Tips and Tricks
Analyze Your Baseline Security
MBSA offers much more than updates to your network.
A couple of years ago, Microsoft offered a free utility called HFNetChk.
Written by Shavlik Technologies (www.shavlik.com) and licensed to Microsoft,
this utility included an XML database of security issues and updates and
could be used to scan Windows computers for potential security problems.
Shavlik sold (and still sells) HFNetChk Pro, a graphical version of the
Today, Microsoft has replaced HFNetChk with a friendly, graphical tool
called the Microsoft Baseline Security Analyzer (MBSA). That’s a subtle
name: It’s not a complete security analysis, but it does tell you the minimum
your servers are missing in order to have a shot at being considered
secure. MBSA can be downloaded free from www.microsoft.com/mbsa.
The current version, 1.2, scans for security problems not only in Windows
but also in SQL Server, Exchange, MDAC, MSXML, BizTalk, Commerce Server,
Content Management Server and Host Integration Server—all remotely, if
you like. For local scans, MBSA can even find security issues with Microsoft
Office. It also checks the configuration of the Internet Connection Firewall,
Automatic Updates client, IE zones, the MBSA tool itself and more. It’s
an awesome utility with a robust command-line interface that lends itself
especially well to automation.
For example, say you want to scan a remote server and get a report of
missing security updates, improper configurations and so forth. Nothing
could be simpler! Just run:
mbsacli.exe /c domainname\computername
Even better, scan every computer in an entire domain by using:
mbsacli.exe /d domainname
Or, if your servers are in a block of IP addresses, scan them with:
mbsacli.exe /r aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb
specifying the appropriate IP addresses to define the start and end of
the block containing your servers. If you have an SUS server on your network,
specify the /sus server option and MBSA will only report on updates that
you’ve approved for distribution through SUS and will ignore unapproved
updates. Want your security report to go to a file? Add the /o filename
parameter and specify an output path and filename. For best effect, run
mbsacli.exe /d domainname /o filename
once a month using the Task Scheduler, and you’ll have a monthly report
of security issues on every computer in your domain—a perfect To Do list
for the intern who’s starting next week!
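A wrapper for the monthly scan described above, as an added example that is not part of the original article: it uses the /d and /o switches as the article gives them and writes one dated report per run. The domain name CORP, the folder C:\MBSAReports and the script path are hypothetical, and the script assumes mbsacli.exe is on the PATH and wmic is available.

```batch
@echo off
rem Added example (not from the article): monthly domain scan, dated report.
rem Hypothetical values: domain CORP, folder C:\MBSAReports, script path below.
rem Assumes mbsacli.exe is on PATH and the task account has administrative
rem rights on the scanned computers.
rem
rem Register once from an administrative prompt (older Windows versions
rem expect the start time as HH:MM:SS):
rem   schtasks /create /tn "MBSA monthly scan" /tr C:\Scripts\mbsa-monthly.cmd /sc monthly /d 1 /st 02:00
setlocal

set "DOMAIN=CORP"
rem Reports list every unpatched machine; keep this folder readable by
rem administrators only.
set "REPORTDIR=C:\MBSAReports"

rem Locale-independent date stamp (YYYYMMDD) taken from WMI.
set "STAMP="
for /f "skip=1" %%T in ('wmic os get LocalDateTime') do (
    if not defined STAMP set "STAMP=%%T"
)
if not defined STAMP (
    echo Could not read the system date from WMI 1>&2
    exit /b 1
)
set "STAMP=%STAMP:~0,8%"

if not exist "%REPORTDIR%" mkdir "%REPORTDIR%"
set "REPORT=%REPORTDIR%\mbsa-%DOMAIN%-%STAMP%.txt"

rem Never overwrite an earlier report; each file is that month's record.
if exist "%REPORT%" (
    echo Report already exists: "%REPORT%" 1>&2
    exit /b 1
)

rem Switches used exactly as the article gives them.
mbsacli.exe /d %DOMAIN% /o "%REPORT%"

rem Verify by looking for the report file; no exit-code meaning is assumed.
if not exist "%REPORT%" (
    echo Scan produced no report: "%REPORT%" 1>&2
    exit /b 2
)
echo Report written to "%REPORT%"
endlocal
```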
Files Still Usable
If you’re one of the proud few admins who
have used HFNetChk, your batch files aren’t useless.
Run MBSA with the /hf command-line parameter and it’ll
accept HFNetChk command-line parameters. That means your
HFNetChk batch files can be easily ported to use MBSA:
Just search and replace “hfnetchk.exe” with “mbsacli.exe
/hf” in your .bat files.
The cool part about MBSA is that it’s more than just a list of updates
you need to install; the Automatic Updates client could take care of that.
MBSA also lists configuration issues that aren’t corrected by an update,
such as a SQL Server computer with a blank password for the all-powerful
“sa” account. You’ll be tipped off to these configuration problems and
can fix them for an immediate boost to your network’s security.
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.