MBSA HELP

Help file contents:

 System Requirements

 Tool Security Checks

 Tool Scanning Options

 Command Line Options

 Notes on Scanning

 Reporting Bugs or Requesting Support


SYSTEM REQUIREMENTS

The following are required on a machine running the tool:

 - Windows 2000 or Windows XP

 - Internet Explorer 5.01 or greater

 - An XML parser (MSXML version 3.0 SP2) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.0 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not install the XML parser that is bundled with the tool, please refer to the readme file in the MBSA installation folder on obtaining an XML parser separately.

 - The IIS Common Files are required on the computer on which the tool is installed if performing remote scans against IIS computers.

The following are required on a machine to be scanned by the tool:

 - Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP (local scans only on Windows XP computers that use simple file sharing)

 - IIS 4.0, 5.0 (required for IIS vulnerability checks)

 - Internet Explorer 5.01 or greater

 - SQL 7.0, 2000 (required for SQL vulnerability checks)

 - Microsoft Office 2000, XP (required for Office vulnerability checks)


Users must have local Administrative privileges on each machine being scanned, whether a local or remote scan is being performed. The Server service (as well as the Remote Registry service on Windows 2000 and Windows XP) must be running on all systems being scanned.

Please see Q303215 for more information on these services.

Note: the tool will scan against Windows .Net Server but this operating system is not officially supported in V1.

TOOL SECURITY CHECKS

MBSA V1 checks for the following security settings during a full scan. Clicking on each check will display its associated description file with more details.

Windows checks

Check for missing hotfixes and service packs
Check for account password expiration
Check for file system type on hard drives
Check if autologon feature is enabled
Check if the Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank and/or simple local user account passwords
Check if unnecessary services are running
List the shares present on the computer
Check if auditing is enabled
Check the Windows version running on the scanned computer

IIS checks

Check if the IIS Lockdown tool (Version 2.1) was run on the computer
Check if the IIS sample applications are installed
Check if parent paths are enabled
Check for missing IIS hotfixes
Check if the IIS Admin virtual directory is installed
Check if the MSADC and Scripts virtual directories are installed
Check if IIS logging is enabled
Check if IIS is running on a Domain Controller

SQL checks

Check if Administrators group belongs to sysadmin role
Check if CmdExec role is restricted to sysadmin only
Check if SQL Server is running on a Domain Controller
Check if sa account password is exposed
Check SQL installation folders access permissions
Check if Guest account has database access
Check if the Everyone group has access to SQL registry keys
Check if SQL service accounts are members of the local Administrators group
Check if SQL accounts have blank or simple passwords
Check for missing SQL hotfixes
Check the SQL Server authentication mode type
Check the number of sysadmin role members

Desktop application checks

List the Internet Explorer security zone settings per each local user
List the Outlook security zone settings per each local user
List the Office products security zone settings per each local user

TOOL SCANNING OPTIONS

The following parts of a scan are optional and can be disabled in the tool UI prior to scanning a computer:

 - Windows Operating System (OS) checks

 - IIS checks

 - SQL checks

 - Hotfix checks

 - Password checks

Note that the hotfix checks performed on the computer use a custom version of the HFNetChk tool, which is automatically installed during setup.

If hotfix checks are not performed using the Microsoft Baseline Security Analyzer, users can download the HFNetChk tool separately from:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp

COMMAND LINE OPTIONS

The tool can be run from the command line using "mbsacli.exe" with the following parameters:

Selecting computer to scan

<no option> - Scan the local computer

/c <domainname>\<computername> - Scan the named computer

/i <xxx.xxx.xxx.xxx> - Scan the computer at the named IP address

/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan a range of IP addresses

/d <domainname> - Scan the named domain

Selecting which scan options NOT to perform (options can be concatenated, for example /n OS+IIS+Hotfix)

/n IIS - Skip IIS checks

/n OS - Skip Windows Operating System (OS) checks

/n Password - Skip password checks

/n SQL - Skip SQL checks

/n Hotfix - Skip Hotfix checks

Specifying output file name template

/o %domain% - %computername% (%date%)

Displaying results and details

/e - List errors from latest scan

/l - List all reports available

/ls - List of reports from latest scan

/lr <report name> - Display overview report

/ld <report name> - Display detailed report

Miscellaneous options

/? - Usage help

/qp - Don't display progress

/qe - Don't display error list

/qr - Don't display report list

/q - Don't display any of the above

/f - Redirect output to a file


NOTES ON SCANNING

Scan Reports

Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this directory.

Password Checks

The password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note that the tool will reset any account lockout policies detected on the computer so as to not lock out any individual user accounts during the password check. This check is not performed on domain controllers.
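The following PowerShell script is an added example, not part of the MBSA help file or the tool's own code. It runs a local mbsacli.exe scan using the command line options documented above, lists the errors and reports from that scan, shows which report files appeared under %userprofile%\SecurityScans, and checks afterwards that the local account lockout policy (which the password check resets) reads the same as before the scan. The install path and the use of the built-in "net accounts" command for the policy snapshot are assumptions; mbsacli.exe exit codes are not documented on this page, so the script does not rely on them.

```powershell
# Added example (not from the MBSA help file): local mbsacli.exe scan wrapper.
# Assumed: mbsacli.exe lives under the install folder below; 'net accounts'
# prints the local lockout policy as "Lockout ...: value" lines.

$MbsaCli = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer\mbsacli.exe'  # assumed location
if (-not (Test-Path $MbsaCli)) { throw "mbsacli.exe not found at $MbsaCli" }

function Get-LockoutPolicy {
    # Parse the 'Lockout ...:' lines of the built-in 'net accounts' output into a hashtable
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Lockout[^:]*):\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
    }
    return $policy
}

# Reports are written under %userprofile%\SecurityScans; remember what is there already
$ReportDir     = Join-Path $env:USERPROFILE 'SecurityScans'
$reportsBefore = @(Get-ChildItem -Path $ReportDir -File -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
$policyBefore  = Get-LockoutPolicy

# Local scan (no /c, /i, /r or /d): skip IIS and SQL checks, keep hotfix and
# password checks, name the report with the documented template, hide progress.
& $MbsaCli /n IIS+SQL /o '%domain% - %computername% (%date%)' /qp

# /e lists errors from the latest scan; /ls lists the reports it wrote
& $MbsaCli /e
& $MbsaCli /ls

# Report files created by this run
Get-ChildItem -Path $ReportDir -File -ErrorAction SilentlyContinue |
    Where-Object { $reportsBefore -notcontains $_.Name } |
    Select-Object Name, LastWriteTime

# Confirm the lockout policy reads the same after the password check as before it
$policyAfter = Get-LockoutPolicy
foreach ($key in $policyBefore.Keys) {
    if ($policyBefore[$key] -ne $policyAfter[$key]) {
        Write-Warning "$key changed: '$($policyBefore[$key])' -> '$($policyAfter[$key])'"
    }
}
```

The /o template is passed in single quotes so that PowerShell hands the literal %domain%, %computername% and %date% placeholders to mbsacli.exe rather than expanding them itself. For a remote target, replace the scan line with the /c <domainname>\<computername> form; the lockout comparison then only covers the machine running the script, since "net accounts" without /domain reports the local policy.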

SQL Checks

The tool checks for vulnerabilities on the first (DEFAULT) instance of SQL Server found on the computer. If the DEFAULT instance is not found, the tool will check for the first named instance found. Scanning multiple versions of SQL may be supported in a future version of the tool.

In addition, the hotfix checker in V1 will report all available hotfixes from Microsoft, but may not be able to confirm the presence of all SQL-related hotfixes. This is due to a limitation in scanning each instance of SQL Server and will be addressed in future MBSA versions.

Error Reporting

MBSA will display errors if any of the following occur:

REPORTING BUGS OR REQUESTING SUPPORT

Please email bug reports or questions to mbsafdbk@microsoft.com

When reporting bugs to this alias, please include the following information:

 - Operating System and Service Pack version on the machine running the tool,

 - Operating System and Service Pack version of the machine being scanned,

 - Internet Explorer version,

 - Tool version information located in the About Microsoft Baseline Security Analyzer window (in the tool GUI)