Managing the Life Cycle—Keeping Windows 7 Up to Date : Using MBSA for Security Audits

Figure 1 shows the first screen you'll see when launching the MBSA. Although the title bar shows it as version 2.1, the introductory text states that it includes support for Windows 7, indicating that it is version 2.1.1.

Figure 1. MBSA 2.1.1

MBSA 2.1.1 was released to support Windows 7 clients. It can run on and scan any of the following clients:

• Windows 2000

• Windows XP

• Windows Vista

• Windows Server 2003

• Windows Server 2003 R2

• Windows Server 2008

• Windows Server 2008 R2

After you've run at least a single report, the View Existing Security Scan Reports link will be enabled, allowing you to view past reports. If you click this link, it'll provide a list of all the reports that have been run. This list includes the computer name, the IP address, the overall assessment of the scan, and the date when it was run.

1. Picking Computers to Scan

You can run MBSA against a single computer or multiple computers in a network. When you choose to scan a single computer, you'll see a screen similar to Figure 2. You can identify the computer to scan based on the computer name or its IP address.

Figure 2. Picking a single computer to scan

You'll need administrative access to scan any computers using MBSA, so if you're scanning remote computers, you should be logged on with an account that is in the remote computer's Administrators group.

If you instead click the Scan Multiple Computers link of MBSA, you'll see a display similar to Figure 3. You can choose to scan all the computers in a domain or all the computers in a range of IP addresses.

Figure 3. Selecting multiple computers to scan

In the figure, I added the IP address range of 192.168.1.2 to 192.168.1.254 to scan all the computers in this subnet. I omitted 192.168.1.1 because it is the address of the router in this network and not a Microsoft computer. MBSA will then connect to the specified computers and inspect them for installed updates and other security issues.

When MBSA is run, it will first connect to a Microsoft website to download the MBSA detection catalog (wsusscn2.cab). This catalog includes information about all available updates and security vulnerabilities. It is used to compare the existing updates and configurations on individual clients with a list of security updates that have been released along with known vulnerabilities. If the catalog has already been downloaded, MBSA will check to be sure it is up to date.

The previous version of the cabinet file was named wsusscan.cab and is still available. However, wsusscan.cab has not been updated since March 2007 and doesn't include updates and security vulnerabilities since then. You need to use the wsusscn2.cab file to ensure that you are checking against the most recent data.

2. Vulnerability Checks

MBSA will scan computers for several security issues. It uses Windows Management Instrumentation queries to inspect the system for the following vulnerabilities:

Check for Windows Administrative Vulnerabilities

MBSA inspects the system for basic security issues such as whether more than one user is a member of the Administrators group, the Guest account is enabled (it should be disabled), NTFS is used on all the drives, and any folders are being shared.

Check for Weak Passwords

MBSA checks for blank or weak passwords on each local account on the system. A strong password will have at least eight characters and use a combination of at least three of the four character types (uppercase, lowercase, numbers, and symbols).

Check for IIS Administrative Vulnerabilities

This check looks for vulnerabilities in Internet Information Services (IIS) versions 5.0, 5.1, and 6.0. It also checks to see whether the IIS Lockdown Tool has been run on these versions. If IIS is not installed on the scanned system, this check is skipped.

Check for SQL Administrative Vulnerabilities

This check looks for vulnerabilities in both SQL Server instances and the Microsoft Data Engine (MSDE) that is installed on any scanned computers. If SQL Server or MSDE is not installed on the system, this check is skipped.

Check for Security Updates

This check scans all systems to determine whether all current security updates are installed. It uses the same technology that is used by WSUS and SCCM to scan the computers. However, if your network is not using WSUS or SCCM, this is a valuable tool to determine easily whether clients are up to date. A green check indicates that no missing security updates were identified. Missing updates are marked with a red X, and missing service packs or update rollups are marked with a yellow X.

The security updates check gives you several additional options, including these:

Configure Computers for Microsoft Update And Scanning Prerequisites

If a client doesn't have the Windows Update Agent installed, it can't be scanned. However, selecting this setting allows you to install the Windows Update Agent and other prerequisites automatically on the target computers so that they can be scanned.

Advanced Update Services Options

Two additional update services options are available for clients that are configured to receive updates from WSUS servers. If your environment is not using WSUS, these settings won't be used.

Scan Using Assigned Windows Server Update Services (WSUS) Servers Only

This option can be used in an environment where WSUS is being used. It will scan only computers that are configured to receive updates from WSUS servers.

Scan Using Microsoft Update Only

This option allows you to compare clients against the list of updates available from Microsoft instead of the list of updates that have been approved on the WSUS server.

MBSA provides a report on the findings for each scan. Reports include information on any issues that are found and also provide instructions on how to fix any of the issues.

Figure 4 shows a sample report with the Windows Scan Results showing. If you look at the vertical scroll bar on the right side of the window, you can see that there is a lot more to this report.

Figure 4. Viewing the MBSA report

The report shows three different icons referred to as risk scores. The orange shield icon with an exclamation mark generally indicates that action is required to secure your system. You may also find a red shield icon, which indicates a severe risk.

Orange shield with exclamation mark

This indicates a risk that should be addressed. In the figure, it shows that automatic updates are not set to be installed automatically (requiring user action), an update is not complete and is pending a reboot, and four out of five accounts have non-expiring passwords.

Blue circle with exclamation mark

This generally indicates a best practice and not necessarily a security issue. An exception for a firewall allows certain traffic through. The firewall should be enabled and that's the most important setting, but it is often acceptable and even necessary to enable exceptions.

Green shield with check mark

This indicates that MBSA checked for the vulnerability and found the system compliant.

Red shield with an X

This indicates a known security update, service pack, or update rollup is not installed. In addition, if Automatic Updates is completely disabled, it will show up with a red shield.

By clicking Result Details in the report for any of the issues, you can see additional data that can tell you what to do. As an example, Figure 5 shows the result details for the issue related to user accounts having non-expiring passwords.

Figure 5. Viewing report details from MBSA

You can drill into the details of any of the report issues and determine exactly what the problem is and how to resolve it.

3. Installing MBSA

MBSA is a free download available at Microsoft's download site (www.microsoft.com/downloads) by searching for "MBSA 2.1.1." You should download at least version 2.1.1 to support Windows 7. Versions exist for both x86 (32-bit) and x64 (64-bit) systems.

4. Running the MBSA

The first time it is run, it may take some time to connect to Microsoft's site to download the wsusscn2.cab file, which includes the catalog of security update information. Later, it only checks to see if the version is up to date.

5. Running the MBSACLI

When you install the MBSA, the MBSA command-line interface (MBSACLI) will also be installed. The great strength of the MBSACLI is the same as with any command-line tool: It can be scripted, and anything that can be scripted can be scheduled.

You could create a batch file to run MBSACLI on all the computers in your domain or on all the computers within a specific subnet. You can then schedule this batch file to run every Sunday night. When you come in to work on Monday, you'll only need to check it. If you want to get fancier, you can include a script to send the output to your email address or the email address of a group of administrators.

5.1. MBSACLI Location

The Mbsacli.exe file is located in the \Program Files\Microsoft Security Baseline Analyzer 2\ folder when MBSA is installed. You need to specify this path when executing MBSACLI.

Just as MBSA must be run with administrative permissions, MBSACLI also needs administrative permissions. When running the command from the command prompt, launch it with administrative permissions by right-clicking Command Prompt and selecting Run as Administrator.

As a simple way to see MBSACLI in action, you can execute the following command:

"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" i
/target localhost

Since the path and command contain spaces, they must be enclosed in quotes. The /target switch is used to identify the computer to check. Localhost is resolved to the computer from where it's run using the host file (located at C:\Windows\System32\Drivers\etc\).

Some of the common switches used with MBSACLI are shown in Table 4.1. As with any command-prompt tool, you can redirect the output to a text file using the redirect symbol (>). For example, the following command runs the same report as shown in the previous command but redirects it to a text file named mbsacli.txt.

"C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli" 

/target localhost > mbsacli.txt

5.2. Running in an Isolated Environment

It is possible to run MBSACLI in an isolated environment that doesn't have access to the Internet. For example, you may be running Windows 7 in a VPC machine used for testing, or you may have an entire network that is completely isolated from the Internet for security reasons. When running MBSACLI in an isolated environment, you'll need to take a couple of extra steps:

• Download an up-to-date version of the wsusscn2.cab file from http://go.microsoft.com/fwlink/?linkid=76054.

• Download an up-to-date version of the wuredist.cab file from go.microsoft.com/fwlink/?LinkId=84399.

• Copy the wuredist.cab file to the %systemroot%\Users\username\AppData\Local\Microsoft\MBSA\2.1.1\Cache folder.

If the wuredist.cab file is not copied to the appropriate folder, MBSACLI will return the following error: The catalog file (Wuredist.Cab) is damaged or an invalid catalog. Once these steps are taken, you can then run MBSACLI with the /catalog switch to point to the location of the file. It's also common to include the /nvc, /nd, and /ia switches. Assuming the wsusscn2.cab file is located in the c:\mbsa folder, you could use the following commands. The first command changes the directory to where MBSACLI is located, and the second runs it with the appropriate switches for an isolated environment.

CD "C:\Program files\Microsoft Baseline Security Analyzer 2\mbsacli"
Mbsacli /catalog C:\mbsa\wsusscn2.cab /ia /nvc /nd