Utility Spotlight

Microsoft Baseline Security Analyzer 2.1

Lance Whitney

Keeping track of all the security settings and updates on the PCs in your organization can be a full-time job. How do you ensure that each client and server you support is properly secured? Microsoft's free Baseline Security Analyzer can help.

The Microsoft Baseline Security Analyzer (MBSA) scans a workstation or server for any security holes or weaknesses. It can also determine if all recommended security updates and patches have been applied. If any holes are found, the tool provides steps to help you fix them.

Download the .MSI file for MBSA, choosing the correct version from the list based on your language and OS type—32-bit or 64-bit. After installation, launch the program from the Microsoft Baseline Security Analyzer 2.1 shortcut on the desktop or in the Programs menu.

Your first step is to select a PC to scan, which can be either your local PC or any networked machine. You can even scan several PCs in one shot by specifying a domain name or range of IP addresses. If you choose to scan one computer, by default the scan points to your local machine, but you can target a different PC by entering its IP address.

From the MBSA scan menu, you can choose to check some or all of the following, which are all selected by default:

Windows administrative vulnerabilities: MBSA checks for Windows account-related issues, such as an open Guest account or too many administrative accounts. It also looks at the number of file shares and the PC's file system to make sure you're using NTFS instead of FAT for better security.

Weak passwords: MBSA looks for blank or weak passwords throughout all accounts.

IIS administrative vulnerabilities: For machines running IIS 5.0 or 6.0, MBSA scans to make sure all the necessary default security options and hotfixes have been applied. The tool does not support IIS 7.

SQL Server administrative vulnerabilities: MBSA scans for any versions of SQL Server or Microsoft Data Engine (MSDE) on the machine, looking at the authentication mode to see if you're using Windows authentication or Mixed Mode (Windows and SQL authentication). It also checks the status of the system administrator account password.

Security updates: MBSA checks the status of all security updates to determine if any are missing. You can also use this option to install Microsoft Update on a client, which MBSA uses to scan for certain applications. Finally, you can tell MBSA whether to use Microsoft Update or Windows Server Update Services (WSUS) in its scan.
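To see what the "Windows administrative vulnerabilities" check is actually looking at, here is an added PowerShell example (not part of the article and not MBSA's own code) that reproduces three of those items by hand on the local machine: the state of the built-in Guest account, the membership of the local Administrators group, and any fixed disk not formatted with NTFS. The member-count threshold of 2 is an assumption chosen for the example, not MBSA's rule, and the script assumes the Guest account has not been renamed. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the article or from MBSA: three of the items behind
# MBSA's "Windows administrative vulnerabilities" check, done by hand locally.

$ADS_UF_ACCOUNTDISABLE = 0x0002   # UserFlags bit set when a WinNT-provider account is disabled

# 1. Is the built-in Guest account enabled? (Assumes it still carries the name "Guest".)
$guest        = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
$guestEnabled = -not ($guest.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE)

# 2. Who is in the local Administrators group? MBSA flags "too many" administrators;
#    the threshold of 2 below is an assumption for this example, not MBSA's own rule.
$admins  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# 3. Fixed disks (WMI DriveType 3) whose file system is something other than NTFS
$nonNtfs = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    Where-Object { $_.FileSystem -ne 'NTFS' })

# Collect findings in the same pass/fail spirit as the MBSA on-screen report
$findings = @()
if ($guestEnabled) {
    $findings += 'Guest account is enabled'
}
if ($members.Count -gt 2) {
    $findings += "Administrators group has $($members.Count) members: $($members -join ', ')"
}
foreach ($d in $nonNtfs) {
    $findings += "Drive $($d.DeviceID) uses $($d.FileSystem) rather than NTFS"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

MBSA performs the same kind of inspection for every item in the category and adds the "How to correct this" guidance; the script is only meant to make the checks concrete, not to replace the tool.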

After you select the appropriate options and computers, you trigger the scan, which typically takes several minutes to run. MBSA then generates a full on-screen report, displaying the results of the scan item by item, as shown in Figure 1. The report groups its findings into categories matching the options in the scan menu, such as administrative vulnerabilities, SQL Server status and security updates.


Figure 1 The results of an MBSA scan are displayed in an on-screen report.

A variety of details are available on each flagged item. Selecting the "What was scanned" option tells you why each item was scanned and flagged. The "Result Details" option pinpoints the item that was flagged, for example, the specific account or application. The "How to correct this" option opens a page with a detailed description and step-by-step instructions on how to fix the flaw.
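MBSA 2.1 also installs a command-line version, mbsacli.exe, alongside the graphical tool, which is the practical way to run the procedure above against a whole list of machines. The following PowerShell script is an added example, not code from the article or from Microsoft: it scans a constructed list of computers with mbsacli.exe and then rolls every check from the resulting XML reports into one table. The install path, the report folder under the user profile, the .mbsa report extension and the XML attribute names (SecScan, Machine, Check, Name, Grade, Advice) are taken from MBSA 2.x as I know it; confirm them against your own installation and report files before relying on the output.

```powershell
# Added example, not from the article: scan several computers with mbsacli.exe and
# summarise every reported check across them in one table.

$mbsacli   = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'  # assumed default install path
$reportDir = Join-Path $env:USERPROFILE 'SecurityScans'                              # folder where MBSA writes reports
$targets   = 'WKS-001', 'WKS-002', 'SRV-FILE01'                                      # constructed list of computer names

if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

# One scan per computer. /target names the machine to scan and /o sets the report
# file name (MBSA adds the .mbsa extension). To skip a check group, add a switch
# such as "/n Password"; the groups are OS, SQL, IIS, Updates and Password.
foreach ($pc in $targets) {
    Write-Host "Scanning $pc ..."
    & $mbsacli /target $pc /o "fleet-$pc" | Out-Null
}

# Each report is XML: a <SecScan Machine="..."> root with one <Check Name="..."
# Grade="..."> element per item and its <Advice> text (attribute names assumed
# from MBSA 2.x reports; check them against one of your own files).
$rows = foreach ($file in Get-ChildItem $reportDir -Filter 'fleet-*.mbsa') {
    [xml]$report = Get-Content $file.FullName
    foreach ($check in $report.SecScan.Check) {
        New-Object PSObject -Property @{
            Machine = $report.SecScan.Machine
            Grade   = [int]$check.Grade
            Check   = $check.Name
            Advice  = $check.Advice
        }
    }
}

# Grade is MBSA's numeric result code for the item (its meaning is documented in
# the MBSA help); grouping by it lines up the same outcome across all machines.
$rows | Sort-Object Grade, Machine | Format-Table Machine, Grade, Check, Advice -AutoSize

# Quick per-machine count of reported items
$rows | Group-Object Machine | Select-Object Name, Count
```

The per-machine report files stay in the SecurityScans folder, so the same "Result Details" and "How to correct this" information the GUI shows can still be opened there after the batch run.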

MBSA supports Windows 2000, XP and Vista, and Windows Server 2003 and 2008, and can scan both 32-bit and 64-bit systems.


Lance Whitney is an IT consultant, software trainer and technical writer. He has spent countless hours tweaking Windows workstations and servers. Originally a journalist, he took a blind leap into the IT world back in the early 1990s.