Tips and Tricks

Analyze Your Baseline Security

MBSA offers much more than updates to your network.

A couple of years ago, Microsoft offered a free utility called HFNetChk. Written by Shavlik Technologies (www.shavlik.com) and licensed to Microsoft, this utility included an XML database of security issues and updates and could be used to scan Windows computers for potential security problems. Shavlik sold (and still sells) HFNetChk Pro, a graphical version of the utility.

Today, Microsoft has replaced HFNetChk with a friendly, graphical tool called the Microsoft Baseline Security Analyzer (MBSA). That’s a subtle name: It’s not a complete security analysis, but it does tell you the minimum your servers are missing in order to have a shot at being considered secure. MBSA can be downloaded free from www.microsoft.com/mbsa. The current version, 1.2, scans for security problems not only in Windows but also in SQL Server, Exchange, MDAC, MSXML, BizTalk, Commerce Server, Content Management Server and Host Integration Server—all remotely, if you like. For local scans, MBSA can even find security issues with Microsoft Office. It also checks the configuration of the Internet Connection Firewall, Automatic Updates client, IE zones, the MBSA tool itself and more. It’s an awesome utility with a robust command-line interface that lends itself especially well to automation.

For example, say you want to scan a remote server and get a report of missing security updates, improper configurations and so forth. Nothing could be simpler! Just run:

mbsacli.exe /c domainname\computername

Even better, scan every computer in an entire domain by using:

mbsacli.exe /d domainname

Or, if your servers are in a block of IP addresses, scan them with:

mbsacli.exe /r aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb

specifying the appropriate IP addresses to define the start and end of the block containing your servers. If you have an SUS server on your network, specify the /sus server option and MBSA will only report on updates that you’ve approved for distribution through SUS and will ignore unapproved updates. Want your security report to go to a file? Add the /o filename parameter and specify an output path and filename. For best effect, run something like:

mbsacli.exe /d domainname /o filename

once a month using the Task Scheduler, and you’ll have a monthly report of security issues on every computer in your domain—a perfect To Do list for the intern who’s starting next week!
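The monthly scan described above, as an added example that is not part of the original article: a PowerShell wrapper that writes one dated report per month and logs each run, plus the schtasks line that registers it. The domain, folder, script path and service account are placeholders, and it uses only the mbsacli.exe switches named in this article.

```powershell
# Added example. EXAMPLEDOMAIN, C:\MbsaReports, C:\Scripts and svc-mbsa are placeholders.
param(
    [string]$Domain    = 'EXAMPLEDOMAIN',   # placeholder domain name
    [string]$ReportDir = 'C:\MbsaReports',  # hypothetical report folder
    [string]$SusServer = '',                # optional: server name passed to /sus
    [string]$Mbsacli   = 'mbsacli.exe'      # assumes mbsacli.exe is on the PATH
)

function Get-ReportPath {
    param([string]$Dir, [string]$Domain, [datetime]$When = (Get-Date))
    # One file per month (EXAMPLEDOMAIN-2004-05.txt), so earlier months are kept
    Join-Path $Dir ('{0}-{1:yyyy-MM}.txt' -f $Domain, $When)
}

function Get-MbsaArguments {
    param([string]$Domain, [string]$OutFile, [string]$SusServer)
    $list = @('/d', $Domain, '/o', $OutFile)
    # With /sus, only updates approved on the SUS server are reported
    if ($SusServer) { $list += @('/sus', $SusServer) }
    $list
}

if (-not (Test-Path -LiteralPath $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
}

$outFile  = Get-ReportPath -Dir $ReportDir -Domain $Domain
$mbsaArgs = Get-MbsaArguments -Domain $Domain -OutFile $outFile -SusServer $SusServer

# Run the scan; each array element is passed as a separate argument
& $Mbsacli @mbsaArgs

# Record the run without interpreting the exit code, so a skipped month is visible
$entry = '{0} exit={1} report={2}' -f (Get-Date -Format s), $LASTEXITCODE, $outFile
Add-Content -LiteralPath (Join-Path $ReportDir 'scan-history.log') -Value $entry

# Register once, from an elevated prompt (runs at 02:00 on day 1 of each month;
# /RP * prompts for the account password instead of putting it on the command line):
#   schtasks /Create /TN "MBSA monthly scan" /SC MONTHLY /D 1 /ST 02:00 ^
#     /RU EXAMPLEDOMAIN\svc-mbsa /RP * ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Invoke-MbsaScan.ps1"
```

The reports list which machines are missing which updates, so the report folder should be readable only by the people who work from them.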

Batch Files Still Usable
If you’re one of the proud, few admins who have used HFNetChk, your batch files aren’t useless. Run MBSA with the /hf command-line parameter and it’ll accept HFNetChk command-line parameters. That means your HFNetChk batch files can be easily ported to use MBSA: Just search and replace “hfnetchk.exe” with “mbsacli.exe /hf” in your .bat files.
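The search and replace described above, as an added example that is not part of the original article: a PowerShell script that previews every affected line before changing anything and handles the quoted-path case, where a plain replace would put /hf inside the quotes. The folder path is a placeholder and the batch files are assumed to be plain ASCII.

```powershell
# Added example. C:\Scripts is a placeholder; batch files are assumed to be ASCII.
param(
    [string]$Path = 'C:\Scripts',  # hypothetical folder holding the old .bat files
    [switch]$Apply                 # without -Apply, nothing is written
)

function Convert-HfnetchkLine {
    param([string]$Line)
    # Quoted path: "C:\tools\hfnetchk.exe" becomes "C:\tools\mbsacli.exe" /hf
    $Line = $Line -replace 'hfnetchk\.exe"', 'mbsacli.exe" /hf'
    # Everything else: hfnetchk.exe becomes mbsacli.exe /hf (-replace ignores case)
    $Line -replace 'hfnetchk\.exe', 'mbsacli.exe /hf'
}

# Preview: one record per line that would change
$changes = foreach ($file in Get-ChildItem -Path $Path -Filter *.bat -Recurse) {
    $n = 0
    foreach ($line in Get-Content -LiteralPath $file.FullName) {
        $n++
        if ($line -match 'hfnetchk\.exe') {
            [pscustomobject]@{
                File   = $file.FullName
                Line   = $n
                Before = $line
                After  = Convert-HfnetchkLine $line
                # A directory in front of the name still points at the old
                # HFNetChk folder and has to be corrected by hand
                CheckPath = [bool]($line -match '[\\/]hfnetchk\.exe')
            }
        }
    }
}
$changes | Format-List

if ($Apply -and $changes) {
    foreach ($f in ($changes | Select-Object -ExpandProperty File -Unique)) {
        Copy-Item -LiteralPath $f -Destination "$f.bak"   # keep the original
        (Get-Content -LiteralPath $f) |
            ForEach-Object { Convert-HfnetchkLine $_ } |
            Set-Content -LiteralPath $f -Encoding Ascii
    }
}
```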

The cool part about MBSA is that it’s more than just a list of updates you need to install; the Automatic Updates client could take care of that. MBSA also lists configuration issues that aren’t corrected by an update, such as a SQL Server computer with a blank password for the all-powerful “sa” account. You’ll be tipped off to these configuration problems and can fix them for an immediate boost to your network’s security.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Sat, Sep 25, 2004 Anonymous Anonymous

I installed MBSA ver 1.2 BUT I keep getting error messages. Cannot find computer.

Wed, Aug 11, 2004 Victor UK-Slough

Great tool & asset- every home based PC deserves to have a copy of MBSA.

Mon, Jun 14, 2004 Anonymous Anonymous

good

Sat, Jun 5, 2004 tan mauritius

Very helpful tools.

Thu, May 20, 2004 Anonymous Anonymous

Excellent information about a tool that is likely under used, considering that it is free, easy to use, and available to anyone.

Fri, May 7, 2004 Anonymous Anonymous

great idea for the interns... good suggestion.
