How To: Use the Microsoft Baseline Security Analyzer

J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

Microsoft Corporation

Published: June 2007

This information applies to computers that run the following:

• Servers running Windows 2000 Server, Windows Server 2003, or Windows Server 2008
• Developer workstations running Windows 2000 (all versions), Windows XP Professional, Windows Server 2003, Windows Vista, or Windows Server 2008
• SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE)

Note   MSDE is not supported on Windows Vista.

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.

Summary: Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. MBSA also scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+. MBSA uses Microsoft Update and Windows Server Update Services (WSUS) technologies to determine needed updates. This Microsoft Update data source is obtained either directly from the Microsoft Update Web site or, if offline or in a secure environment, from an offline catalog file named Wsusscn2.cab.

This How To includes the following information:

• It describes how to use MBSA to perform a security updates scan.
• It describes how to use MBSA to check for current settings that are not secure.

This How To reviews each mode separately, although both modes can be performed in the same pass.

Before You Begin What You Must Know Scanning for Security Updates and Patches Scanning Multiple Systems for Updates and Patches SQL Server and MSDE Specifics Scanning for Secure Configuration Additional Information Additional Resources

Install MBSA, using Mbsasetup-x86-EN.msi (or the appropriate x64 or localized version), to either the default MBSA installation directory or to a tools directory you specify. If both the target computer and scanning computer have direct access to the Internet, skip to the What You Must Know section to enable MBSA access through the Windows Firewall. Otherwise, perform the following steps to enable offline scanning by copying the necessary files to a local, user-based cache directory:

• Download MBSA. Download MBSA from the MBSA home page, and then install it to the default directory.

• Updates for MBSA. If both the computer you will be scanning and the computer with MBSA installed have Internet access, the latest security catalog (.cab file), authentication files, and WUA installer files will be automatically downloaded, if needed. If either the target computer or the computer with MBSA installed does not have Internet access, download the following files and place them in the C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\MBSA\2.0\Cache\ directory on the computer that is performing the scan:

  • Offline catalog (Wsusscn2.cab). This is the offline catalog file. Download it from https://go.microsoft.com/fwlink/?LinkId=76054.

  • Authentication file (Muauth.cab). This authentication file allows the remote WUA client to respond to MBSA. Download it from https://go.microsoft.com/fwlink/?LinkId=90994.

  • WUA standalone installer. If needed, the WUA client on the target computer will be updated to the latest version. To make these files available for offline use, download the appropriate (or both) standalone installers from the following locations:

    https://go.microsoft.com/fwlink/?LinkId=90992 (for x86 installer)

    https://go.microsoft.com/fwlink/?LinkId=90993 (for x64 installer)

• Default installation directory. The default installation directory for MBSA is
  \Program Files\Microsoft Baseline Security Analyzer 2\.

  Note   You need to run commands from this directory. MBSA does not create an environment variable for you.

Before using this How To, you should be aware of the following:

• You can use MBSA from the graphical user interface (GUI) executable file, Mbsa.exe, or from the command line executable file, Mbsacli.exe.
• MBSA uses ports 138 and 139 to perform its vulnerability assessment scans; it requires a secure connection using DCOM through the Windows Firewall to perform security update scans. For information about three methods to enable DCOM exceptions to perform remote MBSA scans, see "How can I scan a computer that is protected by a firewall?" in MBSA 2.0 Frequently Asked Questions on Microsoft TechNet.
• MBSA requires administrator privileges on both the computer with MSBA installed and the target computers that you scan. If you are using the command-line interface, you can use the options /u (user name) and /p (password) to specify the user name to run the scan. Do not store user names and passwords in text files such as command files or scripts. If you are using the GUI, you can right-click MBSA and then click Run As to specify the appropriate credentials for perform a remote scan.
• MBSA requires the following software to be installed:
  • Windows 2000 SP3 or later, Windows XP (local scans only on computers running Windows XP that use simple file sharing), Windows Server 2003, Windows Vista, or Windows Server 2008
  • The latest Windows Update Agent (WUA) client; MBSA automatically updates computers that need an updated WUA client if the option Configure computers for Microsoft Update and scanning prerequisites is selected.
  • IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks)
  • SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks)
  • Microsoft Office 2000, Office XP, or Office 2003 (required for Office vulnerability checks)
  • The following services must be installed or enabled: Server service, Workstation service, Remote Registry service, File & Print Sharing, and the DCOM updates and firewall exceptions (required for security update checks)

For tips about working with MSBA, see Additional Information later in this How To.

Note    MBSA will automatically assess missing security updates on target computers based on their access to the live Microsoft Update) Web site. If the target computer is also assigned to a WSUS server, the Microsoft Update results are limited to the updates approved by the WSUS server administrator. If the target computer cannot determine its security state based on Microsoft Update and an assigned WSUS server, the offline catalog (Wsusscn2.cab) on the scanning computer is pushed to the target computer to make the security assessment.

You can run Mbsa.exe and Mbsacli.exe with options to verify the presence of security patches.

The following procedure describes how to use the MBSA GUI tool.

To use the MBSA GUI tool to scan for updates and patches

1. On the Programs menu, click Microsoft Baseline Security Analyzer.
2. Click Scan a computer.
3. Make sure that the following options are not selected, and then click Start scan.
   • Check for Windows administrative vulnerabilities
   • Check for weak passwords
   • Check for IIS administrative vulnerabilities
   • Check for SQL administrative vulnerabilities

The advantage of using the MBSA GUI tool is that the report is opened immediately after the local computer is scanned. For more information about interpreting the report, see Analyzing the Output later in this section.

To use the command line tool (Mbsacli.exe) to check for security updates and patches, run the following command from a command-line prompt.

mbsacli /target 192.168.195.137 /n os+iis+sql+password

The preceding command scans the specified computer with the supplied IP address and checks for missing updates.

A successful scan produces results similar to the following.

Scanning...
1 of 1 computer scans complete.

Scan Complete.

Security assessment: Strong Security
Computer name: DOM\CONTOSO
IP address: 172.30.163.56
Security report name: DOM - CONTOSO (5-15-2007 8-54 AM)
Scan date: 5/15/2007 8:54 AM
Scanned with MBSA version: 2.1.2030.0
Catalog synchronization date:
Security update catalog: Microsoft Update

The header information will be followed by a completed, text-based scan report. If you prefer, you can redirect the output to a text file for later review by adding the following to the end of the mbsacli command-line command:

> output.txt

A report file is generated in the profile directory of the logged in user (%userprofile%), on the computer from where you ran the MBSA tool. The easiest way to view the results of those reports is by using the GUI mode of MBSA.

You can also use MBSA to scan a group of computers based on domain membership, an IP address range, or an explicit list of computers by NetBIOS name. To scan a range of computers, specify /d (for domain), /r (for IP address range), or /listfile <textfile> (for a list of computer names separated by newline characters) as the command-line switch.

The following command scans all computers in the CONTOSO domain for security updates, but it does not scan for administrative vulnerabilities:

mbsacli /d contoso /n os+iis+sql+password

The following command scans all computers in the IP address range 192.168.195.130 to 192.168.195.254 for security updates, but it does not scan for administrative vulnerabilities:

mbsacli /r 192.168.195.130-192.168.195.254 /n os+iis+sql+password

The following command scans all computers listed in the ComputerNames.txt file for security updates, but it does not scan for administrative vulnerabilities:

mbsacli /listfile computernames.txt /n os+iis+sql+password

SQL Server and MSDE instances are scanned and reported as separate instances. Each instance is noted with Instance Name as shown in Figure 1.

Figure 1

SQL Server and MSDE specifics

In addition to scanning for missing security updates, MBSA scans for system configurations—also referred to as vulnerability assessment (VA) checks—that are not secure. For a detailed list of what is checked by this scan, see the MBSA documentation included in the MBSA Help file.

The secure configuration scan can be done in the following phases:

• Perform the scan.
• Analyze the scan.
• Correct any issues that you find.

The next sections describe each of these phases.

Run MBSA and clear the Check for security updates check box when performing the scan.

The resulting report appears similar to the patch scan described earlier. When you click the link, a page appears with the details of the issue found, the solution to the issue, and instructions to correct the issue.

Compare the issue details against your security policy and if the issue is not addressed by your policy, follow the provided instructions.

For each issue listed in the scan report, click the How to correct this link. The page that appears provides the solution and instructions to correct the issue.

The following information helps troubleshoot scanning errors and explain inconsistencies between scans.

MBSA uses the following network services to scan a computer:

• Windows NT 4.0 SP6 and later, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), Windows Server 2003, Windows Vista, or Windows Server 2008.
• IIS 4.0, 5.0, 5.1, or 6.0 (required for IIS vulnerability checks)
• SQL Server 7.0, 2000 (required for SQL vulnerability checks)
• The following services must be installed or enabled: Server service, Workstation service, Remote Registry service, File & Print Sharing, and exceptions for each of these services if the Windows Firewall is enabled.

If any of the services are unavailable or disabled, administrative shares (C$) are not accessible, or if these services do not have an exception configured in the Windows Firewall, the scan will result in errors.

Password check performed by MBSA may take a long time, depending on the number of user accounts on the computer. The password check enumerates all user accounts on the target computer and performs limited password change attempts using common password pitfalls, such as a password that is the same as the user name. To limit the impact of weak password checks of domain controllers, MBSA does not perform a full set of weak password checks against domain controllers. For information about the MBSA password check, see "Security update checks" in the MBSA Help file.

For most functions of MBSA, the GUI tool, Mbsa.exe, and the command-line tool, Mbsacli.exe, perform the same functions. In some cases, the command-line interface provides more technical options for advanced administrators. The following command-line switches are examples of command-line interface–based features that are not available in the MBSA GUI tool:

• /nvc. This switch instructs MBSA to not attempt to connect to the Internet to check for an updated version of the MBSA scan tool.
• /qp. This switch instructs MBSA to not show scan progress.
• /qt. This switch instructs MBSA to not display the completed scan report immediately after a scan completes.
• /Unicode. This switch instructs MBSA to provide the completed scan report in Unicode format.
• /u. This switch lets you specify the user name of an administrator-level user on the target computer(s).
• /p. This switch lets you specify the password of an administrator-level user on the target computer(s).
• /catalog. This switch lets you specify an alternate location for the offline catalog (Wsusscn2.cab) file.
• /rd. This switch lets you specify an alternate location for the completed scan report. (This is useful when running MBSA in a non-user context or as a domain administrator.) You can use this switch to place completed scan reports on a network share or in a local directory.
• /nd. This switch instructs MBSA to not download any files from the Microsoft Web site when performing a scan. In other words, it instructs MBSA to perform the scan like it would in offline mode.
• /xmlout. This switch instructs MBSA to perform a security scan (no vulnerability assessment checks) using the most basic files necessary to perform an MBSA scan (Mbsacli.exe and Wusscan.dll) without performing a full MBSA installation. This is useful for performing a basic security scan without having to install all MBSA features. This mode allows a limited set of command-line switches, including only /catalog, /wa, /wi, /nvc, and /Unicode.

When the mbsacli command runs without any command-line switches, it runs a default scan against the local computer.

For more information about MBSA, see Microsoft Baseline Security Analyzer on Microsoft TechNet.

© Microsoft Corporation. All rights reserved.