With the release of version 1.2 of the Microsoft Baseline
Security Analyzer (MBSA 1.2), Microsoft has vastly improved this already
excellent proactive security tool and turned it into a much more full-featured
utility. The MBSA includes a powerful graphical user interface that provides
administrators with a way to interactively scan the local and remote servers
and desktop machines. From the reports generated, administrators can take appropriate
action to address potential security problems, such as installing required
patches, enabling automatic updates, or turning on the Windows XP firewall.

Scripted scans

One area that the GUI does not address is the ability to
script a scanning session. Most administrators work normal business hours,
which are times that heavy scans are usually avoided because of their potential
impact on the network, servers, and desktop computers. For this reason, the
MBSA includes a command-line utility that performs the same functions as its
GUI counterpart and can be included in nightly/weekly/monthly routines to scan
for vulnerabilities. From this scan, a report is generated from which an
administrator can take proactive steps to protect the infrastructure.

The executables

MBSA includes two executables: mbsa.exe and mbsacli.exe. The
mbsa.exe executable powers the GUI side of the utility, while, as you might
expect, the mbsacli.exe executable is the command-line side. By default, both
of these executables are stored in C:\Program Files\Microsoft Baseline Security
Analyzer. Please note that if you have the GUI MBSA utility open, the command-line
version will not run.

By default, the results of a scan are stored in the
C:\Documents and Settings\user name\SecurityScans
folder and have names similar to "WORKGROUP - W2K3 (5-20-2004 5-35 PM)",
where the workgroup/domain is listed along with the system name and the date
and time of the scan. This is true for both the GUI and the command line, but
you don't usually have to know this for the GUI, since the program handles the
report display.

Using the command line

There are two ways to run the command-line version of MBSA.
The first syntax actually performs scans, and the second one provides a listing
of results from the most recent scan. So, it’s a two-pass process.

Running a basic local scan

Mbsacli.exe doesn’t actually require any parameters. If you
omit them, the local computer is simply scanned, assuming that you have
administrative rights with the current logon. The results of a local scan from
the command line should look something like this:

Computer Name, IP Address, Assessment, Report Name
WORKGROUP\W2K3,, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)

Viewing the results of the basic scan

As with the GUI version, the command-line version of MBSA
produces very detailed results to help you pinpoint and address potential
security weaknesses in your network. I like the fact that it doesn’t just assume
you want things “fixed.” Instead, it provides information so you can
make a decision about what to address or ignore. To get the results, type the
following, substituting the appropriate report name:

mbsacli /ld "WORKGROUP - W2K3 (6-1-2004 6-21 PM)" 

When reports are generated using a command-line scan, they
can also be viewed with the GUI at your leisure. Both the GUI and the command
line store their files in the same location, so each utility can use the scan
results generated from the other utility. Figure A
displays the local scan showing up as an entry in the GUI's Pick A Security
Report To View option. Figure B
shows the first page of that scan.

Figure A

The recent scan also shows up in the GUI.

Figure B

The first page of the scan

Personally, I like to be able to script this kind of stuff
and view the results with a GUI. The command-line viewing option works, but it’s
more difficult to interpret.

Full syntax

As I mentioned, there are two syntaxes for mbsacli.exe,
depending on whether you want to just run a scan or view the results of a
previously run scan. Here's the full syntax of the mbsacli scan command (every
switch shown is described in the list that follows):

mbsacli [/c|/i|/r|/d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr] [/s 1|/s 2] [/nvc] [/baseline] [/nosum] [/sus [susserver | susfilename]] [/hf]

Switches you can use include:

● /c domain\computer—Scan the computer named in domain\computer.

● /i IP_addr—Scan the computer identified by the IP address provided.

● /r "IP_addr-IP_addr"—Scan the computers in the range of IP addresses.

● /d domain—Scan all computers in the target domain.

● /n option—By default, MBSA performs all scans against the targets. Use /n to remove specific scans. Valid options are OS, SQL, IIS, Updates, Password. To omit more than one scan, separate the /n options with a + (plus sign).

● /o file—Specify the name of the file to which to write the results. A default name is presented above with the syntax "%D% - %C% (%T%)", where %D% is the domain or workgroup name, %C% is the name of the computer, and %T% is the date and time of the scan.

● /f file—Write console output to the file specified.

● /qp—Don't display the progress of the current scan.

● /qe—Don't display errors present in the current scan.

● /qr—Don't display the list of reports.

● /s 1—Suppress security notes.

● /s 2—Suppress security notes and warnings.

● /nvc—By default, MBSA always checks for a new version of itself when it runs. Use /nvc to skip this check.

● /baseline—Check only for baseline security updates rather than all updates (default in GUI).

● /nosum—Do not verify checksums for security updates. Use only if you need different language versions of patches and need to rename them for a language supported by MBSA (default in GUI).

● /sus [susserver | susfilename]—Get a list of approved updates from a SUS server. This option requires the URL of the SUS server and will look for a file named

● /hf—Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

The report syntax and its switches differ slightly. The report
syntax is:

mbsacli [/e] [/l] [/ls] [/lr file] [/ld file] [/unicode] [/v] [/hf] [/?]

Switches include:

● /e—Show the errors from the most recently run scan.

● /l—Show a list of all reports that are available for viewing.

● /ls—List the reports available from the most recent scan. Remember that a report is generated for each system in a scan.

● /lr file—Display the overview of the report named by file.

● /ld file—Display the complete details of the report named by file.

● /unicode—Output Unicode only.

● /v—Display the reason codes for security updates.

● /hf—Run in hfnetchk mode, exactly as described for the scan syntax above; use "mbsacli -hf /?" for details, and remember that this mode does not produce XML output.
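The two-pass routine the article describes (a scripted off-hours scan followed by pulling details with /ld) as one scheduled script. This is an added example, not code from the article or from Microsoft; it assumes mbsacli.exe is in its default folder, the task runs under an account with administrative rights on the targets, the $Domain and $LogDir values are placeholders, and the per-host summary lines have the "Computer Name, IP Address, Assessment, Report Name" layout shown earlier.

```powershell
# Added example (not from the article): scheduled mbsacli wrapper. Assumes the default install path,
# an account with admin rights on every target, a writable $LogDir, and the summary-line format
# shown in the article ("Computer Name, IP Address, Assessment, Report Name").
param(
    [string]$Domain = 'WORKGROUP',   # assumed domain/workgroup for /d
    [string]$LogDir = 'C:\MbsaLogs'  # hypothetical folder for console logs and detail dumps
)
$mbsa  = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'

# The article notes mbsacli will not run while the GUI (mbsa.exe) is open, so fail early and loudly.
if (Get-Process -Name mbsa -ErrorAction SilentlyContinue) {
    throw 'The MBSA GUI is open; mbsacli.exe will not run. Close it and retry.'
}
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# Pass 1: scan the whole domain. /n SQL+IIS drops checks that do not apply to plain file servers
# (several /n options are joined with +), /qp hides progress output that only clutters a log,
# and /nvc skips MBSA's self-update check so the task makes no outbound call.
$summary = & $mbsa /d $Domain /n 'SQL+IIS' /qp /nvc 2>&1 | ForEach-Object { "$_" }
$summary | Out-File -FilePath (Join-Path $LogDir "scan-$stamp.txt") -Encoding UTF8

# Parse the one-line-per-host summary into objects; the header line is skipped.
$hosts = foreach ($line in $summary) {
    if ($line -match '^(?<Computer>[^,]+),(?<IP>[^,]*),\s*(?<Assessment>[^,]+),\s*(?<Report>.+)$' -and
        $Matches.Computer -ne 'Computer Name') {
        [pscustomobject]@{
            Computer   = $Matches.Computer.Trim()
            Assessment = $Matches.Assessment.Trim()
            Report     = $Matches.Report.Trim()
        }
    }
}

# Pass 2: pull the full report (/ld) only for hosts rated Severe Risk, so the morning review
# starts with the machines that need patches or a firewall first.
foreach ($h in $hosts | Where-Object { $_.Assessment -eq 'Severe Risk' }) {
    $safe = $h.Computer -replace '[\\/:*?"<>|]', '_'
    & $mbsa /ld $h.Report 2>&1 | ForEach-Object { "$_" } |
        Out-File -FilePath (Join-Path $LogDir "$safe-$stamp-details.txt") -Encoding UTF8
}

# Summary to the console (or the Task Scheduler log) for a quick glance.
$hosts | Sort-Object Assessment, Computer | Format-Table -AutoSize
```

Register the script with Task Scheduler (schtasks) for a nightly off-hours run; the reports it produces land in the usual SecurityScans folder, so they can still be opened in the GUI the next morning.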

More flexibility from the command line

Note that MBSA can scan up to 10,000 machines simultaneously.
If you need to scan more, you’ll have to perform multiple scans. Scanning by IP
address is limited to 256 machines. If you want to scan off-hours or run scans
regularly and view the results at your leisure, mbsacli.exe is invaluable and
is especially useful when combined with the reporting functions of the GUI
version of MBSA.