Before performing a scan, users can disable the following scan items in the Microsoft® Baseline Security Analyzer (MBSA) user interface:
Windows administrative vulnerability checks
This group of checks scans for security issues in the Windows operating
systems (Windows NT® 4.0, Windows 2000, Windows XP, and Windows Server 2003),
such as Guest account status, file system
type, available file shares, and members of the Administrators group.
Descriptions of each Windows check are shown in the security reports, with
instructions on how to fix any issues that are found.
Weak passwords check
Microsoft Baseline Security Analyzer checks machines for blank and weak
passwords during a scan. This check can take a long time, depending on
the number of user accounts on the machine. Users may want to disable this check
before scanning domain controllers on their network. Note that this check may
produce event log entries in the Security log if auditing is enabled on the
machine for Logon/Logoff events. If this option is not selected, the Windows
and SQL Server account password checks will not be performed.
IIS administrative vulnerability checks
This group of checks scans for security issues in Internet Information Server (IIS) 4.0,
Internet Information Services (IIS) 5.0, and Internet Information Services (IIS) 6.0, such as
sample applications and certain virtual directories present on the machine. The
tool also checks whether the IIS Lockdown tool, which can help an administrator
configure and secure servers running IIS, has been run on the machine. Descriptions of each IIS
check are shown in the security reports, with instructions on how to fix any issues that are
found.
SQL Server administrative vulnerability checks
This group of checks scans for administrative vulnerabilities on each instance of SQL and
Microsoft Data Engine (MSDE) found on the computer, such as the type of
authentication mode, sa account password status, and service account
memberships. All individual checks will be performed on each instance of SQL and
MSDE. Descriptions of each check are shown in the security
reports, with instructions on how to fix any issues that are found.
MSDE is a data engine built on core SQL Server technology. It is a redistributable database engine that supports single- and dual-processor desktop computers. MSDE is packaged in a self-extracting archive for ease of distribution and embedding. Because it is fully compatible with other editions of SQL Server, users can upgrade from MSDE to SQL Server if an application grows beyond the storage and scalability limits of MSDE.
Security updates check
Microsoft Baseline Security Analyzer uses an XML database that is continuously updated by Microsoft to check
the security update status on the machines being scanned. If any security
updates in the XML database are not installed on the scanned machine, the tool will flag these updates in the security report. MBSA scans for missing security updates for
the following products:
Note: For products that are not installed on a scanned machine, the security updates check will not be performed for those products and will not be listed in the Security Update Scan Results table in the report.
SUS option
Users can opt to perform a security updates check against the list of
approved updates from their local Software Update Services (SUS) server (formerly called
Windows Update Corporate Edition). This option checks for missing security updates included in an approved items list on the SUS server, rather
than from the full list of available security updates in the Mssecure.xml file
from the Microsoft Web site. All security updates marked as approved by the SUS
administrator, including updates that have been superseded, will be scanned and
reported by MBSA. Note that SUS currently does not include updates for SQL,
Exchange, or Office products.