Microsoft Baseline Security Analyzer Help

Release Notes for MBSA Version 2.0

For the most up-to-date information about this release, see Release notes for MBSA version 2.0.


Getting Started

Microsoft® Baseline Security Analyzer (MBSA) version 2.0 lets you assess the administrative vulnerabilities present on one or more computers. MBSA scans the specified computers and then generates a report that contains details for each computer about the security checks that MBSA performed, the results, and recommendations for fixing any problems. In addition to checking for misconfigurations that might cause security problems in the operating system, you can check for security problems in Microsoft SQL Server and Microsoft Internet Information Services (IIS). You can also determine whether a computer has the most current Microsoft Windows® and Microsoft Office updates installed, and you can check for security updates, update rollups, and service packs for other products hosted by the Windows Update site.

MBSA 2.0 is integrated with Windows Server Update Services (Update Services), ensuring that MBSA uses the most current Update Services update catalog when scanning computers with an assigned Update Services server. If the Update Services server is not available, or a computer is not assigned an Update Services server, MBSA uses a cached offline catalog (if available) or downloads the current catalog available from the Microsoft Windows Update site.

The following sections describe the minimum required configuration of computers that run MBSA or are scanned by MBSA, outline the types of security scans you can choose to perform, and explain options for configuring target computers.

System Requirements

This section describes the system requirements for computers running or being scanned by MBSA.

Requirements for Running MBSA to Scan the Local Computer

Requirements for Running MBSA to Scan Remote Computers

Requirements for a Computer to Be Scanned Remotely

To run MBSA, you must be logged on with an account that has local administrative privileges on each computer being scanned either locally or remotely.

Internet access is required on the computer running MBSA in order to download an offline catalog (CAB) file from the Microsoft Web site. If a copy of the file was downloaded during a prior scan, the tool attempts to use the locally cached copy when no Internet connection is detected. Whether the file is downloaded and used for a scan depends on whether the target computer can reach the Microsoft Update site: if it can, MBSA can perform a more efficient scan that uses less network bandwidth than the .cab file.

Obtaining an XML Parser

XML parsers have shipped in each version of Internet Explorer since version 5.01. However, it is recommended to have the latest version of Internet Explorer and the latest version of the MSXML parser installed.

The latest version of the MSXML parser is available from the Microsoft Web site.

Additional information on the Microsoft XML parser is available from the Microsoft XML Developer Center.

Scanning Options

The following checks are optional. Before scanning a computer, you can choose whether or not to run these checks. See Scanning Options for more details.

Check for Windows administrative vulnerabilities
Selecting this option scans for problems with the way that Windows is configured on the target computer. Such factors as the number of members of the local Administrators group, file-system type, and whether Windows Firewall is enabled are checked and reported.
Check for weak passwords
Selecting this option tests the passwords of local user accounts to determine whether any are blank or have other problems that might allow them to be guessed easily.
Check for IIS administrative vulnerabilities
Selecting this option checks for Internet Information Services (IIS) administrative vulnerabilities. When scanning servers running IIS, the computer running MBSA must have the Common Files installed for the highest version of IIS to be scanned. For example, to scan servers running IIS 6.0, the IIS 6.0 Common Files must be installed on the computer running MBSA.
Check for SQL Server administrative vulnerabilities
Selecting this option checks for administrative vulnerabilities on each instance of Microsoft SQL Server, Microsoft Data Engine, or Microsoft SQL Server 2000 Desktop Engine (MSDE) running on the target computer.

Check for security updates
Selecting this option checks the target computer for missing Microsoft Windows and Microsoft Office updates. When you select this option, you can also specify the following options:
Configure computers for Microsoft Update and scanning prerequisites
Selecting this option installs the current version of Microsoft Update Agent on the target computer if it is absent or out of date and configures the target computer to meet other requirements for scanning for security updates.
Scan using Update Services servers only
Selecting this option scans only for those security updates that are approved on the computer's Update Services server. The Microsoft Update Web site or an offline catalog are not used.
Scan using Microsoft Update only
Selecting this option uses only the security update catalog downloaded from the Microsoft Update Web site to determine the updates to be checked. Updates that are not approved on the computer's Update Services server are reported as though they were approved.


Security Checks

This section lists the security settings that Microsoft Baseline Security Analyzer version 2.0 checks during a full scan. Note that if a product is not installed on a computer being scanned, the corresponding product checks will not be performed and will not be reflected in the MBSA scan reports.

Security update checks

Scanning computers for security updates utilizes Windows Server Update Services. MBSA provides integration for Update Services administrators and is a comprehensive standalone tool for the information technology professional.

Check for security updates, update rollups, and service packs published to Microsoft Update

Windows checks

Check for account password expiration
Check for file system type on hard drives
Check if Auto Logon feature is enabled
Check if Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank or simple local user account passwords
Check if unnecessary services are running
List the shares present on the computer
Check if Windows auditing is enabled
Check the Windows version running on the scanned computer
Check if Internet Connection Firewall is enabled
Check if Automatic Updates is enabled
Check if incomplete updates require the computer to be restarted

IIS checks

Check if the IIS Lockdown tool (version 2.1) was run on the computer
Check if IIS sample applications are installed
Check if IIS parent paths are enabled
Check if the IIS Admin virtual folder is installed
Check if the MSADC and Scripts virtual directories are installed
Check if IIS logging is enabled
Check if IIS is running on a domain controller

SQL Server checks

Check if Administrators group belongs in Sysadmin role
Check if CmdExec role is restricted to Sysadmin only
Check if SQL Server is running on a domain controller
Check if sa account password is exposed
Check SQL Server installation folders access permissions
Check if Guest account has database access
Check if Everyone group has access to SQL Server registry keys
Check if SQL Server service accounts are members of the local Administrators group
Check if SQL Server accounts have blank or simple passwords
Check the SQL Server authentication mode type
Check the number of Sysadmin role members

Desktop application checks

List the Internet Explorer security zone settings for each local user
Check if Internet Explorer Enhanced Security Configuration is enabled for Administrators
Check if Internet Explorer Enhanced Security Configuration is enabled for non-Administrators
List the Office products security zone settings for each local user


Command-Line Tool

Instead of the MBSA graphical user interface (GUI) tool, you can use the MBSA command-line tool to perform local and remote security scans and to display reports from previous scans. The tool is located in the directory where MBSA 2.0 was installed (by default, %programfiles%\Microsoft Baseline Security Analyzer 2).

Syntax

To perform a full scan of one or more computers:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n option[+option...]]  
        [/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/listfile file]  [/wa | /wi] 
        [/catalog file] [/nvc] [/nai] [/nm] [/nd] [/u username /p password] 

To scan the local computer for updates only, sending the results to standard output (STDOUT) in XML:

MBSACLI [/xmlout] [/unicode] [/wa | /wi] [/nd] [/catalog file] 

To scan one or more computers for updates only, creating reports that can be displayed by MBSA:

MBSACLI [/target {[domain\]computer | IP} | /r IP-IP | /d domain] [/n OS+IIS+SQL+Password] 
        [/o template] [/qp] [/qr] [/qe] [/qt] [/q] [/unicode] [/listfile file] 
        [/wa | /wi] [/catalog file] [/nvc] [/nai] [/nm] [/nd] [/u username /p password] 

To display a report:

MBSACLI [/l] [/ls] [/lr report] [/ld report] [/nvc] 

To display usage information:

MBSACLI [/?]

Parameters

You cannot use any of these parameters more than once each time you run the command.

/target [domain\]computer | IP
Scans the specified computer. You can identify the computer by using its IP address or its name and, optionally, the domain to which it belongs.
/r IP-IP
Scans all the computers that are identified by a range of IP addresses.
/d domain
Scans all the computers in the specified domain.
/n option[+option...]
Excludes the specified scan types from the scan. You can specify the following options, separating them with a plus sign (+):
OS
Excludes Windows administrative vulnerability checks
SQL
Excludes SQL Server administrative vulnerability checks
IIS
Excludes IIS administrative vulnerability checks
Password
Excludes password vulnerability checks
/o template
Specifies the template that MBSA uses when naming the XML output file. You can use these symbols to represent computer-specific information:
%d%
Replaced with the name of the computer's domain
%c%
Replaced with the name of the computer
%t%
Replaced with the date and time when the scan was performed
%IP%
Replaced with the computer's IP address

The default file-name template is %d% - %c% (%t%).

You can also use the variable names that were supported by previous versions of MBSA: %domain%, %computername%, and %date%.

/qp
Does not display scan progress.
/qr
Does not display the report list.
/qe
Does not display the error list.
/qt
Does not display the text output after scanning a single computer.
/q
Does not display scan progress, the report list, the error list, or text output.
/listfile file
Scans the computers identified in a file. The file argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.
/xmlout
Checks the local computer for security updates only, displaying the results as XML text. To save the report in a file, use command redirection to redirect standard output (STDOUT) to a file, for example, mbsacli /xmlout > output.xml.

For more information about using this parameter, see Security Updates Scan.

/wa
Scans only for security updates that are approved on the computer's Update Services server. The Microsoft Update web site and the offline catalog are not used. This parameter cannot be used with the /wi parameter.
/wi
Uses only the Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. This parameter cannot be used with the /wa parameter. Use this parameter to scan computers whose assigned Update Services servers are not available.
/catalog file
Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care. The file argument must specify a file located on the computer performing the scan.
/nvc
Prevents MBSA from checking for a newer version of MBSA.
/nai
Prevents MBSA from installing or updating the Windows Update Agent on the computer being scanned. When this parameter is used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.
/nm
Scans computers by using an offline catalog instead of the Windows Update site. Depending on the size of the offline catalog and network load, using this parameter may cause MBSA to take more time or use more network bandwidth.
/nd
Does not download any files from the Microsoft Web site when scanning. Use this parameter to prevent the download of Wsusscan.cab, Muauth.cab, WindowsUpdateAgent20-x86.exe and WindowsUpdateAgent20-x64.exe during the scanning process. When this parameter is used, MBSA uses any previously downloaded copies of the files. If you want, you can download the files yourself and place them in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache. This parameter applies only to downloads from the Microsoft Web site to the scanning computer. Downloads from the scanning computer to the target computer are automatic and cannot be disabled if the corresponding features are used.
/u username /p password
Specifies the user name and password to be used when scanning a remote computer. The /u and /p parameters must be used together and cannot be used when scanning the local computer. The specified user must have administrative privileges on the computer being scanned. For security purposes, the password is not sent over the network in clear text. Instead, MBSA uses the Windows challenge-response mechanism to secure the authentication process.
/l
Lists all available reports.
/ls
Lists reports from the most recent scan.
/lr report
Displays an overview of the specified report.
/ld report
Displays the details of the specified report. When scanning a single computer, this is the default behavior unless the /qt parameter is used.
/unicode
Produces the report with Unicode characters. Users running Japanese MBSA or scanning computers running Japanese Windows should specify this parameter.
/?
Displays usage information for the command-line tool.

Selecting a computer to scan

Use the following parameters to specify the computer to be scanned. If you do not specify one of these parameters on the command line, MBSA scans the local computer, that is, the computer on which it is running.

/target [domain\]computer
Scans the named computer. The domain or workgroup name is optional.
/target nnn.nnn.nnn.nnn
Scans the computer identified by the specified IP address.
/r nnn.nnn.nnn.nnn-nnn.nnn.nnn.nnn
Scans the computers identified by a range of IP addresses.
/listfile filename
Scans each computer identified by name or IP address listed in the specified file. Place each computer name or IP address on a separate line in either an ASCII or Unicode format text file.
/d domain
Scans all computers in the specified domain.

Excluding specific checks

To exclude a specific check from a scan, use the /n parameter with the keyword for that check. The following are the keywords you can use with the /n parameter.

/n IIS
Skips IIS checks
/n OS
Skips Windows Operating System (OS) checks. This also skips the Internet Explorer and Outlook zone checks and the Office macro security checks.
/n Password
Skips password checks.
/n SQL
Skips SQL Server/MSDE checks.
/n Updates
Skips security update checks.

Specifying parameters for security update checks

The following parameters determine how a security update check is performed and reported.

/wa
Scans only using an assigned Update Services server. This parameter checks for security updates using only the computer's assigned Update Services server; MBSA does not use the Microsoft Update site or the offline catalog when scanning, and unapproved updates are not listed. This parameter cannot be used with the /wi parameter. If a scanned computer does not have an Update Services server assigned, the scan returns an error. Without this parameter, unapproved updates are displayed as an informational result.
/wi
Scans only using Microsoft Update. Updates that are not approved on the target computer's assigned Update Services server are shown as though they were approved. This parameter checks for security updates using only the Microsoft Update site or the offline catalog. It does not use the target computer's assigned Update Services server when scanning. This parameter cannot be used with the /wa parameter. Default is to show unapproved updates as an informational result.
/xmlout
Checks the local computer for security updates only, displaying the results as XML text.
/catalog file
Specifies the offline catalog containing the security update information to be used when scanning. The offline catalog must be a .cab file signed by Microsoft. The default offline catalog is Wsusscan.cab, which is downloaded from the Microsoft Web site. When this parameter is not used, Wsusscan.cab is downloaded from the Microsoft Web site if it is different from the locally cached version. Using this parameter prevents a newer file from being downloaded, and so should be used with care.
/nai
Prevents MBSA from installing or updating the Windows Update Agent on the computer being scanned. When this parameter is used, computers that do not have the required version of Automatic Updates will return an error in the report, and computers that do not have Windows Installer 3.0 or later may receive incomplete results from Microsoft Office and other products that require Windows Installer 3.0 for scanning.
/nm
Scans computers by using an offline catalog instead of the Windows Update site. Depending on the size of the offline catalog and network load, using this parameter may cause MBSA to take more time or use more network bandwidth.

Scanning only for security updates

Using /xmlout specifies that MBSA only checks for security updates and displays scan results as XML text in the command line window. Only the MBSA engine files (Mbsacli.exe and Wusscan.dll) are needed for this type of scanning, and only the parameters listed below can be used with this parameter:

When using the /xmlout parameter, you must explicitly redirect the XML output into a file using standard console redirection. Also, the XML results must be processed separately from MBSA because they use a different format than the full MBSA report files. The benefit of this parameter is that you can avoid installing the full MBSA 2.0 package when you only need to check for updates on a single computer. If the minimum system requirements are met, only the engine files are needed, and they can be copied from another computer that has a full installation.

Displaying results and details

You can use the MBSA command-line interface to list or display reports produced by previous scans. These report parameters cannot be combined with scanning parameters.

/l
Lists all the reports that are available.
/ls
Lists the reports from most recent scan.
/lr report
Displays an overview of the named report.
/ld report
Displays details of the named report. Unless the /qt parameter is used, this is the default behavior whenever MBSA scans a single computer.


General Notes

Scan Reports

Scan reports are stored on the computer on which MBSA is installed, in the SecurityScans folder of the user's profile (%userprofile%\SecurityScans). MBSA creates an individual security report for each computer that it scans, either locally or remotely. Report files are named with the file extension .mbsa, which is a registered file association for MBSA, so that clicking on the file in Windows Explorer will start MBSA to view the report.

Security Updates Scan

When you perform a security update scan, all security-related updates are checked and reported. If a target computer has a registered Update Services server, the report will indicate which updates have not been approved on the Update Services server using an informational score. When you select the Scan using Update Services servers only check box or use the /wa parameter on the command line, only security updates marked as approved by the Update Services administrator are checked and reported by MBSA.

In addition, updates that are installed and not yet superseded by another update will be included in the Current Update Compliance section of the report. When an update has been superseded by another update and both are installed, the report will only reflect the more recent update and not both. When available during update publication, related IDs will be included in the report as they have been listed in the Technical Details section of the security bulletin.

Security update checks are not performed for products that are not installed on a scanned computer, and these checks are not listed in the Security Update Scan Results table in the report.

For more information, see Scanning Options; you can also access this topic while running MBSA.

Partially Installed Updates

For updates installed by using Windows Update, Microsoft Update, or Automatic Updates that required a restart of the computer that was postponed by the user, the report will indicate that the update is not installed because the required reboot has not occurred. In this case, restarting the computer and scanning again will cause the update to report the proper installation status.

For updates that were installed by directly downloading or running the update, but for which a required system restart was postponed, MBSA will provide an indication of the pending restart under the Windows Check named Incomplete Updates. This capability is available only for those updates that were built using the standard installer (update.exe) with a minimum version of 6.1.22.0.

Localized Versions

MBSA 2.0 has console localization support for Japanese, German, and French, but has the ability to scan localized OS versions of the target computers independently of the console language. This is because all languages supported by Microsoft Update can be scanned equally, but the results are stored in the language of the MBSA console installation.

The following examples illustrate scenarios that may be encountered when using different languages of the operating system and of the MBSA console:

Remote (Network) Scans

MBSA can be used to scan a domain or a range of IP addresses from a central computer, provided the system requirements listed earlier in this topic are met. When performing remote scans, you must run MBSA while logged on with an account that has local administrative privileges on each computer being scanned. When using the MBSA command-line tool to perform scans, you can either run the tool while logged on with an account with local administrative privileges on each computer, or you can use the /u and /p parameters to supply the user name and password of such an account. In a multidomain environment where a firewall or filtering router separates the two networks (two separate Active Directory® domains), TCP ports 139 and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote servers being scanned.

Error Reporting

Microsoft Baseline Security Analyzer displays an error if any of the following occurs:


Security Implications of Remote Scanning

If you use MBSA to scan remote computers, you should be aware of two aspects that might affect your network's security.

Updating Windows Update Agent on Target Computers

When scanning a target computer for security updates, MBSA relies on Windows Update Agent (WUA) running on the target computer. If the target computer does not have the current version of WUA installed, MBSA by default installs the required version of WUA. If you are a network administrator and are concerned that a hostile user on the Local Area Network (LAN) might be able to intercept the WUA installation files and corrupt them or substitute malware (such as a Trojan horse program) for the installation files while they are being transmitted to the target computers, you can prevent this default behavior. (An MBSA user who is not a network administrator, such as a user scanning only the local computer, need not be concerned about this risk.) When using the Windows-based MBSA application, clear the Configure computers for Microsoft Update and scanning prerequisites check box before performing a security update scan. When using the MBSA command-line tool, specify the /nm and /nai options on the command line.
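As an added example that is not part of the MBSA documentation, the following PowerShell wrapper puts the recommendation above into practice: it passes /nai and /nm so MBSA never pushes installer files to the targets, adds /nd with a pinned /catalog so nothing is fetched from Microsoft in the middle of a scan, and refuses to run unless the staged Wsusscan.cab exists and carries a valid Microsoft Authenticode signature. The function name, the install and cache paths, the signer-name check and the sample target names are assumptions of this example.

```powershell
# Added example, not part of the MBSA documentation: a wrapper around
# mbsacli.exe for a security-update scan of remote computers that neither
# pushes Windows Update Agent files to the targets (/nai, /nm) nor downloads
# anything from Microsoft while scanning (/nd), so there is no installer
# traffic on the LAN for a hostile user to intercept or substitute.
# Assumes MBSA 2.0 at its default install path and that the script runs
# under an account that already has local administrative rights on every
# target, rather than passing /u and /p on the command line.
function Invoke-MbsaOfflineUpdateScan {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $Targets,                                  # names or IPs, one per listfile line
        [string] $MbsaDir = (Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2'),
        # Cache folder documented for /nd; Wsusscan.cab must be staged here out of band.
        [string] $Catalog = (Join-Path $env:LOCALAPPDATA 'Microsoft\MBSA\2.0\Cache\Wsusscan.cab'),
        [string] $OutputTemplate = '%d% - %c% (%t%)'          # MBSA's default file-name template
    )

    $mbsacli = Join-Path $MbsaDir 'mbsacli.exe'
    if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at '$mbsacli'." }

    # With /nd MBSA falls back to whatever is cached, so fail early and
    # loudly if the catalog is missing instead of scanning against nothing.
    if (-not (Test-Path $Catalog)) {
        throw "Offline catalog '$Catalog' is missing; stage a current Wsusscan.cab there before scanning with /nd."
    }

    # The docs require a Microsoft-signed .cab. Verify the Authenticode
    # signature before handing the file to /catalog. The subject-name match
    # is a heuristic assumed by this example, not something MBSA documents.
    $sig = Get-AuthenticodeSignature -FilePath $Catalog
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft Corporation*') {
        throw "Refusing to use '$Catalog': signature status $($sig.Status), signer '$($sig.SignerCertificate.Subject)'."
    }

    # /listfile accepts an ASCII or Unicode text file with one name or IP per line.
    $listFile = Join-Path $env:TEMP 'mbsa-targets.txt'
    $Targets | Set-Content -Path $listFile -Encoding Unicode

    $cliArgs = @(
        '/listfile', $listFile,
        '/n', 'OS+IIS+SQL+Password',   # exclude everything except the security update checks
        '/catalog', $Catalog,          # pin the vetted catalog (this also blocks a newer download)
        '/nd',                         # no downloads from the Microsoft Web site during the scan
        '/nm',                         # scan from the offline catalog, not the Windows Update site
        '/nai',                        # never install or update WUA on the targets
        '/nvc',                        # skip the check for a newer MBSA version
        '/o', $OutputTemplate,
        '/qp'                          # suppress progress output; keep the report and error lists
    )

    & $mbsacli @cliArgs
    if ($LASTEXITCODE -ne 0) {
        # Under /nai, targets lacking the required WUA version show up here as errors.
        Write-Warning "mbsacli.exe exited with code $LASTEXITCODE; review the error list above."
    }

    # Reports are written to %userprofile%\SecurityScans as .mbsa files;
    # list the ones produced by the most recent scan.
    & $mbsacli /ls
}

# Constructed sample targets (192.0.2.0/24 is a documentation-only address range).
Invoke-MbsaOfflineUpdateScan -Targets 'fileserver01', '192.0.2.10'
```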

If you prevent MBSA from installing or updating WUA on target computers, you can use one of several methods to ensure that the current version of WUA is installed on each target computer:

The following sections describe each of these methods in greater detail. In addition to these methods, you can deploy WUA using a software distribution product, such as SMS or a third-party solution.

Using Windows Server Update Services

Windows Server Update Services (Update Services) enables network administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows Server 2003, and Windows XP operating systems. By using Update Services, you can fully manage the distribution of updates that are released through Microsoft Update to computers in your network. Computers that are assigned to an Update Services server automatically receive the current version of WUA, enabling them to be scanned by MBSA. To learn more about Update Services, see the Microsoft Web site.

Using the Microsoft Update Web Site

You can configure target computers to obtain the current version of WUA directly from Microsoft Update and to use Microsoft Update when being scanned. To do so, log on to each target computer as an administrator, connect to the Microsoft Update Web site, and follow the instructions provided there.

Manually Installing WUA

If you want to maintain maximum control over how WUA is installed or updated on target computers, you can manually install WUA on each target computer. Doing so requires that you execute the appropriate WUA installation program on each target computer, either by logging on interactively and then running the installation program, or using a software distribution system such as Microsoft Systems Management Server.

You can obtain the necessary WUA installation programs from the Microsoft Web site:

Deploying WUA Within a System Image

If you are configuring new computers that are being built from a disk image, you can install WUA on the master computer, register the master computer with Microsoft Update, or both, before creating the master image. Be sure you are familiar with how to prepare a Windows system image. For more information, see the Microsoft Web site.

MBSA and Administrator Accounts

Scanning with MBSA requires you to run MBSA with an account that is an administrator on all scanned computers. Depending on how your network has been secured, this can introduce significant risk should the user account be compromised, but it is necessary in order to scan for certain vulnerabilities. Even if you judge this risk acceptable, you should take steps to mitigate it. For example, making this account a member of the Domain Admins group requires less administrative overhead because the account automatically has the required rights on all potential clients, but if the account is compromised, the risk to the enterprise is severe. You should consider creating a special account for this purpose and enabling the account only when it is needed to scan domain computers. Making the account a local administrator on each target computer but not a member of the Domain Admins group requires you to manage this account on every target computer, but the risk of compromise is limited to the target computers themselves, not to the domain as a whole. You can further mitigate the threat by using only Kerberos authentication, which is less vulnerable to attacks than LanMan authentication, but doing so might require an upgrade to Active Directory.


How to Correct Common Errors

For up-to-date information about troubleshooting MBSA setup and operations, see the Frequently Asked Questions at the Microsoft Web site.


Reporting Bugs or Requesting Support

An MBSA newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:

    News server:  Msnews.microsoft.com
    Newsgroup:  Microsoft.public.security.baseline_analyzer

To contact Microsoft Product Support Services, see the Microsoft Web site.

When reporting bugs, include the following information:
