Scan Options

Before performing a scan, users can disable the following scan items in the tool UI:

Hotfix Check
Microsoft Baseline Security Analyzer uses the HFNetChk tool during a scan to detect any missing hotfixes on the machine. HFNetChk uses an XML database that is continuously updated by Microsoft to check the hotfix status on the machines being scanned.  If any hotfixes in the XML database are not installed on the scanned machine, the tool will flag these hotfixes in the security report.  HFNetChk scans for hotfixes available for the following products:

Password Check
Microsoft Baseline Security Analyzer checks machines for blank and weak passwords during a scan. This check can take a long time, depending on the number of user accounts on the machine. Users may want to disable this check before scanning Domain Controllers on their network. Note that this check may produce event log entries in the Security log if auditing is enabled on the machine for Logon/Logoff events.
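
The Logon/Logoff entries mentioned above can look like a password-guessing attempt to whoever reviews the Security log, so it helps to attribute them to the scan. The following is an added example, not part of the MBSA documentation or tool: it groups Logon/Logoff entries by source workstation and flags bursts that touch many accounts in a short time. The CSV export layout, the host and account names, the approved-scanner list and the thresholds are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log export (not real data). The CSV columns, host names
# and account names are assumptions made for this example.
SAMPLE_LOG = """time,type,category,account,workstation
2002-05-14 02:00:01,Failure Audit,Logon/Logoff,Administrator,MBSA-SCAN01
2002-05-14 02:00:02,Failure Audit,Logon/Logoff,Guest,MBSA-SCAN01
2002-05-14 02:00:04,Failure Audit,Logon/Logoff,alice,MBSA-SCAN01
2002-05-14 02:00:05,Failure Audit,Logon/Logoff,bob,MBSA-SCAN01
2002-05-14 02:00:07,Failure Audit,Logon/Logoff,svc_backup,MBSA-SCAN01
2002-05-14 03:30:10,Failure Audit,Logon/Logoff,Administrator,UNKNOWN-PC
2002-05-14 03:30:40,Failure Audit,Logon/Logoff,alice,UNKNOWN-PC
2002-05-14 03:31:15,Failure Audit,Logon/Logoff,bob,UNKNOWN-PC
2002-05-14 03:31:50,Failure Audit,Logon/Logoff,Guest,UNKNOWN-PC
2002-05-14 09:12:00,Failure Audit,Logon/Logoff,alice,WKSTN-17
2002-05-14 09:20:00,Success Audit,Object Access,alice,WKSTN-17
"""

def logon_bursts(log_text, window=timedelta(minutes=5), min_accounts=4):
    """Return {workstation: n}, where n is the largest number of distinct
    accounts seen in Logon/Logoff entries from that source within `window`."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["category"] == "Logon/Logoff":  # ignore other audit categories
            ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            by_source[row["workstation"]].append((ts, row["account"]))
    bursts = {}
    for source, events in by_source.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({acct for _, acct in events[start:end + 1]}))
        if best >= min_accounts:
            bursts[source] = best
    return bursts

def triage(bursts, approved_scanners):
    """Label a burst as expected only if its source is an approved scan host."""
    return {src: ("expected scan" if src in approved_scanners else "investigate")
            for src in bursts}

if __name__ == "__main__":
    found = logon_bursts(SAMPLE_LOG)
    print(found, triage(found, {"MBSA-SCAN01"}))
```
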

OS Vulnerability Checks
This group of checks scans for security issues in the Windows operating systems (Windows NT 4, 2000, XP), such as Guest account status, file system type, available file shares, members of the Administrators group, etc. Descriptions of each OS check are shown in the security reports with instructions on fixing any issues found.

IIS Vulnerability Checks
This group of checks scans for security issues in IIS 4.0 and 5.0, such as sample applications and certain virtual directories present on the machine. The tool also checks if the IIS Lockdown tool has been run on the machine, which can help an Administrator configure and secure their IIS servers. Descriptions of each IIS check are shown in the security reports with instructions on fixing any issues found.

SQL Vulnerability Checks
This group of checks scans for security issues in SQL 7.0 and 2000, such as the type of authentication mode, sa account password status, and SQL service account memberships. Descriptions of each SQL check are shown in the security reports with instructions on fixing any issues found.