Scanning Options

Before performing a scan, you can disable the following scan items in the Microsoft Baseline Security Analyzer (MBSA) user interface:

Windows administrative vulnerability checks

This group of checks scans for security issues in the Windows operating system, such as Guest account status, file-system type, available file shares, and members of the Administrators group. Descriptions of each Windows check are shown in the security report, with instructions on how to fix any issues that are found.

Weak passwords check

MBSA checks computers for blank and weak passwords during a scan. This check can take a long time, depending on the number of user accounts on the computer, so you may want to disable it before scanning domain controllers, where the account count is largest. Because the check tests credentials against each account, it may produce entries in the Security event log if auditing of logon/logoff events is enabled on the target computer. If this option is cleared, neither the Windows nor the SQL Server account password checks are performed.

IIS administrative vulnerability checks

This group of checks scans for security issues in IIS 5.0 and IIS 6.0, such as sample applications and certain virtual directories present on the computer. MBSA also checks if the IIS Lockdown tool has been run on the computer, which can help an administrator configure and secure servers running IIS. Descriptions of each IIS check are shown in the security reports, with instructions on how to fix any issues that are found.

SQL Server administrative vulnerability checks

This group of checks scans for administrative vulnerabilities on each instance of SQL Server and Microsoft Data Engine (MSDE) found on the computer, such as the type of authentication mode, sa account password status, and service account memberships. All individual checks are performed on each instance of SQL Server and MSDE. Descriptions of each check are shown in the security reports, with instructions on how to fix any issues that are found.

MSDE is a data engine built and based on core SQL Server technology. It is a redistributable database engine that supports single- and dual-processor desktop computers. MSDE is packaged in a self-extracting archive for ease of distribution and embedding. Since it is fully compatible with other editions of SQL Server, users can upgrade from MSDE to SQL Server if an application grows beyond the storage and scalability limits of MSDE.
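To make the Windows and SQL Server administrative checks above concrete, here is a local PowerShell approximation of a few of them (Guest account status, file-system type, file shares, Administrators group membership, SQL Server authentication mode and service account). This is an added example, not MBSA's own code or its exact logic; it assumes an elevated PowerShell 5.1+ session on the scanned host, the documented LoginMode registry value (1 = Windows Authentication only) under the SQL Server 2000/MSDE default-instance key and the 2005+ per-instance keys, and an assumed threshold of two Administrators group members.

```powershell
# Added example, not part of MBSA: local approximations of several administrative
# checks described above. Run elevated. Assumptions are marked in comments.

function Test-GuestAccount {
    # Guest account status: the built-in Guest keeps RID 501 even if it was renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $enabled = [bool]$guest.Enabled
    $finding = if ($enabled) { "Enabled ($($guest.Name))" } else { 'Disabled' }
    [pscustomobject]@{ Check = 'Guest account'; Finding = $finding; Pass = -not $enabled }
}

function Test-FileSystemType {
    # File-system type: fixed disks (DriveType 3) that are not NTFS/ReFS cannot carry ACLs.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        $ok = $disk.FileSystem -in @('NTFS', 'ReFS')
        [pscustomobject]@{ Check = "File system $($disk.DeviceID)"; Finding = $disk.FileSystem; Pass = $ok }
    }
}

function Get-NonAdminShares {
    # Available file shares: anything beyond the hidden administrative shares (ADMIN$, C$, IPC$)
    # is reported for a permissions review rather than graded pass/fail.
    foreach ($share in Get-CimInstance Win32_Share | Where-Object { $_.Name -notmatch '\$$' }) {
        [pscustomobject]@{ Check = "Share $($share.Name)"; Finding = $share.Path; Pass = $null }
    }
}

function Test-AdministratorsGroup {
    param([int]$MaxMembers = 2)   # assumed threshold, not a value documented on this page
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    [pscustomobject]@{
        Check   = 'Administrators group'
        Finding = ($members.Name -join ', ')
        Pass    = $members.Count -le $MaxMembers
    }
}

function Test-SqlAuthenticationMode {
    # Authentication mode: LoginMode under each instance's MSSQLServer key.
    # 1 = Windows Authentication only; anything else = mixed mode (SQL logins such as sa usable).
    # Assumption: instances use the default registry layout for SQL 2000/MSDE and 2005+.
    $keys = @('HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer')
    $keys += Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server' -ErrorAction SilentlyContinue |
             ForEach-Object { "$($_.PSPath)\MSSQLServer" }
    foreach ($key in ($keys | Where-Object { Test-Path $_ })) {
        $mode = (Get-ItemProperty $key -Name LoginMode -ErrorAction SilentlyContinue).LoginMode
        if ($null -eq $mode) { continue }
        $finding = if ($mode -eq 1) { 'Windows only' } else { "Mixed (LoginMode=$mode)" }
        [pscustomobject]@{ Check = "SQL auth mode ($key)"; Finding = $finding; Pass = ($mode -eq 1) }
    }
}

function Test-SqlServiceAccount {
    # Service account membership: an engine running as LocalSystem or as a local
    # Administrator hands full control of the host to anyone who can run code inside it.
    $admins = @(Get-LocalGroupMember -Group 'Administrators').Name
    foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%'") {
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"   # normalise ".\user"
        $privileged = ($acct -eq 'LocalSystem') -or ($admins -contains $acct)
        [pscustomobject]@{ Check = "Service $($svc.Name) account"; Finding = $acct; Pass = -not $privileged }
    }
}

# Usage: run every check and list failures first, the way the report lists failed items.
$results = @(Test-GuestAccount) + @(Test-FileSystemType) + @(Get-NonAdminShares) +
           @(Test-AdministratorsGroup) + @(Test-SqlAuthenticationMode) + @(Test-SqlServiceAccount)
$results | Sort-Object Pass | Format-Table Check, Finding, Pass -AutoSize
```

Shares are deliberately reported with `Pass = $null`: the presence of a share is not a defect by itself, and the useful follow-up is to inspect its ACL, which is what the MBSA report asks you to do.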

Security updates check

The security updates check is built on the Windows Update Agent and integrates with Windows Server Update Services, so MBSA works both as a standalone tool for the IT professional and inside an Update Services managed environment. MBSA uses a catalog that Microsoft updates every time new security updates are released; the catalog is compared against the updates installed on each scanned computer, and any catalog update that is missing is flagged in the security report. MBSA scans only for missing security updates for products published to the Microsoft Update site.

Note: Products that are not installed on a scanned computer are not checked for security updates and are not listed in the Security Update Scan Results table of the report.

Configure computers for Microsoft Update and scanning prerequisites
This option causes MBSA to install or update the Windows Update Agent on the target computer to the version a scan requires. Windows Installer is also required for scanning certain products, and the scan report indicates whether it needs to be updated. Computers that have an Internet connection and Automatic Updates enabled receive these components automatically; computers that do not meet both conditions cannot be scanned for updates until the correct versions are present. Clearing this option guarantees that the scan does not alter the target computer's configuration, at the cost of some computers or products possibly not being scanned.

If the computer is managed by an Update Services server, this option does not interfere with managed updates or settings. Computers that have Automatic Updates turned off stay turned off. Computers that have Automatic Updates turned on, but no Update Services server assigned, may begin to receive Automatic Updates reminders after this option is used. Administrators who rely on another update management solution and have deliberately disabled the Automatic Updates service should confirm that the Automatic Updates setting is still off before using this option.

Computers that are not managed by Update Services may also receive Automatic Updates reminders for the additional content published to Microsoft Update, for example updates for Microsoft Office or SQL Server, depending on how Automatic Updates has been configured.

These features can be controlled separately when scanning from the command line.

By default, scanning uses Microsoft Update and the client's assigned Update Services server. With the advanced Update Services options you can restrict the security update check to the list of approved updates on your local Update Services server, or ignore that list and scan using only Microsoft Update. By default, items not in the approved list on the assigned Update Services server receive only an informational score.

Advanced Update Services options:
Scan using assigned Update Services servers only
Use this option in managed Update Services environments. Computers that do not have an Update Services server assigned receive an error in the report stating that they could not be scanned. This gives an Update Services administrator a way to ensure that only managed computers are included and, as a result, that only approved updates are included and graded in the reports.
Scan using Microsoft Update only
Use this option to ignore the list of approved updates on computers that are assigned an Update Services server. All updates are then graded with critical or noncritical warnings instead of the informational score used for unapproved updates. For performance reasons MBSA first tries the Microsoft Update site; if it cannot be reached, scanning falls back to an offline catalog, which may consume additional network bandwidth. If the computer is already configured to use the Microsoft Update site, no further changes are made during a scan. If the computer is managed by an Update Services administrator, this option does not change or interfere with Update Services managed updates or Automatic Updates client settings.
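The options above (the scan items, the prerequisite changes, and the two advanced Update Services modes) map onto mbsacli.exe switches when scanning from the command line. The following PowerShell wrapper is an added example, not a script shipped with MBSA: it builds the mbsacli command line from those choices, runs it, and summarises the resulting report. The switch names (/target, /r, /n, /wa, /wi, /nai, /nm, /catalog, /nd, /nvc, /qp) are those of MBSA 2.x; confirm them against `mbsacli /?` for your version. The report location (%USERPROFILE%\SecurityScans) and the XML attribute names read by Get-MbsaSummary are assumptions drawn from MBSA 2.x .mbsa files, and the target names in the usage line are hypothetical.

```powershell
# Added example, not part of MBSA: drive mbsacli.exe with the same choices the UI exposes.
# Switch names are MBSA 2.x; verify with "mbsacli /?". Report schema is an assumption.

function Invoke-MbsaScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Target,                 # domain\computer, IP, or ip1-ip2 range
        [ValidateSet('OS', 'IIS', 'SQL', 'Password', 'Updates')]
        [string[]]$Skip = @(),                                   # scan items to clear, as in the UI
        [ValidateSet('Default', 'WsusOnly', 'MicrosoftUpdateOnly')]
        [string]$UpdateSource = 'Default',                       # the two advanced Update Services options
        [switch]$NoPrerequisiteChanges,                          # clear "Configure computers for Microsoft Update and scanning prerequisites"
        [string]$OfflineCatalog,                                 # path to wsusscn2.cab for hosts without Internet access
        [string]$MbsaCli = "$env:ProgramFiles\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
    )
    $cliArgs = @()
    if ($Target -match '^\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$') { $cliArgs += '/r', $Target }
    else                                                         { $cliArgs += '/target', $Target }
    if ($Skip) { $cliArgs += '/n', ($Skip -join '+') }           # e.g. /n Password+IIS
    switch ($UpdateSource) {
        'WsusOnly'            { $cliArgs += '/wa' }              # approved updates on the assigned server only
        'MicrosoftUpdateOnly' { $cliArgs += '/wi' }              # ignore the approved list, grade everything
    }
    if ($NoPrerequisiteChanges) { $cliArgs += '/nai', '/nm' }    # leave the Windows Update Agent and MU opt-in alone
    if ($OfflineCatalog)        { $cliArgs += '/catalog', $OfflineCatalog, '/nd' }   # offline catalog, no downloads
    $cliArgs += '/nvc', '/qp'                                    # no MBSA version check, no progress output
    Write-Verbose "mbsacli $($cliArgs -join ' ')"

    $start = Get-Date
    & $MbsaCli @cliArgs | Out-Null
    # MBSA writes one .mbsa (XML) report per computer; pick up everything produced by this run.
    $reports = Get-ChildItem (Join-Path $env:USERPROFILE 'SecurityScans') -Filter '*.mbsa' |
               Where-Object { $_.LastWriteTime -ge $start }
    if (-not $reports) { throw "mbsacli produced no report (exit code $LASTEXITCODE); rerun without /qp to see errors" }
    foreach ($r in $reports) { [xml](Get-Content $r.FullName -Raw) }
}

function Get-MbsaSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] [xml]$Report)
    process {
        # Assumed layout: <SecScan Machine=...><Check Name=...><Detail><UpdateData KBID BulletinID Severity IsInstalled/>
        $scan    = $Report.SecScan
        $missing = @($scan.Check.Detail.UpdateData | Where-Object { $_.IsInstalled -eq 'false' })
        [pscustomobject]@{
            Machine        = $scan.Machine
            ChecksRun      = @($scan.Check).Count
            MissingUpdates = @($missing | ForEach-Object { "$($_.BulletinID)/KB$($_.KBID) [$($_.Severity)]" })
        }
    }
}

# Usage (hypothetical target): skip the slow password check on a domain controller, grade only
# WSUS-approved updates, and leave the client's update configuration untouched.
Invoke-MbsaScan -Target 'CORP\DC01' -Skip Password -UpdateSource WsusOnly -NoPrerequisiteChanges -Verbose |
    Get-MbsaSummary
```

Passing `-OfflineCatalog` together with `-NoPrerequisiteChanges` is the combination to use on isolated networks: the scan then neither downloads from Microsoft Update nor modifies the target, which is the same trade-off the UI describes for clearing the prerequisites option.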