Scan Options

Before performing a scan, users can disable the following scan items in the tool UI:

• Windows vulnerability checks
• Weak passwords check
• Internet Information Server (IIS) vulnerability checks
• SQL vulnerability checks
• Security updates check

Windows Vulnerability Checks
This group of checks scans for security issues in the Windows operating systems (Windows NT 4, 2000, XP), such as Guest account status, file system type, available file shares, members of the Administrators group, etc. Descriptions of each Windows check are shown in the security reports with instructions on fixing any issues found.

Weak Passwords Check
Microsoft Baseline Security Analyzer checks machines for blank and weak passwords during a scan. This check can take a long amount of time, depending on the number of user accounts on the machine. Users may want to disable this check before scanning Domain Controllers on their network. Note that this check may produce event log entries in the Security log if auditing is enabled on the machine for Logon/Logoff events. If this option is unchecked, both the Windows and SQL account password checks will not be performed.

IIS Vulnerability Checks
This group of checks scans for security issues in IIS 4.0 and 5.0, such as sample applications and certain virtual directories present on the machine. The tool also checks if the IIS Lockdown tool has been run on the machine, which can help an Administrator configure and secure their IIS servers. Descriptions of each IIS check are shown in the security reports with instructions on fixing any issues found.

SQL Vulnerability Checks
This group of checks scans for security issues in SQL 7.0 and 2000, such as the type of authentication mode, sa account password status, and SQL service account memberships. Descriptions of each SQL check are shown in the security reports with instructions on fixing any issues found.

Security Updates Check
Microsoft Baseline Security Analyzer uses a version of the HFNetChk tool during a scan to detect any missing security updates on the machine. HFNetChk uses an XML database that is continuously updated by Microsoft to check the security update status on the machines being scanned.  If any security updates in the XML database are not installed on the scanned machine, the tool will flag these updates in the security report.  HFNetChk scans for security updates available for the following products:

• Windows NT 4.0
• Windows 2000
• Windows XP
• All system services, including IIS 4.0 and 5.0
• SQL Server 7.0 and 2000 (including Microsoft Data Engine)
• Exchange 5.5 and 2000 (including Exchange Admin Tools)
• IE 5.01 and later
• Windows Media Player 6.4 and up

Software Update Services (SUS) Option
Users can opt to perform the security updates check against the list of approved updates from their local SUS server (formerly called Windows Update Corporate Edition). This option will look for missing security updates included in an approved items list on the SUS server rather than from the full list of available security updates in the mssecure.xml file from the Microsoft web site. All security updates marked as approved by the SUS Administrator, including updates that have been superseded, will be scanned and reported by MBSA.