3. Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer, or MBSA, is an excellent tool
that you can use to assess your network and the
effects of your security policy. MBSA works by scanning a machine or
range of machines for specific policy problems, security updates that
aren't present, Microsoft Office updates that aren't present, and other
red flags that might indicate security risks. Then it lists all the
problems in an easy-to-read report that you can use to rectify each
problem.
The latest version as of this writing, Version 2.0, improves on the
previous version's interface with more informative screens and reports,
and makes use of both the much-improved Microsoft Update catalog and the
Windows Update Agent detection engine. MBSA can scan for configuration
problems in the following products out of the box:
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
IIS
SQL Server
Internet Explorer
Office
MBSA 2.0 also scans for missing security hotfixes in the following products:
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
IIS
SQL Server
Internet Explorer
Exchange Server
Windows Media Player
Microsoft Data Access Components (MDAC)
MSXML
Microsoft Virtual Machine
Commerce Server
Content Management Server
BizTalk Server
Host Integration Server
Office
MBSA is an essential tool
for ensuring the computers in your organization remain in compliance
with any security policy you have in place. You can download the tool
from the Microsoft web site at:
- http://www.microsoft.com/technet/security/tools/mbsahome.mspx
3.1. Using the MBSA
Running a scan on a
computer or set of computers using the MBSA is simple. In the following
example, I'll assume we're scanning only a single computer. First, open
the MBSA program. Then do the following:
Click Scan a computer to scan a single computer. The Pick a computer to scan screen appears, as shown in Figure 5.
Ensure the correct computer name is listed in the Computer Name field. You can also specify an IP address instead. Additionally, enter a name for the resulting report; you can use any of the options listed there—domain, IP address, date and time, or computer name.
Select the scope of the scan. You can choose to scan for Windows vulnerabilities, weak passwords, IIS vulnerabilities, SQL vulnerabilities, and security updates. (You can use a Windows Software Update Services [WSUS] server if you want. SUS is covered later in this chapter.)
Click Start Scan to begin the scan. The wizard will fetch the latest security update information from the Microsoft site and then commence the scan.
When the scan is complete, you'll see the View security report screen. A sample screen is shown in Figure 6.
You can see each issue the scan identified, how serious the issue is, and a link to information on how to correct it.
A suggestion about security strategy: I recommend you use the MBSA before
applying your security templates or SCW policies to know what issues to
address, and then run it once again after your templates or SCW policies
have been applied and tested in order to identify what might have slipped
through the cracks.
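The before-and-after scans recommended above can also be scripted with mbsacli.exe, the command-line scanner that installs alongside MBSA. The following is an added example, not code from the original text. The install path, the helper name Invoke-BaselineScan, and the host name SERVER01 are assumptions.

```powershell
# Added example: scripted equivalent of the GUI scan, labelled "before" or "after"
# so the two reports for one machine are easy to tell apart.
# Assumption: MBSA 2.0 is installed at the path below.
$MbsaCli = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'

# The five scan scopes offered in the GUI, mapped to the tokens that mbsacli's
# /n switch uses to SKIP a check (every check runs unless it is skipped).
$SkipToken = @{
    Windows   = 'OS'
    Passwords = 'Password'
    IIS       = 'IIS'
    SQL       = 'SQL'
    Updates   = 'Updates'
}

function Invoke-BaselineScan {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Target,   # computer name or IP address
        [Parameter(Mandatory)] [ValidateSet('before', 'after')] [string] $Phase,
        [string[]] $Scope = @('Windows', 'Passwords', 'IIS', 'SQL', 'Updates')
    )

    # Reject scope names that have no /n token rather than silently scanning everything.
    $unknown = $Scope | Where-Object { -not $SkipToken.ContainsKey($_) }
    if ($unknown) { throw "Unknown scan scope: $($unknown -join ', ')" }
    if (-not (Test-Path $MbsaCli)) { throw "mbsacli.exe not found at $MbsaCli" }

    # Report name template: %C% = computer name, %T% = date and time.
    $cliArgs = @('/target', $Target, '/o', "%C% $Phase (%T%)")

    # Any scope that was not selected is passed to /n, joined with '+'.
    $skip = $SkipToken.Keys |
        Where-Object { $Scope -notcontains $_ } |
        ForEach-Object { $SkipToken[$_] }
    if ($skip) { $cliArgs += '/n', ($skip -join '+') }

    & $MbsaCli @cliArgs
}

# Usage (SERVER01 is a constructed host name):
#   Invoke-BaselineScan -Target 'SERVER01' -Phase before
#   ...apply and test the security templates or SCW policies, then:
#   Invoke-BaselineScan -Target 'SERVER01' -Phase after
#   Invoke-BaselineScan -Target 'SERVER01' -Phase after -Scope Windows, Updates
```

Both reports are saved under the scanning account's SecurityScans folder and can be opened side by side in the MBSA interface.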