Microsoft’s Baseline Security Analyzer (MBSA) has proven to
be an invaluable tool for helping keep servers and workstations current with
security patches and making sure that a computer is not suffering from common
security misconfigurations. Microsoft has released the latest version of this
tool, which includes a staggering number of improvements over the previous
versions. In short, if MBSA wasn’t a part of your security toolkit before, it’s
time to get it.

New stuff

MBSA 1.2 adds support for a number of additional products,
including:

  • Exchange Server 2003
  • MDAC 2.5, 2.6, 2.7, and 2.8
  • MSXML 2.5, 2.6, 3.0, and 4.0
  • BizTalk Server 2000, 2002, and 2004
  • Commerce Server 2000 and 2004
  • Content Management Server 2001 and 2002
  • Host Integration Server 2000 and 2004
  • SNA Server 4.0

Furthermore, MBSA supports Office 2000, XP, and 2003, but in
this release it can check for Office updates only on the local machine, not
on remote targets. Earlier versions of MBSA checked only Windows, Internet
Explorer, Windows Media Player, and IIS updates.

It’s important to note that MBSA does not currently support
embedded Windows or any of the 64-bit editions of Windows. The same is
true of Windows 95, 98, and Me: if you still have those machines in your
organization, MBSA will not scan them, so they will be absent from its reports.

Yo quiero MBSA

Even though Spanish isn’t supported, MBSA 1.2, together with the
associated mssecure.xml data file, is available in four localized versions:
English, French, German, and Japanese. The scanner automatically downloads
and uses the matching mssecure.xml. For non-supported languages, MBSA 1.2
falls back to the English mssecure.xml and disables checksum checks. Bear in
mind what that means: without the checksum comparison, a patch is confirmed
from registry and file-version data alone, so a "patched" result on such a
machine carries less certainty than the same result on an English system.

Doctor, heal thyself

MBSA 1.2 also scans for common configurations that can
expose a machine to attack. For example, it can now check that a scanned
machine has the Internet Connection Firewall enabled and report which ports
are open to external traffic. A scan can also verify that Automatic Updates
are enabled and that the Internet Explorer zone configuration is appropriate;
this check covers custom Internet Explorer zones as well as the built-in ones.

For Windows Server 2003, MBSA also examines the Internet
Explorer Enhanced Security Configuration and reports any potential problems.
Finally, it now checks itself to make sure you’re running the most recent
version.

New and improved

MBSA 1.2 includes two new command line switches: -unicode
and -nvc. The -unicode switch makes MBSA write its output as Unicode, which
the Japanese version needs, while -nvc stops MBSA from checking whether a
newer version of itself is available, which is useful for scripted or
scheduled runs.
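The switches above are meant for mbsacli.exe, the command-line front end that installs alongside the GUI. As an added example (not from the original article and not Microsoft's code), here is how -nvc fits into a scripted run over several machines. The install path is the article's default; the /c target switch and the "Check failed" wording in the console output are assumptions about mbsacli's interface, so confirm them with mbsacli /? before relying on the script.

```powershell
# Added example, not MBSA's own code: scan several machines from one console
# with mbsacli.exe and keep one text report per target.
# Assumptions: default install path from the article; the /c switch and the
# "Check failed" wording are assumed and should be confirmed with mbsacli /?.
$mbsacli   = 'C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe'
$reportDir = 'C:\MBSA-Reports'
# Constructed sample list; the account running the script needs admin rights
# on every target, exactly as the GUI scan does.
$targets   = @('CORP\SRV01', 'CORP\SRV02', 'CORP\WKS17')

if (-not (Test-Path $reportDir)) {
    New-Item -ItemType Directory -Path $reportDir | Out-Null
}

foreach ($t in $targets) {
    $report = Join-Path $reportDir (($t -replace '\\', '_') + '.txt')
    # /nvc (from the article) suppresses the version check on every run;
    # add /unicode only when the Japanese build's output must be kept intact.
    # Console output (and errors) are captured with PowerShell redirection.
    & $mbsacli /c $t /nvc 2>&1 | Set-Content -Path $report
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$t : mbsacli exited with code $LASTEXITCODE"
        continue
    }
    # Quick summary: count lines the report marks as failed checks (assumed wording).
    $failed = @(Select-String -Path $report -Pattern 'Check failed' -SimpleMatch).Count
    "{0,-14} failed checks: {1}" -f $t, $failed
}
```

The per-target files are what you keep for trend comparison between runs; the one-line summary is only there so a failed target stands out in a scheduled-task log.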

Get MBSA 1.2 and go

You can install MBSA 1.2 on any recent version of Windows,
including 2000, XP, and Server 2003. MBSA 1.2 is available as a free download from
Microsoft’s Web site.

Installation

MBSA 1.2 downloads as a single .msi file. To install the
product, double-click the .msi file. As usual with software installations, you’ll
get a page of licensing terms to which you need to agree, and you’ll be asked which
directory you’d like to install the product into. By default, MBSA 1.2 installs
to C:\Program Files\Microsoft Baseline Security Analyzer. After you provide this
information, installation completes very quickly and doesn’t even require a
reboot.

Using MBSA 1.2

Following installation, run MBSA by double-clicking the icon
it creates on the desktop. You’ll be presented with the screen shown in Figure A.

Figure A

MBSA in action

Notice the option menu along the left side of the window.
The items are self-explanatory and say exactly what will happen.
The security report options are grayed out because no scans have been run yet.
For this example, I’ll scan a single Windows Server 2003 computer with every
check enabled, but I won’t point MBSA at a SUS server. I chose a Windows Server
2003 computer rather than an XP system because the results are more interesting
(shares, the locked-down Internet Explorer configuration, and so on). The 2003
scan does everything an XP scan would do (Figure B).

Figure B

Scan the machine listed using every technique to look for problems.

When you start the scan, the most current mssecure.xml file
is downloaded and, provided the account you’re using has administrative rights
on the target (a remote target must also have the Remote Registry service
running and its administrative shares reachable), the machine is scanned and
an extremely detailed report is generated.

Reporting

I really like the extremely detailed but very easy-to-handle reporting that
comes out of MBSA 1.2. I especially like the fact that, besides just saying
“Yep, you have a problem,” the reports tell you exactly what the problem is
and, more importantly, how to correct it. See Figure C for an example.

Figure C

MBSA 1.2 has excellent, detailed reports.

Notice in Figure C that two of the five items were of
concern: Office Security Updates and Windows Security Updates. Next to each
item of concern are three links. The first link tells you what was scanned; the
second link provides the results of that particular scan; the third link pops
up a window that tells you how to correct the problem. Clicking Result Details
for the Office Security Updates check on this machine provides the details
shown in Figure D.

Figure D

Some Office updates need to be installed on this computer.

MBSA also scans for other potential security problems on the
machine, as shown in Figure E. In
this particular scan, it detected four items of concern, including multiple
Administrator accounts and non-expiring passwords; it also noticed that
Automatic Updates was disabled. As above, a link to instructions for correcting
each of these problems is provided.

Figure E

Checks other than software updates are part of this invaluable tool.
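The three Figure E findings are worth confirming by hand, either to verify a fix before the next scan or to see what MBSA is actually looking at. The following is an added example, not part of the article and not MBSA's code, that checks the same three conditions on the local machine. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember and Get-LocalUser), the documented Automatic Updates registry values, and the threshold MBSA's report wording suggests for the Administrators check (more than two members is flagged); on a domain member, Group Policy may override the registry values read here.

```powershell
# Added example, not from the article and not MBSA's code: re-check the three
# Figure E findings by hand on the local machine.
# Assumptions: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts cmdlets),
# the documented Automatic Updates registry values, and an assumed MBSA
# threshold of "more than two members of Administrators" for the first check.

function Get-AdministratorsCheck {
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    [pscustomobject]@{
        Check   = 'Administrators'
        Passed  = ($members.Count -le 2)
        Details = ($members.Name -join ', ')
    }
}

function Get-PasswordExpirationCheck {
    # Get-LocalUser reports PasswordExpires as $null when the password never expires.
    $never = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires })
    [pscustomobject]@{
        Check   = 'Password Expiration'
        Passed  = ($never.Count -eq 0)
        Details = ($never.Name -join ', ')
    }
}

function Get-AutomaticUpdatesCheck {
    # A policy value (set by Group Policy) overrides the local preference.
    # NoAutoUpdate = 1, or AUOptions = 1, both mean Automatic Updates is disabled.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $pref   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $enabled = $true
    $source  = 'no explicit setting (default: enabled)'
    if ($policy -and $null -ne $policy.NoAutoUpdate) {
        $enabled = ($policy.NoAutoUpdate -ne 1); $source = 'policy NoAutoUpdate'
    } elseif ($policy -and $null -ne $policy.AUOptions) {
        $enabled = ($policy.AUOptions -ne 1);    $source = 'policy AUOptions'
    } elseif ($pref -and $null -ne $pref.AUOptions) {
        $enabled = ($pref.AUOptions -ne 1);      $source = 'local AUOptions'
    }
    [pscustomobject]@{
        Check   = 'Automatic Updates'
        Passed  = $enabled
        Details = $source
    }
}

@(Get-AdministratorsCheck; Get-PasswordExpirationCheck; Get-AutomaticUpdatesCheck) |
    Format-Table Check, Passed, Details -AutoSize
```

Run it in an elevated console so the group membership and the HKLM keys are readable. Unlike MBSA, the script does not consult mssecure.xml, so it says nothing about missing updates; it only reproduces the configuration checks shown in Figure E.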

Why haven’t you downloaded this already?

With an abundance of new features and capabilities, MBSA 1.2
is a must-have for any server administrator’s security toolkit. Supporting a
huge number of Microsoft applications, MBSA can serve you in two ways. First,
it will help you keep your servers protected from problems; second, with
powerful reporting capabilities, it can help you actually learn why you need to do the things that are suggested so you can
make an educated decision as to whether something is an acceptable risk in your
environment.