Microsoft Baseline Security Analyzer Help

Contents

Release notes for MBSA version 1.2.1

System Requirements

Tool Security Checks

Tool Scanning Options

Command-Line Options

Notes on Scanning

Reporting Bugs or Requesting Support


System Requirements

The following are the requirements when scanning a local computer:

The following are the requirements for a computer running the tool that is scanning remote machine(s):

The following are the requirements for a computer to be scanned remotely by the tool:

Please see article 303215 for more information on these services.

Users must have local administrative privileges on each computer being scanned, whether a local or remote scan is being performed.

Internet access is also required to download the mssecure.cab file from the Microsoft Download Center used for the security updates scan. If a previous copy of the file was downloaded in a prior scan, the tool will attempt to use the locally cached copy if an Internet connection is not detected.

Obtaining an XML Parser

XML parsers have shipped in each version of Internet Explorer since IE 5.01. However, it is recommended to have the latest version of IE and the latest version of the MSXML parser installed.

The latest version of the MSXML parser is available from the following location:

Microsoft XML Parser

Additional information on the Microsoft XML Parser is available from http://www.microsoft.com/xml.


Tool Security Checks

Microsoft® Baseline Security Analyzer version 1.2 checks for the following security settings during a full scan. Clicking each check will display its associated description file, which provides details. Note that if any products are not found to be installed on scanned machines, the associated product checks will not be performed and will not be reflected in the MBSA scan reports.

Security update checks

Check for missing Windows security updates
Check for missing IIS security updates
Check for missing SQL Server security updates
Check for missing Exchange Server security updates
Check for missing IE security updates
Check for missing Windows Media Player security updates
Check for missing Microsoft Virtual Machine (VM) security updates
Check for missing Microsoft Data Access Components (MDAC) security updates
Check for missing MSXML security updates
Check for missing Content Management Server security updates
Check for missing Commerce Server security updates
Check for missing BizTalk® Server security updates
Check for missing Host Integration Server security updates
Check for missing Office security updates

Windows checks

Check for account password expiration
Check for file system type on hard drives
Check if Auto Logon feature is enabled
Check if Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank or simple local user account passwords
Check if unnecessary services are running
List the shares present on the computer
Check if Windows auditing is enabled
Check the Windows version running on the scanned computer
Check if Internet Connection Firewall is enabled
Check if Automatic Updates is enabled

IIS checks

Check if the IIS Lockdown tool (version 2.1) was run on the computer
Check if IIS sample applications are installed
Check if IIS parent paths are enabled
Check if the IIS Admin virtual folder is installed
Check if the MSADC and Scripts virtual directories are installed
Check if IIS logging is enabled
Check if IIS is running on a domain controller

SQL checks

Check if Administrators group belongs in Sysadmin role
Check if CmdExec role is restricted to Sysadmin only
Check if SQL Server is running on a domain controller
Check if sa account password is exposed
Check SQL Server installation folders access permissions
Check if Guest account has database access
Check if Everyone group has access to SQL Server registry keys
Check if SQL Server service accounts are members of the local Administrators group
Check if SQL Server accounts have blank or simple passwords
Check the SQL Server authentication mode type
Check the number of Sysadmin role members

Desktop application checks

List the Internet Explorer security zone settings for each local user
Check if Internet Explorer Enhanced Security Configuration is enabled for Administrators
Check if Internet Explorer Enhanced Security Configuration is enabled for non-Administrators
List the Office products security zone settings for each local user


Tool Scanning Options

The following parts of a scan are optional and can be turned off in the tool user interface prior to scanning a computer:


Command-Line Options

There are two types of scans that can be performed using the MBSA command line interface: MBSA-style scans and HFNetChk-style scans.

MBSA-Style Scans

The MBSA-style scan will store results, as was done in MBSA V1.1.1, in individual XML files to later be viewed in the MBSA UI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks. Note that users must explicitly use the -nosum switch to perform the same scan as is done in the MBSA GUI.

The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe" with the following parameters:

Selecting computer to scan

<no option> - Scan the local computer

/c <domainname>\<computername> - Scan the named computer

/i <xxx.xxx.xxx.xxx> - Scan the named IP

/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses

/d <domainname> - scan named domain

Selecting which scan options NOT to perform (can concatenate like /n OS+IIS+Updates)

/n IIS - Skip IIS checks

/n OS - Skip Windows Operating System (OS) checks (note this will also skip the IE/Outlook zones and Office macro security checks)

/n Password - Skip password checks

/n SQL - Skip SQL checks

/n Updates - Skip security update checks

Security update scan options

/sus <SUS server | SUS filename> - Check only for security updates approved at the specified URL of the SUS server or the file path to the approveditems.txt file. If a URL or path is not specified, the value stored in the registry will be used if available.

/s 1 - Suppress security update check notes

/s 2 - Suppress security update check notes and warnings

/nosum - Security update checks will not test file checksums

/nvc - Don't check for a new version of MBSA

Specifying output file name template

/o <filename> - Default filename format is "%d% - %c% (%t%)", where %d% is the domain, %c% is the computername, and %t% is the date and time. %IP% can be used to include the IP address of the scanned machine. Note that report name variables from previous versions of MBSA will also function: "%domain% - %computername% (%date%)"

Displaying results and details

Note these report options cannot be combined with the security update scan options listed above.

/e - List errors from latest scan

/l - List all reports available

/ls - List of reports from latest scan

/lr <report name> - Display overview report

/ld <report name> - Display detailed report

/v - Display security update reason codes

Miscellaneous options

/? - Usage help

/qp - Don't display progress

/qe - Don't display error list

/qr - Don't display report list

/q - Don't display any of the above

/f - Redirect output to a file

/unicode - Generate unicode output (Users running Japanese MBSA or scanning Japanese Windows machines should specify this switch)
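The following batch file is an added example of an MBSA-style scan driven from the command line; it is not part of the MBSA help and not Microsoft's code. The installation folder, the 10.0.0.x address range and the SUS server name are placeholders. It mirrors the GUI scan (the /nosum switch noted above), skips the password checks that lengthen the scan and generate logon audit entries, and then lists the resulting reports in a second invocation, because the report-listing options cannot be combined with the security update scan options.

```batch
@echo off
rem Added example (not from the MBSA help): MBSA-style scan of an IP range,
rem run from an administrative command prompt or a scheduled task.
rem The install path, address range and SUS server below are placeholders.
setlocal
set MBSA_DIR=C:\Program Files\Microsoft Baseline Security Analyzer
set SUS_URL=http://sus-server.example.internal

rem Scan 10.0.0.1 - 10.0.0.50 (range syntax as documented above).
rem /n Password  skips the slow password checks (no Logon/Logoff audit noise)
rem /nosum       matches the GUI scan, as the help text requires
rem /sus         reports only updates approved on the SUS server
rem /nvc         no version check (useful on hosts without Internet access)
rem /qp          no progress output, so the scheduled-task log stays readable
rem /o           report name template; %% is how a batch file writes a literal %
"%MBSA_DIR%\mbsacli.exe" /r 10.0.0.1 - 10.0.0.50 /n Password /nosum /sus %SUS_URL% /nvc /qp /o "%%d%% - %%c%% (%%t%%)"

rem Report options cannot be combined with the scan options above,
rem so listing the reports and errors from this scan is a separate call.
"%MBSA_DIR%\mbsacli.exe" /ls
"%MBSA_DIR%\mbsacli.exe" /e
endlocal
```

Reports land in %userprofile%\SecurityScans of the account running the scan, one XML file per scanned computer; /lr and /ld with a report name from the /ls listing display a report without opening the GUI.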


HFNetChk-Style Scans

The HFNetChk-style scan will check for missing security updates and will display scan results as text in the command line window, as is done in the standalone HFNetChk tool. MBSA V1.2 includes the "/hf" flag, which indicates an HFNetChk scan to the MBSA engine. The HFNetChk switches listed below can be used after the "/hf" flag is specified on the command line. Note that users must explicitly use the -v and -nosum switches to perform the same scan as is done in the MBSA GUI.

Note: the Office security update scan will NOT be performed with the /hf flag as it is performed outside of the HFNetChk engine. Office security updates can be scanned in the MBSA GUI (mbsa.exe) or the MBSA-style scan using mbsacli.exe.

Note: the MBSA-style scan parameters listed above cannot be combined with the /hf flag option.

The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe /hf" followed by any of the parameters below. For a full description of each parameter, please see KB article Q303215.

Selecting computer to scan

-h <hostname> - Scan the named NetBIOS computer name. Default location is the local host. Multiple hosts can be scanned by separating host names with a comma.

-fh <filename> - Scans the NetBIOS computer names specified in the named text file. Specify one computer name on each line in the .txt file, with a 256-name maximum.

-i <xxx.xxx.xxx.xxx> - Scans the named IP address. Multiple IP addresses can be scanned by separating each entry with a comma.

-fip <filename> - Scans the IP addresses specified in the named text file. Specify one IP address on each line in the .txt file, with a 256 entry maximum.

-r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Specifies IP address range to be scanned.

-d <domainname> - Specifies the domain name to be scanned.

-n - Specifies that all computers on the local network should be scanned. All computers from all domains in Network Neighborhood are scanned.

Specifying which scan options should/should not be performed or displayed

-sus <SUS server | SUS filename> - Check only for security updates approved at the specified URL of the SUS server or the file path to the approveditems.txt file. If a URL or path is not specified, the value stored in the registry will be used if available.

-fq <filename> - Specifies the name of a file that contains Qnumbers to suppress on output. Specify one Qnumber per line. This switch only suppresses the specified item(s) from being displayed in the output; it does not remove the item(s) from consideration during the course of a scan.

-s - Suppresses NOTE and WARNING messages. The default is not to suppress either of these message types. The following options are used with this switch:

    (1) Suppresses NOTE messages only.
    (2) Suppresses both NOTE and WARNING messages.

-nosum - Specifies to not perform checksum validation for the security update files. You do not need to use this switch under typical circumstances.

-sum - Forces a checksum scan when scanning a non-English language system. Use this switch only if you have a custom XML file with language-specific checksums.

-z - Specifies to not perform registry checks. (Note when this switch is used with -history, registry checks will still be performed for those patches that only have registry key data and no file version information in the mssecure.xml file)

-history - Displays updates that have been explicitly installed, explicitly not installed, or effectively installed. (Updates that are effectively installed indicate that the update itself may not have been explicitly installed, but a later, superseding update was installed that contains the fixes from this earlier update.) This switch is not necessary for normal operation; you do not need to use it except under very specific circumstances. The following options are used with this switch:

    (1) displays those updates that have been explicitly installed.
    (2) displays those updates that have been explicitly not installed.
    (3) displays those updates that have been effectively installed.

-v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered "not found" or if you receive a NOTE or WARNING message.

/nvc - Don't check for a new version of MBSA.

Specifying output format and file names

-o - Specifies the desired output format. The following options are used with this switch:

    (tab) Displays output in tab-delimited format.
    (wrap) Displays output in word-wrapped format.

-f <filename> - Specifies the name of a file in which to store the results. You can use the switch in both wrap and tab output.

-unicode - Generate unicode output (Users running Japanese MBSA or scanning Japanese Windows machines should specify this switch)

Miscellaneous options

-t - Specifies the number of threads that are used to run the scan. Possible values are 1 to 128, with the default value being 64. This switch can be used to throttle down (or up) the scanner speed.

-u <username> - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.

-p <password> - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. For security purposes, the password is not sent over the network in clear text. Instead, HFNetChk uses the challenge-response mechanism that is built into Windows NT 4.0 and later to secure the authentication process.

-x - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a Uniform Resource Locator (URL). The default file is the Mssecure.cab file from the Microsoft Web site. When this switch is not used, the mssecure.xml file will be downloaded from the Microsoft Web site.

-? - Displays a menu. You can also call this switch by using the /? syntax. The menu is also displayed any time that you pass incorrect syntax at a command prompt.
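The following batch file is an added example of an HFNetChk-style scan; it is not part of the MBSA help and not Microsoft's code. The installation folder, the host names and the output path are placeholders. It builds a host list file for -fh, runs the scan with the -v and -nosum switches that reproduce the GUI scan, throttles the thread count, and writes tab-delimited results to a file so they can be compared between scan runs.

```batch
@echo off
rem Added example (not from the MBSA help): HFNetChk-style scan of the hosts
rem named in a text file. Install path, host names and file paths are placeholders.
setlocal
set MBSA_DIR=C:\Program Files\Microsoft Baseline Security Analyzer
set HOSTS=%TEMP%\mbsa-hosts.txt
set OUT=%TEMP%\mbsa-hf-results.txt

rem One NetBIOS name per line, 256 names maximum (placeholder names).
> "%HOSTS%" echo WEB01
>> "%HOSTS%" echo SQL01

rem /hf     selects the HFNetChk engine; MBSA-style switches may not follow it
rem -v      explain why an update is reported as not found (GUI-equivalent)
rem -nosum  skip file checksums (GUI-equivalent, per the help text)
rem -t 8    limit the scanner to 8 threads on a busy network
rem -s 1    suppress NOTE messages but keep WARNINGs
rem -o tab  tab-delimited output, easier to diff or import than wrap mode
rem -f      store the results in a file instead of the console
rem The scan runs as the current user; -u/-p would supply other credentials,
rem but a password on the command line is readable by anyone who can see the
rem batch file or the process list, so prefer running as a scanning account.
"%MBSA_DIR%\mbsacli.exe" /hf -fh "%HOSTS%" -v -nosum -t 8 -s 1 -o tab -f "%OUT%" /nvc

echo Results written to "%OUT%"
endlocal
```

Because the Office security update scan is not performed through the HFNetChk engine, Office patch status still has to come from the GUI or an MBSA-style scan; the /hf output covers only the products HFNetChk knows about.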


Notes on Scanning

Scan Reports

Scan reports will be stored on the computer on which the tool is installed in the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.

Security Updates Scan

When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related updates will be scanned and reported. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.

Note that for products that are not installed on a scanned machine, the security updates check will not be performed for those products, and they will not be listed in the Security Update Scan Results table in the report. In addition, the Office security update scan will not be performed with the /hf flag as it is performed outside of the HFNetChk engine. Office security updates can be scanned in the MBSA GUI (mbsa.exe) or the MBSA-style scan using mbsacli.exe.

Password Checks

Password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note that the tool will reset any account lockout policies detected on the computer so as to not lock out any individual user account during the password check. This check is not performed on domain controllers.

If this option is cleared prior to scanning a computer, neither the local Windows nor the SQL account password checks will be performed.

IIS Checks

The IIS 6.0 Common Files are required on the local machine that is remotely scanning an IIS 6.0 server. The IIS 6.0 Common Files can also be used to scan downlevel IIS machines (e.g., IIS 5.0); however, the IIS 5.0 Common Files cannot be used to remotely connect to and scan a machine running IIS 6.0.

SQL/MSDE Checks

The tool checks for administrative vulnerabilities on each instance of SQL and MSDE found on the computer. All individual SQL checks will be performed on each instance of SQL and MSDE.

MSDE is a data engine built and based on core SQL Server technology. It is a redistributable database engine that supports single- and dual-processor desktop computers. MSDE is packaged in a self-extracting archive for ease of distribution and embedding. Since it is fully compatible with other editions of SQL Server, users can upgrade from MSDE to SQL Server if an application grows beyond the storage and scalability limits of MSDE.

Localized Windows Builds

Version 1.2 has localization support for Japanese, German, and French, including the ability to download localized versions of the mssecure.xml file from Microsoft. When a non-English machine is scanned for missing security updates without the associated localized mssecure.xml file, checksum checks will not be performed.

Network Scans

MBSA V1.2 can be used to scan up to 10,000 machines on a network at a time. More information on network scans is available in the MBSA White Paper.

Error Reporting

Microsoft Baseline Security Analyzer will display errors if any of the following occur:


Reporting Bugs or Requesting Support

An MBSA newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:

    News server:  Msnews.microsoft.com
    Newsgroup:  Microsoft.public.security.baseline_analyzer

To contact Microsoft Product Support Services, go to http://www.microsoft.com/security and search for the Microsoft Baseline Security Analyzer page.

When reporting bugs, include the following information: