Tips and Tricks

Analyze Your Baseline Security

MBSA offers much more than updates to your network.

A couple of years ago, Microsoft offered a free utility called HFNetChk. Written by Shavlik Technologies ( and licensed to Microsoft, this utility included an XML database of security issues and updates and could be used to scan Windows computers for potential security problems. Shavlik sold (and still sells) HFNetChk Pro, a graphical version of the utility.

Today, Microsoft has replaced HFNetChk with a friendly, graphical tool called the Microsoft Baseline Security Analyzer (MBSA). That’s a subtle name: It’s not a complete security analysis, but it does say what minimum stuff your servers are missing in order to have a shot at being considered secure. MBSA can be downloaded free from The current version, 1.2, scans for security problems not only in Windows but also in SQL Server, Exchange, MDAC, MSXML, BizTalk, Commerce Server, Content Management Server and Host Integration Server—all remotely, if you like. For local scans, MBSA can even find security issues with Microsoft Office. It also checks the configuration of the Internet Connection Firewall, Automatic Updates client, IE zones, the MBSA tool itself and more. It’s an awesome utility with a robust command-line interface that lends itself especially well to automation.

For example, say you want to scan a remote server and get a report of missing security updates, improper configurations and so forth. Nothing could be simpler! Just run:

mbsacli.exe /c domainname\computername

Even better, scan every computer in an entire domain by using:

mbsacli.exe /d domainname

Or, if your servers are in a block of IP addresses, scan them with:

mbsacli.exe /r bbb.bbb. bbb.bbb

specifying the appropriate IP addresses to define the start and end of the block containing your servers. If you have an SUS server on your network, specify the /sus server option and MBSA will only report on updates that you’ve approved for distribution through SUS and will ignore unapproved updates. Want your security report to go to a file? Add the /o filename parameter and specify an output path and filename. For best effect, run something like:

mbsacli.exe /d domainname /o filename

once a month using the Task Scheduler, and you’ll have a monthly report of security issues on every computer in your domain—a perfect To Do list for the intern who’s starting next week!

Batch Files Still Usable
If you’re one of the proud, few admins who has used HFNetChk, all of your batch files aren’t useless. Run MBSA with the /hf command-line parameter and it’ll accept HFNetChk command-line parameters. That means your HFNetChk batch files can be easily ported to use MBSA: Just search and replace “hfnetchk.exe” with “mbsacli.exe /hf” in your .bat files.

The cool part about MBSA is that it’s more than just a list of updates you need to install; the Automatic Updates client could take care of that. MBSA also lists configuration issues that aren’t corrected by an update, such as a SQL Server computer with a blank password for the all-powerful “sa” account. You’ll be tipped off to these configuration problems and can fix them for an immediate boost to your network’s security.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at


comments powered by Disqus

Subscribe on YouTube