Having repeatedly seen the advice on the Microsoft Security home page to use the company's Microsoft Baseline Security Analyzer (based on Shavlik's HFNetChk product), I decided to go ahead and give it a try. The results were both interesting and educational, and showed me that Windows Update alone is not enough to keep a Windows system properly patched and updated. MBSA, in fact, is sensitive to the types of machines it scans (and does a pretty good job of scanning remotely, as well as on the machine where it's installed).
Among the many things I learned from running MBSA on the six computers on my local network were the following:
- Windows Update does not scan for patches or updates for certain non-core Windows components. Because I work regularly with XML, I have MSXML installed on most of my Windows machines. I wasn't aware, until I ran MBSA, that a new service pack with security updates included had been issued. Not aware all too often translates into not installed, so that's what I did next thanks to the advice from the software (it's also good about providing pointers to the MS Web site so you can go and grab necessary downloads without having to spend a lot of time searching for them).
- It also seems that last year I elected not to install some DirectX critical security updates because my computers seldom, if ever, run DirectX code. Windows Update was perfectly happy to let me slide on this, but not MBSA. By reading the relevant KB article I found that a new version of DirectX (9.0b) has been released, which includes fixes for all known security issues, and runs on all flavors of Windows except NT 4.0. I installed this on my machines, and believed it probably fixed those problems. But alas, MBSA doesn't recognize that code and still warns me that it can't confirm that the fixes in MS03-030 have been applied (despite the indication therein that "DirectX 9.0b has been released at the same time as this security bulletin and contains the security fix discussed in the security bulletin").
- The scan on my server was much more detailed and comprehensive than those performed on my various desktop machines. In addition to the two foregoing items, it also came out with a slew of recommendations related to password strengths and assignments, made recommendations on changing security settings in the Registry, pointed out some potentially unnecessary services that could be disabled (it reminded me, in fact, that Telnet is stopped on my server, rather than totally disabled as it more properly should be), and pointed out some potential MS Office problems as well.
My conclusion is that MBSA is a free tool that provides useful and informative reports, and should be a part of anybody's Windows security regimen, unless they're already using a similar security scanner on a regular basis. It's definitely worth the time and energy it takes to download, install and run.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.