Review: Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a mature but little-known product that has just been relaunched with the release of version 2.2. It is yet another free PC-security tool, intended for IT professionals working in small and medium-sized businesses, but the clear, graphical user interface makes it a very good security tool for personal use.

MBSA analyses the security status of local and networked Windows computers, with the aim of identifying security holes such as firewall and anti-virus states, but most usefully, missing program updates…

With a staggering number of PCs out in the wild without either active virus protection (maybe half) or active firewall protection (perhaps a fifth), and averaging more than a dozen other security flaws each, it seems we’re just not taking security seriously and Microsoft is getting tired of constantly getting the blame.

MBSA 2.2 is available as a free download from the Microsoft Download Center. There are executables for all the current and legacy Windows releases in both 64-bit (x64) and 32-bit (x86):

  • Windows 2000,
  • Windows XP,
  • Windows Server 2003,
  • Windows Vista,
  • Windows Server 2008,
  • Windows 7, and
  • Windows Server 2008 R2.

You also get the option of four supported languages:

  • German (DE),
  • English (EN),
  • French (FR),
  • Japanese (JA).

Installation
Running the stub installer with Administrator rights gets it rolling. MBSA will install to the local machine, creating a menu entry in your Start menu.

On running it, you will find a very simple interface, which is remarkably consumer-friendly. Because it’s a specialist tool, with a narrow focus, it isn’t trying to do too much or pack in functionality like certain other security suites we could mention. The three options are: scan a computer, scan multiple computers, or view existing security scan reports. The sidebar provides links to program documentation and the Microsoft security website.

The program requires Administrator rights to examine all machines you intend to scan. You can scan a single or multiple systems based on computer network name or specified IP address. If you choose to scan multiple machines, you will need to enter a domain name or a range of IP addresses.

Although the scanning options are straightforward, an inexperienced user may struggle to understand just what, and indeed why, it does what it does. You can select the Scanning Options link at the bottom of the main pane to get some explanatory text and even diagrams, although this fires up a separate browser window.

Scanning a single machine can take anything from a few seconds to a few minutes; the program effectively does an initial version check on your system, then dials home to the Microsoft security site to determine what patches and updates it thinks you should be running.

Scanning Options:

For each scan, you can enable or disable the categories of test in the MBSA user interface:

  • Check for Windows administrative vulnerabilities. This scans Guest account status, file-system types, open file shares, and members of the Administrators group having elevated permissions.
  • Check for weak passwords. This checks for blank and weak user profile passwords.
  • Check for web-server (Internet Information Services, or IIS) vulnerabilities.
  • Check for MS-SQL database vulnerabilities. Hack-attacks by SQL-injection are now so common it’s a real hazard and yet there are huge numbers of databases weakly defended. MBSA checks for the type of authentication mode, account passwords and memberships.
  • Check for security updates, or rather, for missing updates against the published lists for the products supported by the Microsoft Update site only. This doesn’t cover even commonly used third-party software.
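
The first category in the list above can be reproduced by hand with built-in PowerShell cmdlets. This is an added example, not MBSA's code or part of the original review; the New-Finding helper, the $MaxAdmins threshold and the OK/Review labels are assumptions made for illustration and do not reflect MBSA's own scoring.

```powershell
# Added example, not MBSA code: gathers the facts behind the "Windows
# administrative vulnerabilities" category with built-in cmdlets
# (Windows PowerShell 5.1 or later, run from an elevated prompt).
$MaxAdmins = 2   # assumption: review threshold chosen for this example

# Hypothetical helper: one row per checked item.
function New-Finding($Check, $Item, $NeedsReview, $Detail) {
    [pscustomobject]@{
        Check  = $Check
        Item   = $Item
        Status = if ($NeedsReview) { 'Review' } else { 'OK' }
        Detail = $Detail
    }
}

# Resolve the Everyone group from its well-known SID so the share check
# also works on non-English Windows installations.
$everyone = ([Security.Principal.SecurityIdentifier]'S-1-1-0').Translate(
    [Security.Principal.NTAccount]).Value

$findings = @(
    # Guest account: matched by its well-known RID (501) so a rename does not hide it.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-501$' } | ForEach-Object {
        New-Finding 'Guest account' $_.Name $_.Enabled "Enabled=$($_.Enabled)"
    }

    # File-system type of each fixed disk: FAT-family volumes cannot hold file ACLs.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        New-Finding 'File system' $_.DeviceID ($_.FileSystem -notin 'NTFS','ReFS') $_.FileSystem
    }

    # Open file shares: skip the built-in administrative shares, flag any
    # share whose permissions allow access to Everyone.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $open = Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -eq 'Allow' }
        New-Finding 'File share' $_.Name ([bool]$open) $_.Path
    }

    # Members of the local Administrators group, looked up by SID.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    New-Finding 'Administrators group' "$($admins.Count) members" `
        ($admins.Count -gt $MaxAdmins) ($admins.Name -join ', ')
)

# Items needing attention sort to the top.
$findings | Sort-Object Status -Descending | Format-Table -AutoSize
```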

MBSA produces a categorised and weighted report. Results for each item are summarised and given a colour-coded severity score:

  • Passes are green.
  • Skipped or indeterminate tests are grey.
  • Conditions with room for improvement are blue.
  • Non-critical vulnerabilities are yellow.
  • Critical issues are red.

There are links to additional instructions on which patches or updates to download.

The two areas most useful to a home user are:

  • ‘Security misconfiguration’ (less secure settings and configurations).
  • Missing security updates and service packs (if any).

Usefully, all reports are saved and can be recalled later for reference, so if you are looking to standardise machines across a network, you can run relative health checks, see just how things compare, what policies and procedures to adopt. You can also print or copy a report to the clipboard.

What MBSA does is take advantage of the whole range of Microsoft security infrastructure: built on the Windows Update Agent and Microsoft Update service, for the various versions of Windows, it will hook into Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007 and Small Business Server (SBS) to draw up what it thinks is the hit-list of vulnerabilities.

Verdict
Although MBSA has been around for the best part of a couple of years, it’s almost unknown to the home user. Sys-admins and support staff in business have been using it to run scheduled and unattended scans from the command line as often as from the desktop.

Truth is, Microsoft Baseline Security Analyzer is a surprisingly simple tool to get to the crux of security settings on most Windows machines. The instructions for correcting security flaws are fairly clear and should be easy to follow for most users, not just the technical support team. At first glance, it appears to have been written as a companion to MS Security Essentials and Windows Defender.

Not all findings are that simple to remedy, however; anything beyond locating and applying an update or software patch may escape a non-technical user – issues with file-systems and drives for example. It also gives prominence to password-use and expiry policies, of which home-users are unlikely to have any concept.

I’ve run it on my Windows-7 netbook and got a comprehensive report which might be very scary to some people. To its credit, it did find some un-patched software – MS-trialware it has to be said – which is disposable and I’m not keen to patch as I know what the risks are. It also laid down the law on user accounts and password policies, which could actually cause the home user more trouble than it cures. I’d advise a bit of further reading before fretting through any sleepless nights.

Friendly enough as a standalone, one can’t help thinking there’s a wrapper or a management console going begging to turn MBSA, Defender and MS Security Essentials into a coherent security suite – but maybe that’s a step too far for the other vendors, and those lobbying the FTC and EU Trade Commissions against the Microsoft leviathan. AJS
