Microsoft Baseline Security Analyzer v2.0

[REM]

"Version: 2.0

Date Published: 7/1/2005

Download Size: 1250 KB - 5202 KB*

*Download size depends on selected download components.


Overview
In response to direct customer need for a streamlined method of
identifying common security misconfigurations, Microsoft has developed
the Microsoft Baseline Security Analyzer (MBSA). Version 2.0 of MBSA
includes a graphical and command line interface that can perform local
or remote scans of Windows systems. MBSA runs on Windows Server 2003,
Windows 2000, and Windows XP systems and will scan for common security
misconfigurations in the following products: Windows 2000, Windows XP,
Windows Server 2003, Internet Information Server (IIS) 5.0, and 6.0,
SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and
Office 2000, 2002 and 2003. MBSA also scans for missing security
updates, update rollups and service packs published to Microsoft
Update.

System Requirements
Supported Operating Systems: Windows 2000; Windows Server 2003;
Windows XP"


http://www.microsoft.com/technet/security/tools/mbsahome.mspx

 

[B. R. 'BeAr' Ederson]

"Version: 2.0

Tried and ditched it weeks (months?) ago. That version is worse than
the previous one. (Which says something!) Even the command line part
can't be run without server process *and* the newest Windows Update
components. What a mess!

I'd advise (for private and small business use) to extract mbsacli.exe
from the current MBSA 1.2.1 package:

http://www.microsoft.com/technet/security/tools/mbsa1/default.mspx

After that the newest mssecure.cab file (containing the test conditions)
should be loaded here (on a regular basis - coming to this):

http://www.microsoft.com/technet/security/tools/mbsa1/qa.mspx

The download links for English and some local versions can be found
inside the second question:
| Q. How can I use MBSA in an offline or secure environment that may
| require proxy authentication?

Check
mbsacli.exe /hf /?
for a list of command line parameters. Unfortunately, the workstation
service is required, still. One can take the computer off the Net and
activate MS Networks before running MBSA. After that MS Networks ought
to be deactivated, again. (If it is not needed for normal system
operation...) Btw., that's the syntax I usually use:

mbsacli.exe /hf /v /o tab /nvc /sum /x mssecure.cab /f %USERDOMAIN%.txt

As long as MS updates the *.cab for the 1.x versions the new MBSA 2.x
should, IMHO, be avoided.

BeAr

 

[REM]

"B. R. 'BeAr' Ederson" <[email protected]> wrote:

REM wrote:

Tried and ditched it weeks (months?) ago.

This version looks to have come out around the beginning of July from
the dates on the documentation and of the files.

That version is worse than
the previous one. (Which says something!) Even the command line part
can't be run without server process *and* the newest Windows Update
components. What a mess!

I haven't tried the commandline yet. The graphical portion ran fine
here. I just fired it up again to be certain.

The newest Windows Update components run fine also. Given the nature
of the program I'd expect that they be required.

What sort of problems have you had BeAr?

Running XP Pro patched here...

I had good results with v1.2.1 also.

I'd advise (for private and small business use) to extract mbsacli.exe
from the current MBSA 1.2.1 package:

After that the newest mssecure.cab file (containing the test conditions)
should be loaded here (on a regular basis - coming to this):

The download links for English and some local versions can be found
inside the second question:

| Q. How can I use MBSA in an offline or secure environment that may
| require proxy authentication?

Check
mbsacli.exe /hf /?
for a list of command line parameters. Unfortunately, the workstation
service is required, still. One can take the computer off the Net and
activate MS Networks before running MBSA. After that MS Networks ought
to be deactivated, again. (If it is not needed for normal system
operation...) Btw., that's the syntax I usually use:

 

[B. R. 'BeAr' Ederson]

[...]
This version looks to have come out around the beginning of July from
the dates on the documentation and of the files.

So it might have been the first day of release when I checked it. ;-)
Although I noticed the Beta phase, I didn't take part on that, myself.
MBSA isn't a piece of software I'm too eager to hunt for...

I haven't tried the commandline yet. The graphical portion ran fine
here. I just fired it up again to be certain.

The newest Windows Update components run fine also. Given the nature
of the program I'd expect that they be required.

What sort of problems have you had BeAr?

To get the program running I have to *lower* the security settings of
the systems I usually want to check.

All versions (GUI and command line) need workstation and server service
running. MBSA is the only software on many systems I deal with (only a
few of them stand alone!!) which needs these services installed.

The GUI versions needs (updated) MS-XML parser. Another part of software
to be installed, which is needed on very few systems. (No InternetExplorer
used for browsing, of course.) The XML parser has been vulnerable in past
and won't probably be secure at the moment.

*Additionally* required is now the Windows Update Agent. Even for computer
without internet connection! MS pushes the users to accept more and more
components which places them under disability and makes their system
vitreous and vulnerable at the same time. I don't need an automatic
update service. I always install security updates by hand. And before I
do this I thoroughly read about the pros and cons and the general aims
of these updates.

Running XP Pro patched here...

Most systems are Win2k Pro. But there is also WinXP Pro.

I tried and didn't get v2.0 running on any Win2k Pro SP4 with +/- all
current security updates installed. Even the activation of workstation
and server service didn't make MBSA2 happier. I'm unwilling to lower
the security of the systems any further. So farewell MBSA2!

BeAr

 

[charles]

Tried and ditched it weeks (months?) ago. That version is worse than
the previous one. (Which says something!) Even the command line part
can't be run without server process *and* the newest Windows Update
components. What a mess!

mbsacli.exe runs fine here without enabling the server process. I do
have the workstation process running automatically.

Windows 2000, never use Windows Update and have terminated anything to
do with it I have found. I do all OS updates manually and selectively.

 

[B. R. 'BeAr' Ederson]

mbsacli.exe runs fine here without enabling the server process. I do
have the workstation process running automatically.

Which version? Did you get mbsacli of MBSA 2 running without installing/
updating Windows Update Agent? I see no possibility for that at the
moment.

You're right about the server service. It installs automatically if one
loads MS Network and File and Printer sharing. If I run MBSA I always do
it without Network access. So I install (but deactivate) both. After that
I run MBSA and deinstall both components again. It's only a matter of a
few seconds. So I never bothered to check MS own requirement declarations.

I tested the need for the workstation service and took the server service
as an additional annoyance... Sorry for the inaccurate information.

BeAr

 

[charles]

Which version? Did you get mbsacli of MBSA 2 running without installing/
updating Windows Update Agent? I see no possibility for that at the
moment.

Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)

the files wupdmgr.exe (v5.0.2134.1) and wupdinfo.dll (v5.0.5099.1) still
exist on this machine but they do not run. Automatic Update service
(wuauserv) has been disabled.

When I run mbsacli /hf I do allow it to download the latest mssecure
file.

The commandline version works fine for me. The gui provides some
convenience but it irks me to start/stop the server service to use it.

 

[B. R. 'BeAr' Ederson]

Microsoft Baseline Security Analyzer
Version 1.2.1 (1.2.4013.0)

That's the version I recommend myself. And which I know is running. (As
long as the workstation service is enabled.) Thanks for your answer!

BeAr