by Dan DiNicolo
When Microsoft announced
that security would become their new “prime directive” a few months back,
many people took it to be little more than standard Microsoft lip service.
Certainly the road to building more secure systems will be a long one for
Microsoft, especially since they’re in catch-up mode for the most part. In
the meantime, it appears as though they’re at least making an effort, and a
new tool just recently released – the Microsoft Baseline Security Analyzer – merits at the very least a “must look” for system
Having spoken here about
the importance of managing and monitoring security on a Windows network
before, I’ll spare you the sermon about the importance of keeping your
systems updated with security patches. By this point, it should be clear that without proper
updates applied, your system is susceptible to attack. That leaves
everything in your hands. If you don’t have the budget for one of the great
tools that I’ve reviewed before (like Service Pack Manager from Gravity
Storm Software), then at a minimum you’ll want to take a look at the MBSA
tool. This tool didn’t just fall from the sky. If you’re familiar with
HFNetChk, Microsoft’s command-line tool for monitoring the hotfixes and
service packs applied to network systems, then MBSA will look like a dream
come true. MBSA is basically a shell over HFNetChk, providing you with the
same functionality but with a user-friendly and convenient interface. On
top of that, it’s capable of analyzing systems running Windows NT, 2000, and
MBSA is a free download
(about 2.5 MB in MSI format) from the Microsoft site, and I’ve provided a
link at the end of the article. The installation is exceptionally simple.
After launching the program, you have the option of scanning either the local
system or remote systems for missing hotfixes, security misconfigurations, and so
If you pick a single
computer to scan, you have the option of accessing it by name or IP address.
A range of systems can also be specified. If you take a look at the screen
shot below, you’ll notice the range of vulnerabilities that MBSA will scan
for – these include Windows security, weak passwords, IIS, SQL, and
hotfix-related issues. Ultimately, the output will be written to a report
that will be saved within the MBSA interface. You also have the option of
printing or copying the final report directly from the tool.
The scan itself doesn’t
take very long to complete at all. On my XP system the scan completed in
seconds, and a scan of a Windows 2000 file server over the network yielded
similar results. Once the scan has completed, you’ll be presented with a
report, as shown below.
The report itself is great.
Not only does it categorize vulnerabilities into groupings like hotfixes,
password expiration, and so forth, but it also presents a handy colored icon to
represent the state of a system. My report mentioned that I was missing 7
hotfixes – and here I was thinking that I had been good at keeping up to
date! By clicking on the “results details” hyperlink, another window opens
that lists all missing hotfixes, and direct links to their downloads.
Other security risks that
you might not normally pay attention to also provide useful information. For
example, all of my local user accounts have non-expiring passwords, as shown
However, my system did pass
the password test – MBSA will also check and see whether any passwords are
set to blank, or silly passwords such as “password”, “admin”, or
“Administrator” – those you hopefully would never consider using at any
The ability to scan
multiple (or just a single) network system is part of what makes MBSA so
useful. Scans of multiple systems can be accomplished by specifying a range
of IP addresses or a Windows domain name. I chose to scan just a single
server, and it quickly became apparent how badly I’ve been slacking off when
it comes to my updates. Thank goodness it’s just a test server!
Overall, the Microsoft
Baseline Security Analyzer is a great step up from the hassles of HFNetChk,
and provides a simple, effective, and cheap way of assessing the security
risks found on network systems. However, while it makes you aware of issues,
it does nothing to actually update those systems. Similarly, its scans are
limited to basic core products, while many of the other tools in the market
scan almost all products, and have integrated updating capabilities. If
you’re simply looking for information and want to handle updates manually,
check out MBSA. If you’re looking for a more robust security management
solution, I would still suggest a product like
Gravity Storm’s Service Pack Manager 2000.
MBSA can be