Committed to its new Strategic Technology Protection Program (STPP), Microsoft has increased the development and support of products surrounding its software update and security process program. Recently released update-focused products include Microsoft Software Update Services (SUS), Windows Update, and an update handler for Microsoft Systems Management Server (SMS) 2.0. Microsoft has targeted these products, which scan and automatically deploy updates to your systems, to large, comprehensive deployments. To complement these patch-deployment systems, or to implement a simple update-detection system, you can use the small yet agile and feature-packed Microsoft Baseline Security Analyzer (MBSA) to regularly scan your network. MBSA not only scans local and remote systems for patch-update status but also performs more than 65 vulnerability-scanning tests specific to Microsoft products. And although MBSA doesn't patch your systems or plug your holes, the product's fast and lightweight approach provides a quick and efficient method for canvassing your systems for common vulnerabilities.
No stranger to update scanning, MBSA provides the scanning engine that the enterprise-focused SMS SUS Feature Pack uses. MBSA also supports vintage HFNetChk functionality. HFNetChk, MBSA's predecessor, enables local and remote scanning of Microsoft OS security updates, as well as updates for Microsoft's enterprise applications such as Microsoft Exchange Server and Microsoft SQL Server. To extend HFNetChk's functionality, MBSA features product security scans that search for known OS misconfigurations that can result in system vulnerabilities.
MBSA includes both a graphical front-end version for ad hoc scanning and a script-friendly command-line interface version. MBSA saves its scan results in an easy-to-read XML format, further increasing the product's usefulness by letting you write custom reports that fit your needs.
MBSA Compatibility
Microsoft released MBSA 1.1.1 in June 2003. Although you must run this version of MBSA from a Windows XP or Windows 2000 computer, you can remotely scan XP, Win2K, and Windows NT 4.0 systems. (MBSA doesn't support the scanning of Windows Me or Windows 9x systems.) Using one scanner to scan multiple Microsoft products presents a challenge because of update-format compatibility problems. Microsoft uses multiple update engines and processes for many of its products, and until the company concentrates on one method, many of its update tools will work with only specific products. (For example, the Microsoft Office update tools work differently from the Windows Update tools, resulting in incompatible update-distribution methods.) Despite these challenges, MBSA supports security and update scanning for the Microsoft products that Table 1 lists.
MBSA Installation and Configuration
MBSA installation is a snap. Download the mbsasetup.msi Windows Installer (.msi) file from the MBSA Web site (http://www.microsoft.com/technet/security/tools/tools/mbsahome.asp). This site contains detailed information about MBSA, including descriptions of the MBSA scans and an FAQ that addresses how MBSA interoperates with other patch-deployment systems (e.g., SUS).
By default, the setup program installs MBSA in the C:\program files\microsoft baseline security analyzer directory. This folder contains the MBSA executables mbsa.exe and mbsacli.exe, which provide the GUI and Command Line Interface (CLI) to the scanning application. The installation directory also contains the HTTP and Extensible Stylesheet Language Transformations (XSLT) templates that MBSA uses to format and display the built-in reports. A Help directory provides comprehensive descriptions of each test that MBSA performs.
The MBSA folder contains several configurable text files, with which you can instruct MBSA to perform a more customized audit of your environment. The services.txt file includes a list of services that MBSA monitors and reports on. By default, MBSA reports on the MSFTPSVC, TlntSvr, W3SVC, and SMTPSVC services. To have MBSA report on additional services, add the appropriate short service names to this file. A second text file, noexpireok.txt, lists the account names that MBSA won't report as potential security problems (e.g., accounts that have passwords set to never expire). For example, by default, MBSA doesn't report on the IUSR_* or IWAM_* accounts. You can configure MBSA to skip specified accounts.
Every time you run MBSA, the program attempts to download a file called mssecure.cab from Microsoft. This compressed .xml file contains all the most recent software updates. Optionally, if you host an SUS server, you can direct MBSA to obtain its list of approved updates from that server instead of directly from Microsoft. Consequently, your reports will reflect only missing updates that you approved with your SUS server. MBSA's ability to reference and use your list of previously approved SUS updates helps you enforce your corporate update policy without the distractions of false positives from unapproved updates. For example, you might use SUS as the gatekeeper to manage the rollout of new updates to your end users. After you've assessed the applicability and tested the compatibility of a particular update, you approve its deployment through SUS. Then, depending on your environment's SUS configuration, end users' computers will either automatically download and install the patch or download and prompt users for manual installation. To enforce your update policy, use the graphical MBSA or the command-line Mbsacli utility to scan your end users' computers for missing updates. Schedule MBSA to run weekly and pull its list of updates to check from your SUS server's list of approved updates. The resulting XML reports will show you which systems haven't been successfully updated with your specifically approved updates.
To perform all the MBSA-supported scans, you need Local Administrator privileges on the target systems. Run mbsa.exe to launch the scanner's graphical version. This version gives you a simple-to-use interface with which you can quickly specify which scans you want to run and which computers you want to run them on, as Figure 1 shows. First, to specify the targets of your scan, click Pick a computer to scan or Pick multiple computers to scan, then enter an IP address, a range of IP addresses, or a domain name. (If you select targets by domain, MBSA might miss some computers, so you might try the seemingly more reliable method of entering a subnet range.) Next, select the scan options, such as checking for Windows vulnerabilities, weak passwords, Microsoft IIS vulnerabilities, SQL Server vulnerabilities, or security updates. Optionally, you can specify an SUS server to which MBSA will look for its list of software updates to compare with each client. Otherwise, MBSA will use the list of all updates that Microsoft provides. By default, the graphical MBSA client performs what Microsoft calls a baseline scan, which scans for and reports on only critical updates (as Windows Update defines them), as opposed to all security updates.
Start Scanning
To begin a scan, click Start scan. The length of time a scan takes depends on which options you've chosen. For example, in my environment, scanning a variety of services on a 16-computer network, including IIS, SQL Server, and Exchange, took about 5 minutes. By default, MBSA writes the security reports to the \%userprofile%\securityscans folder as .xml files. MBSA creates a separate XML report for every computer it scans, every time it scans the computer. These reports are generally about 20KB in size. I explain a little later how you can write a routine to import and aggregate the data to create a cross-computer report.
After you run the scan, click Pick a security report to view and select the name of the report you want to view. Although MBSA lets you sort by computer name, IP address, and scan date, you might find yourself deleting old reports to keep them from cluttering your folder after you've run multiple scans.
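The cross-computer aggregation the text promises, and the "which systems are still missing an approved update" view from the SUS-policy discussion above, as an added example that is not from the article: a Python routine that reads the per-computer XML reports, keeps only the newest report for each machine (MBSA writes a fresh file on every scan, so stale reports would otherwise mask current state), and lists which bulletins are missing on which systems. The element and attribute names (SecScan, Check, UpdateData, Grade, BulletinID, Date), the Grade values treated as failures, and the bulletin IDs are assumptions or constructed sample values, not copied from real MBSA output; confirm them against a real report before relying on the result.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: these Grade values mark a failed check; adjust to your MBSA version.
FAILED_GRADES = {"3", "4"}

# Constructed sample reports standing in for the .xml files MBSA writes to
# %userprofile%\securityscans; element names are assumed, bulletin IDs made up.
SAMPLE_REPORTS = {
    "WS01-a.xml": """<SecScan Machine="WS01" IP="192.0.2.11" Date="2003-07-01">
  <Check ID="100" Grade="4" Name="Windows Security Updates">
    <Detail><UpdateData BulletinID="MS03-123"/><UpdateData BulletinID="MS03-456"/></Detail>
  </Check>
  <Check ID="200" Grade="1" Name="Local Account Password Test"/>
</SecScan>""",
    "WS01-b.xml": """<SecScan Machine="WS01" IP="192.0.2.11" Date="2003-07-08">
  <Check ID="100" Grade="4" Name="Windows Security Updates">
    <Detail><UpdateData BulletinID="MS03-123"/></Detail>
  </Check>
  <Check ID="200" Grade="1" Name="Local Account Password Test"/>
</SecScan>""",
    "SQL01-b.xml": """<SecScan Machine="SQL01" IP="192.0.2.20" Date="2003-07-08">
  <Check ID="100" Grade="1" Name="Windows Security Updates"/>
  <Check ID="300" Grade="3" Name="SQL Server Logins"/>
</SecScan>""",
}

def parse_report(xml_text):
    """Return machine, IP, scan date, missing bulletin IDs and failed check names."""
    root = ET.fromstring(xml_text)
    missing = sorted({u.get("BulletinID") for u in root.iter("UpdateData") if u.get("BulletinID")})
    failed = [c.get("Name") for c in root.iter("Check") if c.get("Grade") in FAILED_GRADES]
    return {"machine": root.get("Machine"), "ip": root.get("IP"),
            "date": root.get("Date"), "missing": missing, "failed": failed}

def aggregate(reports):
    """Cross-computer view keyed by machine and by bulletin, newest report only."""
    latest = {}
    for text in reports.values():
        r = parse_report(text)
        # MBSA writes a new file on every scan; an older report must not mask
        # a newer one (ISO-style dates compare correctly as strings).
        if r["machine"] not in latest or r["date"] > latest[r["machine"]]["date"]:
            latest[r["machine"]] = r
    by_bulletin = defaultdict(list)
    for r in latest.values():
        for b in r["missing"]:
            by_bulletin[b].append(r["machine"])
    return {"machines": latest, "by_bulletin": dict(by_bulletin)}
```

For real scans, replace SAMPLE_REPORTS with a dict built by reading the .xml files in the securityscans folder and pass it to aggregate; the by_bulletin map is the list of systems that still lack each approved update.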
Be forewarned that when you first run MBSA on your network, you might find the vulnerability scan reports disconcerting. Out of the box, XP, Win2K, and NT computers all fail the MBSA scan with a Severe Risk security rating.