Reporting Bugs or Requesting Support
The following are the requirements when scanning a local computer:
The following are the requirements for a computer running the tool that is scanning remote machine(s):
The following are the requirements for a computer to be scanned remotely by the tool:
Please see Q303215 for more information on these services.
Users must have local administrative privileges on each computer being scanned, whether a local or remote scan is being performed.
Note: the tool will scan Windows .Net Server but this operating system is not officially supported in version 1.1.
Microsoft Baseline Security Analyzer version 1.1 checks for the following security settings during a full scan. Clicking on each check will display its associated description file with more details.
Check for missing security updates and service packs
Check for account password expiration
Check for file system type on hard drives
Check if autologon feature is enabled
Check if the Guest account is enabled
Check the RestrictAnonymous registry key settings
Check the number of local Administrator accounts
Check for blank and/or simple local user account
passwords
Check if unnecessary services are running
List the shares present on the computer
Check if auditing is enabled
Check the Windows version running on the scanned
computer
Check if the IIS Lockdown tool (Version 2.1) was
run on the computer
Check if the IIS sample applications are installed
Check if parent paths are enabled
Check for missing IIS security updates
Check if the IIS Admin virtual folder is installed
Check if the MSADC and Scripts virtual directories are
installed
Check if IIS logging is enabled
Check if IIS is running on a Domain Controller
Check if Administrators group belongs to sysadmin
role
Check if CmdExec role is restricted to sysadmin only
Check if SQL Server is running on a Domain Controller
Check if sa account password is exposed
Check SQL installation folders access permissions
Check if Guest account has database access
Check if the Everyone group has access to SQL registry
keys
Check if SQL service accounts are members of the local
Administrators group
Check if SQL accounts have blank or simple passwords
Check for missing SQL security updates
Check the SQL Server authentication mode type
Check the number of sysadmin role members
List the Internet Explorer security zone settings
per each local user
List the Outlook security zone settings per each local
user
List the Office products security zone settings per
each local user
The following parts of a scan are optional and can be turned off in the tool user interface prior to scanning a computer:
Note the security update checks performed on the computer use the HFNetChk technology which is automatically installed during setup.
There are two types of scans that can be performed using the MBSA command line interface: MBSA-style scans and HFNetChk-style scans.
The MBSA-style scan will store results, as was done in MBSA V1.0, in individual XML files to later be viewed in the MBSA UI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks. Note users will have to explicitly use the -baseline, -v, and -nosum switches to perform the same scan as done in the MBSA GUI.
The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe" with the following parameters:
<no option> - Scan the local computer
/c <domainname>\<computername> - Scan the named computer
/i <xxx.xxx.xxx.xxx> - Scan the named IP
/r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Scan range of IP addresses
/d <domainname> - scan named domain
/n IIS - Skip IIS checks
/n OS - Skip Windows Operating System (OS) checks
/n Password - Skip password checks
/n SQL - Skip SQL checks
/n Updates - Skip security update checks
/sus <SUS server> - Check only for security updates approved at the specified SUS server
/s 1 - Suppress security update check notes
/s 2 - Suppress security update check notes and warnings
/nosum - Security update checks will not test file checksums
/o %domain% - %computername% (%date%)
/e - List errors from latest scan
/l - List all reports available
/ls - List of reports from latest scan
/lr <report name> - Display overview report
/ld <report name> - Display detailed report
/? - Usage help
/qp - Don't display progress
/qe - Don't display error list
/qr - Don't display report list
/q - Don't display any of the above
/f - Redirect output to a file
The HFNetChk-style scan will check for missing security updates and will display scan results as text in the command line window, as is done in the standalone HFNetChk tool. MBSA V1.1 includes the "/hf" flag which will indicate an HFNetChk scan to the MBSA engine. The HFNetChk switches listed below can be used after the "/hf" flag is specified on the command line. Note users will have to explicitly use the -b, -v, and -nosum switches to perform the same scan as done in the MBSA GUI.
Note: the MBSA-style scan parameters listed above cannot be combined with the /hf flag option.
The tool can be run from the command line (in the Microsoft Baseline Security Analyzer installation folder) using "mbsacli.exe /hf" followed by any of the parameters below. For a full description of each parameter, please see KB article Q303215.
-h <hostname> - Scan the named NetBIOS computer name. Default location is the local host. Multiple hosts can be scanned by separating host names with a comma.
-fh <filename> - Scans the NetBIOS computer names specified in the named text file. Specify one computer name on each line in the .txt file, with a 256 name maximum.
-i <xxx.xxx.xxx.xxx> - Scans the named IP address. Multiple IP address can be scanned by separating each entry with a comma.
-fip <filename> - Scans the IP addresses specified in the named text file. Specify one IP address on each line in the .txt file, with a 256 entry maximum.
-r <xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx> - Specifies IP address range to be scanned.
-d <domainname> - Specifies the domain name to be scanned.
-n - Specifies that all computers on the local network should be scanned. All computers from all domains in Network Neighborhood are scanned.
-sus <SUS filename | SUS server> - Specify a SUS text file or a SUS URL from which to obtain the SUS file. If a file or server is not specified then the engine will try to use the value stored in the local machine registry.
-b - Scans a computer only for those security updates that are marked as baseline critical by the Microsoft Security Response Center.
-fq <filename> - Specifies the name of a file that contains Qnumbers to suppress on output. Specify one Qnumber per line. This switch only suppresses the specified item(s) from being displayed in the output; it does not remove the item(s) from consideration during the course of a scan.
-s - Suppresses NOTE and WARNING messages. The default is not to suppress either of these message types. The following options are used with this switch:
(1) Suppresses NOTE messages only.
(2) Suppresses both NOTE and WARNING messages.
-nosum - Specifies to not perform checksum validation for the security update files. You do not need to use this switch under typical circumstances.
-sum - Forces a checksum scan when scanning a non-English language system. Use this switch only if you have a custom XML file with language-specific checksums.
-z - Specifies to not perform registry checks.
-history - Displays security updates that have been explicitly installed, explicitly not installed, or both. This switch is not necessary for normal operation; you do not need to use it except under very specific circumstances. The following options are used with this switch:
(1) displays those security updates that have been
explicitly installed.
(2) displays those security updates that have been explicitly
not installed.
(3) displays those security updates that have explicitly been
installed and not installed.
-v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered "not found" or if you receive a NOTE or WARNING message.
-o - Specifies the desired output format. The following options are used with this switch:
(tab) Displays output in tab-delimited format.
(wrap) Displays output in word-wrapped format.
-f <filename> - Specifies the name of a file in which to store the results. You can use the switch in both wrap and tab output.
-t - Displays the number of threads that are used to run the scan. Possible values are 1 to 128, with the default value being 64. This switch can be used to throttle down (or up) the scanner speed.
-u <username> - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.
-p <password> - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. For security purposes, the password is not sent over the network in clear text. Instead, HFNetChk uses the challenge-response mechanism that is built into Windows NT 4.0 and later to secure the authentication process.
-x - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a Uniform Resource Locator (URL). The default file is the Mssecure.cab file from the Microsoft Web site. When this switch is not used, the mssecure.xml file will be downloaded from the Microsoft Web site.
-ver - Checks if you are running the latest available version of HFNetChk.
-trace - Creates a debug log to assist with troubleshooting (hf.log in the local directory). This switch must be the first switch specified in the command line and may be used in conjunction with other switches.
-about - Displays information about HFNetChk.
-? - Displays a usage menu. You can also call this switch by using the /? syntax. The menu is also displayed any time that you pass incorrect syntax at a command prompt.
Scan reports will be stored on the computer on which the tool is installed under the %userprofile%\SecurityScans folder. An individual security report will be created for each computer scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans created by the tool in this folder.
By default, a security update scan executed from the MBSA GUI or from mbsacli.exe (MBSA-style scan) will scan and report missing updates marked as critical security updates in Windows Update (WU), also referred to as "baseline" critical security updates. When a security update scan is executed from mbsacli.exe using the /hf switch (HFNetChk-style scan), all security-related security updates will be scanned and reported on. A user running an HFNetChk-style scan would have to use the -b option to scan only for WU critical security updates. When the SUS option is chosen, all security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.
The password checks can add a substantial amount of time to a scan, depending on the computer role and number of user accounts on the computer. In addition, attempts to check individual accounts for weak passwords can add Security log entries (Logon/Logoff events) if auditing is enabled on the computer. Note the tool will reset any account lockout policies detected on the computer so as to not lockout any individual user accounts during the password check. This check is not performed on domain controllers.
If this option is unchecked prior to scanning a computer, both the local Windows and SQL account password checks will not be performed.
The tool checks for vulnerabilities on each instance of SQL Server found on the computer. All individual SQL checks will be performed on each instance.
Version 1.1 of the tool can scan localized builds of the Windows operating system, however this version is not fully supported or tested on non-English builds. Additional languages will be tested and supported in the next release of the tool.
Microsoft Baseline Security Analyzer will display errors if any of the following occur:
A Microsoft Baseline Security Analyzer newsgroup has been created for users to post questions and obtain information on tool updates, technical questions, and upcoming versions:
News server: Msnews.microsoft.com
Newsgroup: Microsoft.public.security.baseline_analyzer
To contact Microsoft PSS Support, please go to http://www.microsoft.com/security to the Microsoft Baseline Security Analyzer download/tool information pages.
When reporting bugs, please include the following information: