Microsoft's Baseline Security Analyzer (MBSA) has proven to be an invaluable tool for helping keep servers and workstations current with security patches and making sure that a computer is not suffering from common security misconfigurations. Microsoft has released the latest version of this tool, which includes a staggering number of improvements over the previous versions. In short, if MBSA wasn't a part of your security toolkit before, it's time to get it.
MBSA 1.2 adds support for a number of additional products, including:
- Exchange Server 2003
- MDAC 2.5, 2.6, 2.7, and 2.8
- MSXML 2.5, 2.6, 3.0, and 4.0
- BizTalk Server 2000, 2002, and 2004
- Commerce Server 2000 and 2004
- Content Management Server 2001 and 2002
- Host Integration Server 2000 and 2004
- SNA Server 4.0
Furthermore, MBSA supports Office 2000, XP, and 2003, but in this release, it can scan only the local machine for these updates. Older versions of MBSA supported only Windows, Internet Explorer, Windows Media Player, and IIS updates.
It's important to note that MBSA does not currently support either embedded Windows or any of the 64-bit varieties. Windows 95, 98, and Me machines, if you still have them in your organization, are likewise unsupported.
Yo quiero MBSA
Even though Spanish isn't supported, MBSA 1.2—and the associated mssecure.xml data file—is available in four localized versions: English, French, German, and Japanese. The scanner will automatically download and use the appropriate mssecure.xml. For non-supported languages, MBSA 1.2 will use the English language mssecure.xml and disable checksum checks.
Doctor, heal thyself
MBSA 1.2 also scans for common configurations that may expose a machine to attack. For example, it can now check to make sure that a scanned machine has the Internet Connection Firewall enabled as well as determine if there are ports open to external traffic. Furthermore, a scan can verify that Automatic Updates are enabled and that the Internet Explorer zone configuration is appropriate. This also works for custom Internet Explorer zones.
For Windows Server 2003, MBSA also examines the Internet Explorer Enhanced Security Configuration and reports any potential problems. Finally, it now checks itself to make sure you're running the most recent version.
New and improved
MBSA 1.2 includes two new command-line switches: -unicode and -nvc. The -unicode switch forces MBSA to output Unicode characters for the Japanese language, while the -nvc switch prevents MBSA from automatically checking whether a newer version is available.
Get MBSA 1.2 and go
You can install MBSA 1.2 on any recent version of Windows, including 2000, XP, and Server 2003. MBSA 1.2 is available as a free download from Microsoft's Web site.
MBSA 1.2 downloads as a single .msi file. To install the product, double-click the .msi file. As usual with software installations, you'll get a page of licensing terms to which you need to agree, and you'll be asked which directory you'd like to install the product into. By default, MBSA 1.2 installs to C:\Program Files\Microsoft Baseline Security Analyzer. After you provide this information, installation completes very quickly and doesn't even require a reboot.
Using MBSA 1.2
Following installation, run MBSA by double-clicking the icon it creates on the desktop. You'll be presented with the screen shown in Figure A.
Figure A: MBSA in action
Notice the option menu along the left side of the window. These items are very self-explanatory and indicate exactly what will happen. The security report options are grayed out since I haven't run any scans. For this example, I'll scan a single Windows Server 2003 computer and ask for every scan, but I won't use a SUS server. I chose to scan a Windows Server 2003 computer rather than an XP system because the results are more interesting (i.e., shares, secured Internet Explorer, etc.). The 2003 scan does everything an XP scan would do (Figure B).
Figure B: Scan the machine listed using every technique to look for problems.
When you start the scan, the most current mssecure.xml file is downloaded. If the account you're using has administrative rights to the target, the target is then scanned and an extremely detailed report is generated.
I really like the extremely detailed but very easy-to-handle reporting that comes out of MBSA 1.2. I especially like the fact that, besides just saying "Yep, you have a problem," the reports tell you exactly what the problem is and, more importantly, how to correct it. See Figure C for an example.
Figure C: MBSA 1.2 has excellent, detailed reports.
Notice in Figure C that two of the five items were of concern: Office Security Updates and Windows Security Updates. Next to each item of concern are three links. The first link tells you what was scanned; the second link provides you with the results of that particular scan; the third link pops up a window that tells you how to correct the problem. Clicking on the Result Details For The Office Security Updates on this machine provides the details shown in Figure D.
Figure D: Some Office updates need to be installed on this computer.
MBSA also scans for other potential security problems on the machine, as shown in Figure E. In this particular scan, it detected four items of concern, including multiple Administrator accounts and non-expiring passwords; it also noticed that Automatic Updates was disabled. As above, a link to instructions for correcting each of these problems is provided.
Figure E: Checks other than software updates are part of this invaluable tool.
Why haven't you downloaded this already?
With an abundance of new features and capabilities, MBSA 1.2 is a must-have for any server administrator's security toolkit. Supporting a huge number of Microsoft applications, MBSA can serve you in two ways. First, it will help you keep your servers protected from problems; second, with powerful reporting capabilities, it can help you actually learn why you need to do the things that are suggested so you can make an educated decision as to whether something is an acceptable risk in your environment.