One of the toughest jobs that any network administrator faces is staying on top of security. Security can be difficult to manage, especially on a large scale. For example, if you’ve got 100 servers and 10,000 workstations, how do you know which machines have the latest service pack? Add that amount of confusion to the hundreds of hotfixes that Microsoft issues and you’ve got a weighty chore on your hands.
Sure, you can use automatic installation scripts, but there needs to be a way to confirm that the script has actually done its job. This is where the Microsoft Baseline Security Analyzer comes in. In this Daily Drill Down, I’ll introduce you to this tool and explain how to use it to its fullest.
What is the Microsoft Baseline Security Analyzer?
The Microsoft Baseline Security Analyzer (MBSA) is a replacement for the Personal Security Advisor utility. It’s designed to test for many different, common security vulnerabilities. What makes this utility unique is that it is dynamic. As Microsoft releases additional security updates and recommendations, the utility is automatically made aware of those updates through the Internet.
You can run MBSA on a single PC or on multiple PCs simultaneously. After the tests are run, a comprehensive report is generated for each PC. This report contains detailed information about any specific security problems that were found on that individual machine, along with specific instructions on how to fix these problems.
What gets tested?
Although not completely comprehensive, the MBSA performs a wide variety of tests on your computers. Some of the things it checks are:
- Windows vulnerabilities
- IIS vulnerabilities
- SQL vulnerabilities
The password test is one of the primary Windows vulnerabilities tests run by MBSA. On the screen that allows you to choose what tests should be run, the password test is actually listed separately from the Windows vulnerability tests. The reason for this is that if you have machines that have many user accounts on them, the password test can take a long time to complete. The password test begins by checking for short or blank passwords. It then tests for passwords that match the username or that use the words “password,” “admin,” or “administrator.” During the password test, Windows also checks to see if the passwords have expiration dates.
Another Windows vulnerability check that MBSA performs is to see which users are members of the local administrators' group. If more than two users are members of this group, then MBSA flags the user as a security risk.
MBSA also performs an auto-logon test. The auto-logon feature stores a username and password in the registry for the purpose of automatically logging on to the system on power up. If the auto-logon feature is enabled, and the password is stored in clear text, then MBSA flags it as a severe vulnerability. If the auto-logon feature is used, but the password is encrypted, then the machine is flagged as having a potential vulnerability.
One of my favorite features of the utility is that it can check to see if any unnecessary or risky services are running on the machine that’s being scanned. The actual list of services to be checked is provided by Microsoft, and tends to change on a regular basis as new vulnerabilities are discovered. Services related to Web publishing, Telnet, or remote access cause MBSA to raise red flags.
Another good test is the share test, which checks for the existence of shares on the machine, including hidden administrative shares. MBSA then verifies that each share is configured to use user-level permissions rather than share-level permissions, and that the shares exist on NTFS partitions.
There are also a variety of other Windows vulnerability tests that check for more common security problems. For example, tests exist that check to make sure that the Guest account is disabled and that all partitions are running the NTFS file system. Although such tests are basic, it’s nice to have them included so that you don’t accidentally forget about them.
The IIS portion of MBSA checks Internet Information Server versions 4.0 and 5.0 for known vulnerabilities. Part of this process includes performing a thorough test of sample applications and virtual directories that may be present on the server. More importantly, the utility tests to see if version 2.1 of the IIS Lockdown tool has been run on the server. In case you’re unfamiliar with the IIS Lockdown tool, it works by disabling unnecessary IIS features, thereby making the server more secure. You can find out more about the IIS Lockdown tool by reading the Daily Feature “Lock down security on your IIS server.”
The IIS vulnerability module of MBSA also runs a check to see if IIS is running on a domain controller. As you probably know, domain controllers contain sensitive information, such as user IDs, passwords, and SIDs. Running IIS on a domain controller makes this sensitive information vulnerable to prying eyes.
Still another area that’s tested by MBSA is IIS logging. If you enable IIS logging and use the W3C extended log file format, then IIS will log lots more information than what shows up through Event Viewer. IIS will log information such as who has visited your site and what folders or files visitors have attempted to access. This includes both Read and Write attempts. To put it simply, this log allows you to see who has been trying to hack you, when, and with what methods. By having this information, you can do something to block the would-be hacker, such as blocking his IP address or domain through packet filtering. The logging may also show you that you need to implement tighter security on certain folders.
The SQL Server Vulnerability module of the utility is designed to test SQL Server versions 7.0 and 2000. This module tests things like the system administrator (SA) account password status, the SQL service account memberships, the service account password status, and the authentication mode that’s used on the server.
As you can see, many different tests are performed on the SQL service account. In addition, MBSA checks to see if the service account has been locked out or disabled. The utility even performs some password checks on the service account to make sure that the service account password isn’t left blank, or the same as the account name or the machine name, or includes the words “password,” “sa,” “admin,” or “administrator.”
Another password check that the utility performs on the SQL server is to see if the Administrator password has been written in plain text to the SETUP.ISS or the SQLSTP.LOG files. If you use SQL Server Authentication rather than Windows Security Authentication to install SQL 7.0 service packs, then the Administrator password is saved in plain text into these files. Even after upgrading to SQL 2000, it’s possible that these files may still exist on your system. Therefore, the utility scans these files for the existence of the Administrator password and alerts you if necessary.
The authentication mode test consists of checking to see if the SQL server is set to use Windows authentication mode or mixed mode authentication. Windows authentication mode relies solely on Windows for authentication, while mixed mode authentication allows the SQL server to authenticate users if Windows hasn’t already done so. Microsoft recommends always using Windows authentication.
Additional SQL tests include verifying that the Everyone group only has Read permissions to critical SQL registry keys, and that only the Administrator and the system account have access to critical SQL folders on the hard disk. There’s also a check to see if SQL is running on a domain controller. As with IIS, running SQL on a domain controller has the potential of making sensitive account information available to hackers.
When you run the Baseline Security Analyzer and use the options to test for hotfixes, the utility will identify your operating system and look up the list of current hotfixes from an online database. Windows NT 4.0, Windows 2000, and Windows XP hotfixes are just the beginning. The utility also scans for other Microsoft products and checks to see if hotfixes have been installed for those products. Some of the products that hotfix tests are performed for include:
- Internet Information Server (versions 4.0 and 5.0)
- SQL Server (versions 7.0 and 2000, including the Microsoft Data Engine)
- Internet Explorer (versions 5.01 and later)
In addition to the tests that I’ve already described, the MBSA performs numerous other tests. Some of these tests are directly related to Windows, SQL, and IIS vulnerabilities. Other tests are performed on Microsoft products such as Microsoft Office or Internet Explorer. For example, tests exist that check to see if Internet Explorer is set to use the recommended security zone. Other tests check to see if Microsoft Office has been protected against macro viruses. There are too many of these miscellaneous tests to name here, but you can rest assured that all types of vulnerabilities are covered.
Acquiring the Microsoft Baseline Security Analyzer
You can download the MBSA directly from Microsoft’s Microsoft Baseline System Analyzer Web site. The download consists of a single MSI file. This means that you can install the utility on either Windows 2000 or on Windows XP. The installation procedure consists of running a very simple wizard. You can install the utility onto any Windows 2000 or Windows XP system, as long as that system has a network link to the computers for which you want to test the security. The utility requires about 2 MB of disk space.
Scanning your network
Unlike the popular Security Configuration and Analysis tool that comes with Windows 2000, the MBSA does not rely on templates. Instead, some of the vulnerabilities that the utility scans for, such as weak passwords, are hard coded into the utility. The list of the latest hotfixes and service packs are stored on the Web in an XML file that’s maintained by Microsoft. This means that the PC that’s doing the scanning must have Internet access in order to be able to test for the latest hotfixes and service packs.
When you initially run the MBSA, you’re presented with the screen shown in Figure A. As you can see in the figure, you have the option of scanning a single computer or scanning multiple computers. Because the basic idea behind this tool is to look for security vulnerabilities within your network, I’ll be scanning several different computers in my example. Therefore, click the Scan More Than One Computer option.
|You can scan a single computer or multiple computers.|
At this point, you’ll see the screen that’s shown in Figure B. This screen allows you to set the various scanning options. First, you must select which computers you want to scan. You may either enter the name of the domain that you want to scan, or you can enter a range of IP addresses. Using an IP address range tends to be more effective if you have multiple domains that you want to scan. Just keep in mind that the account that you’ve logged on with must have administrative privileges on the machine that you’re scanning. Simultaneous scans of multiple domains will fail unless the account that you’re using has administrative privileges in all domains.
|You can scan multiple computers based on domain name or on IP addresses.|
Regardless of which method you use, you need to know that the utility won’t scan all of the computers within the domain or IP address range. The utility will only scan machines that are running Windows NT, Windows 2000 (Professional, Server, and Advanced Server), and Windows XP (Professional and Home Edition).
Beneath the IP address range field is the Security Report Name field. By default, the security report name is set to %domain%- %computername% (%date%). In this report name, the %domain%, %computername%, and %date% variables would be replaced by the actual domain, computer name, and the date. Even if you’re using an IP address to test, the report name format is OK to use, because rather than generating one large report, the utility generates a separate report for each computer that it analyses.
At the bottom of the window are the various scanning options. As you can see in the figure, several check boxes allow you to control whether things like Windows vulnerabilities and weak passwords are tested. Select the desired scanning options and click the Start Scan button
Viewing the results
When the scanning completes, you’ll see a list of the systems that were either completely or partially scanned. As you can see in the Assessment column in Figure C, the utility tells you instantly what machines need the most attention. In this particular case, the machine Test2, which was diagnosed as a severe risk, is a Windows XP machine that is running a straight-out-of-the-box configuration, with no applications installed.
|You can tell which machines are high risks at a glance.|
Now, let’s look at an actual report of the machine that was determined to be a high risk. You can do so by simply clicking on the computer name. The report is much too long to fit onto a single screen. However, in Figure D, you can see the top portion of the report. Notice that each issue is scored with a red X (danger), a yellow X (caution), or a green check mark (good). Beneath each issue are links for what was scanned in the particular test, the result details, and specifics on how to correct the issue.
|This is a sample report for a high-risk machine.|
For example, in Figure D, you can see that the report indicates that seven Windows hotfixes were missing. In Figure E, you can see a description of the check that was performed. In Figure F, you can see the exact hotfixes that the utility was looking for, and which of those hotfixes were and weren’t installed. Finally, you’ll be presented with the utility’s description of how to fix the problem. This type of detailed information is available for every test performed on every individual system that is tested.
|This is a description of the hotfix test.|
|These are the actual Windows hotfixes for which the test was looking.|
A double-edged sword
As you can see, the Microsoft Baseline Security Analyzer can be a powerful tool to help secure your network. However, you must be careful when using it. MBSA’s report is stored in a set location where a hacker could conceivably find it. This would give the hacker concrete information about vulnerabilities on any machine you scanned. You can view more information about this risk on the SecuriTeam Web site, run by the organization that discovered the vulnerability.
Finally, you need to know that MBSA’s reports are not always 100 percent accurate. There has been much discussion in Usenet and in the press about MBSA’s tendency to misreport security problems. Even after applying recommended hotfixes, MBSA may continue to report that the server is vulnerable to attack and missing the hotfix that was just applied.
If you notice that MBSA is reporting missing hotfixes that you believe you’ve already installed, you may want to double-check the report by running Qfecheck or HFNetCheck as well as MBSA. You can find out more about Qfecheck by reading the Daily Feature “Keep track of Windows 2000 hotfixes with Qfecheck.”