Analyze Your Baseline Security
MBSA offers much more than updates to your network.
A couple of years ago, Microsoft offered a free utility called HFNetChk.
Written by Shavlik Technologies (www.shavlik.com) and licensed to Microsoft,
this utility included an XML database of security issues and updates and
could be used to scan Windows computers for potential security problems.
Shavlik sold (and still sells) HFNetChk Pro, a graphical version of the
Today, Microsoft has replaced HFNetChk with a friendly, graphical tool
called the Microsoft Baseline Security Analyzer (MBSA). That’s a subtle
name: It’s not a complete security analysis, but it does say what minimum
stuff your servers are missing in order to have a shot at being considered
secure. MBSA can be downloaded free from www.microsoft.com/mbsa.
The current version, 1.2, scans for security problems not only in Windows
but also in SQL Server, Exchange, MDAC, MSXML, BizTalk, Commerce Server,
Content Management Server and Host Integration Server—all remotely, if
you like. For local scans, MBSA can even find security issues with Microsoft
Office. It also checks the configuration of the Internet Connection Firewall,
Automatic Updates client, IE zones, the MBSA tool itself and more. It’s
an awesome utility with a robust command-line interface that lends itself
especially well to automation.
For example, say you want to scan a remote server and get a report of
missing security updates, improper configurations and so forth. Nothing
could be simpler! Just run:
mbsacli.exe /c domainname\computername
Even better, scan every computer in an entire domain by using:
mbsacli.exe /d domainname
Or, if your servers are in a block of IP addresses, scan them with:
mbsacli.exe /r aaa.aaa.aaa.aaa bbb.bbb. bbb.bbb
specifying the appropriate IP addresses to define the start and end of
the block containing your servers. If you have an SUS server on your network,
specify the /sus server option and MBSA will only report on updates that
you’ve approved for distribution through SUS and will ignore unapproved
updates. Want your security report to go to a file? Add the /o filename
parameter and specify an output path and filename. For best effect, run
mbsacli.exe /d domainname /o filename
once a month using the Task Scheduler, and you’ll have a monthly report
of security issues on every computer in your domain—a perfect To Do list
for the intern who’s starting next week!
Files Still Usable
|If you’re one of the proud, few admins who
has used HFNetChk, all of your batch files aren’t useless.
Run MBSA with the /hf command-line parameter and it’ll
accept HFNetChk command-line parameters. That means your
HFNetChk batch files can be easily ported to use MBSA:
Just search and replace “hfnetchk.exe” with “mbsacli.exe
/hf” in your .bat files.
The cool part about MBSA is that it’s more than just a list of updates
you need to install; the Automatic Updates client could take care of that.
MBSA also lists configuration issues that aren’t corrected by an update,
such as a SQL Server computer with a blank password for the all-powerful
“sa” account. You’ll be tipped off to these configuration problems and
can fix them for an immediate boost to your network’s security.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.