Thank you for installing Microsoft Baseline Security Analyzer Version 1.0 (V1).
How to use the Microsoft Baseline Security Analyzer
System and Language Applicability
Reporting Bugs or Providing Feedback
The GUI version of the tool is run by executing MBSA.exe from the directory in which the tool was installed. The command line version is run by
executing mbsacli.exe in a command window.
Microsoft Baseline Security Analyzer V1 may be run on Windows 2000 or Windows XP machines. It can perform scans against Windows NT 4, Windows 2000, and Windows XP machines. Note: Only local scans can be performed against Windows XP Home Edition and Windows XP Professional machines that use the simple file sharing model. This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems.
Microsoft Baseline Security Analyzer is currently not localized for languages other than English. Localization will be included in a future version of the tool.
The following are required on a machine running the tool:
- Windows 2000 or Windows XP
- Internet Explorer 5.01 or greater
- An XML parser (MSXML version 3.0 SP2) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.0 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.
- The IIS Common Files are required on the computer on which the tool is installed if performing remote scans against IIS computers.
The following are required on a machine to be scanned by the tool:
- Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP (local scans only on Windows XP computers that use simple file sharing)
- IIS 4.0, 5.0 (required for IIS vulnerability checks)
- Internet Explorer 5.01 or greater
- SQL 7.0, 2000 (required for SQL vulnerability checks)
- Microsoft Office 2000, XP (required for Office vulnerability checks)
Users must have local Administrative privileges on each machine being scanned,
whether a local or remote scan is being performed. The Server service (as well as the Remote Registry
service on Windows 2000 and Windows XP) is required to be running on all
systems being scanned.
Please see Q303215 for more information on these services.
Note: the tool will scan against Windows .Net Server but this operating system is not officially supported in V1.
XML parsers have shipped in each version of Internet Explorer since IE 5.0. If you are running IE 5.0 or greater, you do not need to install a separate parser*.
- If you are running an earlier version of Internet Explorer and do not wish to upgrade to IE 5.0 or greater, you may download and install a standalone version of the Microsoft XML parser.
MSXML version 3.0 SP2 is available from the following location:
(above URL may have been wrapped for readability)
Additional information on the Microsoft XML parser is available from
http://www.microsoft.com/xml
- If you are running IE 5.0 or greater and the tool is still unable to read or locate the XML file, there is a chance that another application may have "unregistered" the XML parser.
To "re-register" the XML parser, please type the following at a command prompt:
'regsvr32 msxml.dll' (without the quotes)
The following parts of a scan are optional and can be disabled in the tool UI prior to scanning a computer:
- Windows Operating System (OS) checks
- IIS checks
- SQL checks
- Hotfix checks
- Password checks
Note the hotfix checks performed on the computer use a custom version of the HFNetChk tool which is automatically installed during setup.
If hotfix checks are not performed using the Microsoft Baseline Security Analyzer, users can download the HFNetChk tool separately from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp.
The tool can be run from the command line using "mbsacli.exe" with the following parameters:
<no option> - Scan the local computer
/c <domainname>\<computername> - Scan the named computer
/i <xxx.xxx.xxx.xxx> - Scan the named IP
/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses
/d <domainname> - scan named domain
/n IIS - Skip IIS checks
/n OS - Skip Windows Operating System (OS) checks
/n Password - Skip password checks
/n SQL - Skip SQL checks
/n Hotfix - Skip Hotfix checks
/o %domain% - %computername% (%date%)
/e - List errors from latest scan
/l - List all reports available
/ls - List of reports from latest scan
/lr <report name> - Display overview report
/ld <report name> - Display detailed report
/? - Usage help
/qp - Don't display progress
/qe - Don't display error list
/qr - Don't display report list
/q - Don't display any of the above
/f - Redirect output to a file
Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this directory.
The password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition,
attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note
the tool will reset any account lockout policies detected on the computer so as to not lockout any individual user accounts during the password check. This check is not performed on domain controllers.
The tool checks for vulnerabilities on the first (DEFAULT) instance of SQL Server found on the computer. If the DEFAULT instance is not found,
the tool will check for the first named instance found. Scanning multiple versions of SQL may be supported in a future version of the tool.
Please email bug reports or questions to
When reporting bugs to this alias, please include the following information:
- Operating System and Service Pack version on the machine running the tool,
- Operating System and Service Pack version of the machine being scanned,
- Internet Explorer version,
- Tool version information located in the About Microsoft Baseline Security Analyzer window (in the tool GUI)
Microsoft Baseline Security Analyzer was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com/security).