Thank you for installing Microsoft Baseline Security Analyzer Version 1 (V1) BETA.

OVERVIEW

This document covers:

 - How to use the Microsoft Baseline Security Analyzer

 - System and Language Applicability

 - System Requirements

 - Obtaining an XML Parser

 - Tool Scanning Options

 - Command Line Options

 - Notes on Scanning

 - Reporting Bugs or Providing Feedback

 

HOW TO USE THE MICROSOFT BASELINE SECURITY ANALYZER

The GUI version of the tool is run by executing SecScan.exe from the directory in which the tool was installed. The command line version is run by executing bsacli.exe in a command window.

 

SYSTEM AND LANGUAGE APPLICABILITY

Microsoft Baseline Security Analyzer V1 Beta may be run on Windows 2000 or Windows XP machines. It can perform scans against Windows NT 4, Windows 2000, and Windows XP machines. Note: Only local scans can be performed against Windows XP Home Edition and unjoined Windows XP Professional machines, due to the simple sharing models used in XP. This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems.

Microsoft Baseline Security Analyzer is currently not localized for languages other than English. Localization will be included in Version 2.

 

SYSTEM REQUIREMENTS

The following are required on a machine running the tool:

 - Windows 2000 or Windows XP

 - Internet Explorer 5.01 or greater

 - An XML parser (MSXML version 3.0 SP2) is required in order for the tool to function correctly. Systems not running Internet Explorer 5.0 or greater will need to download and install an XML parser in order to run this tool. MSXML version 3.0 SP2 can be installed during tool setup. If you opt to not install the XML parser that is bundled with the tool, see the notes below on obtaining an XML parser separately.

The following are required on a machine to be scanned by the tool:

 - Windows NT 4.0 SP4 and above, Windows 2000, or Windows XP (local scans only on XP Home Edition and non-domain joined XP Professional machines)

 - IIS 4.0, 5.0 (required for IIS vulnerability checks)

 - Internet Explorer 5.01 or greater

 - SQL 7.0, 2000 (required for SQL vulnerability checks)

 - Microsoft Office 2000, XP (required for Office vulnerability checks)

The Server service (as well as the Remote Registry service on Windows 2000 and Windows XP) is required to be running on all systems being scanned. 

Please see Q303215 for more information on these services.

Note: the tool will scan against Windows .Net Server but this operating system is not officially supported for V1.

OBTAINING AN XML PARSER

XML parsers have shipped in each version of Internet Explorer since IE 5.0.  If you are running IE 5.0 or greater, you do not need to install a separate parser*. 

 - If you are running an earlier version of Internet Explorer and do not wish to upgrade to IE 5.0 or greater, you may download and install a standalone version of the Microsoft XML parser. 

MSXML version 3.0 SP2 is available from the following location:

http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/001/772/msdncompositedoc.xml

  (above URL may have been wrapped for readability)

Additional information on the Microsoft XML parser is available from

  http://www.microsoft.com/xml

*If you are running IE 5.0 or greater but the tool is still unable to read or locate the XML file, there is a chance that another application may have "unregistered" the XML parser.

To "re-register" the XML parser, please type the following at a command prompt:

  'regsvr32 msxml.dll' (without the quotes)

 

TOOL SCANNING OPTIONS

The following parts of a machine scan are optional and can be disabled in the tool UI prior to scanning a machine:

 - Windows Operating System (OS) checks

 - IIS checks

 - SQL checks

 - Hotfix checks

 - Password checks

Note the hotfix checks performed on the machine use a custom version of the HFNetChk tool which is automatically installed during setup.

If hotfix checks are not performed using the Microsoft Baseline Security Analyzer, users can download the HFNetChk tool separately from:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp

The hotfix checks in this beta do not scan for IE hotfixes, though they will be included in the final tool release.

The password checks can add a substantial amount of time to a scan, depending on the machine role and number of user accounts on the machine. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the machine. Note that the tool will reset any account lockout policies detected on the machine so as not to lock out any individual user accounts during the password check.

COMMAND LINE OPTIONS

The tool can be run from the command line using "bsacli.exe" with the following parameters:

Selecting computer to scan

<no option> - Scan the local computer

/c <domainname>\<computername> - Scan the named computer

/i <xxx.xxx.xxx.xxx> - Scan the named IP

/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses

/d <domainname> - Scan named domain

Selecting which scan options NOT to perform (can concatenate like /n OS+IIS+Hotfix)

/n IIS - Skip IIS checks

/n OS - Skip Windows Operating System (OS) checks

/n Password - Skip password checks

/n SQL - Skip SQL checks

/n Hotfix - Skip Hotfix checks

Specifying output file name template

/o %domain% - %computername% (%date%)

Displaying results and details

/e - List errors from latest scan

/l - List all reports available

/ls - List of reports from latest scan

/lr <report name> - Display overview report

/ld <report name> - Display detailed report

Miscellaneous options

/? - Usage help

/qp - Don't display progress

/qe - Don't display error list

/qr - Don't display report list

/q - Don't display any of the above

/f - Redirect output to a file
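
Added example (not part of the original readme): a batch file that combines the options above to scan a fixed list of machines while skipping the password checks, which avoids the extra Security log entries and the account lockout policy reset described under TOOL SCANNING OPTIONS. The machine names and log file name are constructed placeholders; it assumes bsacli.exe is in the current directory and that the options can be combined on one command line.

```bat
@echo off
rem Added example, not part of the original readme.
rem Scans a fixed list of machines with the command line tool, skipping the
rem password checks, and appends each scan's error list to a log file.
setlocal

rem Constructed placeholders: replace with your own <domainname>\<computername>.
set TARGETS=CORP\WEB01 CORP\SQL01
rem Hypothetical log file name chosen for this example.
set LOG=bsacli-errors.log

rem Assumption: this batch file is started from the tool's install directory,
rem so bsacli.exe is found in the current directory.
for %%T in (%TARGETS%) do (
    echo Scanning %%T
    rem /c selects the machine, /n Password skips the password checks,
    rem /q suppresses the progress, error and report lists during the scan.
    bsacli.exe /c %%T /n Password /q

    rem /e lists errors from the latest scan only, so capture it per machine.
    >>"%LOG%" echo ---- %%T ----
    bsacli.exe /e >>"%LOG%"
)

rem /l lists all reports available once every machine has been scanned.
bsacli.exe /l

endlocal
```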

 

NOTES ON SCANNING

Scan reports will be stored on the machine on which the tool is installed under the %userprofile%\SecurityScans folder. Users must use Windows Explorer to rename or delete scans created by the tool in this directory.

SQL

The tool checks for vulnerabilities on the first (DEFAULT) instance of SQL Server found on a machine. If the DEFAULT instance is not found, the tool will check for the first named instance found. Scanning multiple versions of SQL may be supported in a future version of the tool.

IIS

IIS is installed by default on Windows NT 4 and Windows 2000 Server. If you are running Windows NT 4 Workstation, Windows 2000 Professional, or Windows XP Professional, you may need to manually install the following IIS components through the Add/Remove Programs applet in the Control Panel (Add/Remove Windows Components) before the IIS checks can be performed in a scan:

 - Common Files

 - Internet Information Services Snap-in

REPORTING BUGS OR PROVIDING FEEDBACK

Please email bug reports or questions to

mbsafdbk@microsoft.com

When reporting bugs to this alias, please include the following information:

 - Operating System and Service Pack version on the machine running the tool,

 - Operating System and Service Pack version of the machine being scanned,

 - Internet Explorer version,

 - XML data version

Microsoft Baseline Security Analyzer was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com/security).