MBSA, now in version 2.1, is actually pretty decent. It not only tests for missing patches (what it's well known for) but also uncovers other weaknesses in your Windows-based systems, such as:
- Users in the Administrator group
- Open file shares
- Null sessions enabled
- Automatic Update status
- IIS lockdown status
- Login auditing status
- Blank or weak Windows and SQL Server passwords
- Weak Internet Explorer zone and Microsoft Office macros security settings
MBSA is free and relatively painless to run. You can download and run it on your local computer or, if you have administrative rights and are currently connected, run it against a single networked system or your entire network, for that matter. To show you how MBSA works, I ran it against my network (Figure 1). As it turns out, it found some missing updates on my test system that I assumed were up to date -- after all, Automatic Updates were enabled.
This is a perfect example of how assuming your patches are current simply because you use WSUS, Automatic Updates, or a third-party tool can really come back to bite you.
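As an added example (not code from this column or from MBSA itself), here is a PowerShell spot-check of several of the items MBSA reports on: local Administrators membership, open file shares, null sessions, Automatic Update status, and logon auditing. It lets you confirm by hand, on one host, what the scanner tells you. It assumes an elevated PowerShell 5.1 or later session; the registry paths and value meanings are the documented Windows settings.

```powershell
# Added example: manual spot-check of a few MBSA 2.1 findings on the local host.
# Requires an elevated session (local administrator) and PowerShell 5.1 or later.

function Test-LocalAdmins {
    # MBSA flags every account in the local Administrators group; list them so
    # each membership can be justified.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-OpenShares {
    # Shares without a trailing $ are the visible ones MBSA's "open file shares" check reports.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -notlike '*$' } |
        Select-Object Name, Path, Type
}

function Test-NullSessions {
    # RestrictAnonymous = 0 (or absent) leaves anonymous (null-session) enumeration open.
    # Newer systems also rely on RestrictAnonymousSAM and EveryoneIncludesAnonymous.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
        NullSessionsAllowed  = (-not $lsa.RestrictAnonymous)   # $null or 0 => allowed
    }
}

function Test-AutoUpdate {
    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then notify,
    # 4 = download and install on schedule. A Group Policy value overrides the local one.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $key = if (Test-Path $policy) { $policy } else { $local }
    $au = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AUOptions
    [pscustomobject]@{ Source = $key; AUOptions = $au; Enabled = ($au -ge 2) }
}

function Test-LogonAuditing {
    # MBSA's "login auditing" check: shows whether logon success/failure is being recorded.
    auditpol /get /subcategory:"Logon"
}

'--- Local Administrators ---'; Test-LocalAdmins
'--- Open shares ---';          Test-OpenShares
'--- Null sessions ---';        Test-NullSessions
'--- Automatic Updates ---';    Test-AutoUpdate
'--- Logon auditing ---';       Test-LogonAuditing
```

Note that an "Enabled" Automatic Updates result is exactly the assumption the column warns about: it says updates are configured, not that every applicable patch has actually been installed, which is what MBSA's missing-updates check answers.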
Yet, even with all of MBSA's positive traits, I have found some downsides:
- MBSA is not a full-fledged vulnerability scanner that you can rely on to detect everything (never assume that just because MBSA has checked for the basics that you're in the clear).
- MBSA is not a vulnerability scanner that's going to check for third-party software weaknesses, Web application flaws, or really anything outside of the out-of-the-box Microsoft-delivered realm (the source of many vulnerabilities in Windows).
- MBSA is not a penetration testing tool that's actually going to exploit the weaknesses it uncovers (this requires higher-end commercial tools and, in many cases, some hacking know-how).
- MBSA is not a tool that's going to generate fancy and easily-customized security assessment reports (they may be good enough for you but probably not enough for your managers, auditors, and business partners).
Despite these downsides, MBSA does provide a general security snapshot of your Microsoft systems. It highlights the low-hanging fruit and shows you where you're not following sound security practice – at least in the eyes of Microsoft. But, again, it's still better than nothing and a good starting point that I highly recommend if you've yet to test your systems for security vulnerabilities.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.
This was first published in March 2009