Microsoft Baseline Security Analyzer v1.2.1

by Daniel Petri - January 8, 2009

(MBSA 1.2.1 was released in the middle of August 2004 and replaces MBSA 1.2)

MBSA Version 1.2.1 is a tool designed for the IT Professional that helps with the assessment phase of an overall security management strategy. MBSA Version 1.2.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems.

MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, Internet Explorer, Office, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server.

What's New in MBSA V1.2.1

MBSA 1.2.1 includes all the great scanning abilities of 1.2 and adds these additional features:

  • Support for Windows XP Service Pack 2 security enhancement
  • Clear guidance for locating updates and necessary actions
  • Prioritize results more easily by showing summary counts for each score

Localization:

  • MBSA releases are now available for German, Japanese, and French.
  • The mssecure.xml file will be localized to these four languages. Once the localized files are available in the Microsoft Download Center, the tool will automatically download and use them when a German, Japanese, or French machine is scanned.

Additional Product Support:

  • MBSA can scan for security updates in the following products:
    • Microsoft Office (local scans only)
    • Exchange Server 2003
    • MDAC 2.5, 2.6, 2.7, and 2.8
    • Microsoft Virtual Machine
    • MSXML 2.5, 2.6, 3.0, and 4.0
    • BizTalk Server 2000, 2002, and 2004
    • Commerce Server 2000 and 2002
    • Content Management Server 2001 and 2002
    • Host Integration Server 2000, 2004, and SNA Server 4.0

Alternate File Version Support (allows multiple sets of file details to be checked in security updates scan)

Additional Configuration Checks:

  • Internet Connection Firewall configuration check
  • Automatic Updates configuration check
  • IE zone configuration checks (custom IE zone interpretation, Internet Explorer Enhanced Security Configuration checks for Windows Server 2003)
  • MBSA tool version check (for new MBSA releases)
  • Additional MBSA CLI Switches (-unicode, -nvc)

Download MBSA v1.2.1 HERE (1.6mb)

System Requirements

The following list describes the system requirements to scan a local computer:

  • Windows Server 2003, Windows 2000, or Windows XP.
  • Internet Explorer 5.01 or later.
  • An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
  • The Workstation service and the Server service must be running.
  • You must have the World Wide Web Service to perform local IIS administrative vulnerability checks.

The following list describes the system requirements for a computer that is running the tool and scanning remote computers:

  • Windows Server 2003, Windows 2000, or Windows XP.
  • Internet Explorer 5.01 or later.
  • An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article for information about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
  • The IIS Common Files are required on the computer where the tool is installed to perform remote scans of IIS computers.

Note: The IIS 6.0 Common Files are required on the local machine when you remotely scan an IIS 6.0 server.

  • The Workstation service and Client for Microsoft Networks are turned on.

The following list describes the system requirements for the computer you want to scan remotely by using the tool:

  • Windows NT 4.0 Service Pack 4 (SP4) and later, Windows 2000, Windows XP (local scans only on Windows XP-based computers that use simple file sharing), or Windows Server 2003.
  • IIS 4.0, 5.0, 5.1 or 6.0 (to perform IIS vulnerability checks).
  • Internet Explorer 5.01 or later (to perform Internet Explorer security zones checks).
  • SQL 7.0, 2000 (to perform SQL vulnerability checks).
  • Office 2000, Office XP, or Office 2003 (to perform Office vulnerability checks).
  • The following services must be installed: Server service, Remote Registry service, File and Print Sharing.

Users who perform the scan must have local administrative credentials on each computer that they want to scan, regardless of whether they perform a local scan or a remote scan.

Note: For remote scans, the administrative shares must be enabled on the scanned computer for MBSA to successfully connect and perform the scan.
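
The remote-scan prerequisites listed above (Server service, Remote Registry service, administrative shares, local administrator rights) can be verified before a scan is launched. The following PowerShell is an added example, not part of the original article or of MBSA itself; it assumes Windows PowerShell 5.1, and the function name Test-MbsaRemoteTarget and the host names SRV01 and SRV02 are hypothetical.

```powershell
# Added example: pre-scan readiness check for MBSA remote targets.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not
# available in PowerShell 6 and later).
function Test-MbsaRemoteTarget {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Short names of the "Server" and "Remote Registry" services.
    $required = 'LanmanServer', 'RemoteRegistry'

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName   = $computer
            LanmanServer   = 'Unknown'
            RemoteRegistry = 'Unknown'
            AdminShare     = $false
            Ready          = $false
        }

        foreach ($name in $required) {
            try {
                $svc = Get-Service -ComputerName $computer -Name $name -ErrorAction Stop
                $result[$name] = $svc.Status.ToString()
            } catch {
                # Host unreachable, access denied, or service not installed.
                $result[$name] = 'QueryFailed'
            }
        }

        # ADMIN$ answers only when file sharing works, the administrative
        # shares are enabled, and the caller is a local administrator.
        try {
            $result['AdminShare'] = [bool](Test-Path -Path "\\$computer\ADMIN`$" -ErrorAction Stop)
        } catch {
            $result['AdminShare'] = $false
        }

        $result['Ready'] = ($result['LanmanServer'] -eq 'Running') -and
                           ($result['RemoteRegistry'] -eq 'Running') -and
                           $result['AdminShare']
        [pscustomobject]$result
    }
}

# Hypothetical host names; replace with the computers you plan to scan.
Test-MbsaRemoteTarget -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
```

When both services report Running but AdminShare is False, the usual causes are disabled administrative shares or an account that lacks local administrator rights on the target.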

You must have Internet access to download the Mssecure.cab file from the Microsoft Download Center. Mssecure.cab is used for the security updates scan. If a previous copy of the Mssecure.cab file was downloaded during a prior scan, MBSA will try to use the locally cached copy if an Internet connection is not detected.

Download the Latest Mssecure.cab

How to obtain the MSXML parser

XML parsers have shipped in Internet Explorer 5.01 and later. However, Microsoft recommends that you use the latest version of Internet Explorer and the latest version of the MSXML parser.

Download MSXML 4.0 Service Pack 2 (Microsoft XML Core Services) (5.2mb)

Notes About Scanning

Scan Reports

Scan reports are stored on the computer where the tool is installed in the %userprofile%\SecurityScans folder. An individual security report is created for each computer that is scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans that are created by the tool in this folder.

Security Updates Scan

By default, a security update scan that you carry out from the MBSA GUI or from Mbsacli.exe scans and reports missing updates that Windows Update marks as critical security updates (also known as baseline critical security updates). When you carry out a security update scan from Mbsacli.exe by using the /hf switch, all security-related security updates are scanned and reported on. A user who runs an HFNetChk-style scan must use the -b option to scan only for Windows Update critical security updates.

Password Checks

The password checks can add a lot of time to a scan, depending on the computer role and the number of user accounts on the computer. Additionally, attempts to check individual accounts for weak passwords can add Security log entries (logon or logoff events) if auditing is enabled on the computer. MBSA resets any account lockout policies that are detected on the computer so that no individual user accounts are locked out during the password check. This check is not performed on domain controllers.

If you do not select this option before you scan a computer, neither the local Windows nor the SQL account password checks will be performed.

IIS Checks

The IIS 6.0 Common Files are required on the local machine that is used to remotely scan an IIS 6.0 server. The IIS 6.0 Common Files can be used to also scan earlier versions of IIS machines (for example, IIS 5.0). However, the IIS 5.0 Common Files cannot be used to remotely connect to and scan a computer that is running IIS 6.0.

SQL Server Checks

The tool checks for vulnerabilities on each instance of SQL Server that it finds on the computer. It performs all the individual SQL checks on each instance.

Localized Windows Builds

MBSA version 1.2.1 can scan English, German, French, and Japanese localized versions of the Windows operating system. This support includes the ability to download localized versions of the Mssecure.xml file from Microsoft. Checksum checks will not be performed when you scan a non-English computer for missing security updates without the associated localized Mssecure.xml file.

(Screenshot of the opening screen)

(Multiple computer scanning option)

After the scanning is complete you'll get a summary of all the issues that were scanned and their status.

(Screenshot of a sample scan report)

Every scanned issue has 2 or 3 options you can work with. One is to see what was scanned. The second is to see the scan results, and the third is a page that will help you fix the problems (if there were any).

(Screenshot of sample result details)

Links

Download MBSA v1.2.1 HERE (1.6mb)

Microsoft Security Baseline Analyzer

Microsoft Baseline Security Analyzer (MBSA) Version 1.2.1 Is Available - 320454 (Details on new features, scanning options, and bug fixes in V1.2.1)

Microsoft Baseline Security Analyzer (MBSA) Q&A

White Paper: Microsoft Baseline Security Analyzer V1.2.1

How to script MBSA V1.2.1 including sample roll-up scripts


