
Why should Windows shops use Microsoft Baseline Security Analyzer?

Learn about Microsoft's Baseline Security Analyzer, a free and easy-to-use tool that helps enterprises with necessary security scanning measures.

We've all heard the adage, "something is better than nothing," and know how true it holds in information security. When I hear this saying, Microsoft's Baseline Security Analyzer (MBSA), a barebones security configuration scanner, comes to mind. Sure, this tool may be best suited for small and medium-sized businesses, but it can also help enterprises with necessary security scanning measures.

MBSA, now in version 2.1, is actually pretty decent. It not only tests for missing patches (what it's well-known for) but also uncovers other weaknesses in your Windows-based systems, such as:

  • Users in the Administrator group
  • Open file shares
  • Null sessions enabled
  • Automatic Update status
  • IIS lockdown status
  • Login auditing status
  • Blank or weak Windows and SQL Server passwords
  • Weak Internet Explorer zone and Microsoft Office macros security settings

MBSA is free and relatively painless to run. You can download and run it on your local computer or, if you have administrative rights and are currently connected, run it against a single networked system or your entire network, for that matter. To show you how MBSA works, I ran it against my network (Figure 1). As it turns out, it found some missing updates on my test system that I had assumed was up-to-date -- after all, Automatic Updates was enabled.

Figure 1: MBSA can highlight missing patches assumed to have been taken care of elsewhere.

This is a perfect example of how assuming your patches are current simply because you use WSUS, Automatic Updates, or a third-party tool can really come back to bite you.
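To make the checks in the list above concrete, here is an added PowerShell example that is neither MBSA's own code nor the author's. It reproduces, for the local host, several of the items MBSA reports on (Administrators group membership, open shares, null-session settings, Automatic Update status, logon auditing, accounts allowed a blank password) and then asks the Windows Update Agent directly which updates it knows are not installed, which is exactly the "I assumed it was patched" gap shown in Figure 1. Assumptions: an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later (for the `LocalAccounts` and `SmbShare` cmdlets), an English-locale `auditpol` for the heuristic text match, and the OK/Warn thresholds are this example's own, not Microsoft's.

```powershell
# Added example, not part of MBSA or the original article.
# Minimal local baseline check modelled on the items MBSA reports.
# Assumes: elevated Windows PowerShell 5.1, Windows 8/Server 2012+,
# English-locale auditpol output. Status thresholds are this script's own.

function New-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-LocalAdministrators {
    # Users in the Administrators group: every member deserves a second look.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    New-Finding 'Administrators group' 'Info' (($members | ForEach-Object Name) -join ', ')
}

function Test-OpenShares {
    # Open file shares: non-administrative shares that grant Everyone any access.
    $shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }
    foreach ($s in $shares) {
        $everyone = Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone) {
            New-Finding 'Open share' 'Warn' "$($s.Name) -> $($s.Path) grants Everyone $($everyone.AccessRight -join ',')"
        }
    }
}

function Test-NullSessions {
    # Null sessions: RestrictAnonymous=0 lets unauthenticated callers enumerate shares and users.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
    $status = if ($ra -ge 1) { 'OK' } else { 'Warn' }
    New-Finding 'Null sessions' $status "RestrictAnonymous=$ra RestrictAnonymousSAM=$($lsa.RestrictAnonymousSAM)"
}

function Test-AutomaticUpdates {
    # Automatic Update status via the Windows Update Agent COM object.
    # NotificationLevel: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $au.Settings.NotificationLevel
    $status = if ($level -ge 3) { 'OK' } else { 'Warn' }
    New-Finding 'Automatic Updates' $status "NotificationLevel=$level"
}

function Test-LogonAuditing {
    # Logon auditing: heuristic parse of auditpol text (English locale assumed).
    $out = (auditpol /get /subcategory:'Logon' 2>&1 | Out-String).Trim()
    $status = if ($out -match 'No Auditing') { 'Warn' } else { 'OK' }
    New-Finding 'Logon auditing' $status ($out -split "`r?`n" | Select-Object -Last 1).Trim()
}

function Test-PasswordRequired {
    # Blank passwords: enabled local accounts the system does not require a password for.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
        New-Finding 'Blank password allowed' 'Warn' $_.Name
    }
}

function Test-MissingUpdates {
    # Missing patches: ask the Windows Update Agent what it knows is not installed.
    # This is the check that catches "Automatic Updates is on, so I must be current".
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        New-Finding 'Missing update' 'Warn' $u.Title
    }
    if ($result.Updates.Count -eq 0) { New-Finding 'Missing update' 'OK' 'none reported' }
}

$findings = @(
    Test-LocalAdministrators
    Test-OpenShares
    Test-NullSessions
    Test-AutomaticUpdates
    Test-LogonAuditing
    Test-PasswordRequired
    Test-MissingUpdates
)
$findings | Format-Table -AutoSize
```

Each check returns a finding object rather than printing, so the results can be exported (`$findings | Export-Csv`) or compared across runs. As with MBSA, running this on a host you administer elsewhere on the network is a matter of wrapping the functions in `Invoke-Command -ComputerName` over WinRM with the same administrative rights the article mentions; the update search in particular is the quickest way to confirm whether "Automatic Updates is enabled" actually translated into an installed patch.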

Yet, even with all of MBSA's positive traits, I have found some downsides:

  1. MBSA is not a full-fledged vulnerability scanner that you can rely on to detect everything (never assume that just because MBSA has checked for the basics that you're in the clear).
  2. MBSA is not a vulnerability scanner that's going to check for third-party software weaknesses, Web application flaws, or really anything outside of the out-of-the-box Microsoft-delivered realm (the source of many vulnerabilities in Windows).
  3. MBSA is not a penetration testing tool that's actually going to exploit the weaknesses it uncovers (this requires higher-end commercial tools and, in many cases, some hacking know-how).
  4. MBSA is not a tool that's going to generate fancy and easily-customized security assessment reports (they may be good enough for you but probably not enough for your managers, auditors, and business partners).

Despite these downsides, MBSA does provide a general security snapshot of your Microsoft systems. It highlights the low-hanging fruit and shows you where you're not following sound security practice – at least in the eyes of Microsoft. But, again, it's still better than nothing and a good starting point that I highly recommend if you've yet to test your systems for security vulnerabilities.

Kevin Beaver
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/
