Doug Vitale Tech Blog

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer, or MBSA, is a simple, easy-to-use application that helps determine the security state of Windows-based computers against Microsoft’s recommendations. MBSA can detect common security misconfigurations and missing security updates for Windows and other related Microsoft software.

MBSA v2.3 was released on Nov. 14, 2013 and adds support for Windows Server 2012 and Windows 8, and drops support for Windows 2000. Version 2.2 of MBSA was released on Aug. 20, 2010 and was intended to provide support for the latest Windows technologies at the time, such as Windows 7 and Windows Server 2008.

The MBSA user interface

The Microsoft Baseline Security Analyzer v2.3 main interface

The main interface offers three options: Scan A Computer, Scan Multiple Computers, and View Existing Security Scan Reports.

When you want to scan a single host (whether a remote node or your own computer), choose Scan A Computer and you will be shown the interface below.

The MBSA v2.3 options for single host scanning

When you want to scan multiple hosts (including an entire subnet range or all hosts in a domain), choose Scan Multiple Computers and you will be shown the interface below.

MBSA v2.3 scanning options for multiple targets

When you initiate a scan, MBSA attempts to connect to the Internet to download the current security update catalog (Wsusscn2.cab) from Microsoft.com and to check whether a newer version of MBSA itself is available. Both connections can be suppressed from the command line with the /nd and /nvc switches described further down.

MBSA downloading updates

After the download completes, the scan runs. When it finishes, the results are displayed and you are given the option to print the report or copy it to the clipboard.

An MBSA finished scan and its results

Later on you can view this scan report again by choosing View Existing Security Scan Reports from the main MBSA interface.

MBSA requirements

1. To run MBSA, you must be logged on with an account that has local administrative privileges on each computer being scanned either locally or remotely. If you are running mbsacli.exe (see below) make sure you have opened the command prompt (cmd.exe) using the ‘Run as administrator’ option.

2a. To scan a computer locally (not over the network), the following requirements must be met on that computer. (The lists below follow Microsoft's documentation; the Windows 2000 entry applies only to MBSA 2.2 and earlier, since v2.3 dropped support for it.)

  • Windows Server 2012/2012 R2, Windows 8/8.1, Windows Server 2008/2008 R2, Windows 7, Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 Service Pack 3 or later.
  • Internet Explorer 5.01 or later.
  • An XML parser is required in order for the tool to function correctly. It is recommended that the most recent version of the MSXML parser be installed.
  • The World Wide Web Service is required if you want to perform local IIS administrative vulnerability checks.
  • Windows Update Agent 3.0.
  • The following must be enabled:
    • Workstation service
    • Server service

2b. To scan computers remotely, the scanning computer must meet the following requirements:

  • Windows Server 2012/2012 R2, Windows 8/8.1, Windows Server 2008/2008 R2, Windows 7, Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 Service Pack 3 or later.
  • Internet Explorer 5.01 or later.
  • An XML parser is required in order for the tool to function correctly. It is recommended that the most recent version of the MSXML parser be installed.
  • The World Wide Web Service is required if you want to perform local IIS administrative vulnerability checks.
  • Windows Update Agent 3.0.
  • The IIS Common Files are required on the local computer when remotely scanning an IIS server.
  • The following must be enabled:
    • Workstation service
    • Server service

2c. To scan computers remotely, the following requirements must be met on the computers being scanned.

  • Windows Server 2012/2012 R2, Windows 8/8.1, Windows Server 2008/2008 R2, Windows 7, Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 Service Pack 3 or later. Itanium-based computers must be running Windows Server 2003 with SP1 or higher.
  • Internet Explorer 5.01 or later is required for IE zone checks.
  • IIS is required for IIS product and administrative vulnerability checks.
  • Microsoft SQL Server 7.0, 2000, 2005, 2008 or Microsoft Data Engine or Microsoft SQL Server 2000 Desktop Engine (MSDE) is required for SQL product and administrative vulnerability checks.
  • Windows Update Agent 3.0.
  • Microsoft Office 2000, Office XP or Office System 2003 is required for Office product and administrative vulnerability checks.
  • Windows Installer 3.0 or later is required for Office product updates checks.
  • The following must be enabled:
    • Server service
    • Remote Registry service
    • File and Print Sharing
  • Distributed COM (DCOM) is required for remote security update scanning.
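Before a multi-host scan it saves time to confirm the target-side requirements from list 2c up front. The PowerShell below is an added example and is not part of the original article or of MBSA: it checks each target for the listeners behind File and Print Sharing and DCOM (TCP 445 and 135) and for the Server and Remote Registry service states, then reports whether the host looks ready. It assumes Windows PowerShell 5.1 on the scanning host (for Test-NetConnection and Get-Service -ComputerName), administrative rights on every target (which MBSA needs anyway), and uses constructed host names.

```powershell
# Added example, not part of the original article or of MBSA: pre-flight check
# of the remote-scan requirements (Server service, Remote Registry, File and
# Print Sharing, DCOM) run from the MBSA scanning host.
# Assumptions: Windows PowerShell 5.1, the current account is a local
# administrator on each target, and the host names below are constructed.
$targets = @('srv-file01', 'srv-sql02')    # constructed sample host names

function Test-MbsaTarget {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{
        Computer       = $ComputerName
        Smb445         = $false      # File and Print Sharing / Server service listener
        Rpc135         = $false      # RPC endpoint mapper, used by DCOM and Remote Registry
        ServerSvc      = 'unknown'
        RemoteRegistry = 'unknown'
        Ready          = $false
    }

    # Port checks surface firewall problems before a scan fails on the host.
    $r.Smb445 = Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
    $r.Rpc135 = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue

    # Service state over the remote Service Control Manager interface.
    # Remote Registry is often Manual rather than Running; on Windows 7 and later
    # it is trigger-started by incoming requests, so only Disabled is a blocker here.
    $svcOk = $false
    try {
        $srv = Get-Service -ComputerName $ComputerName -Name LanmanServer   -ErrorAction Stop
        $rr  = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
        $r.ServerSvc      = "$($srv.Status)"
        $r.RemoteRegistry = "$($rr.Status)/$($rr.StartType)"
        $svcOk = ($srv.Status -eq 'Running') -and ($rr.StartType -ne 'Disabled')
    } catch {
        $r.ServerSvc      = "error: $($_.Exception.Message)"
        $r.RemoteRegistry = $r.ServerSvc
    }

    $r.Ready = $r.Smb445 -and $r.Rpc135 -and $svcOk
    [pscustomobject]$r
}

$targets | ForEach-Object { Test-MbsaTarget -ComputerName $_ } | Format-Table -AutoSize
```

A host that shows Ready = False here will not be scanned successfully by MBSA no matter which options are chosen; fix the firewall rule or service start type first, then rerun the scan.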


MBSA GUI scanning options explained

  • Check for Windows administrative vulnerabilities – Selecting this option scans for problems with the way that Windows is configured on the target computer. Such factors as the number of members of the local Administrators group, file system type, and whether Windows Firewall is enabled are checked and reported on.
  • Check for weak passwords – Selecting this option tests the passwords of local user accounts to determine whether any are blank or have other problems that might allow them to be guessed easily.
  • Check for IIS administrative vulnerabilities – Selecting this option checks for Internet Information Services (IIS) administrative vulnerabilities. When scanning servers running IIS, the computer running MBSA must have the Common Files installed for the highest version of IIS to be scanned. For example, to scan servers running IIS 6.0, the IIS 6.0 Common Files must be installed on the computer running MBSA.
  • Check for SQL Server administrative vulnerabilities – Selecting this option checks for administrative vulnerabilities on each instance of Microsoft SQL Server, Microsoft Data Engine, SQL Express or Microsoft SQL Server 2000 Desktop Engine (MSDE) running on the target computer. Note: scanning SQL Server running in a cluster configuration can produce erroneous errors for Sysadmin role members, guest account, and account password tests.
  • Check for security updates – Selecting this option checks the target computer for missing Microsoft Windows and Microsoft Office updates. When you select this option, you can also specify the following options:
    • Configure computers for Microsoft Update and scanning prerequisites – Selecting this option installs the current version of the Windows Update Agent on the target computer if it is absent or out of date and configures the target computer to meet other requirements for scanning for security updates.
    • Use additional catalogs (if available) – This option will appear only if additional catalogs are found on the local machine. If present, this option will be selected. De-selecting this option will ignore any additional catalogs even if they are present.
    • Scan using Windows Server Update Services (WSUS) servers only – Selecting this option scans only for those security updates that are approved on the computer’s assigned WSUS server. The Microsoft Update Web site, offline or additional catalogs are not used.
    • Scan using Microsoft Update only – Selecting this option uses only the security update catalog downloaded from the Microsoft Update Web site to determine the updates to be checked. Updates that are not approved on the computer’s Update Services server are reported as though they were approved. If the Microsoft Update site cannot be reached by the client, an error will be reported.
    • Scan using offline catalog only – Selecting this option uses only the offline security update catalog (WSUSSCN2.CAB) downloaded from Microsoft or cached on the local machine. If the offline catalog cannot be downloaded from Microsoft and there is no locally cached copy, an error will be reported.
    • Scan using additional catalogs only – Selecting this option uses only additional catalogs (if available). If there are no additional catalogs, an error will be reported.


Using MBSA without Internet access

In order to get the most accurate scan results, MBSA needs to download the latest update catalog from Microsoft.com. If you need to scan computers on a network that has no Internet access, you must update MBSA by hand, since it cannot reach Microsoft.com. To do so, replace the Wsusscn2.cab file in %SystemDrive%\Users\UserName\AppData\Local\Microsoft\MBSA\Cache (that is, %LOCALAPPDATA%\Microsoft\MBSA\Cache for the account that runs MBSA) with a copy downloaded on an Internet-connected machine. Wsusscn2.cab is signed by Microsoft and lists the security updates, update rollups, and service packs available from Microsoft Update; Microsoft republishes it whenever such an update is added, removed, or revised on the Microsoft Update site. Because the file is carried across by hand, verify its Authenticode signature before dropping it into the cache: a substituted or truncated catalog would simply omit updates and make an unpatched host look clean. Computers that are not connected to the Internet can then be scanned against the updates listed in the Wsusscn2.cab file; combine the /offline, /nd and /nvc switches described below so that mbsacli does not try to reach Microsoft at all.
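The staging procedure above, written out as PowerShell. This is an added example and not code from the original article or from MBSA: it checks the Authenticode signature on the hand-carried Wsusscn2.cab, copies it into the per-user MBSA cache, and runs a strictly offline scan of the local machine with the /offline, /nd, /nvc and /catalog switches documented on this page. The transfer path D:\transfer\Wsusscn2.cab and the default MBSA installation folder are assumptions.

```powershell
# Added example, not part of the original article or of MBSA: stage a
# hand-carried Wsusscn2.cab for an air-gapped scan, verify it, then scan offline.
# Assumptions: the catalog was downloaded on an Internet-connected machine and
# copied to $Staged (path is an assumption); MBSA 2.x is installed in its default
# folder; the local machine is scanned (mbsacli's default when no /target, /r,
# /d or /listfile is given).
$Staged  = 'D:\transfer\Wsusscn2.cab'
$Cache   = Join-Path $env:LOCALAPPDATA 'Microsoft\MBSA\Cache'   # = %SystemDrive%\Users\<user>\AppData\Local\Microsoft\MBSA\Cache
$Catalog = Join-Path $Cache 'Wsusscn2.cab'
$MbsaCli = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'

# 1. Refuse anything that does not carry a valid Microsoft Authenticode signature.
#    A tampered catalog could omit updates and make an unpatched host look clean.
$sig = Get-AuthenticodeSignature -FilePath $Staged
if ($sig.Status -ne 'Valid') {
    throw "Refusing to use ${Staged}: signature status is '$($sig.Status)'"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to use ${Staged}: unexpected signer '$($sig.SignerCertificate.Subject)'"
}
'Catalog signature valid, signer: {0}' -f $sig.SignerCertificate.Subject

# 2. Put it where MBSA looks when it cannot reach Microsoft. The cache is per user,
#    so run this as the same account that will run the scan.
New-Item -ItemType Directory -Path $Cache -Force | Out-Null
Copy-Item -Path $Staged -Destination $Catalog -Force

# 3. Scan strictly offline: /offline uses only the catalog, /nd forbids downloads,
#    /nvc skips the MBSA version check, /catalog names the verified file explicitly,
#    /qp and /qt suppress progress output and the pop-up report.
& $MbsaCli /offline /nd /nvc /catalog $Catalog /qp /qt
if ($LASTEXITCODE -ne 0) { Write-Warning "mbsacli exited with code $LASTEXITCODE" }
```

The signer check is deliberately coarse (it only requires a Microsoft Corporation subject on a chain that Windows already considers valid); it is there to catch a catalog that was swapped or damaged in transit, not to replace the full trust decision Windows makes when it reports Status = Valid.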


Mbsacli.exe

MBSA installs by default in %SystemDrive%\Program Files\Microsoft Baseline Security Analyzer 2. In this folder you can find mbsacli.exe, the command line executable for those who prefer to use MBSA from a command line prompt. There are many options available for mbsacli.exe and the full list can be found below.

Be aware that in some cases, the command-line interface provides more technical options for advanced administrators. The following command line switches are examples of features that are not available in the MBSA GUI tool pictured above:

Mbsacli-only commands

  • mbsacli.exe /catalog [file] – Lets you specify an alternate location for the offline catalog (Wsusscn2.cab) file.
  • mbsacli.exe /nd – Instructs MBSA not to download any files from the Microsoft Web site when performing a scan. In other words, it instructs MBSA to perform the scan as it would in offline mode.
  • mbsacli.exe /nvc – Instructs MBSA not to attempt to connect to the Internet to check for an updated version of the MBSA scan tool.
  • mbsacli.exe /p [password] – Specifies the password of an administrator-level user on the target computer(s). A password passed this way is visible to anyone who can list processes on the scanning host and may be kept in command history or scheduled-task definitions, so prefer running mbsacli under an account that already has administrative rights on the targets.
  • mbsacli.exe /qp – Instructs MBSA not to show scan progress.
  • mbsacli.exe /qt – Instructs MBSA not to display the completed scan report immediately after a scan completes.
  • mbsacli.exe /rd [directory] – Specifies an alternate location for the completed scan report (useful when running MBSA in a non-user context or as a domain administrator). You can use this switch to place completed scan reports on a network share or in a particular local directory.
  • mbsacli.exe /u [username] – Specifies the username of an administrator-level user on the target computer(s).
  • mbsacli.exe /Unicode – Instructs MBSA to provide the completed scan report in Unicode format.
  • mbsacli.exe /xmlout – Checks only for security updates and displays the scan results as XML text in the command line window. Only the MBSA engine files (mbsacli.exe and Wusscan.dll) are needed for this type of scanning, and only the following parameters can be combined with it: /catalog, /wa, /wi, /nvc, and /Unicode.

List of additional mbsacli.exe options

  • mbsacli.exe /addonly – Uses only the additional catalogs (if they exist) for security update information. Updates that are not approved on the computer's Update Services server are ignored unless the WSUS server includes the updates in the additional catalogs, in which case they are displayed as though they were approved. This parameter cannot be used with the /noadd parameter. Use it to force MBSA to use only additional catalogs, not Microsoft Update, the WSUS server or the offline catalog.
  • mbsacli.exe /cabpath [path] – Specifies the directory in which MBSA looks for the offline catalog (Wsusscn2.cab) and related scan files when they are not in the default cache folder; compare /catalog, which names the catalog file itself.
  • mbsacli.exe /d [domain] – Scans all the computers in the specified domain.
  • mbsacli.exe /l – Lists all available reports.
  • mbsacli.exe /ld [report] – Displays the details of the specified report. When scanning a single computer, this is the default behavior unless the /qt parameter is used.
  • mbsacli.exe /listfile [file] – Scans the computers identified in a text file. The [file] argument is the path and name of a text file in ASCII or Unicode format that contains one or more IP addresses or computer names. Each IP address or computer name must appear on a separate line.
  • mbsacli.exe /lr [report] – Displays an overview of the specified report.
  • mbsacli.exe /ls – Lists reports from the most recent scan.
  • mbsacli.exe /mu – Configures the computers being scanned to use the Microsoft Update site.
  • mbsacli.exe /n IIS – Excludes the IIS administrative vulnerability checks.
  • mbsacli.exe /n OS – Skips Windows operating system (OS) checks. This also skips the Internet Explorer and Outlook zone checks and the Office macro security checks.
  • mbsacli.exe /n Password – Excludes password vulnerability checks.
  • mbsacli.exe /n SQL – Excludes SQL Server/MSDE checks.
  • mbsacli.exe /n Updates – Skips security update checks.
    Several check groups can be excluded at once by joining them with "+", as in /n os+iis+sql+password (see the examples below).
  • mbsacli.exe /noadd – Ignores any additional catalogs, even if they exist. This parameter cannot be used with the /addonly parameter.
  • mbsacli.exe /o [template] – Specifies the template that MBSA uses when naming the XML output file. You can use these symbols to represent computer-specific information:
    • %d% – Replaced with the name of the computer's domain.
    • %c% – Replaced with the name of the computer.
    • %t% – Replaced with the date and time when the scan was performed.
    • %IP% – Replaced with the computer's IP address.
    The default file-name template is %d% - %c% (%t%). You can also use the variable names that were supported by previous versions of MBSA: %domain%, %computername%, and %date%.
  • mbsacli.exe /offline – Uses only the offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. Use this parameter to force MBSA to act as if it is in a secure or offline environment without access to Microsoft or WSUS for assessments. Combine it with /nvc and /nd to prevent MBSA from connecting to Microsoft for newer versions of MBSA or for needed scan files.
  • mbsacli.exe /q – Does not display scan progress, the report list, the error list, or text output.
  • mbsacli.exe /qe – Does not display the error list.
  • mbsacli.exe /qr – Does not display the report list.
  • mbsacli.exe /r [IP_address]-[IP_address] – Scans all hosts within the specified range of IP addresses.
  • mbsacli.exe /target [domain]\[host] – Scans the specified computer. You can identify the computer by its IP address or its name and, optionally, the domain to which it belongs.
  • mbsacli.exe /wa – Scans only for security updates that are approved on the computer's Update Services server. The Microsoft Update web site and the offline catalog are not used. This parameter cannot be used with the /wi parameter.
  • mbsacli.exe /wi – Uses only the Microsoft Update web site or offline catalog for security update information. Updates that are not approved on the computer's Update Services server are displayed as though they were approved. This parameter cannot be used with the /wa parameter. Use it to scan computers whose assigned Update Services servers are not available.
  • mbsacli.exe /? – Displays usage information for the command line tool.


Mbsacli.exe command examples

  • mbsacli /target 192.168.195.137 /n os+iis+sql+password
    Scans the host at the given IP address for missing security updates only; the OS, IIS, SQL and password administrative checks are excluded. You can redirect the output to a text file for later review by appending > output.txt to the command.
  • mbsacli /d companyA /n os+iis+sql+password
    Scans all computers in the companyA domain for security updates, but does not scan for administrative vulnerabilities.
  • mbsacli /r 192.168.195.130-192.168.195.254 /n os+iis+sql+password
    Scans all hosts in the IP address range 192.168.195.130 to 192.168.195.254 for security updates, but does not scan for administrative vulnerabilities.
  • mbsacli /listfile computernames.txt /n os+iis+sql+password
    Scans all hosts listed in the computernames.txt file for security updates, but does not scan for administrative vulnerabilities.
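The /listfile form above is the one that scales, so here it is carried through as an added PowerShell example (not code from the original article or from MBSA): build the host list, run mbsacli with /n to restrict the scan to security updates, use /o and /rd to give every report a predictable name in a collection folder, and then summarize the missing updates across all reports. The host names are constructed. The summarizer assumes that MBSA report files carry the .mbsa extension and are XML with <SecScan>, <Check>, <Detail> and <UpdateData IsInstalled="false"> elements; that layout is an assumption about the MBSA 2.x report format, and a constructed report in that shape is written when mbsacli is not present so the summary can be exercised anywhere.

```powershell
# Added example, not part of the original article or of MBSA: scan a host list
# for missing security updates only, write each report under a predictable name
# into one folder, then summarize every report in that folder.
# Assumptions: MBSA 2.x in its default folder; host names are constructed; report
# files use the .mbsa extension and are XML with <SecScan>/<Check>/<Detail>/
# <UpdateData IsInstalled="false"> elements (an assumption about the MBSA 2.x
# report layout; adjust the XPath below if your reports differ).
$MbsaCli   = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'
$ReportDir = Join-Path $env:TEMP 'mbsa-reports'     # in production a share such as \\fileserver\mbsa$ (assumed name)
$ListFile  = Join-Path $env:TEMP 'computernames.txt'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# /listfile wants one host name or IP address per line, ASCII or Unicode.
@('srv-file01', 'srv-sql02', '192.168.195.137') | Set-Content -Path $ListFile -Encoding ASCII

if (Test-Path $MbsaCli) {
    # /n os+iis+sql+password leaves only the security update checks; /o names each
    # report <domain>-<computer>-<timestamp>; /rd redirects the reports to $ReportDir.
    # PowerShell passes '%d%-%c%-%t%' literally (cmd.exe would try to expand %d% as a variable).
    & $MbsaCli /listfile $ListFile /n os+iis+sql+password /o '%d%-%c%-%t%' /rd $ReportDir /qp /qt /qr /qe
} else {
    # No MBSA on this machine: write a constructed report so the summary below still runs.
    @'
<SecScan Machine="SRV-FILE01" Domain="CORP" IP="192.168.195.137" Grade="3">
  <Check ID="500" Grade="3" Name="Windows Security Updates">
    <Detail>
      <UpdateData ID="EXAMPLE-001" KBID="0000001" Severity="3" IsInstalled="false">
        <Title>Constructed sample: missing security update (KB0000001)</Title>
      </UpdateData>
      <UpdateData ID="EXAMPLE-002" KBID="0000002" Severity="2" IsInstalled="true">
        <Title>Constructed sample: installed update (KB0000002)</Title>
      </UpdateData>
    </Detail>
  </Check>
</SecScan>
'@ | Set-Content -Path (Join-Path $ReportDir 'CORP-SRV-FILE01-sample.mbsa') -Encoding Unicode
}

function Get-MbsaMissingUpdates {
    # Returns one object per update that the report marks as not installed.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$report = Get-Content -Path $Path -Raw
    $scan = $report.SecScan
    foreach ($u in $scan.SelectNodes('//UpdateData[@IsInstalled="false"]')) {
        [pscustomobject]@{
            Computer = $scan.Machine
            IP       = $scan.IP
            Grade    = $scan.Grade
            Update   = $u.ID
            KB       = $u.KBID
            Severity = $u.Severity
            Title    = $u.Title
        }
    }
}

$missing = @(Get-ChildItem -Path $ReportDir -Filter *.mbsa |
             ForEach-Object { Get-MbsaMissingUpdates -Path $_.FullName })
$missing | Sort-Object Computer, Update | Format-Table Computer, IP, Update, KB, Severity, Title -AutoSize
'{0} missing update(s) across {1} host(s)' -f $missing.Count, @($missing.Computer | Sort-Object -Unique).Count
```

Pointing /rd at a share lets several administrators run scans against the same folder and produce one consolidated view; the share should be writable only by the scanning accounts, since the reports list exactly which hosts are missing which patches.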


Further reference

If you have questions about the usage of MBSA or if you encounter difficulties or errors, consult the Microsoft Baseline Security Analyzer FAQ or visit the Microsoft Baseline Security Analyzer support forum.


Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book or two. Thanks!

  • Windows Server 2008 Security Resource Kit
  • Windows Security Resource Kit
  • Microsoft Windows 7 Administrator's Reference: Upgrading, Deploying, Managing, and Securing Windows 7
  • Microsoft Windows Security Essentials

Written by Doug Vitale

November 18, 2011 at 4:07 PM
