At the RSA conference in February, Microsoft Corp. unveiled MBSA (Microsoft Baseline Security Analyzer), developed with Shavlik Technologies, to help identify missing patches, hotfixes, and other important security configurations.
(MBSA is available at www.microsoft.com/technet/tree-view/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp.) Made available for public download on April 8, MBSA is an excellent addition to the security administrator's toolbox. It provides an easy-to-use GUI for HfNetChk, the previously released command-line tool that identifies which systems are missing which patches. MBSA takes this process one step further, adding security checks in four main categories: Windows OS, IIS, SQL Server, and desktop security zones.
In all categories, MBSA reports on missing hotfixes using HfNetChk. Other checks include RestrictAnonymous registry key settings, blank passwords, guest account status, sa account passwords, unnecessary virtual sites such as ADMIN and SCRIPTS, and unnecessary services.
For the unnecessary services check, MBSA uses the services.txt file, which by default checks for Telnet, FTP, SMTP, WWW, and the Remote Access Manager. I like the ability to easily expand this list: just add the name of the service you want to check to services.txt.
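To make the checks described above concrete, here is an added example (not MBSA's code and not part of the original column) of a small PowerShell audit script that mirrors three of them: unnecessary services read from a services.txt-style list, the RestrictAnonymous LSA registry value, and Guest account status. It assumes Windows PowerShell 5.1 or later (Get-LocalUser comes from the LocalAccounts module), a list file at .\services.txt with one service name per line, and the fallback service names are constructed for illustration rather than taken from MBSA's own file.

```powershell
<#
  Added example, not MBSA's own code. Mirrors the services.txt check, the
  RestrictAnonymous check, and the Guest account check from the column above.
  Assumptions: Windows PowerShell 5.1+, list file at .\services.txt.
#>
param(
    # Assumed location of the list; one service (short) name per line, '#' comments allowed.
    [string]$ServiceListPath = ".\services.txt"
)

# Constructed fallback list, used only when no services.txt is present.
$defaultWatchList = @("TlntSvr", "MSFTPSVC", "SMTPSVC", "W3SVC", "RemoteAccess")

if (Test-Path -Path $ServiceListPath) {
    $watchList = Get-Content -Path $ServiceListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne "" -and -not $_.StartsWith("#") }
} else {
    $watchList = $defaultWatchList
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Unnecessary services: report each listed service that is installed,
#    and call it out when it is actually running.
foreach ($name in $watchList) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }   # not installed, nothing to report
    if ($svc.Status -eq "Running") {
        $note = "Running: review whether this service is needed"
    } else {
        $note = "Installed but not running"
    }
    $findings.Add([pscustomobject]@{
        Check   = "Service"
        Item    = $svc.Name
        Value   = $svc.Status
        Finding = $note
    })
}

# 2. RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
#    A value of 0 (or a missing value) leaves anonymous enumeration unrestricted.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$lsa = Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous -ErrorAction SilentlyContinue
if ($null -ne $lsa) { $restrictAnonymous = [int]$lsa.RestrictAnonymous } else { $restrictAnonymous = 0 }
if ($restrictAnonymous -eq 0) {
    $note = "Anonymous enumeration not restricted"
} else {
    $note = "Restricted (value $restrictAnonymous)"
}
$findings.Add([pscustomobject]@{
    Check   = "Registry"
    Item    = "RestrictAnonymous"
    Value   = $restrictAnonymous
    Finding = $note
})

# 3. Guest account status: an enabled Guest account is a finding.
$guest = Get-LocalUser -Name "Guest" -ErrorAction SilentlyContinue
if ($null -ne $guest) {
    if ($guest.Enabled) { $note = "Guest account enabled" } else { $note = "Guest account disabled" }
    $findings.Add([pscustomobject]@{
        Check   = "Account"
        Item    = "Guest"
        Value   = $guest.Enabled
        Finding = $note
    })
}

$findings | Format-Table -AutoSize
```

The script reads the registry and service state only, so it runs as a normal user, though Get-LocalUser may require an elevated session on some builds. Extending the watch list works the same way the column describes for MBSA: add a service's short name to services.txt and re-run.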
The desktop checks evaluate the security zones for Internet Explorer, Outlook, and Office. One future development I would like to see in MBSA is a check for Office and Outlook security patches.
I downloaded MBSA to test its functionality on April 10, the same day the new IIS roll-up was released. I was pleasantly surprised to find that MBSA was able to identify systems missing this latest patch. When comparing the results to scans run by ISS and Retina, MBSA can hold its own. Although the commercial tools provide more comprehensive system scans, MBSA analyzes Windows security issues very well, especially when it comes to SQL Server, which ISS and Retina don't cover.
I am very impressed with MBSA and find it to be a very accurate and useful tool for checking the security configurations on Windows systems. Although it's not a replacement for commercial vulnerability assessment scanners, it can definitely provide value by augmenting these tools -- great for a security administrator on a tight budget.
A lot of talk has circulated about Microsoft's Trusted Computing Initiative. If the level of thought and development put into MBSA is an example of changes throughout the organization, I have hope Microsoft can achieve some of its objectives. But they do need to develop a more comprehensive tool to help administrators manage and deploy patches -- currently, the process using available tools is very cumbersome and not all that accurate. Third-party tools are available, but they only work from the limited information gleaned from Microsoft. Why can't Microsoft simply use the knowledge of their own products to develop tools to help administrators better manage and maintain their security?