I've noticed over the years that there's a really funny trend when it comes to Microsoft add-ons and utilities: the most useful members of the bunch tend to be [a] free, and [b] entirely under-utilized because nobody realizes that they're there. With the release of a new version of the Microsoft Baseline Security Analyzer (MBSA), it's a good time to introduce this neat little tool to those of you who aren't familiar with it, and perhaps re-introduce it to those of you who've relegated it to a closet.
MBSA is a free utility that allows you to scan anywhere from one to 10,000 computers for patch levels and various potential security "gotchas." (Unlike Windows Update, though, it does not automatically download any missing patches that it finds.) The utility runs on any machine running Windows 2000 or better, and has been localized for English, German, Japanese and French.
In addition to providing support for XP SP2, the new version of MBSA (1.2.1) has greatly improved the "help" function that provides detailed information about the issues it finds. No really, I mean it. Rather than being the stereotypical "no-help" help system, the new MBSA actually offers useful and clearly written guidance concerning where to find security patches and how to correct potential security issues. MBSA can scan for updates for Windows, SQL, IIS, Office, Exchange 2003, Content Management Server and a number of other Microsoft products. The newest version will also perform a configuration check on your Windows Firewall/ICF configuration and your Windows Update settings.
And MBSA will scan for some of the most common -- and dangerous -- security misconfigurations on Windows machines, including:
- Unnecessary services running on workstations, such as IIS, SMTP or Telnet server.
- Is the Guest account disabled?
- Do local user accounts have strong passwords?
- Are Internet Explorer security zones configured correctly?
- On IIS servers, are the IIS sample applications installed? (Microsoft recommends against this on a production server.)
- On SQL servers, does the all-powerful "sa" account have a strong password?
The one possible shortcoming to MBSA -- and the reason why I didn't use it all that extensively initially -- is that the MBSA GUI produces a single XML file for each machine that it scans. So if you have a large domain, it would seem that you're forced to sit and click "show next report" until your mouse fingers threaten to sue for carpal tunnel.
However, MBSA also has a command-line component that can be incorporated into any number of scripting solutions. In fact, you'll find several sample scripts on Microsoft's Web site that perform a number of tasks, including my favorite: creating a summary report from an entire MBSA scan. These scripts are freely available for download, and can be customized to suit your environment. This level of flexibility makes MBSA a useful utility in any Windows administrator's tool belt.
Laura E. Hunter is a Microsoft MVP and SearchWin2000.com site expert.
This was first published in September 2004