Thank you for installing Microsoft® Baseline Security Analyzer version 1.2.1.
MBSA version 1.2.1 fixes and enhancements
Windows XP Service Pack 2 introduced new functionality that MBSA 1.2 did not check for, and MBSA 1.2 did not provide the steps to configure the firewall feature for strong security. This release note includes the specific procedures to set the Windows Firewall to the recommended setting.
Notes
Windows XP Service Pack 2 and Windows Server 2003 service packs include more secure defaults for the Windows Firewall which prevent MBSA from remotely scanning through the firewall unless specific ports and services are enabled. For deployment guidelines for the Windows Firewall and Windows XP Service Pack 2, refer to the appropriate Deployment Guides.
If you require remote scanning of Windows XP, use these MBSA requirements in conjunction with the deployment guides for Windows XP Service Pack 2 to ensure the firewall configuration is compatible with MBSA for a remote scan:
Windows NT® 4.0 SP4 and above, Windows 2000, Windows XP (local scans only on Windows XP computers that use simple file sharing), or Windows Server 2003.
The Server service, Remote Registry service, and File & Print Sharing services must be enabled.
Remote machine scans are performed using TCP ports 139 and 445. In a multi-domain environment, where a firewall or filtering router separates the two networks, TCP ports 139 and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote network being scanned.
Internet Explorer includes new security mitigations for web pages attempting to access the local computer. The Printing dialog and the Result Details dialog used by MBSA would appear to Internet Explorer as web pages, and the user would be prompted to permit them to display text.
Improved security in this release of Windows XP limits the number of concurrent outbound connections. To ensure needed compatibility, MBSA 1.2.1 will restrict the number of concurrent outbound connections on Windows XP SP2 to just a single connection when performing a remote scan.
When using the -b or -baseline command line options, only a limited set of "baseline" security updates were displayed. Microsoft recommends that all applicable security updates be installed rather than only those for a subset of specific products. Because users of these options were not receiving the best recommendation, this feature has been removed in this version of MBSA. For compatibility purposes, the -b and -baseline command line options may still be specified; however, they will have no effect. Users of these options need to be aware that they may see more updates reported than in the prior version, such as updates for Internet Explorer and Windows Media Player.
In the previous release of the MBSA graphical user interface (GUI), result reports could include non-critical warnings for outdated service packs and for files having newer than expected version information. To help provide greater clarity when performing a security assessment through the MBSA GUI, the scanning result report now only includes non-critical warnings related to outdated service packs by default. These warnings also include new remediation steps as part of the "How to correct this" link of the report. This enhancement helps reduce report complexity and increases consistency with the latest enhancements to Microsoft Security Update release procedures.
Other non-critical informational messages are now available exclusively through the command line interface (CLI) or when results of a scan launched through the CLI are viewed within the MBSA GUI.
A new "-s 3" command line option generates reports that follow the same behavior as the new GUI defaults described above. Users that require the non-service pack, non-critical informational messages to appear within the GUI will need to generate the report using the CLI.
Internet Connection Firewall (ICF) / Windows Firewall is firewall software that provides protection for computers by controlling what information is communicated from your machine to and from the Internet or other machines on a network. ICF is included in Windows® XP and Windows Server 2003 Standard Edition and Enterprise Edition. Windows XP Service Pack 2 and service packs for Windows Server 2003 include the enhanced features of Windows Firewall.
The scanned machine does not have ICF / Windows Firewall enabled on all network connections.
MBSA does not detect whether another firewall (either hardware or software) is in use and protecting the scanned machine.
Enable Internet Connection Firewall / Windows Firewall on each network connection on your machine. Refer to the appropriate guidance below for either the Windows Firewall or the Internet Connection Firewall (each uses a different procedure).
To turn Windows Firewall on with no exceptions:
You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
1. Open Windows Firewall.
2. On the General tab, click On.
3. Select the Don't allow exceptions check box.
Be sure to check the system requirements included in this release note to permit an MBSA remote scan before configuring the firewall settings. Unless you do this, MBSA may be unable to remotely scan the security compliance of your Windows XP Service Pack 2 computers.
To open Windows Firewall, click Start, click Control Panel, and then click Windows Firewall.
When you select Don't allow exceptions, Windows Firewall blocks all requests to connect to your computer, including those from programs or services on the Exceptions tab. The firewall also blocks file and printer sharing, and discovery of network devices.
Using Windows Firewall with no exceptions is useful when you connect to a public network, such as one at an airport or hotel. This setting can help to protect your computer by blocking all attempts to connect to your computer.
When you use Windows Firewall with no exceptions, you can still view Web pages, send and receive e-mail, or use an instant messaging program.
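The following script is an added example and is not part of the MBSA release note or of any Microsoft tool; it shows the two firewall outcomes described above as netsh commands on a Windows XP SP2 host, together with the service and port requirements for an MBSA remote scan listed earlier in this note. The "public" mode turns Windows Firewall on with no exceptions, which is the recommended setting but blocks TCP 139/445 and UDP 137/138 and therefore prevents a remote MBSA scan. The "managed" mode keeps the firewall on, enables the Server and Remote Registry services, and opens only the File and Printer Sharing exception, scoped to the scanner's subnet. The script name and the 192.168.10.0/24 scanner subnet are constructed assumptions.

```batch
@echo off
rem Added example, not from the MBSA release note or from Microsoft.
rem usage: mbsa-firewall-prep.cmd public | managed   (administrator prompt)
rem Assumption (constructed value): the MBSA scanning host is on 192.168.10.0/24.
set SCANNER_SUBNET=192.168.10.0/255.255.255.0

if /i "%~1"=="public"  goto public
if /i "%~1"=="managed" goto managed
echo usage: %~nx0 public ^| managed
exit /b 1

:public
rem Recommended setting: firewall on, "Don't allow exceptions".
rem Blocks every inbound request, including the SMB/NetBIOS ports MBSA
rem needs (TCP 139/445, UDP 137/138), so no remote scan is possible.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
goto verify

:managed
rem Services MBSA requires on the scanned machine. File and Printer
rem Sharing is provided by the Server service (LanmanServer).
sc config LanmanServer start= auto
sc config RemoteRegistry start= auto
sc start LanmanServer
sc start RemoteRegistry

rem Firewall on, exceptions allowed, but only the File and Printer Sharing
rem exception is opened and only for the scanner's subnet (scope=CUSTOM),
rem not for any address.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%SCANNER_SUBNET% profile=ALL
goto verify

:verify
rem Show the resulting firewall state and the service status so the
rem operator can confirm what was applied before running the scan.
netsh firewall show state
netsh firewall show service
sc query LanmanServer | find "STATE"
sc query RemoteRegistry | find "STATE"
exit /b 0
```

Run it as `mbsa-firewall-prep.cmd managed` on hosts that must be scanned remotely and `mbsa-firewall-prep.cmd public` on hosts that leave the managed network. Scoping the exception to the scanner's subnet rather than to all addresses keeps the SMB ports closed to everything except the scanning host, which is the smallest opening compatible with an MBSA remote scan.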
To enable ICF manually for a network connection:
1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to "Protect my computer or network."
Automatic Updates can keep your computer up-to-date automatically with the latest updates from Microsoft by delivering them directly to your computer from the Windows Update site (or from a local Software Update Services (SUS) server if you are in a managed environment). MBSA will warn users if Automatic Updates is not enabled on the scanned machine, or if it is enabled but is not configured to automatically download and install updates. Automatic Updates is available on Windows® 2000 SP3 machines and higher.
The Automatic Updates control panel settings have been enhanced in Windows XP Service Pack 2, and the steps used to configure the feature have changed from those steps documented in MBSA for prior Windows versions. These enhancements also appear in Windows 2000 Service Pack 3 and above for computers that have automatically updated from Windows Update to obtain the latest Automatic Updates client version.
Enable and configure Automatic Updates to automatically download and install the latest updates from Microsoft. For more information on Automatic Updates settings, please refer to the Knowledge Base article on scheduling Automatic Updates in Windows XP, Windows 2000, or Windows Server 2003.
You must be logged on as a computer administrator to complete this procedure. These procedures assume the latest version of Automatic Updates is available; if it is not, refer to the original procedures documented in the MBSA help files.
1. Open System, and then click the Automatic Updates tab.
– or –
If you are running Windows 2000, click Start, point to Settings, click Control Panel, and then double-click Automatic Updates.
2. Click Automatic (recommended).
3. Under Automatically download recommended updates for my computer and install them, select the day and time you want Windows to install updates.
To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System.
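The control panel steps above can also be applied as a script, which is how the setting is usually rolled out across many machines. The script below is an added example, not from the MBSA release note or from Microsoft; it writes the Windows Update policy registry values that correspond to "Automatic (recommended)" with a scheduled install day and time, which is the state MBSA accepts without a warning. The install day, install hour and the optional SUS server name are constructed assumptions.

```batch
@echo off
rem Added example, not from the MBSA release note or from Microsoft.
rem Sets Automatic Updates to download and install on a schedule by writing
rem the Windows Update policy keys. Run from an administrator prompt.
rem Constructed values (assumptions): install day 0 = every day,
rem install hour 3 = 03:00 local time, SUS_SERVER left empty by default.
set AU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
set WU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
set INSTALL_DAY=0
set INSTALL_HOUR=3
set SUS_SERVER=

rem States MBSA warns about: NoAutoUpdate=1 (feature disabled), or
rem AUOptions=2/3 (enabled but only notifying, not installing).
rem Corrected state: NoAutoUpdate=0 and AUOptions=4 (download and install
rem automatically on the scheduled day and time).
reg add "%AU_KEY%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%AU_KEY%" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%AU_KEY%" /v ScheduledInstallDay /t REG_DWORD /d %INSTALL_DAY% /f
reg add "%AU_KEY%" /v ScheduledInstallTime /t REG_DWORD /d %INSTALL_HOUR% /f

rem Managed environment: point the client at a local SUS server instead of
rem the Windows Update site. Skipped when SUS_SERVER is empty.
if "%SUS_SERVER%"=="" goto restart
reg add "%WU_KEY%" /v WUServer /t REG_SZ /d %SUS_SERVER% /f
reg add "%WU_KEY%" /v WUStatusServer /t REG_SZ /d %SUS_SERVER% /f
reg add "%AU_KEY%" /v UseWUServer /t REG_DWORD /d 1 /f

:restart
rem The Automatic Updates service (wuauserv) reads the policy at start-up.
net stop wuauserv
net start wuauserv

rem Verify: AUOptions should show 0x4 and NoAutoUpdate 0x0.
reg query "%AU_KEY%"
```

Because these are policy keys, the Automatic Updates tab in System will show the chosen setting as managed by the administrator and users will not be able to turn it back down; if you want users to keep control, apply the same choices through the control panel steps above instead.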
Automatic Updates provides high-priority updates, which include security and other critical updates that can help protect your computer. It's a good idea to visit the Windows Update Web site (http://www.microsoft.com/) on a regular basis to get optional updates, such as recommended software and hardware updates, that can help improve your computer's performance.