Thank you for installing Microsoft Baseline Security Analyzer Version 1.0 (V1).
How to use the Microsoft Baseline Security Analyzer
System and Language Applicability
Reporting Bugs or Providing Feedback
The GUI version of the tool is run by executing MBSA.exe from the folder in which the tool was installed. The command line version is run by executing mbsacli.exe in a command window (from the Microsoft Baseline Security Analyzer installation folder path).
Microsoft Baseline Security Analyzer V1 may be run on Windows 2000 or Windows XP computers. It can perform scans against Windows NT 4, Windows 2000, and Windows XP computers. Note: Only local scans can be performed against Windows XP Home Edition and Windows XP Professional computers that use the simple file sharing model. This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems.
Microsoft Baseline Security Analyzer is currently not localized for languages other than English. Localization will be included in a future version of the tool.
The following are required on a computer running the tool:
The following are required on a computer to be scanned by the tool:
Users must have local Administrative privileges on each computer being scanned, whether a local or remote scan is being performed. The Server service (as well as the Remote Registry service on Windows 2000 and Windows XP) is required to be running on all systems being scanned.
Please see Q303215 for more information on these services.
Note: The tool will scan against Windows .NET Server, but this operating system is not officially supported in V1.
XML parsers have shipped in each version of Internet Explorer since IE 5.01. If you are running IE 5.01 or greater, you do not need to install a separate parser*.
If you are running an earlier version of Internet Explorer and do not wish to upgrade to IE 5.01 or greater, you may download and install a standalone version of the Microsoft XML parser. MSXML version 3.0 SP2 is available from the following location:
(above URL may have been wrapped for readability)
Additional information on the Microsoft XML parser is available from
If you are running IE 5.01 or greater and the tool is still unable to read or locate the XML file, there is a chance that another application may have "unregistered" the XML parser. To "re-register" the XML parser, please type the following at a command prompt:
'regsvr32 msxml.dll' (without the quotes)
The following parts of a scan are optional and can be disabled in the tool UI prior to scanning a computer:
Note: The hotfix checks performed on the computer use a custom version of the HFNetChk tool, which is automatically installed during setup.
If hotfix checks are not performed using the Microsoft Baseline Security Analyzer, users can download the HFNetChk tool separately from:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp
The tool can be run from the command line using "mbsacli.exe" with the following parameters:
<no option> - Scan the local computer
/c <domainname>\<computername> - Scan the named computer
/i <xxx.xxx.xxx.xxx> - Scan the named IP
/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses
/d <domainname> - Scan named domain
/n IIS - Skip IIS checks
/n OS - Skip Windows Operating System (OS) checks
/n Password - Skip password checks
/n SQL - Skip SQL checks
/n Hotfix - Skip Hotfix checks
/o %domain% - %computername% (%date%)
/e - List errors from latest scan
/l - List all reports available
/ls - List of reports from latest scan
/lr <report name> - Display overview report
/ld <report name> - Display detailed report
/? - Usage help
/qp - Don't display progress
/qe - Don't display error list
/qr - Don't display report list
/q - Don't display any of the above
/f - Redirect output to a file
Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.
The password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note: The tool will reset any account lockout policies detected on the computer so as not to lock out any individual user accounts during the password check. This check is not performed on domain controllers.
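As an added example (not part of the original readme or of the tool), the batch file below checks the service prerequisites stated above on a remote target and then runs mbsacli.exe with the password checks skipped, so the scan adds no Logon/Logoff entries to the target's Security log. The script name, its arguments and the use of sc.exe are assumptions; the mbsacli switches are the ones listed above.

```batch
@echo off
rem Added example, not part of the MBSA distribution.
rem Usage: prescan.cmd <domainname> <computername> [NT4]
rem Assumptions: run from the MBSA installation folder (so mbsacli.exe resolves),
rem by an account with local Administrator rights on the target, and sc.exe is
rem available on the scanning computer.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<domainname^> ^<computername^> [NT4]
    exit /b 2
)
set "DOMAIN=%~1"
set "TARGET=%~2"

rem The Server service (service name lanmanserver) must be running on every target.
call :require_running lanmanserver || exit /b 1

rem Remote Registry is required on Windows 2000 and Windows XP targets only,
rem so pass NT4 as the third argument to skip this check for a Windows NT 4 target.
if /i not "%~3"=="NT4" (
    call :require_running RemoteRegistry || exit /b 1
)

rem Skip the password checks: they lengthen the scan and can add
rem Logon/Logoff events to the Security log when auditing is enabled.
mbsacli.exe /c %DOMAIN%\%TARGET% /n Password

rem List the reports produced by the scan that just ran.
mbsacli.exe /ls
endlocal
exit /b 0

:require_running
rem Query the named service on the target and look for the RUNNING state.
sc \\%TARGET% query %1 | find "RUNNING" >nul
if errorlevel 1 (
    echo %1 is not running on %TARGET%; scan not started.
    exit /b 1
)
exit /b 0
```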
The tool checks for vulnerabilities on the first (DEFAULT) instance of SQL Server found on the computer. If the DEFAULT instance is not found, the tool will check for the first named instance found. Scanning multiple versions of SQL may be supported in a future version of the tool.
V1 of the tool can scan against localized builds of the Windows operating system; however, this version is not fully supported or tested on non-English builds. Additional languages will be tested and supported in the next release of the tool.
Please email bug reports or questions to: mbsafdbk@microsoft.com
A Microsoft Baseline Security Analyzer newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:
News server: Msnews.microsoft.com
Newsgroup: Microsoft.public.security.baseline_analyzer
When reporting bugs to this alias, please include the following information:
Microsoft Baseline Security Analyzer was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com/security).