Help using the Microsoft Baseline Security Analyzer (MBSA)
The Microsoft Baseline Security Analyzer (MBSA) is a software tool that helps determine the security of your Windows computer based on Microsoft’s security recommendations. MBSA can be used to improve your security management process by analyzing a computer or a group of computers and detecting missing patches/updates and common security misconfigurations. After you run an MBSA scan, the tool will provide you with specific suggestions for remediating security vulnerabilities. An MBSA scan can reduce and eliminate possible threats caused by security configuration problems and missing security updates. This document explains how to use MBSA from the graphical user interface (GUI).
Note: System administrators who wish to utilize the command line tool for scanning multiple systems remotely should refer to the detailed instructions provided in Microsoft’s document titled How To: Use the Microsoft Baseline Security Analyzer, which can be found at http://msdn.microsoft.com/en-us/library/aa302360.aspx.
Before installing MBSA, make sure that your computer meets the following minimum requirements:
- In order to perform a scan you MUST have administrator privileges.
- The latest Windows Update Agent (WUA) client; MBSA automatically updates computers that need an updated WUA client if the option Configure computers for Microsoft Update and scanning prerequisites is selected.
- IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks).
- SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks).
- For the Operating System and Microsoft Office minimum requirements, please see the information at http://msdn.microsoft.com/en-us/library/aa302360.aspx.
MBSA performs the following actions during a scan:
- Checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server.
- Scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+.
- Uses Microsoft Update and Windows Server Update Services (WSUS) technologies to determine what updates are needed.
Installing the MBSA Tool
To download MBSA from the SecureU SharePoint site, complete the following steps.
- Click the Download Now button on the Run Security Scans page for Windows.
- You may see a File Download – Security Warning window. If this window displays, click Run to download MBSA. It is safe to run or save this file.
- You may see an Internet Explorer – Security Warning window. If this window displays, click Run to install MBSA. It is safe to run this file.
- The MBSA Setup window displays. Click Next.
- Select the button next to I accept the license agreement and click Next.
- Select a destination for the installation and click Next.
- Click the Install button to start the installation.
- A window will display when the installation has been successfully completed. Click OK.
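If you choose Save instead of Run in the download step, you can check the installer's digital signature before installing. The following PowerShell is an added example, not part of the original instructions; the function name and the file path are placeholders chosen for illustration.

```powershell
# Added example: confirm the saved MBSA installer carries a valid
# Authenticode signature issued to Microsoft before you run it.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Checks the embedded signature and the signer's certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $signer = $null
    $thumbprint = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # 'Valid' means the file matches its signature and the chain is trusted.
    # NotSigned, HashMismatch and NotTrusted are all treated as failures.
    $isValid = ($sig.Status -eq 'Valid')
    $isMicrosoft = ($signer -match 'O=Microsoft Corporation(,|$)')

    New-Object PSObject -Property @{
        Path              = $Path
        Status            = $sig.Status
        Signer            = $signer
        Thumbprint        = $thumbprint
        SignedByMicrosoft = ($isValid -and $isMicrosoft)
    }
}

# Placeholder path: replace with the location of the file you saved.
$result = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\<MBSA installer file>"
$result | Format-List
if (-not $result.SignedByMicrosoft) {
    Write-Warning 'Signature check failed. Do not run this installer.'
}
```

If the check fails, do not install the file; download it again or contact the 24/7 IT Help Desk.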
Scanning Your System
- On the Programs menu, click Microsoft Baseline Security Analyzer.
- Click Scan a computer.
- Leave all options set to default and click Start Scan.
- MBSA will download the latest security catalog from Microsoft and begin the scan. Once the scan is complete, the results are shown in an organized report with several sections. Each section may require you to take different actions to remediate any problems that have been detected. On the left you will see a column labeled Score. Scan this list for any red Xs. A red X represents an item that needs to be fixed.
Note: Most computers will have results for Security Updates, Windows, and Desktop Applications. If you are running Windows Server, contact the 24/7 IT Help Desk for more information about these services.
How to Interpret the MBSA Scan Reports
MBSA generates a report file in the profile directory of the logged-in user (%userprofile%). This report file is stored on the computer from which you ran the MBSA tool. MBSA displays different icons in the report score columns depending upon whether a vulnerability was found on the scanned machine.
For the administrative vulnerability checks, a red X is used when a critical check failed (for example, a user has a blank password). A yellow X is used when a non-critical check failed (for example, an account has a password that does not expire). A green checkmark is used when a check passes (that is, no issue was found for that particular check). A blue asterisk is used for best practice checks (for example, checking if auditing is enabled), and a blue informational icon is used for checks that simply provide information about the computer being scanned (for example, the operating system version of the scanned computer).
For the security update checks, a red exclamation mark is used when MBSA confirms that a security update is missing or a security check was unable to be performed from the scanned computer. A yellow X is used for warning messages (for example, the computer does not have the latest service pack or update rollup), and a blue star is used for informational messages indicating that an update is not available to the computer because it has not been approved on the Update Services server. Scores cannot be changed or reassigned for system configuration checks.
MBSA Scan Summary Sections
The MBSA scan summary is organized into sections. It also contains links that provide more detailed information, such as What was scanned, Result Details, and How to Correct this. The more often you run the scan, the less often you will be prompted to fix something.
Security Update Checks
The Security Updates section determines which available service packs and security updates for predetermined MS products match the state of your computer. If it has been a while since you last updated your computer, this will most likely be marked with a red X. Running updates on your computer will fix these problems.
The Windows and Desktop Applications check determines if your current configuration leaves your computer vulnerable to easy attacks. Potential problems include weak passwords, Automatic Updates that are not turned on, firewalls that are not turned on, or applications that need to be updated. If any of these items are marked with a red X, then a How to correct this link will display. Click this link to open a page with instructions for correcting the problem.
Additional System Information
The MBSA also provides additional information about the system that was scanned in a separate section.
Analyzing the Scan
- For each vulnerability, MBSA provides additional details about the scan via the What was scanned link, the Result details link, and the How to correct this link.
- Clicking the Result details link opens the Result details window, which contains details about the vulnerability (for example, weak passwords).
- Clicking the How to correct this link opens the How to correct this window, which displays the recommended solution with step-by-step instructions.
- Once you have reviewed the report and corrected all the vulnerabilities, rerun MBSA to confirm that no additional vulnerabilities remain on your system.
Requirements for Performing Remote Scans
System administrators can also run remote scans by selecting either the Check for IIS vulnerabilities or the Check for SQL vulnerabilities option. If you are not a system administrator, you should not run these scans. Contact the 24/7 IT Help Desk if you have questions or need assistance resolving problems uncovered by these scans.
Note: If either of these services is unavailable or disabled, the scan results will indicate this. The scan will result in an error if these services do not have an exception configured in the Windows Firewall.