Reporting Bugs or Requesting Support
The following are required on a computer running the tool:
The following are required on a computer to be scanned by the tool:
Users must have local Administrative privileges on each computer being scanned, whether a local or remote scan is being performed. The Server service (as well as the Remote Registry service on Windows 2000 and Windows XP) is required to be running on all systems being scanned.
Please see Q303215 for more information on these services.
Note: the tool will scan against Windows .Net Server but this operating system is not officially supported in V1.
Microsoft Baseline Security Analyzer V1 checks for the following security settings during a full scan. Clicking on each check will display its associated description file with more details.
Check for missing hotfixes and service packs
Check for account password expiration
Check for file system type on hard drives
Check if autologon feature is enabled
Check if the Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank and/or simple local user account
passwords
Check if unnecessary services are running
List the shares present on the computer
Check if auditing is enabled
Check the Windows version running on the scanned
computer
Check if the IIS Lockdown tool (Version 2.1) was
run on the computer
Check if the IIS sample applications are installed
Check if parent paths are enabled
Check for missing IIS hotfixes
Check if the IIS Admin virtual folder is installed
Check if the MSADC and Scripts virtual directories are
installed
Check if IIS logging is enabled
Check if IIS is running on a Domain Controller
Check if Administrators group belongs to sysadmin
role
Check if CmdExec role is restricted to sysadmin only
Check if SQL Server is running on a Domain Controller
Check if sa account password is exposed
Check SQL installation folders access permissions
Check if Guest account has database access
Check if the Everyone group has access to SQL registry
keys
Check if SQL service accounts are members of the local
Administrators group
Check if SQL accounts have blank or simple passwords
Check for missing SQL hotfixes
Check the SQL Server authentication mode type
Check the number of sysadmin role members
List the Internet Explorer security zone settings
per each local user
List the Outlook security zone settings per each local
user
List the Office products security zone settings per
each local user
The following parts of a scan are optional and can be disabled in the tool UI prior to scanning a computer:
Note the hotfix checks performed on the computer use a custom version of the HFNetChk tool which is automatically installed during setup.
If hotfix checks are not performed using the Microsoft Baseline Security Analyzer, users can download the HFNetChk tool separately from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp.
The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe" with the following parameters:
<no option> - Scan the local computer
/c <domainname>\<computername> - Scan the named computer
/i <xxx.xxx.xxx.xxx> - Scan the named IP
/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses
/d <domainname> - scan named domain
/n IIS - Skip IIS checks
/n OS - Skip Windows Operating System (OS) checks
/n Password - Skip password checks
/n SQL - Skip SQL checks
/n Hotfix - Skip Hotfix checks
/o %domain% - %computername% (%date%)
/e - List errors from latest scan
/l - List all reports available
/ls - List of reports from latest scan
/lr <report name> - Display overview report
/ld <report name> - Display detailed report
/? - Usage help
/qp - Don't display progress
/qe - Don't display error list
/qr - Don't display report list
/q - Don't display any of the above
/f - Redirect output to a file
Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.
The password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note the tool will reset any account lockout policies detected on the computer so as to not lockout any individual user accounts during the password check. This check is not performed on domain controllers.
The tool checks for vulnerabilities on the first (DEFAULT) instance of SQL Server found on the computer. If the DEFAULT instance is not found, the tool will check for the first named instance found. Scanning multiple versions of SQL may be supported in a future version of the tool.
In addition, the hotfix checker in V1 will report all available hotfixes from Microsoft, but may not be able to confirm the presence of all SQL-related hotfixes. This is due to a limitation in scanning each instance of SQL Server and will be addressed in future Microsoft Baseline Security Analyzer versions.
V1 of the tool can scan against localized builds of the Windows operating system, however this version is not fully supported or tested on non-English builds. Additional languages will be tested and supported in the next release of the tool.
Microsoft Baseline Security Analyzer will display errors if any of the following occur:
Please email bug reports or questions to: mbsafdbk@microsoft.com
A Microsoft Baseline Security Analyzer newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:
News server: Msnews.microsoft.com
Newsgroup: Microsoft.public.security.baseline_analyzer
To contact Microsoft PSS Support, please go to http://www.microsoft.com/security to the Microsoft Baseline Security Analyzer download/tool information pages.
When reporting bugs, please include the following information: