Parsing the XML Reports
In its current version, MBSA provides one XML report for every scanned computer. Manually wading through these files can be burdensome. Fortunately, because MBSA saves these reports in XML, you can open them in an XML-aware application or create a script to parse through the files and extract specific data. For example, you can use Windows Script Host's (WSH's) FileSystemObject to loop through each file in the folder that contains your reports. For each file, use the XML Document Object Model (DOM) to load the XML document. Then, loop through and display only those elements that match a part of the report that interests you.
Although the reports are sometimes long, they're broken into hierarchical elements, so interpreting them is logical and straightforward. The <Check> node, which contains the report data for a particular test, includes an ID attribute that defines that test. The <Check> node might be located directly under the root node or beneath the <SQLInstance> node. For example, <Check ID="115" ...> corresponds to Windows security updates and <Check ID="10212" ...> corresponds to SQL Server security updates. Web Table 1 lists all the tests that MBSA performs. Expanding a node provides a particular test's detailed results, which you can further parse for a specific update. For great XML primers that include sample code, visit the Microsoft Developer Network (MSDN) library. (A good place to begin is the "XML DOM User Guide" at http://msdn.microsoft.com/library/default.asp?url=/library/enus/xmlsdk30/htm/xmconxmldomuserguide.asp. The document provides an example of loading an XML document but requires a bit of Windows scripting knowledge.)
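The loop-through-the-folder, load-each-report, pick-out-matching-<Check>-nodes procedure described above, as an added example that is not code from the article. It uses Python's standard library in place of WSH and the XML DOM; the shape of the constructed sample report (root element name, Grade attribute, <Detail>/<UpdateData> children, IsInstalled flag) is an assumption, and only the <Check> ID attribute and its placement under the root or under <SQLInstance> come from the text.

```python
import os
import xml.etree.ElementTree as ET

# Check IDs from the article; the test names are the article's descriptions.
INTERESTING_IDS = {"115": "Windows security updates",
                   "10212": "SQL Server security updates"}

def extract_checks(xml_text, wanted_ids=INTERESTING_IDS):
    """Return the <Check> nodes whose ID is in wanted_ids, whether the node
    sits directly under the root or beneath a <SQLInstance> node."""
    root = ET.fromstring(xml_text)
    # (SQL instance label or "" for root-level checks, Check elements)
    scopes = [("", root.findall("Check"))]
    for inst in root.findall("SQLInstance"):
        scopes.append((inst.get("Name", "SQLInstance"), inst.findall("Check")))
    results = []
    for instance, checks in scopes:
        for check in checks:
            cid = check.get("ID")
            if cid not in wanted_ids:
                continue
            results.append({
                "instance": instance,
                "id": cid,
                "test": wanted_ids[cid],
                "grade": check.get("Grade"),  # assumed attribute
                # assumed: updates listed as <UpdateData> under <Detail>
                "missing": [u.get("ID") for u in check.findall("Detail/UpdateData")
                            if u.get("IsInstalled", "true").lower() == "false"],
            })
    return results

def scan_report_folder(folder, wanted_ids=INTERESTING_IDS):
    """The FileSystemObject step: one report per machine, one dict entry each."""
    summary = {}
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".xml"):
            with open(os.path.join(folder, name), encoding="utf-8") as fh:
                summary[name] = extract_checks(fh.read(), wanted_ids)
    return summary

# Constructed sample report; element names other than Check/SQLInstance are assumed.
SAMPLE_REPORT = """<SecScan Machine="WS01">
  <Check ID="115" Grade="2" Name="Windows Security Updates">
    <Detail><UpdateData ID="KB-PLACEHOLDER-1" IsInstalled="false"/>
            <UpdateData ID="KB-PLACEHOLDER-2" IsInstalled="true"/></Detail>
  </Check>
  <Check ID="1" Grade="5" Name="Password test"/>
  <SQLInstance Name="MSSQLSERVER">
    <Check ID="10212" Grade="3" Name="SQL Server Security Updates">
      <Detail><UpdateData ID="KB-PLACEHOLDER-3" IsInstalled="false"/></Detail>
    </Check>
  </SQLInstance>
</SecScan>"""
```

Point scan_report_folder at the folder MBSA writes its reports to and each machine's missing-update list for the two tests comes back keyed by report file name.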
MBSA Limitations
Although MBSA performs admirably as an all-in-one update-checking tool and basic Microsoft product security-configuration checker, it has limitations. MBSA doesn't scan for Office updates or updates that aren't related to security, so you'll need to rely on other tools to report those updates. MBSA is strictly a scanner and doesn't deploy patches or remediate misconfigurations. (However, it provides useful Help documents that walk you through the remediation of any discovered vulnerability.) For an update scanner that includes more robust patch-management features for as many as 50 computers, check out the free HFNetChkLT tool from Shavlik Technologies, the creators of HFNetChk. HFNetChkLT provides the same capabilities of its commercial sibling, HFNetChkPro (with the exception that HFNetChkLT lets you scan only 50 computers).
Both HFNetChkLT and HFNetChkPro support robust update scanning, patch distribution, and graphical reporting. They also support logging to a SQL Server database and scanning for Office updates. Although they don't offer the vulnerability-scanning features of MBSA, they extend patch management beyond MBSA's current capabilities and provide an aggregated view of missing patches across your organization. You can obtain HFNetChkLT at http://www.shavlik.com/phfnetchklt.aspx.
When you use MBSA, remember that the cursory scans it performs look for the most common misconfigurations of Microsoft products. The vulnerability scanner is a step in the right direction, but it doesn't offer the broad scanning capabilities that dedicated vulnerability-assessment software, such as Internet Security Systems' (ISS's) Internet Scanner or the open-source vulnerability tool Nessus, provides. For example, MBSA checks only five basic password rules (such as whether the password is blank, contains the username or computer name, or contains the words password, admin, or administrator), so you shouldn't use MBSA in lieu of true password-auditing software. MBSA fills a gap for organizations that don't have specialty security software, but be aware of MBSA's limited scanning depth so that you can decide whether your situation warrants the extra horsepower of a more powerful scanner.
Fixing the Known and Unknown
Running MBSA on your network can inform you of problems you didn't even know existed. The MBSA Help text provides useful descriptions of how to use a variety of technologies to attack the vulnerabilities. You can use centralized administration tools such as Active Directory Group Policy to eliminate some vulnerabilities. And you can use Windows scripting to automate the elimination of local system vulnerabilities. For example, consider authoring a script to disable a guest account or change a registry setting for all computers in your domain. You can find techniques for many of these solutions on the Internet and in reference texts.
MBSA offers terrific functionality for ad hoc or scheduled recurring security scans of your network's computers. Although not as comprehensive as a full-blown vulnerability scanner or as powerful as a patch-deployment system, MBSA is a good fit for your security toolkit.