Lock IT Down: Walk-through of Microsoft's Baseline Security Analyzer

Shows how this tool replaces the old Network Security Hotfix Checker (Hfnetchk) command-line utility, which checks for security breaches on your systems.


Microsoft recently released the new Microsoft Baseline Security Analyzer (MBSA) as part of its trustworthy computing initiative. This release is basically a graphical user interface (GUI) for the previously released Network Security Hotfix Checker (Hfnetchk) command-line tool, although MBSA includes a command-line interface as well.

This tool offers a flashy, easy-to-use interface with excellent online help, making it simple to scan your systems for security holes and missing hotfixes or patches. Let's take a look at how it works.

Getting started
You can download MBSA for free from Microsoft’s Web site. The requirements include:
  • Windows 2000/XP
  • Internet Explorer 5.01 or higher
  • MSXML version 3.0 SP2
  • IIS Common files, if you want to scan your IIS Web server

In addition, any computer on your network that this tool scans needs to have the following:
  • Windows NT 4.0 SP4 or above or Windows 2000/XP
  • IIS 4.0/5.0, if you want to scan for vulnerabilities
  • SQL 7.0/2000, if you want to scan for vulnerabilities
  • Office 2000/XP, if you want to scan for vulnerabilities

Note
You must have local administrator rights to the computer you want to scan, and the Remote Registry service must be running.

Running MBSA
After downloading and installing the utility, run the executable. You'll see the Welcome To The Microsoft Baseline Security Analyzer screen, shown in Figure A.

Figure A


As you can see, you have the option to scan a computer for vulnerabilities, scan multiple computers, and/or view your existing reports of computers you have scanned in the past. For this example, I will choose to scan a single computer and click Next, which will bring up the options shown in Figure B.

Figure B


Now you need to specify a computer name or IP address, along with the name of the report that will be created (the default option will work fine). Then, you can select from the following options:
  • Check For Windows Vulnerabilities
  • Check For Weak Passwords
  • Check For IIS Vulnerabilities
  • Check For SQL Vulnerabilities
  • Check For Hotfixes

Once you make your selections, click Start Scan. Depending on the options you select, your scan will begin searching for vulnerabilities and missing service packs and hotfixes. Once the scan is complete, a summary page will appear with links and explanations on how to fix your vulnerabilities (Figure C).

Figure C


With each vulnerability found, MBSA will tell you what was scanned and how to fix it. For example, I am running SQL Server under a local system account, which isn’t recommended. The tool found this vulnerability (Figure D) and recommended that I run SQL Server under a domain user account (Figure E).

Figure D


Figure E


MBSA also found that I have four shares running on my computer, and it displayed each share and its security rights (Figure F).

Figure F


You can continue to read and review your summary until you have fixed all of your vulnerabilities. Once you have done that, rerun MBSA to see that everything was eliminated.

Under the hood
In case you are wondering where all of this information is being stored, you can view it in the %userprofile%\SecurityScans directory. If you want to delete a report, you must do it from Windows Explorer. Furthermore, every computer you scan produces an individual XML report. When you open one of these files, you will see something similar to Figure G.

Figure G


If you receive errors on the scan, it could be because of one of the following reasons:
  • You're not a local Administrator on one of the machines being scanned.
  • The target computer does not respond to the tool's initial ping.
  • The Server service or the Remote Registry service is not running.
  • IIS common files are not installed on an IIS Web server being scanned.
  • MBSA does not have Internet access to download the XML file from Microsoft. (If you ran the tool previously, it will use the local cached copy.)
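
The first three causes in the list above can be checked from the scanning machine before a scan is started. The PowerShell function below is an added example, not part of the original article or of MBSA. It assumes Windows PowerShell 5.1; the function name Test-MbsaTarget and the use of the ADMIN$ share as a stand-in for local administrator rights are assumptions.

```powershell
# Added example: pre-scan checks for one MBSA target, run from the scanning machine.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 6+).
function Test-MbsaTarget {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName   # target name or IP address supplied by the caller
    )

    $result = [ordered]@{
        Computer       = $ComputerName
        RespondsToPing = $false
        ServerService  = 'not checked'
        RemoteRegistry = 'not checked'
        AdminShare     = $false
    }

    # MBSA pings the target first, so a host that drops ICMP fails here as well.
    $result.RespondsToPing = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    if ($result.RespondsToPing) {
        # LanmanServer is the Server service; RemoteRegistry is the Remote Registry service.
        $services = @{ ServerService = 'LanmanServer'; RemoteRegistry = 'RemoteRegistry' }
        foreach ($key in $services.Keys) {
            try {
                $svc = Get-Service -ComputerName $ComputerName -Name $services[$key] -ErrorAction Stop
                $result[$key] = $svc.Status.ToString()
            } catch {
                # Access denied or an unreachable service manager lands here.
                $result[$key] = "query failed: $($_.Exception.Message)"
            }
        }

        # Assumption: being able to reach ADMIN$ indicates local administrator rights.
        $result.AdminShare = Test-Path -Path "\\$ComputerName\ADMIN`$"
    }

    [pscustomobject]$result
}

# Usage (TARGET-PLACEHOLDER is a placeholder, not a real host):
# Test-MbsaTarget -ComputerName 'TARGET-PLACEHOLDER' | Format-List
```

A target is ready for scanning when RespondsToPing and AdminShare are True and both service fields read Running. The IIS common files and Internet access causes are not covered by this check.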

Running MBSA from the command line
If you prefer to run this tool from the command line, open a command prompt, change to the directory where you installed MBSA, and run mbsacli.exe /? to view the command-line options.

Summary
With this release of MBSA, Microsoft is moving closer to its goal of trustworthy computing. Microsoft has done a good job with this tool, and it is only version 1.0. This is a step in the right direction.