In-Depth

The Good and the Bad of MBSA

Microsoft's free vulnerability scanner works well—as long as you don't have to stretch it too far.

Those who are charged with managing just a handful of machines sing the praises of Microsoft's Baseline Security Analyzer (MBSA) fairly readily. Those who need more of an enterprise-level tool to lock down hundreds or thousands of machines, however, find that MBSA's shortcomings quickly become apparent.

MBSA does have a lot going for it. In addition to being free, it's a simple vulnerability scanner that's easy to use and configure, most users say. The latest version (1.2.1) checks for configuration errors and security holes not only in Windows 2000, XP and Windows Server 2003, but also in key Microsoft applications like Office, IIS, SQL Server and Internet Explorer.

"At first, I used MBSA quite a bit," says Ben Hearn, systems administrator at Cincinnati, Ohio-based financial services firm GAFRI. Hearn is responsible for managing more than 1,200 Windows XP servers. "I've really gotten away from using it at all now because it just proves to be too cumbersome when you're dealing with lots of machines."

Hearn's primary complaint is the lack of flexible reporting capabilities or any sort of standard report formatting. "MBSA can scan an entire domain of 1,200 computers, but then it generates one giant list of results," he says. "There's no good built-in way to see the percentage of my machines that are missing patches."

Microsoft Baseline Security Analyzer (MBSA)

Free
Microsoft Corp.
800-426-9400
www.microsoft.com

MBSA scans every computer within an organization and returns a full list of items. Those items designated with a green check are checked out as secure. Others are flagged for remediation. That's about as deep as MBSA's reporting goes, and it's not deep enough for most users. "It just takes too long to try and decipher the list," says Justin Clutter, CIO of Appserve Technologies LLC, a small hosting services provider based in Dallas, Texas. "Most of the time, you'll get the little green check back, but what I really want to see are the critical issues that need fixing."

Clutter says he wishes the MBSA reports were integrated with something like SQL, so he could import the scan results into a database and make it easier for users to run exception reports.

"Integration with SQL would be great," agrees Jeff Hinrichs, technical lead at Dermatological Lab and Supply Co., in Council Bluffs, Iowa. He also agrees that MBSA's reporting is its weakest feature. "What I want it to do is throw flags to show me what's different. Right now, it can't do that for me." Hinrichs has built his own workaround so he can sort through MBSA's XML-based results to better understand the most critical issues. He takes the newest scan results and the results he has saved from the last time he ran an MBSA scan. "I take both XML files and flatten them," he says. "Then, I run a standard DIFF tool on it to find the differences between the two files."

Without this extra step, Hinrichs says it's difficult to see what has changed and what needs his immediate attention. "Maybe 90 percent of my machines are updated for this patch, but that means there are 10 percent that didn't take it and that's what I need to know about."
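The flatten-and-diff workaround Hinrichs describes, and the "percentage of machines missing a patch" figure Hearn wants, are both straightforward once the XML results are reduced to rows. The script below is an added example written for this article, not MBSA's own code; the XML layout it parses (a `<scan>` element holding `<machine name="...">` elements with `<check id="..." result="..."/>` children) and the result values `ok`, `missing` and `unverified` are a simplified, constructed stand-in for MBSA's real output, and the two sample reports and machine names are constructed too.

```python
"""Flatten two MBSA-style XML scan results, diff them, and compute patch coverage.

Added example, not MBSA's code. The XML layout and the two sample reports
below are constructed; MBSA's real schema differs.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the previous scan of a small domain.
OLD_SCAN = """<scan>
  <machine name="ws01">
    <check id="PatchA" result="missing"/>
    <check id="PatchB" result="missing"/>
    <check id="GuestAccount" result="ok"/>
  </machine>
  <machine name="ws02">
    <check id="PatchA" result="missing"/>
    <check id="PatchB" result="ok"/>
    <check id="GuestAccount" result="ok"/>
  </machine>
  <machine name="srv01">
    <check id="PatchA" result="unverified"/>
    <check id="IISLockdown" result="ok"/>
  </machine>
</scan>"""

# Constructed sample: the newest scan. PatchA was rolled out, ws02 regressed on
# the guest-account check, srv01 still cannot be verified, and ws03 is new.
NEW_SCAN = """<scan>
  <machine name="ws01">
    <check id="PatchA" result="ok"/>
    <check id="PatchB" result="missing"/>
    <check id="GuestAccount" result="ok"/>
  </machine>
  <machine name="ws02">
    <check id="PatchA" result="ok"/>
    <check id="PatchB" result="ok"/>
    <check id="GuestAccount" result="missing"/>
  </machine>
  <machine name="srv01">
    <check id="PatchA" result="unverified"/>
    <check id="IISLockdown" result="ok"/>
  </machine>
  <machine name="ws03">
    <check id="PatchA" result="missing"/>
    <check id="PatchB" result="ok"/>
  </machine>
</scan>"""


def flatten(xml_text):
    """Reduce one report to {(machine, check_id): result}; this is the 'flatten' step."""
    root = ET.fromstring(xml_text)
    rows = {}
    for machine in root.iter("machine"):
        for check in machine.iter("check"):
            rows[(machine.get("name"), check.get("id"))] = check.get("result")
    return rows


def diff_reports(old_xml, new_xml):
    """Return sorted (machine, check, old_result, new_result) rows whose result changed.

    A result of None means the row was absent from that report (e.g. a new machine).
    """
    old, new = flatten(old_xml), flatten(new_xml)
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before != after:
            changes.append((key[0], key[1], before, after))
    return changes


def regressions(old_xml, new_xml):
    """Only the changes that went from green ('ok') to anything else."""
    return [c for c in diff_reports(old_xml, new_xml) if c[2] == "ok" and c[3] != "ok"]


def needs_attention(new_xml):
    """Every non-green row in the newest scan, as (machine, check, result)."""
    return sorted((m, c, r) for (m, c), r in flatten(new_xml).items() if r != "ok")


def coverage(new_xml, check_id):
    """Percentage of scanned machines that pass check_id, plus the machines that do not."""
    rows = flatten(new_xml)
    scanned = {m for (m, c) in rows if c == check_id}
    passing = {m for (m, c), r in rows.items() if c == check_id and r == "ok"}
    pct = 100.0 * len(passing) / len(scanned) if scanned else 0.0
    return pct, sorted(scanned - passing)


if __name__ == "__main__":
    for row in diff_reports(OLD_SCAN, NEW_SCAN):
        print("changed:", row)
    for row in regressions(OLD_SCAN, NEW_SCAN):
        print("REGRESSION:", row)
    pct, stragglers = coverage(NEW_SCAN, "PatchA")
    print(f"PatchA coverage: {pct:.0f}% (not ok: {stragglers})")
```

Unlike a plain text DIFF of the two files, the row-based comparison survives machines being added, removed or reordered between scans, and the `regressions` view answers "what got worse since last time" directly; the `coverage` figure is the 10 percent Hinrichs wants to know about.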

Questionable Results
Another thing users have noticed is that MBSA's reported vulnerabilities don't always match those reported by other tools, like Windows Update and Windows Software Update Services (WSUS). "When I use MBSA to scan one of my servers, it comes back saying that four critical updates could not be verified or need to be updated," Clutter says. "But when I go to the WSUS site, it says the server is completely up to date."

In most cases, this is because Windows Update focuses on OS updates, whereas MBSA also checks for application-level vulnerabilities like those found in Office and IIS. "They work off different databases at Microsoft, so that's why you get the conflicting results," Clutter explains.

However, some cases aren't quite as clear-cut. Stephen Olson, owner of SJO Computer Services in Millerstown, Pa., says he often receives MBSA scan results that are less than definitive. "I just ran a scan and it told me that it couldn't verify whether I needed a certain update," he says. "It turned out that it was an update for Windows Media Player 9, but we had already upgraded to Windows Media Player 10. MBSA couldn't tell that and so it was flagged as a possible vulnerability."

The problem, Olson says, is that there's no way to configure MBSA so it doesn't flag those types of issues. "It just keeps reporting it every time I do a scan, which can be a pain," he says.

In other cases, MBSA will report that it is unsure whether or not a patch has been installed on a scanned machine, an event that Hinrichs attributes to Microsoft's less-than-linear patch naming policy. "MBSA should be able to look at the version number of a DLL and tell you whether the patch is installed or not," Hinrichs says. "If you install a patch from Microsoft, but Microsoft can't detect that it's installed, well that's a problem."

Although Microsoft says you can use MBSA across a network and multiple domains, most users say its network support is not a strong suit. For example, MBSA can scan Office for vulnerabilities, but you need to do the scans from a local machine, not via a network. "That's really annoying," says GAFRI's Hearn. "I'm not about to physically go to each machine. It's almost a tease."


Similarly, users needing to scan multiple servers across domains can run into password issues. "If you try to run an MBSA scan across two domains where the admin user name and password aren't the same—which technically, they shouldn't be—it doesn't work," Clutter says. "There's no way to designate that the two domains use different passwords, so you end up having to scan them separately."

Smaller Is Better
There is good news for MBSA. Those who use MBSA to scan single computers or smaller environments give the tool high marks for its comprehensive scanning and ease of use.

SJO's Olson uses it to support his clients, which are primarily one-person, small or home office environments. "It's a great tool," he says. "It doesn't do anything that I couldn't do manually, but it's very easy to run and it's nice to have this little report come out."

Olson says he uses the MBSA reports to give his customers peace of mind. "They can look and see that their computer has strong security, according to Microsoft, and it gives them a good feeling."

Because Olson runs MBSA on single computers, the tool's reporting capabilities are more than adequate for his needs. Plus, he says, MBSA is reliable. "The thing has run flawless every time," he says. "It's definitely a comprehensive and easy way to keep your Microsoft computer updated."

Wish List for MBSA

For a free tool, Microsoft's Baseline Security Analyzer does quite a bit. Still, most users would like to see some features added in future releases. Here are a few things for Microsoft to ponder:

Better reporting. Make it easier to slice and dice reports, perhaps by providing back-end integration with SQL Server.

Clearer results. Sync up the databases for the various vulnerability scanners—Windows Update, WSUS, MBSA—so each tool provides the same information and downloads.

Better network support. Make it easier to schedule scans across a large network, and provide a way to scan across domains with different admin passwords.

Mitigate the false positives. Provide a way to customize scans for each computer, obviating the problem of receiving reports for applications and versions that may not be loaded.

Update the patch certainty. Change the way patches are named and implemented so this tool and others like it can detect patches more accurately.

— J.C.

Going Beyond the OS
Others say MBSA's biggest asset is its ability to go beyond the OS to ferret out holes in various applications. "It's good in security issues, like making sure IE or the IIS server is set properly," Clutter says. "I use it to make sure that I have everything locked down."

This helps Clutter ensure his servers won't be easily hacked. "If somebody hacks into one of my machines and decides to install the FTP service on my domain controller, I can run this utility and see that right away," he says. "It lets you spot application-level things like that quickly."

Brendan O'Connor agrees. As the network and systems administrator for the William Floyd School District in Mastic Beach, N.Y., he uses MBSA to lock down every machine before it enters the school network. "It's one of the steps we take when we create an image now," he explains. "We put on Windows, all the Service Pack updates and all the Office applications before it goes out the door, but then we run MBSA to make sure we haven't missed anything. It's a good baseline tool, and it's free, so you really can't complain too much."


Reader Comments:

Thu, Aug 16, 2007 Sudh India

Karl Schantz: Off the top of my head I can tell you that you can use a domain admin account. This account would have admin rights on all systems in the domain.

Tue, Jun 20, 2006 Karl Schantz Fort Bragg, North Carolina

I tried to use MBSA 2.0 on a Win 2003 AD-DC to scan networked computers for vulnerabilities before they were added to the domain. I kept getting the error that the user was not an administrator on the computer being scanned. I assure you that the File and Print service was enabled, simple file sharing was disabled, Security policy was set to classic, and all required services were running on the client. The problem is that there are no local accounts on an AD-DC so of course your user account isn't an administrator on the machine being scanned. This is a severe shortcoming to the best security plan: prevention. Is there a work around?

Mon, Sep 12, 2005 Bubba TEXAS

How do you output the results to a CSV?

Thu, Jun 23, 2005 Denis WI

When I tried MBSA 1.2.1 I found that I could only scan another workstation when the firewall was turned off.

Wed, May 18, 2005 Anonymous Anonymous

Not bad for free!

Tue, May 10, 2005 Edwin Nigeria

I am using this tool to scan more than 150 workstations and 10 servers across a VPN. It is a good tool.

Wed, May 4, 2005 JV NJ

The article is just flat wrong about not being able to scan Office products. MBSA 1.2.1 will do it across the network. We do it on a regular basis.

My only desire is to be able to set conditions to ignore in a very granular way. I am hoping that future versions work more like the Microsoft Best Practices tools which have this ability.

Wed, May 4, 2005 Raghavendra India

I am using this tool to scan more than 1400 servers across AP. Good tool; use the command-line version.

Mon, May 2, 2005 Anonymous Anonymous

In your article, The Good and the Bad of MBSA, you state that Ben Hearn is responsible for managing more than 1,200 Windows XP servers. There is no such thing as XP server. Is this Server 2003 or XP desktops?

Thu, Apr 14, 2005 Anonymous Anonymous

I have tried the program, but am yet to be able to view a report. The report screen is always blank, even though the program says there is a report there. I have tried to open the files outside of the program and was unable to. I'm assuming that the problem is with my PC as other posters have gotten results, but I'm yet to find a solution to my problem.

Thu, Apr 14, 2005 Anonymous Anonymous

I find it hard to believe that anyone would have "over 1200 Windows XP servers"? That would be a heck of a peer-to-peer environment and well beyond the size necessary to realize the benefits of having a domain, not to mention AD.

Thu, Apr 14, 2005 Adrian Amos Richmond, VA

I use the CLI version, output the results to a .csv file, and run a macro in Excel to format the results. I have had no problems with this method, and use the tool to baseline the security on over 100 servers.

The only real serious weakness in this tool is the evil "Please refer to 306460" message that comes up when MBSA cannot accurately determine if a patch is installed.

That is a pain, but otherwise the tool is very good for simple security monitoring and maintenance.

Wed, Apr 13, 2005 jv NJ

You can use the XML output to create customized reports. Using the command line version allows for more targeted scans.

Perhaps the next version will add some of the features of the BPAs (Best Practice Analyzer) to MBSA to allow for point-and-click override of certain detections. Taking scans from the WUS would greatly improve reliability too.
