will also check whether any passwords are set to blank, or to silly passwords such as "password", "admin", or "Administrator" - those you hopefully would never consider using at any rate.
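The two account checks just described - passwords that never expire and accounts that are not required to have a password at all (the condition that permits a blank one) - can be reproduced on a single host or a list of hosts with a short PowerShell script. The script below is an added example, not the article's or Microsoft's code, and not part of MBSA. It assumes Windows PowerShell 5.1 or later for Get-LocalUser (a cmdlet that did not exist on the NT, 2000 and XP systems the review covers) and, for remote hosts, assumes PowerShell Remoting over WinRM is enabled. The function name and its -ComputerName parameter are the example's own. It reads account attributes only; it never attempts to log on or guess a password.

```powershell
# Added example: defender-side re-creation of MBSA's password-expiration and
# blank-password-allowed checks. Assumes Get-LocalUser (Windows PowerShell 5.1+)
# and WinRM for any remote host. Function and parameter names are hypothetical.

function Get-LocalPasswordHygiene {
    [CmdletBinding()]
    param(
        # Hosts to inspect; defaults to the local machine. Remote names need WinRM.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # The check runs on the target and emits one record per enabled local account.
    $check = {
        Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
            $findings = @()

            # PasswordExpires is $null when the "never expires" flag is set.
            if ($null -eq $_.PasswordExpires) {
                $findings += 'password never expires'
            }

            # PasswordRequired = $false means the account may have a blank password.
            if (-not $_.PasswordRequired) {
                $findings += 'no password required (blank allowed)'
            }

            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Account         = $_.Name
                PasswordLastSet = $_.PasswordLastSet
                Findings        = ($findings -join '; ')
            }
        }
    }

    foreach ($target in $ComputerName) {
        if ($target -eq $env:COMPUTERNAME -or $target -eq 'localhost') {
            & $check
        }
        else {
            # Same script block, executed on the remote host through WinRM (assumed enabled).
            Invoke-Command -ComputerName $target -ScriptBlock $check
        }
    }
}

# Usage: show only accounts with something to fix on this machine.
Get-LocalPasswordHygiene |
    Where-Object { $_.Findings } |
    Format-Table Computer, Account, PasswordLastSet, Findings -AutoSize

# Usage: sweep several servers (hypothetical names) and keep the results, the way
# MBSA saves a report per scan.
# Get-LocalPasswordHygiene -ComputerName 'FS01', 'WEB01' |
#     Export-Csv -Path .\password-hygiene.csv -NoTypeInformation
```

An account that appears with "password never expires" is the same condition MBSA flagged in the review; "no password required" is the attribute that lets a blank password be set in the first place, so clearing it is the fix even if the current password is not blank. Because the script only reads account attributes, it can be scheduled against every server without the lockout risk that password-guessing checks carry.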
The ability to scan multiple (or just a single) network system is part of what makes MBSA so useful. Scans of multiple systems can be accomplished by specifying a range of IP addresses or a Windows domain name. I chose to scan just a single server, and it quickly became apparent how badly I've been slacking off when it comes to my updates. Thank goodness it's just a test server!
Overall, the Microsoft Baseline Security Analyzer is a great step up from the hassles of HFNetChk, and provides a simple, effective, and cheap way of assessing the security risks found on network systems. However, while it makes you aware of issues, it does nothing to actually update those systems. Similarly, its scans are limited to basic core products, while many of the other tools on the market scan almost all products and have integrated updating capabilities. If you're simply looking for information and want to handle updates manually, check out MBSA. If you're looking for a more robust security management solution, I would still suggest a product like Gravity Storm's Service Pack Manager 2000.
MBSA can be downloaded here.