About security state assessment checks

Applies To: Forefront Client Security

SSA scans search for potential vulnerabilities by using SSA checks, which are included in the definitions updates provided by Microsoft and which Client Security distributes to client computers. SSA checks are updated on a monthly basis, typically on the fourth Tuesday of each month.

SSA checks describe aspects of the operating system and common applications that can be better configured to protect a computer. For example, the Password Expiration SSA check scans for local user accounts that have passwords that don't expire. Client Security assigns this vulnerability a score and logs an event if a client computer permits user accounts to have passwords that don't expire.


The parameters of SSA checks are not configurable. For example, you cannot change which services the Unnecessary Services check identifies as possible vulnerabilities.

Client Security does not support custom SSA checks. You cannot create checks or use third-party checks.

As with malware definitions, you use WSUS to receive updates to SSA checks and to distribute them to client computers. SSA check updates are distinct from malware definition updates and are listed separately in WSUS. Client computers can also retrieve them directly from Microsoft Update when the WSUS server is unavailable, if you enable fallback to the Microsoft Update feature. For more information, see Configuring fallback for updates.

SSA definition and scan engine files

On each client computer, the definitions file containing SSA checks is called VulnerabilityDefinitions.manifest. The default location for this file is:

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\Manifests

The scan engine files that support SSA checks are bpacommon.dll and bpaconfigcollector.dll. The default location for these files is:

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA

Summary of SSA checks

The following table summarizes the checks that Client Security performs when it performs an SSA scan of a client computer and what to do if you find that the score for the check is unacceptable. For detailed descriptions about each SSA check, see the Client Security Technical Reference (https://go.microsoft.com/fwlink/?LinkId=86991).

Typically, when the settings examined by a check are configured by Group Policy on the scanned computer, the resulting score is Informational. It is assumed that settings configured by Group Policy conform to your organization's standards and are therefore intentional.

SSA check What it checks Resolution for unacceptable scores

Windows Version

Determines which operating system is running.

Upgrade the scanned computer to Windows Server 2003 or Windows® 2000 Server.

Automatic Updates

Identifies whether the Automatic Updates feature is enabled, and if so, how it is configured.

Enable automatic updating and configure it to automatically download and install updates.

Security Updates

Determines which available security updates are missing.

Install missing security updates.

Incomplete Updates

Determines if a restart is required to complete an update.

Restart the scanned computer.

Restrict Anonymous

Determines whether the RestrictAnonymous registry setting is used to restrict anonymous connections.

The resolution depends on the operating system and the role the computer performs. For more information about the Restrict Anonymous check, see the Client Security Technical Reference (https://go.microsoft.com/fwlink/?LinkId=86991).

File System

Determines the file system of each hard disk, to ensure that the NTFS file system is being used.

Convert the file system of the local drive to NTFS.


Determines whether the Auto Logon feature is enabled and if the logon password is encrypted in the registry or stored in plaintext.

Disable the automatic logon feature. For more information about the Autologon check, see the Client Security Technical Reference (https://go.microsoft.com/fwlink/?LinkId=86991).


Lists shared folders, including administrative shares, along with their share level and NTFS permissions.

Review the list of shares and remove any shares that are not needed. For those shares required on the scanned computer, review the share permissions to ensure that access is limited to authorized users only and is not shared to everyone.

Unnecessary Services

Lists potentially unnecessary services. The services checked for are:


  • TlntSvr (Telnet)

  • W3SVC (WWW)


Disable unnecessary services.

Guest Account

Determines if the Guest account is disabled or nonexistent.

Disable the Guest account.


Determines if the local Administrators group contains more than one member.

Keep the number of local administrators on the scanned computer to a minimum.

Passwords Expiration

Determines whether any local accounts have passwords that do not expire.

The resolution depends on the user account and whether there is a reason for assigning the account a password that does not expire. For more information about the Passwords Expiration check, see the Client Security Technical Reference (https://go.microsoft.com/fwlink/?LinkId=86991).